Details
Bug
Status: Stalled
Major
Resolution: Unresolved
10.6, 10.11, 11.1(EOL), 11.2, 11.4
None
Description
Temporary tablespace encryption uses the InnoDB redo log encryption key to
encrypt the temporary tablespace pages. When the encryption key is rotated,
InnoDB updates the redo log key version to the latest key version. Because the
temporary tablespace uses the redo log key information, it is possible that a
few pages are encrypted using one key version (v1) while other pages are
encrypted using a different key version (v2). The temporary tablespace
doesn't store any key version in page0. This could lead to an error while trying
to decrypt a temporary tablespace page (v1) using a different key (v2).
Test case to demonstrate the problem:
--source include/have_innodb.inc
--source include/have_debug.inc
--source include/have_sequence.inc
CREATE TEMPORARY TABLE temp(f1 INT NOT NULL, f2 INT NOT NULL)ENGINE=InnoDB;
INSERT INTO temp select seq, seq from seq_1_to_16384;
set global debug_key_management_version=10;
select @@debug_key_management_version;
set global innodb_log_checkpoint_now=1;
INSERT INTO temp select seq, seq FROM seq_1_to_65536;
select count(*) from temp;
let $restart_parameters=--debug_key_management_version=10;
--source include/restart_mysqld.inc
set global debug_key_management_version=1;
.opt file:
--innodb-encrypt-log=1
--plugin-load-add=$DEBUG_KEY_MANAGEMENT_SO
--innodb_encrypt_temporary_tables=1
--innodb_buffer_pool_size=5M
The buffer pool size is kept small so that the temporary tablespace pages are persisted.
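
The key-version mismatch described above, as a simplified model added here for illustration (it is not MariaDB code): pages are encrypted with whichever key version is latest at write time, and reading fails after rotation unless each page records the version it was written with. Assumptions: the cipher is a toy SHA-256 keystream with an HMAC tag standing in for InnoDB's real page encryption and error detection, and the keys, page contents and function names are constructed.

```python
import hashlib
import hmac

# Constructed keys per key version (hypothetical values, not from the page).
KEYS = {1: b"k" * 32, 10: b"K" * 32}

def _xor_stream(key, page_no, data):
    # Toy stream cipher: SHA-256 in counter mode, keyed by (key, page number).
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key + bytes([page_no, ctr])).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(key, ct):
    return hmac.new(key, ct, hashlib.sha256).digest()

def encrypt_page(latest, page_no, data, store_version):
    """Encrypt with the latest key; record the version only if asked to."""
    ct = _xor_stream(KEYS[latest], page_no, data)
    return {"version": latest if store_version else None,
            "ct": ct, "tag": _tag(KEYS[latest], ct)}

def decrypt_page(latest, page_no, page):
    """Use the stored key version if present, otherwise the latest one."""
    version = page["version"] if page["version"] is not None else latest
    if not hmac.compare_digest(_tag(KEYS[version], page["ct"]), page["tag"]):
        raise ValueError(f"page {page_no}: decrypt failed with key version {version}")
    return _xor_stream(KEYS[version], page_no, page["ct"])

def run(store_version):
    """Write page 1 under v1, rotate to v10, write page 2, read both back."""
    latest = 1
    pages = {1: encrypt_page(latest, 1, b"row-data-A", store_version)}
    latest = 10  # rotation, like debug_key_management_version=10 in the test
    pages[2] = encrypt_page(latest, 2, b"row-data-B", store_version)
    result = {}
    for no, page in pages.items():
        try:
            result[no] = decrypt_page(latest, no, page)
        except ValueError as exc:
            result[no] = str(exc)
    return result

if __name__ == "__main__":
    print("no version stored:", run(store_version=False))
    print("version stored:   ", run(store_version=True))
```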