in depth percona server mysql encryption
play

In-depth Percona Server/MySQL encryption Robert Golebiowski - PowerPoint PPT Presentation

Sep 05, 2023 •303 likes •780 views

In-depth Percona Server/MySQL encryption Robert Golebiowski Percona Keyrings Keyrings General Concept Plugin installation - always successful - keyrings variables may need correction - keyring_vault_config - keyring_file_data 3

  1. In-depth Percona Server/MySQL encryption Robert Golebiowski Percona

  2. Keyrings

  3. Keyrings • General Concept • Plugin installation - always successful - keyrings variables may need correction - keyring_vault_config - keyring_file_data 3

  4. Keyrings Keyring file KEY ID KEY TYPE KEY KEY KEY OWNER LENGTH MK 1 AES 32 00101010 1 ... Key 1 AES Robert 16 100111010 ... 4

  5. Keyrings Keyring vault KEY ID KEY TYPE KEY KEY KEY OWNER LENGTH MK 1 Key 1 5

  6. Keyrings • Writes to keyring_file - backup file keyring.backup (whole content is rewritten) • Writes to keyring_vault - connection lags (only one key is send) 6

  7. Keyrings Per server separation of keyrings - why needed ? - “natural” for keyring_file - work needed for keyring_vault 7

  8. Keyrings keyring_vault’s configuration file vault_url secret_mount_point token vault_ca OPTIONAL 8

  9. Keyrings keyring_vault’s per server separation separate mount point per each server • curl -L -H "X-Vault-Token: TOKEN" – cacert VAULT_CA --data '{"type":"generic"}' --request POST VAULT_URL/v1/sys/mounts/SECRET_MOUNT_POINT separate *directory* inside mount point per each server • config for server1: secret_mount_point= <mount_point>/server1 config for server2: secret_mount_point=<mount_point>/server2 9

  10. Keyrings keys inside Vault server are base64 encoded echo NDhfSU5OT0RCS2V5LTc2NGQzODJhLTczMjQtMTFlOS1hZDhmLTljYjZkMGQ1 ZGM5OS0xMF8= | base64 -d 48_INNODBKey-764d382a-7324-11e9-ad8f-9cb6d0d5dc99-10_ 1 0

  11. Keyrings, keyring_udf Used for storing user’s secret inside keyrings. Set of UDFs: • keyring_key_generate • keyring_key_fetch • keyring_key_length_fetch • keyring_key_type_fetch • keyring_key_store • keyring_key_remove Keys do not contains server’s UUID 1 1

  12. INNODB encryption

  13. INNODB encryption Reminder: Tablespace consists of pages. What is Master Key encryption ? TABEL A ENCRYPTS KEY 1 KEYRING TABEL B ENCRYPTS MASTER KEY KEY 2 ENCRYPTS TABEL Z KEY N 1 3

  14. INNODB encryption Tablespace’s encryption header. Reside in page 0. Page 0 is never encrypted. ENCRYPTION_KEY_MAGIC (_V1,_V2,_V3) KEY ID UUID ENCRYPTED (TABLESPACE KEY, IV) CRC32 OF (TABLESPACE KEY,IV) INNODBKey-srv_uuid-master_key_id 1 4

  15. INNODB encryption • How do we know which Master Key we should fetch keyring to decrypt the table ? • How do we know if the key used is the correct one ? • How do we make sure that we are able to decrypt table when we need it? 1 5

  16. INNODB encryption Encrypted tables validation • Read page 0 • Read encryption information from page 0 • Get master key from keyring • Decrypt tablespace key and iv with master key • Make sure crc32 is correct If any failed : Mark tablespace as missing 1 6

  17. INNODB encryption What crypto are used ? • AES 256 ECB for tablespace key and iv encryption (hardcoded) • AES 256 CBC for page encryption (hardcoded) (do not confuse with block_encryption_mode variable) IV 256 bit long encryption key 128 bits 128 bits of AES ⨁ of ciphertext plaintext 1 7

  18. INNODB encryption Master Key rotation • Generate new Master Key • Go over all encrypted tables. For each table: Re-encrypt tablespace key and iv with new Master Key • Update the encryption information in tablespace header (page 0) • ENCRYPTION_KEY_MAGIC (_V1,_V2,_V3) KEY ID NEW KEY ID UUID NEW UUID ENCRYPTED (TABLESPACE KEY, IV) RE-ENCRYPTED CRC32 OF (TABLESPACE KEY,IV) RE-CALCULATED 1 8

