Details
- Type: New Feature
- Status: Open
- Priority: Major
- Resolution: Unresolved
Description
Specification:
1. Support cloning an InnoDB table encrypted on disk.
- ENGINE=InnoDB ENCRYPTED=YES
- innodb_encrypt_tables = ON
2. Support cloning when InnoDB redo logs are encrypted on disk.
- innodb_encrypt_log=ON
Development Note:
MySQL encryption works by keeping the tablespace key in page 0, encrypted by a master key from the active keyring plugin associated with the server. The tablespace key is never changed; it is only re-encrypted by a new master key during key rotation. During cloning it is therefore enough to decrypt the tablespace key and re-encrypt it with a new master key on the recipient.
For MariaDB the design is different: the tablespace encryption key is also generated by the keyring plugin, and the entire tablespace is re-encrypted with a new key during rotation. We need a different design here.
1. One way is to decrypt the entire data. It is expensive and may not always be desirable.
2. To perform at the same level as MySQL for replica provisioning, we might need a better solution. It should be possible to preserve the donor encryption key by encrypting it with the recipient's master key, keeping it in a file in the data directory, and holding it until the next key rotation.
It is not implemented in the prototype code main-MDEV-35248.
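The key re-wrap described for MySQL above, and proposed in option 2 for the donor key, sketched as an added example (not code from the MariaDB or MySQL source). All function names and the dictionary layout are hypothetical, and an HMAC-SHA256 keystream stands in for AES so the block runs with the standard library only.

```python
import hashlib, hmac, os

def _sub(key, label):
    # Separate encryption and MAC subkeys derived from one key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 counter keystream: a stdlib stand-in for AES (assumption, not for production).
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(_sub(key, b"enc"), nonce, plaintext)
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or corrupted data")
    return _xor_stream(_sub(key, b"enc"), nonce, ct)

def make_tablespace(master_key, rows):
    """Page 0 holds the tablespace key wrapped by the master key; data pages use the tablespace key."""
    ts_key = os.urandom(32)
    return {"page0": seal(master_key, ts_key), "pages": [seal(ts_key, r) for r in rows]}

def clone_rewrap(ts, donor_master, recipient_master):
    """Clone: copy data pages byte for byte and re-wrap only the key held in page 0."""
    ts_key = unseal(donor_master, ts["page0"])
    return {"page0": seal(recipient_master, ts_key), "pages": list(ts["pages"])}

def read_rows(ts, master_key):
    ts_key = unseal(master_key, ts["page0"])
    return [unseal(ts_key, p) for p in ts["pages"]]

def demo():
    donor_mk, recipient_mk = os.urandom(32), os.urandom(32)  # constructed sample keys
    rows = [b"row-%d" % i for i in range(4)]                 # constructed sample data
    donor = make_tablespace(donor_mk, rows)
    return rows, donor, clone_rewrap(donor, donor_mk, recipient_mk), donor_mk, recipient_mk

if __name__ == "__main__":
    rows, donor, clone, _, recipient_mk = demo()
    print(clone["pages"] == donor["pages"], read_rows(clone, recipient_mk) == rows)
```

The data pages are identical on donor and recipient and only page 0 differs, so the cost is one unwrap and one wrap regardless of table size, against decrypting every page in option 1.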
Issue Links
- is blocked by MDEV-36742 Clone: Support Remote Clone (Open)