Advanced encryption key rotation¶
Important
This feature, and associated system variables, status variables, and options have been removed in Percona Server for MySQL 8.0.31-23.
The Advanced Encryption Key Rotation feature lets you perform specific encryption and decryption tasks in real time.
The following table explains the benefits of Advanced Encryption Key Rotation:
| Advanced Encryption Key Rotation | Master Key Encryption |
|---|---|
| Encrypts any existing tablespaces in a single operation. Advanced Encryption Key Rotation allows encryption to be applied to all or selected existing tablespaces. You can exclude tablespaces. | Encrypts each existing tablespace as a separate operation. |
| Encrypts tables with a key from a keyring. | Encrypts tables with a key that is then stored in the encryption header of the tablespace. |
| Re-encrypts each tablespace page by page when the key is rotated. | Re-encrypts only the tablespace encryption header when the key is rotated. |
If you enable Advanced Encryption Key Rotation with a Master key encrypted tablespace, the tablespace is re-encrypted with the keyring key in a background process. If the Advanced Encryption Key Rotation feature is enabled, you cannot convert a tablespace to use Master key encryption. You must disable the feature before you convert the tablespace.
This feature is in tech preview.
You must have the SYSTEM_VARIABLES_ADMIN privilege or the SUPER privilege to set these variables.
innodb_encryption_threads¶
This variable is removed in Percona Server for MySQL 8.0.31-23.
| Option | Description |
|---|---|
| Command-line | –innodb-encryption-threads |
| Scope | Global |
| Dynamic | Yes |
| Data type | Numeric |
| Default | 0 |
This variable works in combination with the
default_table_encryption variable set to ONLINE_TO_KEYRING.
This variable
configures the number of threads for background encryption. For the online
encryption, the value must be greater than zero.
innodb_online_encryption_rotate_key_age¶
This variable is removed in Percona Server for MySQL 8.0.31-23.
| Option | Description |
|---|---|
| Command-line | –innodb-online-encryption-rotate-key-age |
| Scope | Global |
| Dynamic | Yes |
| Data type | Numeric |
| Default | 1 |
Defines the rotation for the re-encryption of a table encrypted using KEYRING. The value of this variable determines the how frequently the encrypted tables are re-encrypted.
For example, the following values would trigger a re-encryption in the following intervals:
-
The value is 1, and the table is re-encrypted on each key rotation.
-
The value is 2, and the table is re-encrypted on every other key rotation.
-
The value is 10, and the table is re-encrypted on every tenth key rotation.
You should select the value which best fits your operational requirements.
innodb_encryption_rotation_iops¶
This variable is removed in Percona Server for MySQL 8.0.31-23.
| Option | Description |
|---|---|
| Command-line | –innodb-encryption-rotation-iops |
| Scope | Global |
| Dynamic | Yes |
| Data type | Numeric |
| Default | 100 |
Defines the number of input/output operations per second (iops) available for use by a key rotation process.
innodb_default_encryption_key_id¶
This variable is removed in Percona Server for MySQL 8.0.31-23.
| Option | Description |
|---|---|
| Command-line | –innodb-default-encryption-key-id |
| Scope | Session |
| Dynamic | Yes |
| Data type | Numeric |
| Default | 0 |
Defines the default encryption ID used to encrypt tablespaces.
Use Keyring Encryption¶
This feature is removed in Percona Server for MySQL 8.0.31-23.
Keyring management is enabled for each table, per file table, separately when
you set encryption in the ENCRYPTION clause to KEYRING in the supported
SQL statement.
-
CREATE TABLE … ENCRYPTION=’KEYRING’
-
ALTER TABLE … ENCRYPTION=’KEYRING’
Note
Running an ALTER TABLE ... ENCRYPTION='N' on a table created with ENCRYPTION='KEYRING' converts the table to the existing MySQL schema, tablespace, or table encryption state.
Get expert help¶
If you need assistance, visit the community forum for comprehensive and free database knowledge, or contact our Percona Database Experts for professional support and services.