Encrypted temporary files

Registered by Yura Sorokin on 2017-07-06

For each temporary file, an encryption key is generated locally, only kept in memory for the lifetime of the temporary file, and discarded afterwards.
Note that this is implementation is different from MariaDB in order to reduce latency which might be inflicted by going to a remote key source through the encryption plugin.
Implementation will ensure that local per-file key generation is cheap enough even in the case of high rate of temp file creation. If it is found to be too expensive, then implementation will switch to local keys that are shared between temp files and are regenerated at certain intervals.

The feature is enabled by a new non-dynamic, boolean, global encrypt-tmp-files option, ported from MariaDB.

File data must be encrypted using AES 256-bit algorithm in CBC block mode.

Blueprint information

Status:
Started
Approver:
Laurynas Biveinis
Priority:
High
Drafter:
Yura Sorokin
Direction:
Approved
Assignee:
Yura Sorokin
Definition:
Approved
Series goal:
Accepted for 5.7
Implementation:
Needs Code Review
Milestone target:
None
Started by
Yura Sorokin on 2017-07-06

Related branches

Sprints

Whiteboard

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.

Subscribers

No subscribers.