Enables encryption of binlog and relay logs
A new binary log event type, Start_encryption, is defined; it stores the key version, and every subsequent event in the log is encrypted individually. The feature is enabled by the --encrypt-binlog server option.
The master stores encrypted events in its binary log. When a slave requests an event from the master, the master sends the unencrypted event to the slave over a secure communication channel (an SSL connection). When encryption is turned on on the slave, its relay logs are encrypted and, provided the binary log is enabled on the slave, its binary log is encrypted too.
The standalone mysqlbinlog tool cannot read encrypted binary logs on its own; it can read them by using the mysqld server as a proxy decryptor with --read-from-
The Percona binlog key stored in the keyring will follow this scheme: <key_version>
<key_version> is the version of the percona_binlog key. The version must be in the range <0; UINT_MAX>.
<key_data> is the 128-bit AES key.
The naming of the percona binlog key will be percona_
From the keyring's point of view, percona_binlog is a system key. Please refer to PS-3997 for more information on system keys and system key rotation. PS-3997 also adds a percona_binlog rotation function and extends the binlog encryption framework so that it can work with different percona_binlog key versions.
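As an added illustration (not code from Percona Server or this blueprint), the following Go model shows the key scheme and the rotation consequence described above: a keyring keyed by <key_version> holding 128-bit <key_data>, each event sealed on its own under the version that Start_encryption records, and decryption failing once that version is gone from the keyring. AES-GCM, the nonce||ciphertext layout and the function names are assumptions of this example; the real on-disk format is not described on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Keyring maps a percona_binlog <key_version> to its 128-bit AES <key_data>.
type Keyring map[uint32][]byte

// aeadFor resolves a key version and enforces the 128-bit key length
// (AES-GCM is an assumed mode for this example; the page names none).
func aeadFor(k Keyring, version uint32) (cipher.AEAD, error) {
	key, ok := k[version]
	if !ok {
		return nil, fmt.Errorf("percona_binlog key version %d not in keyring", version)
	}
	if len(key) != 16 {
		return nil, fmt.Errorf("percona_binlog v%d: key must be 128 bits", version)
	}
	block, _ := aes.NewCipher(key) // cannot fail once the length is checked
	return cipher.NewGCM(block)
}

// SealEvent encrypts one binlog event on its own, with a fresh nonce, under
// the key version that the log's Start_encryption event records.
func SealEvent(k Keyring, version uint32, event []byte) ([]byte, error) {
	aead, err := aeadFor(k, version)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand; a failure here would be fatal in real code
	return aead.Seal(nonce, nonce, event, nil), nil // nonce||ciphertext
}

// OpenEvent decrypts one event using the version read from Start_encryption;
// once that version is rotated out of the keyring the log is unreadable.
func OpenEvent(k Keyring, version uint32, body []byte) ([]byte, error) {
	aead, err := aeadFor(k, version)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(body) < n {
		return nil, fmt.Errorf("truncated event")
	}
	return aead.Open(nil, body[:n], body[n:], nil)
}
```

The failure case is the point of the model: a log encrypted under a version the keyring no longer holds cannot be read, so rotation has to keep older versions for as long as logs encrypted under them are retained.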
Blueprint information
- Status: Complete
- Approver: Laurynas Biveinis
- Priority: High
- Drafter: Robert Golebiowski
- Direction: Approved
- Assignee: Robert Golebiowski
- Definition: New
- Series goal: Accepted for 5.7
- Implementation: Implemented
- Milestone target: 5.7.20-19
- Started by: Laurynas Biveinis
- Completed by: Laurynas Biveinis