
Advanced encryption key rotation

Important

This feature, and associated system variables, status variables, and options have been removed in Percona Server for MySQL 8.0.31-23.

The Advanced Encryption Key Rotation feature lets you perform specific encryption and decryption tasks in real time.

The following table explains the benefits of Advanced Encryption Key Rotation:

Advanced Encryption Key Rotation | Master Key Encryption
-------------------------------- | ---------------------
Encrypts any existing tablespaces in a single operation. Advanced Encryption Key Rotation allows encryption to be applied to all or selected existing tablespaces. You can exclude tablespaces. | Encrypts each existing tablespace as a separate operation.
Encrypts tables with a key from a keyring. | Encrypts tables with a key that is then stored in the encryption header of the tablespace.
Re-encrypts each tablespace page by page when the key is rotated. | Re-encrypts only the tablespace encryption header when the key is rotated.

If you enable Advanced Encryption Key Rotation with a Master key encrypted tablespace, the tablespace is re-encrypted with the keyring key in a background process. If the Advanced Encryption Key Rotation feature is enabled, you cannot convert a tablespace to use Master key encryption. You must disable the feature before you convert the tablespace.

This feature is in tech preview.

You must have the SYSTEM_VARIABLES_ADMIN privilege or the SUPER privilege to set these variables.

innodb_encryption_threads

This variable is removed in Percona Server for MySQL 8.0.31-23.

Option Description
Command-line --innodb-encryption-threads
Scope Global
Dynamic Yes
Data type Numeric
Default 0

This variable works in combination with the default_table_encryption variable set to ONLINE_TO_KEYRING. It configures the number of background encryption threads. For online encryption, the value must be greater than zero; with the default of 0, no background encryption takes place.

innodb_online_encryption_rotate_key_age

This variable is removed in Percona Server for MySQL 8.0.31-23.

Option Description
Command-line --innodb-online-encryption-rotate-key-age
Scope Global
Dynamic Yes
Data type Numeric
Default 1

Defines the rotation interval for the re-encryption of a table encrypted using KEYRING. The value of this variable determines how frequently the encrypted tables are re-encrypted.

For example, the following values trigger re-encryption at these intervals:

  • 1: the table is re-encrypted on each key rotation.

  • 2: the table is re-encrypted on every other key rotation.

  • 10: the table is re-encrypted on every tenth key rotation.

You should select the value which best fits your operational requirements.

innodb_encryption_rotation_iops

This variable is removed in Percona Server for MySQL 8.0.31-23.

Option Description
Command-line --innodb-encryption-rotation-iops
Scope Global
Dynamic Yes
Data type Numeric
Default 100

Defines the number of input/output operations per second (iops) available for use by a key rotation process.

innodb_default_encryption_key_id

This variable is removed in Percona Server for MySQL 8.0.31-23.

Option Description
Command-line --innodb-default-encryption-key-id
Scope Session
Dynamic Yes
Data type Numeric
Default 0

Defines the default encryption key ID used to encrypt tablespaces.

Use Keyring Encryption

This feature is removed in Percona Server for MySQL 8.0.31-23.

Keyring encryption is enabled separately for each table (each file-per-table tablespace) when you set the ENCRYPTION clause to KEYRING in one of the supported SQL statements:

  • CREATE TABLE … ENCRYPTION='KEYRING'

  • ALTER TABLE … ENCRYPTION='KEYRING'

Note

Running an ALTER TABLE ... ENCRYPTION='N' on a table created with ENCRYPTION='KEYRING' converts the table to the existing MySQL schema, tablespace, or table encryption state.
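The following session ties the variables above to the SQL statements, as an added example that is not part of the Percona documentation. It assumes a Percona Server for MySQL release before 8.0.31-23 (where these variables still exist), a keyring component already loaded, a database named `test` with an existing `customers` table, and that setting `default_table_encryption` back to `OFF` with zero encryption threads is what "disabling the feature" means before converting a table back to Master Key encryption.

```sql
-- Added example: enabling online keyring encryption and key rotation.
-- Requires the SYSTEM_VARIABLES_ADMIN or SUPER privilege.

-- With the default innodb_encryption_threads = 0 no background encryption
-- thread runs, so ONLINE_TO_KEYRING alone would never make progress.
SET GLOBAL default_table_encryption = 'ONLINE_TO_KEYRING';
SET GLOBAL innodb_encryption_threads = 4;   -- must be > 0 for online encryption

-- Re-encrypt tables on every key rotation (1 is the default). A larger value
-- means pages keep an older key for longer in exchange for less rotation I/O.
SET GLOBAL innodb_online_encryption_rotate_key_age = 1;

-- Cap the I/O budget of the rotation process so page-by-page re-encryption
-- does not starve production traffic (default 100 iops).
SET GLOBAL innodb_encryption_rotation_iops = 200;

-- Session-scoped default key ID for newly encrypted tablespaces.
SET SESSION innodb_default_encryption_key_id = 1;

-- Create a keyring-encrypted table and convert an existing one.
CREATE TABLE test.audit_log (
  id         BIGINT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
  actor      VARCHAR(64)  NOT NULL,
  action     VARCHAR(128) NOT NULL,
  created_at TIMESTAMP    DEFAULT CURRENT_TIMESTAMP
) ENCRYPTION='KEYRING';

ALTER TABLE test.customers ENCRYPTION='KEYRING';

-- Verify the settings took effect.
SHOW GLOBAL VARIABLES LIKE 'innodb_encryption%';
SHOW GLOBAL VARIABLES LIKE 'innodb_online_encryption%';

-- Check the encryption flag of the tablespaces. The table and ENCRYPTION
-- column are standard MySQL 8.0; the exact value reported for keyring
-- encryption is an assumption here, so compare against a known table.
SELECT NAME, ENCRYPTION
  FROM INFORMATION_SCHEMA.INNODB_TABLESPACES
 WHERE NAME IN ('test/audit_log', 'test/customers');

-- Converting back to Master Key encryption only works once the feature is
-- disabled (assumed here to mean no online default and no encryption threads).
SET GLOBAL default_table_encryption = 'OFF';
SET GLOBAL innodb_encryption_threads = 0;
ALTER TABLE test.customers ENCRYPTION='Y';
```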



Last update: 2023-09-27