Skip to content
logo
Percona Server for MySQL
Advanced encryption key rotation
Initializing search
    percona/psmysql-docs
    percona/psmysql-docs
    • Home
      • Release notes index
      • Percona Server for MySQL 8.0.33-25 Update (2023-08-02)
      • Percona Server for MySQL 8.0.33-25 (2023-06-15)
      • Percona Server for MySQL 8.0.32-24 (2023-03-20)
      • Percona Server for MySQL 8.0.31-23 (2023-02-09)
        • Percona Server for MySQL 8.0.30-22 Update (2022-11-21)
        • Percona Server for MySQL 8.0.30-22 (2022-11-21)
        • Percona Server for MySQL 8.0.29-21 (2022-08-08)
        • Percona Server for MySQL 8.0.28-20 (2022-06-20)
        • Percona Server for MySQL 8.0.28-19 (2022-05-12)
        • Percona Server for MySQL 8.0.27-18 (2022-03-02)
        • Percona Server for MySQL 8.0.26-17 (2022-01-26)
        • Percona Server for MySQL 8.0.26-16 (2021-10-20)
        • Percona Server for MySQL 8.0.25-15 (2021-07-13)
        • Percona Server for MySQL 8.0.23-14 (2021-05-12)
        • Percona Server for MySQL 8.0.22-13 (2020-12-14)
        • Percona Server for MySQL 8.0.21-12 (2020-10-13)
        • Percona Server for MySQL 8.0.20-11 (2020-07-21)
        • Percona Server for MySQL 8.0.19-10 (2020-03-23)
        • Percona Server for MySQL 8.0.18-9
        • Percona Server for MySQL 8.0.17-8
        • Percona Server for MySQL 8.0.16-7
        • Percona Server for MySQL 8.0.15-6
        • Percona Server for MySQL 8.0.15-5
        • Percona Server for MySQL 8.0.14
        • Percona Server for MySQL 8.0.13-4
        • Percona Server for MySQL 8.0.13-3
        • Percona Server for MySQL 8.0.12-2rc1
      • Limiting the disk space used by binary log files
      • Extended mysqlbinlog
      • Slow query log rotation and expiration
      • Extended SELECT INTO OUTFILE/DUMPFILE
      • Support for PROXY protocol
      • SEQUENCE_TABLE(n) function
      • Trigger updates
      • Expanded fast index creation
      • Kill idle transactions
      • Percona Toolkit UDFs
      • Utility user
      • The ProcFS plugin
      • Adaptive network buffers
      • Thread pool
      • Quickstart guide for Percona Server for MySQL
      • Install Percona Server for MySQL from repositories
        • Use APT repositories
        • Files in DEB package
        • Build APT packages
        • Downloaded DEB packages
        • Apt pinning
        • Run Percona Server for MySQL
        • Uninstall
        • Use RPM repositories
        • Files in RPM package
        • Downloaded RPM packages
        • Run Percona Server for MySQL
        • Uninstall
        • Install with binary tarballs
        • Binary tarballs available
        • Install Percona Server for MySQL from a source tarball
        • Compile Percona Server for MySQL 8.0 from source
        • Install using Docker
        • Docker environment variables
      • Upgrade guide
      • Upgrade using the Percona repositories
      • Upgrade from systems that use the MyRocks or TokuDB storage engine and partitioned tables
      • Upgrade using Standalone Packages
      • Downgrade
      • Binary logs and replication improvements
      • Post-installation
      • Working with AppArmor
      • Working with SELinux
      • Extended SHOW GRANTS
      • Backup and restore overview
      • Backup locks
      • Extended mysqldump
      • Start transaction with consistent snapshot
        • Using LDAP authentication plugins
        • LDAP authentication plugin system variables
      • Data masking
      • PAM authentication plugin
      • SSL improvements
      • Server variables
      • FIDO authentication plugin
      • Encryption functions
        • Data at Rest Encryption
        • Use the keyring component or keyring plugin
          • Using the Key Management Interoperability Protocol (KMIP)
          • Use the Amazon Key Management Service (AWS KMS)
          • Encrypt File-Per-Table Tablespace
          • Encrypt schema or general tablespace
          • Encrypt system tablespace
          • Encrypt temporary files
          • Encrypt Binary Log Files and Relay Log Files
          • Encrypting the Redo Log data
          • Encrypt the undo tablespace
          • Rotate the master key
          • Advanced encryption key rotation
            • innodb_encryption_threads
            • innodb_online_encryption_rotate_key_age
            • innodb_encryption_rotation_iops
            • innodb_default_encryption_key_id
            • Use Keyring Encryption
          • Encrypt doublewrite buffers
          • Verify the encryption for tables, tablespaces, and schemas
      • Manage group replication flow control
      • Group replication system variables
      • Audit log plugin
      • Jemalloc memory allocation profiling
      • User statistics
      • Slow query log
      • Process list
      • Misc. INFORMATION_SCHEMA tables
      • Use Percona Monitoring and Management (PMM) Advisors
      • Too many connections warning
      • Handle corrupted tables
      • Thread based profiling
      • Stacktrace
      • Libcoredumper
        • The Percona XtraDB storage engine
        • Improved MEMORY storage engine
        • Improved InnoDB I/O scalability
        • Enforcing storage engine
        • Extended show engine InnoDB status
        • Show storage engines
        • Compressed columns with dictionaries
        • InnoDB full-text search improvements
        • XtraDB changed page tracking
        • XtraDB performance improvements for I/O-bound highly-concurrent workloads
        • Multiple page asynchronous I/O requests
        • Prefix index queries optimization
        • Limit the estimation of records in a Query
        • InnoDB page fragmentation counters
        • Percona MyRocks introduction
        • Percona MyRocks installation guide
        • Updated supported features
        • MyRocks limitations
        • Differences between Percona MyRocks and Facebook MyRocks
        • MyRocks Information Schema tables
        • MyRocks server variables
        • MyRocks status variables
        • Gap locks detection
        • Data loading
        • Installing and configuring Percona Server for MySQL with ZenFS support
        • TokuDB introduction
        • TokuDB installation
        • Use TokuDB
        • Fast updates with TokuDB
        • TokuDB files and file types
        • TokuDB file management
        • TokuDB background ANALYZE TABLE
        • TokuDB variables
        • TokuDB status variables
        • TokuDB fractal tree indexing
        • TokuDB troubleshooting
        • TokuDB Performance Schema integration
        • Frequently asked questions
        • Migrate and removing the TokuDB storage engine
        • Percona TokuBackup
      • List of variables introduced in Percona Server for MySQL 8.0
      • List of features available in Percona Server for MySQL releases
      • Percona Server for MySQL feature comparison
      • Understand version numbers
      • Development of Percona Server for MySQL
      • Trademark policy
      • Index of INFORMATION_SCHEMA tables
      • Frequently asked questions
      • Copyright and licensing information
      • Glossary

