In-depth Percona Server/MySQL encryption Robert Golebiowski - - PowerPoint PPT Presentation

SLIDE 1

In-depth Percona Server/MySQL encryption

Robert Golebiowski Percona

SLIDE 2

Keyrings

SLIDE 3

Keyrings

  • General Concept
  • Plugin installation
    • always successful
    • keyrings variables may need correction
      • keyring_vault_config
      • keyring_file_data
SLIDE 4

Keyrings

Keyring file:

  KEY ID   KEY TYPE   KEY OWNER   KEY LENGTH   KEY
  MK 1     AES                    32           00101010 1 ...
  Key 1    AES        Robert      16           100111010 ...

SLIDE 5

Keyrings

Keyring vault:

  KEY ID   KEY TYPE   KEY OWNER   KEY LENGTH   KEY
  MK 1
  Key 1

SLIDE 6

Keyrings

  • Writes to keyring_file
    • backup file keyring.backup (whole content is rewritten)
  • Writes to keyring_vault
    • connection lags (only one key is sent)
SLIDE 7

Keyrings

Per server separation of keyrings

  • why needed ?
  • “natural” for keyring_file
  • work needed for keyring_vault
SLIDE 8

Keyrings

keyring_vault's configuration file:

  • vault_url
  • vault_ca (OPTIONAL)
  • secret_mount_point
  • token

SLIDE 9

Keyrings

keyring_vault's per server separation

  • separate mount point per each server:

    curl -L -H "X-Vault-Token: TOKEN" --cacert VAULT_CA \
         --data '{"type":"generic"}' --request POST \
         VAULT_URL/v1/sys/mounts/SECRET_MOUNT_POINT

  • separate *directory* inside mount point per each server:

    config for server1: secret_mount_point=<mount_point>/server1
    config for server2: secret_mount_point=<mount_point>/server2

SLIDE 10

Keyrings

keys inside Vault server are base64 encoded:

  echo NDhfSU5OT0RCS2V5LTc2NGQzODJhLTczMjQtMTFlOS1hZDhmLTljYjZkMGQ1ZGM5OS0xMF8= | base64 -d
  48_INNODBKey-764d382a-7324-11e9-ad8f-9cb6d0d5dc99-10_

SLIDE 11

Keyrings, keyring_udf

Used for storing user’s secret inside keyrings. Set of UDFs:

  • keyring_key_generate
  • keyring_key_fetch
  • keyring_key_length_fetch
  • keyring_key_type_fetch
  • keyring_key_store
  • keyring_key_remove

Keys do not contain the server's UUID

SLIDE 12

INNODB encryption

SLIDE 13

INNODB encryption

Reminder: a tablespace consists of pages. What is Master Key encryption?

Diagram: the MASTER KEY (kept in the KEYRING) ENCRYPTS KEY 1, KEY 2 ... KEY N; KEY 1 ENCRYPTS TABLE A, KEY 2 ENCRYPTS TABLE B, ... KEY N ENCRYPTS TABLE Z.

SLIDE 14

INNODB encryption

Tablespace's encryption header. Resides in page 0. Page 0 is never encrypted.

  • ENCRYPTION_KEY_MAGIC (_V1, _V2, _V3)
  • KEY ID
  • UUID
  • ENCRYPTED (TABLESPACE KEY, IV)
  • CRC32 OF (TABLESPACE KEY, IV)

Master key name in the keyring: INNODBKey-srv_uuid-master_key_id

SLIDE 15

INNODB encryption

  • How do we know which Master Key we should fetch from the keyring to decrypt the table?
  • How do we know if the key used is the correct one?
  • How do we make sure that we are able to decrypt the table when we need it?

SLIDE 16

INNODB encryption

Encrypted tables validation

  • Read page 0
  • Read encryption information from page 0
  • Get master key from keyring
  • Decrypt tablespace key and iv with master key
  • Make sure crc32 is correct

If any step fails: mark tablespace as missing

SLIDE 17

INNODB encryption

What crypto is used?

  • AES 256 ECB for tablespace key and iv encryption (hardcoded)
  • AES 256 CBC for page encryption (hardcoded; do not confuse with the block_encryption_mode variable)

Diagram (one CBC block): 128 bits of plaintext ⨁ IV → f, keyed with the 256 bit long encryption key → 128 bits of ciphertext.

SLIDE 18

INNODB encryption

Master Key rotation

  • Generate new Master Key
  • Go over all encrypted tables. For each table:
    • Re-encrypt tablespace key and iv with new Master Key
    • Update the encryption information in tablespace header (page 0)

Header after rotation:

  • ENCRYPTION_KEY_MAGIC (_V1, _V2, _V3)
  • KEY ID: NEW KEY ID
  • UUID: NEW UUID
  • ENCRYPTED (TABLESPACE KEY, IV): RE-ENCRYPTED
  • CRC32 OF (TABLESPACE KEY, IV): RE-CALCULATED
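The page-0 Master Key scheme of slides 14, 16 and 18 as an added Ruby example (not code from the deck or from Percona Server): it uses a constructed, simplified header layout, the INNODBKey-srv_uuid-master_key_id keyring naming from slide 14, and the uuid decoded on slide 10 as sample data.

```ruby
require 'openssl'
require 'zlib'

# Constructed model of slide 14's page-0 encryption info (not the exact on-disk InnoDB
# layout): master key id, server uuid, AES-256-ECB(key || iv) under the master key, crc32.
EncInfo = Struct.new(:key_id, :uuid, :enc_blob, :crc)

# Keyring entry name from slide 14: INNODBKey-<server uuid>-<master key id>.
def key_name(uuid, key_id)
  "INNODBKey-#{uuid}-#{key_id}"
end

# Raw AES-256-ECB, no padding: key || iv is 64 bytes, already block aligned.
def aes_ecb(master_key, data, decrypt)
  c = OpenSSL::Cipher.new('aes-256-ecb')
  decrypt ? c.decrypt : c.encrypt
  c.key = master_key # must be 32 bytes
  c.padding = 0
  c.update(data) + c.final
end

# Slide 14: write the header for a tablespace key and iv under master key key_id.
def seal(master_key, uuid, key_id, ts_key, iv)
  plain = ts_key + iv
  EncInfo.new(key_id, uuid, aes_ecb(master_key, plain, false), Zlib.crc32(plain))
end

# Slide 16 validation: fetch the named master key, decrypt, verify crc32. Any failure
# is the case in which InnoDB marks the tablespace as missing.
def open_header(keyring, h)
  name = key_name(h.uuid, h.key_id)
  mk = keyring[name] or raise "#{name} not in keyring"
  plain = aes_ecb(mk, h.enc_blob, true)
  raise 'crc32 mismatch: wrong master key' unless Zlib.crc32(plain) == h.crc
  [plain[0, 32], plain[32, 32]]
end

# Slide 18: re-encrypt the same key || iv under the new master key; new id, uuid, crc32.
def rotate(keyring, h, new_uuid, new_key_id)
  ts_key, iv = open_header(keyring, h)
  seal(keyring.fetch(key_name(new_uuid, new_key_id)), new_uuid, new_key_id, ts_key, iv)
end

# Constructed demo: uuid taken from the decoded key name on slide 10, random keys.
uuid = '764d382a-7324-11e9-ad8f-9cb6d0d5dc99'
keyring = { key_name(uuid, 1) => OpenSSL::Random.random_bytes(32),
            key_name(uuid, 2) => OpenSSL::Random.random_bytes(32) }
ts_key, iv = OpenSSL::Random.random_bytes(32), OpenSSL::Random.random_bytes(32)
h2 = rotate(keyring, seal(keyring[key_name(uuid, 1)], uuid, 1, ts_key, iv), uuid, 2)
puts open_header(keyring, h2) == [ts_key, iv] # true: same tablespace key, new master key
```

The crc32 check is what answers the second question on slide 15: a header decrypted with the wrong master key yields garbage that fails the checksum instead of silently producing an unreadable tablespace.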

SLIDE 19

INNODB encryption

Master Key rotation. Why needed?

  • Improves safety
  • Speeds up the innodb startup in case we have restored tables from different backups

SLIDE 20

INNODB encryption

Core dumps could contain sensitive information like tablespace encryption keys and the Master Key

  • core-file option
  • should be generated in an encrypted place (core_pattern)

No mitigation for leaked tablespace keys!

SLIDE 21

System key rotation

SLIDE 22

System key rotation

System encryption keys can be rotated (a new version of a key is generated).

PS 5.7 and < 8.0.14:

  • percona_binlog
  • percona_innodb (work in progress)
  • percona_redo (work in progress)

5.7 and >= 8.0.14:

  • percona_innodb (work in progress)
SLIDE 23

System key rotation

Keys versioning. Appends the version to the key id in the keyring:

  percona_binlog:1   (starts with version 1)
  SELECT rotate_system_key("percona_binlog");
  percona_binlog:2   (version 2)

SLIDE 24

INNODB encryption

Keyring encryption

SLIDE 25

INNODB encryption, keyring encryption

Tablespace keys come directly from the keyring.

Diagram: the KEYRING holds KEY 1, KEY 2 ... KEY N; KEY 1 ENCRYPTS TABLE A, KEY 2 ENCRYPTS TABLE B, ... KEY N ENCRYPTS TABLE Z.

SLIDE 26

INNODB encryption, keyring encryption

CREATE TABLE t1 (a varchar(255)) encryption='KEYRING';
SHOW CREATE TABLE t1;

Table: t1
Create Table: CREATE TABLE `t1` (
  `a` varchar(255) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='KEYRING' ENCRYPTION_KEY_ID=0

innodb_default_encryption_key_id = 0 [value from session scope]

SLIDE 27

INNODB encryption, keyring encryption

CREATE TABLE t1 (a varchar(255)) encryption='KEYRING' ENCRYPTION_KEY_ID=X;
ALTER TABLE t1 ENCRYPTION_KEY_ID=Y;

How does it relate to the actual keyring key? ENCRYPTION_KEY_ID=Y maps to percona_innodb-Y:<version>, e.g. percona_innodb-1:1

We can rotate these keys. But what for?

SLIDE 28

INNODB encryption

Encryption threads

SLIDE 29

INNODB encryption, encryption threads

Background threads. Number of threads is set by the variable innodb_encryption_threads. Can:

  • encrypt/decrypt tables (innodb_encrypt_tables)
  • re-encrypt tables with a new version of the encryption key (key rotation)

innodb_encrypt_tables := ONLINE_TO_KEYRING | ONLINE_TO_KEYRING_FORCE | ONLINE_FROM_KEYRING_TO_UNENCRYPTED

SLIDE 30

INNODB encryption, encryption threads

SET GLOBAL innodb_encrypt_tables = ONLINE_TO_KEYRING;
SET GLOBAL innodb_encryption_threads = 4;
SET GLOBAL innodb_default_encryption_key_id = 0;
CREATE TABLE t1 (a VARCHAR(255));

SLIDE 31

INNODB encryption, encryption threads

INNODB_TABLESPACE_ENCRYPTION (selected columns):

  SPACE       NAME           ENCRYPTION_SCHEME   MIN_KEY_VERSION   CURRENT_KEY_VERSION   CURRENT_KEY_ID
  4294967294  mysql          1                   1                 1                     0
  0           innodb_system  1                   1                 1                     0
  4           test/t1        1                   1                 1                     0

SLIDE 32

INNODB encryption, encryption threads

Re-encryption of a table with key rotation. innodb_encryption_rotate_key_age:

  = 1 - re-encrypt all the tables every time the key is rotated
  = 2 - re-encrypt all the tables every second time the key is rotated, etc.
  = 0 - disable re-encryption

SELECT rotate_system_key("percona_innodb-0");

SLIDE 33

INNODB encryption, encryption threads

INNODB_TABLESPACE_ENCRYPTION (selected columns), after the rotation:

  SPACE       NAME           ENCRYPTION_SCHEME   MIN_KEY_VERSION   CURRENT_KEY_VERSION   CURRENT_KEY_ID
  4294967294  mysql          1                   2                 2                     0
  0           innodb_system  1                   2                 2                     0
  4           test/t1        1                   2                 2                     0

SLIDE 34

INNODB encryption, encryption threads

Being more specific.

CREATE TABLE t1 ENCRYPTION='N'; - t1 stays unencrypted "forever"
CREATE TABLE t1 ENCRYPTION_KEY_ID=X; - will get encrypted with key X when encryption threads get to it

Of course the above also works with ALTER.

innodb_default_encryption_key_id:

  • SESSION scope used by ENCRYPTION='KEYRING'
  • GLOBAL scope used by encryption threads

SLIDE 35

INNODB encryption, encryption threads

What about tables already encrypted with Master Key? They will get re-encrypted with keyring encryption by encryption threads.

What about tables already encrypted with keyring encryption? Nothing, they are already there in INNODB_TABLESPACE_ENCRYPTION. But ...

SLIDE 36

INNODB encryption, encryption threads

Decryption with encryption threads:

  innodb_encrypt_tables=ONLINE_FROM_KEYRING_TO_UNENCRYPTED

Will only decrypt tables that were encrypted by encryption threads.

SLIDE 37

Binlog encryption

SLIDE 38

Binlog encryption, 5.7

  • --encrypt_binlog
  • --master_verify_checksum

New event: Start_encryption_event. After Start_encryption_event the rest of the binlog is encrypted. This event is never sent over the network. The events between master and slave are not encrypted (use TLS). mysqlbinlog cannot decrypt, however there is --read-from-remote-server.

SLIDE 39

Binlog encryption, 5.7

binlog encryption key rotation:

  SELECT rotate_system_key("percona_binlog");
  FLUSH BINARY LOGS;

SLIDE 40

Binlog encryption, 8.0 compatibility with 5.7

Nothing to worry about. 8.0 can read 5.7 encrypted binlogs.

SLIDE 41

Binlog encryption, 8.0

Upstream implementation. Follows Master Key encryption rules.

Diagram: the REPLICATION MASTER KEY (kept in the KEYRING) ENCRYPTS KEY 1, KEY 2 ... KEY N; KEY 1 ENCRYPTS bin 000001, KEY 2 ENCRYPTS bin 000002, KEY N ENCRYPTS bin 000003.

SLIDE 42

Binlog encryption, 8.0

Encrypted binlog header:

  • MAGIC HEADER
  • Replication logs encryption version
  • Replication Encryption Key ID
  • Encrypted file password (the key)
  • IV for encrypting file password
  • Padding

SLIDE 43

Undo and redo log encryption

SLIDE 44

Undo and redo log encryption

Undo tablespace encryption:

  • for MK, pages are encrypted/decrypted as innodb_undo_log_encrypt is ON/OFF
  • for encryption with encryption threads, existing undo logs will get encrypted/decrypted
  • encryption threads can encrypt undo pages in the system tablespace

Redo log encryption is almost the same as binary log encryption.

SLIDE 45

System tablespace and double write buffers encryption

SLIDE 46

System tablespace encryption

System tablespace encryption with MK

  • innodb_sys_tablespace_encrypt

Parallel double write buffer encryption:

  • innodb_parallel_dblwr_encrypt
SLIDE 47

Questions ?