Encrypted temporary files
For each temporary file, an encryption key is generated locally, only kept in memory for the lifetime of the temporary file, and discarded afterwards.
Note that this is implementation is different from MariaDB in order to reduce latency which might be inflicted by going to a remote key source through the encryption plugin.
Implementation will ensure that local per-file key generation is cheap enough even in the case of high rate of temp file creation. If it is found to be too expensive, then implementation will switch to local keys that are shared between temp files and are regenerated at certain intervals.
The feature is enabled by a new non-dynamic, boolean, global encrypt-tmp-files option, ported from MariaDB.
File data must be encrypted using AES 256-bit algorithm in CBC block mode.
Blueprint information
- Status:
- Started
- Approver:
- None
- Priority:
- High
- Drafter:
- Yura Sorokin
- Direction:
- Approved
- Assignee:
- Yura Sorokin
- Definition:
- Approved
- Series goal:
- Accepted for 5.7
- Implementation:
-
Needs Code Review
- Milestone target:
- None
- Started by
- Yura Sorokin
- Completed by