  19. INNODB encryption Master Key rotation Why needed ?: • Improves safety • Speeds up the innodb startup in case we have restored tables from different backups 1 9

  20. INNODB encryption Core dumps Could contain sensitive information like tablespace encryption keys and Master Key option core-file • should be generated in encrypted place (core_pattern) • No mitigation for leaked tablespace keys ! 2 0

  21. System key rotation

  22. System key rotation System encryption keys can be rotated (new version of a key is generated) PS 5.7 and < 8.0.14 • percona_binlog • percona_innodb (work in progress) • percona_redo (work in progress) 5.7 and >= 8.0.14 percona_innodb (work in progress) • 2 2

  23. System key rotation Keys versioning Appends version to the key id in keyring: percona_binlog:1 (starts with version 1) SELECT rotate_system_key(“percona_binlog”); percona_binlog:2 (version 2) 2 3

  24. INNODB encryption Keyring encryption

  25. INNODB encryption, keyring encryption Tablespace keys comes directly from keyring. KEYRING ENCRYPTS KEY 1 TABEL A ENCRYPTS TABEL B KEY 2 ENCRYPTS TABEL Z KEY N 2 5

  26. INNODB encryption, keyring encryption CREATE TABLE t1 (a varchar(255)) encryption='KEYRING'; SHOW CREATE TABLE t1; Table>--Create Table t1>-CREATE TABLE `t1` ( `a` varchar(255) DEFAULT NULL ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='KEYRING' ENCRYPTION_KEY_ID=0 innodb_default_encryption_key_id = 0 [Value from session scope ] 2 6

  27. INNODB encryption, keyring encryption CREATE TABLE t1 (a varchar(255)) encryption='KEYRING' ENCRYPTION_KEY_ID=X; ALTER TABLE t1 ENCRYPTION_KEY_ID=Y; How it relates to the actual keyring key ? percona_innodb-Y:<version> percona_innodb-1:1 We can rotate these keys. But what for ? 2 7

  28. INNODB encryption Encryption threads

  29. INNODB encryption, encryption threads Background threads. Number of threads is set by variable innodb_encryption_threads Can : • encrypt/decrypt tables (inndb_encrypt_tables) • re-encrypt tables - with new version of encryption key (key rotation) innodb_encrypt_tables := ONLINE_TO_KEYRING | ONLINE_TO_KEYRING_FORCE | ONLINE_FROM_KEYRING_TO_UNENCRYPTED 2 9

  30. INNODB encryption, encryption threads SET GLOBAL innodb_encrypt_tables = ONLINE_TO_KEYRING; SET GLOBAL innodb_encryption_threads = 4; SET GLOBAL innodb_default_encryption_key_id = 0; CREATE TABLE t1 (a VARCHAR(255)); 3 0

  31. INNODB encryption, encryption threads INNODB_TABLESPACE_ENCRYPTION (selected columns): SPACE NAME ENCRYPTION_ MIN_KEY_ CURRENT_ CURRENT_ SCHEME VERSION KEY_ID KEY_VERSI ON 42949672 mysql 1 1 1 0 94 0 innodb 1 1 1 0 _syste m 4 test/t1 1 1 1 0 3 1

  32. INNODB encryption, encryption threads Re-encryption of a table with key rotation. innodb_encryption_rotate_key_age = 1 - re-encrypt all the tables every time key is rotated = 2 - re-encrypt all the tables every second time key is rotated etc = 0 -disable re-encryption SET GLOBAL rotate_system_key(“percona_innodb - 0”); 3 2

  33. INNODB encryption, encryption threads INNODB_TABLESPACE_ENCRYPTION (selected columns): SPACE NAME ENCRYPTION_ MIN_KEY_ CURRENT_ CURRENT_ SCHEME VERSION KEY_ID KEY_VERSI ON 42949672 mysql 1 2 2 0 94 0 innodb 1 2 2 0 _syste m 4 test/t1 1 2 2 0 3 3

  34. INNODB encryption, encryption threads Being more specific. CREATE TABLE t1 ENCRYPTION=’N’; - t1 stays uencrypted “forever” CREATE TABLE t1 ENCRYPTION_KEY_ID=X; - will get encrypted with key X when encryption threads get to it Of course above work also with ALTER innodb_default_encryption_key_id: - SESSION scope used by ENCRYPTION=’KEYRING” - GLOBAL scope used by encryption threads 3 4

