WL#9289: InnoDB: Support Transparent Data Encryption for Undo Tablespaces
Affects: Server-8.0 — Status: Complete — Priority: Medium
This work will provide encryption support for undo tablespaces. Basically, for encryption, undo log tablespace has no difference with regular tablespace. The special thing is how to en/disable undo log encryption. 1:We added a new global variable innodb_undo_log_encrypt=ON/OFF for en/disable undo log encryption. And after user enable undo log encryption, the undo log pages will be encrypted when they're writing into disk. the previous undo log pages which is already on disk will be left as not encrypted status. On the other hand, after it's disable, the old undo log pages will be leave as encrypted status, and the new undo log pages will not be encrypted. If innodb_undo_log_encrypt is enabled in bootstrap, we use a default master key for encrypting undo log tablespace key and iv. It's because there's no necessary information like server uuid in bootstrap. And in the next master key rotation, the default master key will be thrown away. 2:In this worklog, we only support encryption of independent undo tablespaces. Since currently, we don't support encryption of shared tablespaces, so, we will not support encrypting undo log pages in system tablespace. This feature will be provided in the coming worklog. 3:Same as regular tablespace, the encryption metadata will be stored in the first page of data file. And in the future work undo tablespace metadata is stored in the Global Data Dictionary dd::Tablespace object, and loaded on server startup. Then, the encryption metadata can be stored in dd::Tablespace::options or dd::Tablespace::se_private_data. The main thing that is missing is the SQL interface to specify encryption when creating a tablespace. 4:Performance impact of undo log encryption will be less than 10%.
Requirements F1 - Support AES encryption F2 - En/disable undo tablespace encryption by set innodb_undo_log_encrypt=ON/OFF. F3 - Support Key rotation. F4 - Read encryption information from header of undo* properly (recovery after crash) F5 - Don't support encryption of undo log in system tablespace. Non-Functional requirements NF-1 - Performance impact of undo log encryption will be less than 10%
1:En/disable undo log tablespace encryption: Introduce a global system variable innodb_undo_log_encrypt ie:set global innodb_undo_log_encrypt=ON, start encrypt undo log pages. 2:En/decrypt undo log pages: Since the undo log pages has not different format with normal data page, we don't need to do anything special for this, just use the exist en/decrypt functions in class Encryption. But we need to set the proper encryption metadata into IORequest. 3:Store encryption metadata: No difference with regular tablespaces. The encryption metadata will be stored in the header of data file, which is in the page 0, and The encryption metadata information of undo tablespace has the same format with it in regular tablespaces. like: encryption version + master key id + server uuid + encrypted tablespace key + IV 4:Key rotation and recovery If the undo log tablespace has been set as encrypted, we will rotate the undo log tablespace key, even innodb_undo_log_encrpyt is OFF. Since it is possible that some of undo log pages are still in encrypted status, and they need encryption metadata to decrypt.
1:En/disable undo log encryption: Add new global variable innodb_undo_log_encrypt definition in ha_innobase.cc: static MYSQL_SYSVAR_BOOL(undo_log_encrypt, srv_undo_log_encrypt, PLUGIN_VAR_OPCMDARG, "Enable or Disable Encrypt of UNDO tablespace.", NULL, NULL, FALSE); 2:Add a function to enable undo log encryption in server startup. /** Try to enable encryption of an undo log tablespace. @param[in] space undo log tablespace @return DB_SUCCESS if success */ static dberr_t srv_undo_tablespace_enable_encryption( fil_space_t* space);
Copyright (c) 2000, 2019, Oracle Corporation and/or its affiliates. All rights reserved.