WL#9290: InnoDB: Support Transparent Data Encryption for Redo Log

Affects: Server-8.0   —   Status: Complete 

This work will provide encryption support for redo log.

1:Encrypt redo log blocks in I/O layer.
We will en/decrypt the redo log in the I/O layer. Which means, the en/decryption
only happens when the redo log blocks read or write from/to disk. And the redo
log data in memory will stay in unencrypted status.

2:Encryption metadata will be stored in the header of first log file.
There are 2 key levels here, master key and tablespace key.
Master key is stored in keyring plugin, and it's used to en/decrypt tablespace
key and iv. Tablespace key is for en/decrypt redo log blocks, and it will be 
stored into the 3rd block of first redo log file(ib_logfile0).
So, we will not encrypt redo log file header, which is in the first 4 blocks. 

The first 4 blocks of first redo log file will contains these information:
first block: log file header
2nd   block: checkpoint1
3rd   block: encryption metadata
4th   block: checkpoint2

The encryption meta data information of redo log has the same format with it in 
normal tablespaces. like:
encryption version + master key id + server uuid + encrypted tablespace key + IV

This meta data will be read from ib_logfile0 in server startup.

3:The redo log block is encrypted one by one.
For each block, we will not encrypt the block header. It's because we use a bit
in the block header to indicate if it's an encrypted block or not.
When a redo log block is writing into disk, this bit will be set after
this block has been encrypted. And it will be checked when it's read from disk. 
The decrypt function will be called if this bit is set.

4:For key rotation, we will just need to save the new encryption metadata 
information to block 3, and flush it to disk.
Key rotation steps:
Step1: Create a new master key and fetch it from keyring;
Step2: Use the new master key to encrypt redo log tablespace key and iv.
Step3: Store the new encryption metadata into the 3rd block for ib_logfile0.

5:We added a new global variable innodb_redo_log_encrypt=ON/OFF for en/disable 
redo log encryption.
And after user enable redo log encryption, the redo log blocks will be encrypted 
when it's writing into disk. the previous redo log which is already in disk
will be leaved as not encrypted status.
On the other hand, after it's disable, the old redo log blocks will be leave as
encrypted status, and the new redo log blocks will not be encrypted.

If innodb_redo_log_encrypt is enabled in bootstrap, we use a default master key
for encrypting redo log tablespace key and iv. It's because there's no necessary
information like server uuid in bootstrap. And in the next master key rotation, 
the default master key will be thrown away.

Limitations
===========
1:If the ib_logfile0 is removed, redo log encryption will be disabled. It's 
because the encryption metadata in ib_logfile0 has also been removed with 
ib_logfile0.
2:Normal restart without keyring plugin/missing key file is not possible once 
redo log encryption is enabled when server was up. This is because InnoDB need 
to scan some redo blocks in normal startup, and these blocks are possible 
encrypted if redo log encryption was enabled before. User still can startup 
server by trying to startup with --innodb_force_recovery= SRV_FORCE_NO_LOG_REDO.


Copyright (c) 2000, 2025, Oracle Corporation and/or its affiliates. All rights reserved.