  35. INNODB encryption, encryption threads What about tables already encrypted with Master Key ? They will get re-encrypted with keyring encryption by encryption threads. What about tables already encrypted with keyring encryption ? Nothing, they are already there in INNODB_TABLESPACE_ENCRYPTION. but ... 3 5

  36. INNODB encryption, encryption threads Decryption with encryption threads innodb_encrypt_tables=ONLINE_FROM_KEYRING_TO_UNENCRYPTED Will only decrypt tables that were encrypted by encryption threads. 3 6

  37. Binlog encryption

  38. Binlog encryption, 5.7 --encrypt_binlog --master_verify_checksum New event: Start_encryption_event. After Start_encryption_event rest of the binlog is encrypted. This event is never send over the network. The events between master and slave are not encrypted (use TLS) mysqlbinlog cannot decrypt, however there is --read-from-remote-server 3 8

  39. Binlog encryption, 5.7 binlog encryption key rotation SELECT rotate_system_key(“percona_binlog”); FLUSH BINARY LOGS; 3 9

  40. Binlog encryption, 8.0 compatibility with 5.7 Nothing to worry about. 8.0 can read 5.7 encrypted binlogs. 4 0

  41. Binlog encryption, 8.0 Upstream implementation. Follows Master key encryption rules. bin 000001 ENCRYPTS KEY 1 bin 000002 KEYRING ENCRYPTS REPLICATION KEY 2 MASTER KEY ENCRYPTS bin 000003 KEY N 4 1

  42. Binlog encryption, 8.0 Encrypted binlog header. MAGIC HEADER Replication logs encryption version Replication Encryption Key ID Encrypted file password (The key) IV for encrypting file password Padding 4 2

  43. Undo and redo log encryption

  44. Undo and redo log encryption Undo tablespace encryption: - for MK pages are encrypted/decrypted as innodb_undo_log_encrypt is ON/OFF - for encryption with encryption threads existing undo logs will get encrypted/decrypted - encryption threads can encrypt undo pages in system tablespace Redo log encryption almost the same as binary log encryption. 4 4

  45. System tablespace and double write buffers encryption

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Percona Server for MySQL 8.0 Laurynas Biveinis Percona First of All, What Is Percona Server

Percona Server for MySQL 8.0 Laurynas Biveinis Percona First of All, What Is Percona Server

Percona Server for MySQL 8.0 Laurynas Biveinis Percona First of All, What Is Percona Server for MySQL? a free, fully compatible, enhanced and open source drop-in replacement for any MySQL database 2 First of All, What Is

2.47k views • 28 slides
At Rest Encryption with MySQL &amp; Vault Tate McDaniel Charles Thompson Percona Empowered

At Rest Encryption with MySQL &amp; Vault Tate McDaniel Charles Thompson Percona Empowered

At Rest Encryption with MySQL &amp; Vault Tate McDaniel Charles Thompson Percona Empowered Welcome and Introductions Charles Thompson Empowered Senior MySQL DBA with over seven years of experience in the industry. Proficient in server

755 views • 46 slides
MySQL/Percona Server/MariaDB Server security features overview Colin Charles, Chief Evangelist,

MySQL/Percona Server/MariaDB Server security features overview Colin Charles, Chief Evangelist,

MySQL/Percona Server/MariaDB Server security features overview Colin Charles, Chief Evangelist, Percona Inc. colin.charles@percona.com / byte@bytebot.net http://bytebot.net/blog/ | @bytebot on Twitter Percona Live Santa Clara 2018, Santa Clara,

681 views • 64 slides
Enhancing MySQL Security Vinicius Grippa Percona About me Support Engineer at Percona since

Enhancing MySQL Security Vinicius Grippa Percona About me Support Engineer at Percona since

Enhancing MySQL Security Vinicius Grippa Percona About me Support Engineer at Percona since 2017 Working with MySQL for over 5 years - Started with SQL Server Working with databases for 7 years 2 Agenda OS/Cloud security

1.16k views • 78 slides
Securing your MySQL/MariaDB Server Data Colin Charles, Ronald Bradford, Hank Eskin Percona Live

