GCache encryption and Write-Set cache encryption¶
These features are tech preview. Before using these features in production, we recommend that you test restoring production from physical backups in your environment, and also use the alternative backup method for redundancy.
GCache and Write-Set cache encryption¶
Enabling this feature encrypts the Galera GCache and Write-Set cache files with a File Key.
GCache has a RingBuffer on-disk file to manage write-sets. The keyring only stores the Master Key which is used to encrypt the File Key used by the RingBuffer file. The encrypted File Key is stored in the RingBuffer’s preamble. The RingBuffer file of GCache is non-volatile, which means this file survives a restart. The File Key is not stored for GCache off-pages and Write-Set cache files.
See also
For more information, see Understanding GCache and Record-set Cache, and the Percona Database Performance Blog: All you need to know about GCache
Sample preamble key-value pairs
Version: 2
GID: 3afaa71d-6665-11ed-98de-2aba4aabc65e
synced: 0
enc_version: 1
enc_encrypted: 1
enc_mk_id: 3
enc_mk_const_id: 3ad045a2-6665-11ed-a49d-cb7b9d88753f
enc_mk_uuid: 3ad04c8e-6665-11ed-a947-c7e346da147f
enc_fk_id: S4hRiibUje4v5GSQ7a+uuS6NBBX9+230nsPHeAXH43k=
enc_crc: 279433530
Key descriptions¶
The following table describes the encryption keys defined in the preamble. All other keys in the preamble are not related to encryption.
| Key | Description |
|---|---|
enc_version |
The encryption version |
enc_encrypted |
If the GCache is encrypted or not |
enc_mk_id |
A part of the Master Key ID. Rotating the Master Key increments the sequence number. |
enc_mk_const_id |
A part of the Master Key ID, a constant Universally unique identifier (UUID). This option remains constant for the duration of the galera.gcache file and simplifies matching the Masater Key inside the keyring to the instance that generated the keys. Deleting the galera.gcache changes the value of this key. |
enc_mk_uuid |
The first Master Key or if Galera detects that the preamble is inconsistent, which causes a full GCache reset and a new Master Key is required, generates this UUID. |
enc_fk_id |
The File Key ID encrypted with the Master Key. |
enc_crc |
The cyclic redundancy check (CRC) calculated from all encryption-related keys. |
Controlling encryption¶
Encryption is controlled using the wsrep_provider_options.
| Variable name | Default value | Allowed values |
|---|---|---|
gcache.encryption |
off | on/off |
gcache.encryption_cache_page_size |
32KB | 2-512 |
gcache.encryption_cache_size |
16MB | 2 - 512 |
allocator.disk_pages_encryption |
off | on/off |
allocator.encryption_cache_page_size |
32KB | |
allocator.encryption_cache_size |
16MB |
Rotate the GCache Master Key¶
GCache and Write-Set cache encryption uses either a keyring plugin or a keyring component. This plugin or component must be loaded.
Store the keyring file outside the data directory when using a keyring plugin or a keyring component.
mysql> ALTER INSTANCE ROTATE GCACHE MASTER KEY;
Variable descriptions¶
GCache encryption¶
The following sections describe the variables related to GCache encryption. All variables are read-only.
gcache.encryption¶
Enable or disable GCache cache encryption.
gcache.encryption_cache_page_size¶
The size of the GCache encryption page. The value must be multiple of the CPU page size (typically 4kB). If the value is not, the server reports an error and stops.
gcache.encryption_cache_size¶
Every encrypted file has an encryption.cache, which consists of pages. Use gcache.encryption_cache_size to configure the encryption.cache size.
Configure the page size in the cache with gcache.encryption_cache_page_size.
The maximum size for the encryption.cache is 512 pages. This value is a hint. If the value is larger than the maximum, the value is rounded down to 512 x gcache.encryption_cache_page_size.
The minimum size for the encryption.cache is 2 pages. If the value is smaller, the value is rounded up.
Write-Set cache encryption¶
The following sections describe the variables related to Write-Set cache encryption. All variables are read-only.
allocator.disk_pages_encryption¶
Enable or disable the Write-Set cache encryption.
allocator.encryption_cache_page_size¶
The size of the encryption cache for Write-Set pages. The value must be multiple of the CPU page size (typically 4kB). If the value is not, the server reports an error and stops.
allocator.encryption_cache_size¶
Every Write-Set encrypted file has an encryption.cache, which consists of pages. Use allocator.encryption_cache_size to configure the size of the encryption.cache.
Configure the page size in the cache with allocator.encryption_cache_page_size.
The maximum size for the encryption.cache is 512 pages. This value is a hint. If the value is larger than the maximum, the value is rounded down to 512 x gcache.encryption_cache_page_size.
The minimum size for the encryption.cache is 2 pages. If the value is smaller, the value is rounded up.