    • innodb_encryption_threads
    • innodb_online_encryption_rotate_key_age
    • innodb_encryption_rotation_iops
    • innodb_default_encryption_key_id
    • Use Keyring Encryption

    Advanced encryption key rotation¶

    Important

    This feature, and associated system variables, status variables, and options have been removed in Percona Server for MySQL 8.0.31-23.

    The Advanced Encryption Key Rotation feature lets you perform specific encryption and decryption tasks in real time.

    The following table explains the benefits of Advanced Encryption Key Rotation:

    Advanced Encryption Key Rotation Master Key Encryption
    Encrypts any existing tablespaces in a single operation. Advanced Encryption Key Rotation allows encryption to be applied to all or selected existing tablespaces. You can exclude tablespaces. Encrypts each existing tablespace as a separate operation.
    Encrypts tables with a key from a keyring. Encrypts tables with a key that is then stored in the encryption header of the tablespace.
    Re-encrypts each tablespace page by page when the key is rotated. Re-encrypts only the tablespace encryption header when the key is rotated.

    If you enable Advanced Encryption Key Rotation with a Master key encrypted tablespace, the tablespace is re-encrypted with the keyring key in a background process. If the Advanced Encryption Key Rotation feature is enabled, you cannot convert a tablespace to use Master key encryption. You must disable the feature before you convert the tablespace.

    This feature is in tech preview.

    You must have the SYSTEM_VARIABLES_ADMIN privilege or the SUPER privilege to set these variables.

    innodb_encryption_threads¶

    This variable is removed in Percona Server for MySQL 8.0.31-23.

    Option Description
    Command-line –innodb-encryption-threads
    Scope Global
    Dynamic Yes
    Data type Numeric
    Default 0

    This variable works in combination with the default_table_encryption variable set to ONLINE_TO_KEYRING. This variable configures the number of threads for background encryption. For the online encryption, the value must be greater than zero.

    innodb_online_encryption_rotate_key_age¶

    This variable is removed in Percona Server for MySQL 8.0.31-23.

    Option Description
    Command-line –innodb-online-encryption-rotate-key-age
    Scope Global
    Dynamic Yes
    Data type Numeric
    Default 1

    Defines the rotation for the re-encryption of a table encrypted using KEYRING. The value of this variable determines the how frequently the encrypted tables are re-encrypted.

    For example, the following values would trigger a re-encryption in the following intervals:

    • The value is 1, and the table is re-encrypted on each key rotation.

    • The value is 2, and the table is re-encrypted on every other key rotation.

    • The value is 10, and the table is re-encrypted on every tenth key rotation.

    You should select the value which best fits your operational requirements.

    innodb_encryption_rotation_iops¶

    This variable is removed in Percona Server for MySQL 8.0.31-23.

    Option Description
    Command-line –innodb-encryption-rotation-iops
    Scope Global
    Dynamic Yes
    Data type Numeric
    Default 100

    Defines the number of input/output operations per second (iops) available for use by a key rotation process.

    innodb_default_encryption_key_id¶

    This variable is removed in Percona Server for MySQL 8.0.31-23.

    Option Description
    Command-line –innodb-default-encryption-key-id
    Scope Session
    Dynamic Yes
    Data type Numeric
    Default 0

    Defines the default encryption ID used to encrypt tablespaces.

    Use Keyring Encryption¶

    This feature is removed in Percona Server for MySQL 8.0.31-23.

    Keyring management is enabled for each table, per file table, separately when you set encryption in the ENCRYPTION clause to KEYRING in the supported SQL statement.

    • CREATE TABLE … ENCRYPTION=’KEYRING’

    • ALTER TABLE … ENCRYPTION=’KEYRING’

    Note

    Running an ALTER TABLE ... ENCRYPTION='N' on a table created with ENCRYPTION='KEYRING' converts the table to the existing MySQL schema, tablespace, or table encryption state.

    Contact us

    For free technical help, visit the Percona Community Forum.

    To report bugs or submit feature requests, open a JIRA ticket.

    For paid support and managed or consulting services , contact Percona Sales.

    Last update: 2023-02-09
    Percona LLC and/or its affiliates, © 2023
    Made with Material for MkDocs

    Cookie consent

    We use cookies to recognize your repeated visits and preferences, as well as to measure the effectiveness of our documentation and whether users find what they're searching for. With your consent, you're helping us to make our documentation better. Read more about Percona Cookie Policy.