Securing your MySQL/MariaDB Server Data Colin Charles, Ronald Bradford, Hank Eskin Percona Live

Securing your MySQL/MariaDB Server Data Colin Charles, Ronald Bradford, Hank Eskin Percona Live Santa Clara 2017 #PerconaLive @bytebot @RonaldBradford @HankEskin About: Colin Charles Chief Evangelist (in the CTO office), Percona Inc

643 views • 52 slides
Vinicius Grippa Percona About me Support Engineer at Percona since 2017 Working with MySQL

Vinicius Grippa Percona About me Support Engineer at Percona since 2017 Working with MySQL

Whats new in Mongo 4.0 Vinicius Grippa Percona About me Support Engineer at Percona since 2017 Working with MySQL for over 5 years - Started with SQL Server Working with databases for 7 years 2 Agenda Transactions Support

744 views • 52 slides
Deploying MySQL and MongoDB in Kubernetes Alexander Rubin Percona About me Working with

Deploying MySQL and MongoDB in Kubernetes Alexander Rubin Percona About me Working with

Deploying MySQL and MongoDB in Kubernetes Alexander Rubin Percona About me Working with MySQL for 10-15 years Started at MySQL AB, Sun Microsystems, Oracle (MySQL Consulting) Joined Percona in 2013 2 What is Kubernetes?

734 views • 60 slides
MySQL Performance Optimization and Troubleshooting with PMM Peter Zaitsev, CEO, Percona Percona

MySQL Performance Optimization and Troubleshooting with PMM Peter Zaitsev, CEO, Percona Percona

MySQL Performance Optimization and Troubleshooting with PMM Peter Zaitsev, CEO, Percona Percona Live, Santa Clara 25 April 2018 Few words about Percona Monitoring and Management (PMM) 100% Free, Open Source database troubleshooting and

1.11k views • 74 slides
Forecasting MySQL Scalability Baron Schwartz O'Reilly MySQL Conference &amp; Expo 2011

Forecasting MySQL Scalability Baron Schwartz O'Reilly MySQL Conference &amp; Expo 2011

Forecasting MySQL Scalability Baron Schwartz O'Reilly MySQL Conference &amp; Expo 2011 Consulting Support Training Development For MySQL Percona Server Replaces MySQL Faster Queries More Consistent More Measurable More

670 views • 41 slides
Online Backups with Percona Live Amsterdam - October 2016 2 / 42 Kenny Gryp @gryp MySQL

Online Backups with Percona Live Amsterdam - October 2016 2 / 42 Kenny Gryp @gryp MySQL

1 / 42 Online Backups with Percona Live Amsterdam - October 2016 2 / 42 Kenny Gryp @gryp MySQL Practice Manager 3 / 42 Agenda What is Percona XtraBackup Backup Process Restore Process Incremental Compression, Streaming, Encryption Cloud

455 views • 42 slides
Database Encryption for MongoDB Peter Schwaller Senior Director Server Engineering, Percona

Database Encryption for MongoDB Peter Schwaller Senior Director Server Engineering, Percona

Open Source Transparent Database Encryption for MongoDB Peter Schwaller Senior Director Server Engineering, Percona Agenda Why encrypt? What gets encrypted? What is supported where? How does it all work? Future of open

227 views • 11 slides
Diagnosing and Fixing MySQL Performance Problems Percona, Inc. http://www.percona.com/ 1

Diagnosing and Fixing MySQL Performance Problems Percona, Inc. http://www.percona.com/ 1

Diagnosing and Fixing MySQL Performance Problems Percona, Inc. http://www.percona.com/ 1 Monday, April 12, 2010 Table Of Contents 0. Welcome 5. Your Toolchest 1. Defining Performance 6. CPUs and Tasks 2. The Stack at 10000 Feet 7.

