MySQL 8.0 Release Notes
MySQL 8.0 Source Code Documentation
For NDB Transparent Data Encryption (TDE),
data nodes encrypt user data at rest, with security provided by
a password (file system password), which is used to encrypt and
decrypt a secrets file on each data node. The secrets file
contains a Node Master Key (NMK), a key used later to encrypt
the different file types used for persistence.
NDB TDE encrypts user data files including
LCP files, redo log files, tablespace files, and undo log files.
You can use the ndbxfrm utility to see whether a file is encrypted, as shown here:
> ndbxfrm -i ndb_5_fs/LCP/0/T2F0.Data
File=ndb_5_fs/LCP/0/T2F0.Data, compression=no, encryption=yes
> ndbxfrm -i ndb_6_fs/LCP/0/T2F0.Data
File=ndb_6_fs/LCP/0/T2F0.Data, compression=no, encryption=noBeginning with NDB 8.0.31, it is possible to obtain the key from the secrets file using the ndb_secretsfile_reader program added in that release, like this:
> ndb_secretsfile_reader --filesystem-password=54kl14 ndb_5_fs/D1/NDBCNTR/S0.sysfile
ndb_secretsfile_reader: [Warning] Using a password on the command line interface can be insecure.
cac256e18b2ddf6b5ef82d99a72f18e864b78453cc7fa40bfaf0c40b91122d18The per-node key hierarchy can be represented as follows:
A user-supplied passphrase (P) is processed by a key-derivation function using a random salt to generate a unique passphase key (PK).
The PK (unique to each node) encrypts the data on each node in its own secrets file.
The data in the secrets file includes a unique, randomly generated Node Master Key (NMK).
The NMK encrypts (using wrapping) one or more randomly generated data encryption key (DEK) values in the header of each encrypted file (including LCP and TS files, and redo and undo logs).
Data encryption key values (DEK0, ..., DEKn) are used for encryption of [subsets of] data in each file.
The passphrase indirectly encrypts the secrets file containing the random NMK, which encrypts a portion of the header of each encrypted file on the node. The encrypted file header contains random data keys used for the data in that file.
Encryption is implemented transparently by the
NDBFS layer within the data
nodes. NDBFS internal client blocks operate
on their files as normal; NDBFS wraps the
physical file with extra header and footer information
supporting encryption, and encrypts and decrypts data as it is
read from and written to the file. The wrapped file format is
referred to as ndbxfrm1.
The node password is processed with PBKDF2 and the random salt to encrypt the secrets file, which contains the randomly generated NMK which is used to encrypt the randomly generated data encryption key in each encrypted file.
The work of encryption and decryption is performed in the NDBFS
I/O threads (rather than in signal execution threads such as
main, tc, ldm, or rep). This is similar to what happens with
compressed LCPs and compressed backups, and normally results in
increased I/O thread CPU usage; you may wish to adjust
ThreadConfig (if in
use) with regard to the I/O threads.