MySQL 8.0 Release Notes
MySQL 8.0 Source Code Documentation
MySQL Enterprise Encryption lets you limit keys to a length that provides adequate
security for your requirements while balancing this with resource
usage. You can also configure the functions provided by the
component_enterprise_encryption component from
MySQL 8.0.30, to support decryption and verification for content
produced by the legacy openssl_udf shared
library functions.
By default, the functions provided by the
component_enterprise_encryption component
from MySQL 8.0.30 do not decrypt encrypted text, or verify
signatures, that were produced by the legacy functions provided
in earlier releases by the openssl_udf shared
library. The component functions assume that encrypted text uses
the RSAES-OAEP padding scheme, and signatures use the RSASSA-PSS
signature scheme. However, encrypted text produced by the legacy
functions uses the RSAES-PKCS1-v1_5 padding scheme, and
signatures produced by the legacy functions use the
RSASSA-PKCS1-v1_5 signature scheme.
If you want the component functions to support content produced
by the legacy functions before MySQL 8.0.30, set the
component’s system variable
enterprise_encryption.rsa_support_legacy_padding
to ON. The system variable is available when
the component is installed. When you set it to
ON, the component functions first attempt to
decrypt or verify content assuming it has their normal schemes.
If that does not work, they also attempt to decrypt or verify
the content assuming it has the schemes used by the legacy
functions. This behavior is not the default because it increases
the time taken to process content that cannot be decrypted or
verified at all. If you are not handling content produced by the
legacy functions, leave the system variable to default to
OFF.
The amount of CPU resources required by MySQL Enterprise Encryption's key generation functions increases as the key length increases. For some installations, this might result in unacceptable CPU usage if applications frequently generate excessively long keys.
OpenSSL specifies a minimum key length of 1024 bits for all keys. OpenSSL also specifies a maximum key length of 16384 bits for RSA keys, 10000 bits for DSA keys, and 10000 bits for DH keys.
From MySQL 8.0.30, the functions provided by the
component_enterprise_encryption component
have a higher minimum key length of 2048 bits for RSA keys,
which is in line with current best practice for minimum key
lengths. The component's system variable
enterprise_encryption.maximum_rsa_key_size
specifies the maximum key size, and it defaults to 4096 bits.
You can change this to allow keys up to the maximum length
allowed by OpenSSL, 16384 bits.
For releases before MySQL 8.0.30, the legacy functions provided
by the openssl_udf shared library default to
OpenSSL's minimum and maximum limits. If the maximum values are
too high, you can specify a lower maximum key length using the
following system variables:
MYSQL_OPENSSL_UDF_DSA_BITS_THRESHOLD: Maximum DSA key length in bits forcreate_asymmetric_priv_key(). The minimum and maximum values for this variable are 1024 and 10000.MYSQL_OPENSSL_UDF_RSA_BITS_THRESHOLD: Maximum RSA key length in bits forcreate_asymmetric_priv_key(). The minimum and maximum values for this variable are 1024 and 16384.MYSQL_OPENSSL_UDF_DH_BITS_THRESHOLD: Maximum key length in bits forcreate_dh_parameters(). The minimum and maximum values for this variable are 1024 and 10000.
To use any of these environment variables, set them in the
environment of the process that starts the server. If set, their
values take precedence over the maximum key lengths imposed by
OpenSSL. For example, to set a maximum key length of 4096 bits
for DSA and RSA keys for
create_asymmetric_priv_key(), set these
variables:
export MYSQL_OPENSSL_UDF_DSA_BITS_THRESHOLD=4096
export MYSQL_OPENSSL_UDF_RSA_BITS_THRESHOLD=4096The example uses Bourne shell syntax. The syntax for other shells may differ.