MySQL 8.0 Reference Manual

6.6.2 Configuring MySQL Enterprise Encryption

The amount of CPU resources required by MySQL Enterprise Encryption's key generation functions increases as the key length increases. For some installations, this might result in unacceptable CPU usage if applications frequently generate excessively long keys.

OpenSSL imposes a minimum key length of 1,024 bits for all keys. OpenSSL also imposes a maximum key length of 10,000 bits and 16,384 bits for DSA and RSA keys, respectively, for create_asymmetric_priv_key(), and a maximum key length of 10,000 bits for create_dh_parameters(). If those maximum values are too high, three environment variables are available to enable MySQL server administrators to set lower maximum lengths for key generation, and thereby to limit CPU usage:

  • MYSQL_OPENSSL_UDF_DSA_BITS_THRESHOLD: Maximum DSA key length in bits for create_asymmetric_priv_key(). The minimum and maximum values for this variable are 1,024 and 10,000.

  • MYSQL_OPENSSL_UDF_RSA_BITS_THRESHOLD: Maximum RSA key length in bits for create_asymmetric_priv_key(). The minimum and maximum values for this variable are 1,024 and 16,384.

  • MYSQL_OPENSSL_UDF_DH_BITS_THRESHOLD: Maximum key length in bits for create_dh_parameters(). The minimum and maximum values for this variable are 1,024 and 10,000.

To use any of these environment variables, set them in the environment of the process that starts the server. If set, their values take precedence over the maximum key lengths imposed by OpenSSL. For example, to set a maximum key length of 4,096 bits for DSA and RSA keys for create_asymmetric_priv_key(), set these variables:

export MYSQL_OPENSSL_UDF_DSA_BITS_THRESHOLD=4096
export MYSQL_OPENSSL_UDF_RSA_BITS_THRESHOLD=4096

The example uses Bourne shell syntax. The syntax for other shells may differ.
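A pre-start check for the three variables described above, as an added example that is not part of the MySQL manual: it validates any variable that is set against the documented range before the server is launched. The function names `check_threshold` and `check_all_thresholds` are hypothetical.

```shell
#!/bin/sh
# Added example: validate the key-length threshold variables before the
# server starts. Ranges are the documented ones; names are hypothetical.

# check_threshold NAME MAX
# Returns 0 if NAME is unset or empty (the OpenSSL maximum applies) or is
# an integer in [1024, MAX]; otherwise prints a diagnostic and returns 1.
check_threshold() {
    name=$1
    max=$2
    eval "value=\${$name-}"
    if [ -z "$value" ]; then
        return 0
    fi
    case $value in
        # Reject separators such as "4,096", signs, and anything longer
        # than five digits (which cannot be within any documented range).
        *[!0-9]*|??????*)
            echo "$name: '$value' is not a plain integer in range" >&2
            return 1 ;;
    esac
    if [ "$value" -lt 1024 ] || [ "$value" -gt "$max" ]; then
        echo "$name: $value is outside the documented range 1024-$max" >&2
        return 1
    fi
    return 0
}

# Check all three variables; report every problem, not just the first.
check_all_thresholds() {
    rc=0
    check_threshold MYSQL_OPENSSL_UDF_DSA_BITS_THRESHOLD 10000 || rc=1
    check_threshold MYSQL_OPENSSL_UDF_RSA_BITS_THRESHOLD 16384 || rc=1
    check_threshold MYSQL_OPENSSL_UDF_DH_BITS_THRESHOLD 10000 || rc=1
    return $rc
}

# In a start wrapper: check_all_thresholds || exit 1
```

Run the check in the same environment that starts the server, because that is the only environment whose values the server sees.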