InnoDB temporary files and temporary tables encryption

Registered by Sergei Glushchenko

InnoDB uses temporary files for the merge sort performed during online ALTER TABLE.
It also creates temporary tables for online ALTER.

When the destination table of an online ALTER operation is encrypted, the merge
file is encrypted as well. InnoDB writes and reads merge files in blocks. Each
block is encrypted with the tablespace key of the target tablespace. The key
version used to encrypt a block is prepended to that block. Since Percona
Server does not currently support key rotation, the key version is always 0.
A block is encrypted with AES-256 in CBC mode, with an IV consisting of
space_id+offset. The IV is encrypted to make it non-predictable. Since CBC
can only encrypt data in multiples of the cipher block size, the remainder of
the buffer is XOR'ed with the encrypted IV.
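The merge-file block format described above, as an added Go example (not Percona Server's code): the key version width, the byte layout of space_id+offset inside the IV, and the use of the AES-encrypted IV both as the CBC IV and as the keystream for the tail are assumptions where the text leaves them open.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

const keyVersionLen = 4 // assumption: 4-byte little-endian header; the page gives no width

// blockIV: IV = space_id+offset (byte layout assumed), AES-encrypted once so it is not predictable.
func blockIV(blk cipher.Block, spaceID uint32, offset uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint32(iv[0:4], spaceID)
	binary.LittleEndian.PutUint64(iv[4:12], offset)
	blk.Encrypt(iv, iv)
	return iv
}

// transform runs CBC (newMode picks encrypt or decrypt) over the 16-byte-aligned prefix
// of src and XORs the remaining tail with the encrypted IV. blk is an AES-256 cipher.
func transform(blk cipher.Block, spaceID uint32, offset uint64, src []byte,
	newMode func(cipher.Block, []byte) cipher.BlockMode) []byte {
	iv := blockIV(blk, spaceID, offset)
	full := len(src) / aes.BlockSize * aes.BlockSize
	dst := make([]byte, len(src))
	newMode(blk, iv).CryptBlocks(dst[:full], src[:full])
	// Tail bytes are XORed with E(IV) stream-cipher style; never reuse (key, space_id, offset) with new data.
	for i := full; i < len(src); i++ {
		dst[i] = src[i] ^ iv[i-full]
	}
	return dst
}

// encryptBlock writes: key version || CBC(aligned prefix) || tail XOR encrypted IV.
func encryptBlock(blk cipher.Block, keyVersion, spaceID uint32, offset uint64, plain []byte) []byte {
	out := make([]byte, keyVersionLen, keyVersionLen+len(plain))
	binary.LittleEndian.PutUint32(out, keyVersion)
	return append(out, transform(blk, spaceID, offset, plain, cipher.NewCBCEncrypter)...)
}

// decryptBlock reverses encryptBlock and returns the key version read from the header.
func decryptBlock(blk cipher.Block, spaceID uint32, offset uint64, enc []byte) (uint32, []byte, error) {
	if len(enc) < keyVersionLen {
		return 0, nil, errors.New("encrypted block shorter than its key version header")
	}
	body := transform(blk, spaceID, offset, enc[keyVersionLen:], cipher.NewCBCDecrypter)
	return binary.LittleEndian.Uint32(enc), body, nil
}
```

A 37-byte buffer exercises both paths: 32 bytes go through CBC and the last 5 are XORed with the encrypted IV.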

When InnoDB needs to create a temporary table for an online ALTER operation
on an encrypted table, the temporary table is encrypted as well.

Things to consider:
- only encrypt temp files when innodb-temp-tablespace-encrypt is ON

Blueprint information

Status:
Started
Approver:
None
Priority:
High
Drafter:
Sergei Glushchenko
Direction:
Approved
Assignee:
Sergei Glushchenko
Definition:
Review
Series goal:
Accepted for 5.7
Implementation:
Needs Code Review
Milestone target:
None
Started by
Laurynas Biveinis

Related branches

Sprints

Whiteboard

Work Items

Subscribers

No subscribers.