2.2k views • 198 slides
Learning MySQL 5.7 Jervin Real Percona Live 2017 1 / 21 Agenda 1. Background 2. New Features

Learning MySQL 5.7 Jervin Real Percona Live 2017 1 / 21 Agenda 1. Background 2. New Features

Learning MySQL 5.7 Jervin Real Percona Live 2017 1 / 21 Agenda 1. Background 2. New Features 3. Upgrading to 5.7 2 / 21 Background and Current State 3 / 21 Background and Current State In Comparison, MySQL 5.7 is: Percona Server 5.7

329 views • 21 slides
Percona MySQL About Me Qunar.com DB Director

Percona MySQL About Me Qunar.com DB Director

Percona MySQL About Me Qunar.com DB Director MySQL Inception MySQL ACMUG Oracle MySQL ACE Director What do we need to do for MySQL in

320 views • 20 slides
How a MySQL DBA see Postgresql (and why their company should worry about) Marco Tusa Percona

How a MySQL DBA see Postgresql (and why their company should worry about) Marco Tusa Percona

How a MySQL DBA see Postgresql (and why their company should worry about) Marco Tusa Percona About me Marco The Grinch Former UN, MySQL AB, Pyt hian, Percona 2 kids, 1 wife History of Religions; Ski; Snowboard; Scuba

764 views • 25 slides
Geographic Features in MySQL Tibor Korocz Percona What do I try to answer today? - Can MySQL

Geographic Features in MySQL Tibor Korocz Percona What do I try to answer today? - Can MySQL

Geographic Features in MySQL Tibor Korocz Percona What do I try to answer today? - Can MySQL 8 help us with the common usecases? - Distance Calculation. - What is near by me? - Does MySQL 8 give us better options/solutions for these

1.14k views • 52 slides
Reconsidering the Security Bound of AES-GCM-SIV Tetsu Iwata 1 and Yannick Seurin 2 1 Nagoya

Reconsidering the Security Bound of AES-GCM-SIV Tetsu Iwata 1 and Yannick Seurin 2 1 Nagoya

Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks Reconsidering the Security Bound of AES-GCM-SIV Tetsu Iwata 1 and Yannick Seurin 2 1 Nagoya University, Japan 2 ANSSI, France March 7, 2018 FSE 2018

1.11k views • 70 slides
AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang Technological University KU Leuven and iMinds DIAC 2016 AEGIS 1 AEGIS: A shield carried by Athena and Zeus DIAC 2016 AEGIS 2 Different Design

524 views • 18 slides
Q1 2020 results May 6, 2020 Q1 2020 webcast 2 Q1 2020 Results May 6th, 2020 Forenote This

Q1 2020 results May 6, 2020 Q1 2020 webcast 2 Q1 2020 Results May 6th, 2020 Forenote This

Q1 2020 results May 6, 2020 Q1 2020 webcast 2 Q1 2020 Results May 6th, 2020 Forenote This presentation may contain forward-looking information. Forward-looking statements describe expectations, plans, strategies, goals, future events or

602 views • 16 slides
Advances in Internet data flow transport ISAE-SUPAERO Macquarie University, the 22nd November

Advances in Internet data flow transport ISAE-SUPAERO Macquarie University, the 22nd November

Advances in Internet data flow transport ISAE-SUPAERO Macquarie University, the 22nd November 2018 ISAE-SUPAERO 2018 1 / 1 Toulouse complex for space and aeronautic Toulouse, south west of France 1 000 000 inhabitants and we love rugby

2.02k views • 170 slides
Better proofs for rekeying Rekeying seems less dangerous. D. J. Bernstein Expand k into F (

Better proofs for rekeying Rekeying seems less dangerous. D. J. Bernstein Expand k into F (

1 2 Better proofs for rekeying Rekeying seems less dangerous. D. J. Bernstein Expand k into F ( k ) = (AES k (0) ; : : : ; AES k (999999)). Security of AES-256 key k is Split F ( k ) into 500000 subkeys. far below 2 256 in most

881 views • 58 slides
Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers

Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers

Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers will always cheat xkcd #538 What is side channel cryptanalysis? Side Channels: whatever the designers ignored Key Plaintext Encryption Cipher

1.14k views • 112 slides
Using Linear Codes as a Fault Countermeasure for Non-Linear Operations : Application to AES and

Using Linear Codes as a Fault Countermeasure for Non-Linear Operations : Application to AES and

Using Linear Codes as a Fault Countermeasure for Non-Linear Operations : Application to AES and Formal Verification work co-funded by the PRINCE project Sabine Azzi, Bruno Barras, Maria Christofi , David Vigilant PROOFS workshop 2015, September

493 views • 45 slides
Objectives Introduction to Finite Fields AES Algorithm Sub Byte Shift row

Objectives Introduction to Finite Fields AES Algorithm Sub Byte Shift row

Modern Block Cipher Standards (AES) Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Introduction to Finite Fields AES

604 views • 31 slides

More recommend