
In-depth Percona Server/MySQL encryption Robert Golebiowski - PowerPoint PPT Presentation



  1. In-depth Percona Server/MySQL encryption Robert Golebiowski Percona

  2. Keyrings

  3. Keyrings
     • General concept
     • Plugin installation is always successful; the keyring variables may need correction:
       - keyring_vault_config
       - keyring_file_data

  4. Keyrings: keyring file
     KEY ID  KEY TYPE  KEY OWNER  KEY LENGTH  KEY
     MK 1    AES                  32          001010101...
     Key 1   AES       Robert     16          100111010...

  5. Keyrings: keyring vault
     Same columns as the keyring file (KEY ID, KEY TYPE, KEY OWNER, KEY LENGTH, KEY), with the rows MK 1 and Key 1.

  6. Keyrings
     • Writes to keyring_file: a backup file keyring.backup is written (the whole content is rewritten)
     • Writes to keyring_vault: the connection lags (only one key is sent at a time)

  7. Keyrings: per-server separation of keyrings
     - Why is it needed?
     - "natural" for keyring_file
     - work needed for keyring_vault

  8. Keyrings: keyring_vault's configuration file
     - vault_url
     - secret_mount_point
     - token
     - vault_ca (OPTIONAL)

  9. Keyrings: keyring_vault's per-server separation
     Option 1: a separate mount point for each server
       curl -L -H "X-Vault-Token: TOKEN" --cacert VAULT_CA --data '{"type":"generic"}' --request POST VAULT_URL/v1/sys/mounts/SECRET_MOUNT_POINT
     Option 2: a separate *directory* inside the mount point for each server
       config for server1: secret_mount_point=<mount_point>/server1
       config for server2: secret_mount_point=<mount_point>/server2

  10. Keyrings: keys inside the Vault server are base64 encoded
      echo NDhfSU5OT0RCS2V5LTc2NGQzODJhLTczMjQtMTFlOS1hZDhmLTljYjZkMGQ1ZGM5OS0xMF8= | base64 -d
      48_INNODBKey-764d382a-7324-11e9-ad8f-9cb6d0d5dc99-10_

  11. Keyrings: keyring_udf
      Used for storing a user's secrets inside keyrings. Set of UDFs:
      • keyring_key_generate
      • keyring_key_fetch
      • keyring_key_length_fetch
      • keyring_key_type_fetch
      • keyring_key_store
      • keyring_key_remove
      These keys do not contain the server's UUID.

  12. INNODB encryption

  13. INNODB encryption
      Reminder: a tablespace consists of pages.
      What is Master Key encryption? Diagram: the MASTER KEY, stored in the KEYRING, encrypts the tablespace keys KEY 1, KEY 2, ..., KEY N, and each tablespace key encrypts its table (TABLE A, TABLE B, ..., TABLE Z).

  14. INNODB encryption: tablespace encryption header
      Resides in page 0. Page 0 is never encrypted. Fields:
      - ENCRYPTION_KEY_MAGIC (_V1, _V2, _V3)
      - KEY ID
      - UUID
      - ENCRYPTED (TABLESPACE KEY, IV)
      - CRC32 OF (TABLESPACE KEY, IV)
      KEY ID and UUID give the name of the Master Key in the keyring: INNODBKey-srv_uuid-master_key_id

  15. INNODB encryption
      • How do we know which Master Key we should fetch from the keyring to decrypt the table?
      • How do we know if the key used is the correct one?
      • How do we make sure that we are able to decrypt the table when we need it?

  16. INNODB encryption: encrypted tables validation
      • Read page 0
      • Read the encryption information from page 0
      • Get the Master Key from the keyring
      • Decrypt the tablespace key and IV with the Master Key
      • Make sure the CRC32 is correct
      If any step fails: mark the tablespace as missing.

  17. INNODB encryption: what crypto is used?
      • AES-256-ECB for tablespace key and IV encryption (hardcoded)
      • AES-256-CBC for page encryption (hardcoded; do not confuse with the block_encryption_mode variable)
      Diagram: 128 bits of plaintext ⨁ IV, then AES with the 256-bit encryption key, gives 128 bits of ciphertext.

  18. INNODB encryption: Master Key rotation
      • Generate a new Master Key
      • Go over all encrypted tables; for each table re-encrypt the tablespace key and IV with the new Master Key
      • Update the encryption information in the tablespace header (page 0):
        - ENCRYPTION_KEY_MAGIC (_V1, _V2, _V3)
        - KEY ID becomes NEW KEY ID
        - UUID becomes NEW UUID
        - ENCRYPTED (TABLESPACE KEY, IV) is RE-ENCRYPTED
        - CRC32 OF (TABLESPACE KEY, IV) is RE-CALCULATED
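Slides 14, 16, 17 and 18 describe the page-0 encryption header, how it is validated, the hardcoded AES-256-ECB used for the tablespace key and IV, and Master Key rotation. The Go program below is an added example rather than Percona's code: it builds such a header against a map standing in for the keyring, validates it by the slide's steps, and shows the CRC32 catching a wrong Master Key. The field widths, the magic value and the IEEE CRC32 polynomial are assumptions, so it is a model of the layout, not a parser for real .ibd files.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

// Page-0 header as on the slide (widths and magic are assumptions): magic(3) | master key id (be32) | server uuid(36) | AES-256-ECB(tablespace key(32)||iv(32)) | crc32 of plaintext key||iv (be32)
const magic, hdrLen = "MK2", 3 + 4 + 36 + 64 + 4
// ecb applies raw AES-256 blocks with no padding (the hardcoded mode for key+iv on the slide).
func ecb(key, in []byte, encrypt bool) []byte {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // master keys in this example are always 32 bytes
	}
	op := map[bool]func(dst, src []byte){false: b.Decrypt, true: b.Encrypt}[encrypt]
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += 16 {
		op(out[i:], in[i:])
	}
	return out
}
// BuildHeader writes page 0's encryption info; Master Key rotation is this call again with the new key id and key.
func BuildHeader(keyID uint32, uuid string, masterKey, tsKey, iv []byte) []byte {
	plain := append(append([]byte{}, tsKey...), iv...) // 32-byte tablespace key || 32-byte iv
	h := make([]byte, hdrLen)
	copy(h, magic)
	binary.BigEndian.PutUint32(h[3:], keyID)
	copy(h[7:], uuid) // uuid must be 36 bytes
	copy(h[43:], ecb(masterKey, plain, true))
	binary.BigEndian.PutUint32(h[hdrLen-4:], crc32.ChecksumIEEE(plain))
	return h
}
// ValidateHeader follows the slide's steps; the keyring map stands in for the plugin and is looked up by INNODBKey-<srv_uuid>-<master_key_id>. Any failure is why InnoDB marks the tablespace as missing.
func ValidateHeader(h []byte, keyring map[string][]byte) (tsKey, iv []byte, err error) {
	if len(h) != hdrLen || string(h[:3]) != magic {
		return nil, nil, fmt.Errorf("bad magic or header length")
	}
	mk := keyring[fmt.Sprintf("INNODBKey-%s-%d", h[7:43], binary.BigEndian.Uint32(h[3:]))]
	if mk == nil {
		return nil, nil, fmt.Errorf("master key not in keyring")
	}
	plain := ecb(mk, h[43:hdrLen-4], false)
	if crc32.ChecksumIEEE(plain) != binary.BigEndian.Uint32(h[hdrLen-4:]) {
		return nil, nil, fmt.Errorf("crc32 mismatch: wrong master key for this tablespace")
	}
	return plain[:32], plain[32:], nil
}
```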

  19. INNODB encryption: Master Key rotation, why is it needed?
      • Improves safety
      • Speeds up InnoDB startup in case we have restored tables from different backups

  20. INNODB encryption: core dumps
      Could contain sensitive information like tablespace encryption keys and the Master Key.
      Option core-file:
      • core dumps should be generated in an encrypted place (core_pattern)
      • No mitigation for leaked tablespace keys!

  21. System key rotation

  22. System key rotation
      System encryption keys can be rotated (a new version of the key is generated).
      PS 5.7 and < 8.0.14:
      • percona_binlog
      • percona_innodb (work in progress)
      • percona_redo (work in progress)
      5.7 and >= 8.0.14:
      • percona_innodb (work in progress)

  23. System key rotation: key versioning
      Appends the version to the key id in the keyring:
      percona_binlog:1 (starts with version 1)
      SELECT rotate_system_key('percona_binlog');
      percona_binlog:2 (version 2)

  24. INNODB encryption: keyring encryption

  25. INNODB encryption, keyring encryption
      Tablespace keys come directly from the keyring. Diagram: the KEYRING holds KEY 1, KEY 2, ..., KEY N, and each key directly encrypts its table (TABLE A, TABLE B, ..., TABLE Z).

  26. INNODB encryption, keyring encryption
      CREATE TABLE t1 (a varchar(255)) encryption='KEYRING';
      SHOW CREATE TABLE t1;
      Table: t1
      Create Table: CREATE TABLE `t1` (
        `a` varchar(255) DEFAULT NULL
      ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='KEYRING' ENCRYPTION_KEY_ID=0
      innodb_default_encryption_key_id = 0 [value from session scope]

  27. INNODB encryption, keyring encryption
      CREATE TABLE t1 (a varchar(255)) encryption='KEYRING' ENCRYPTION_KEY_ID=X;
      ALTER TABLE t1 ENCRYPTION_KEY_ID=Y;
      How does it relate to the actual keyring key? percona_innodb-Y:<version>, for example percona_innodb-1:1
      We can rotate these keys. But what for?

  28. INNODB encryption: encryption threads

  29. INNODB encryption, encryption threads
      Background threads; the number of threads is set by the variable innodb_encryption_threads. They can:
      • encrypt/decrypt tables (innodb_encrypt_tables)
      • re-encrypt tables with a new version of the encryption key (key rotation)
      innodb_encrypt_tables := ONLINE_TO_KEYRING | ONLINE_TO_KEYRING_FORCE | ONLINE_FROM_KEYRING_TO_UNENCRYPTED

  30. INNODB encryption, encryption threads
      SET GLOBAL innodb_encrypt_tables = ONLINE_TO_KEYRING;
      SET GLOBAL innodb_encryption_threads = 4;
      SET GLOBAL innodb_default_encryption_key_id = 0;
      CREATE TABLE t1 (a VARCHAR(255));

  31. INNODB encryption, encryption threads
      INNODB_TABLESPACE_ENCRYPTION (selected columns):
      SPACE       NAME           ENCRYPTION_SCHEME  MIN_KEY_VERSION  CURRENT_KEY_VERSION  CURRENT_KEY_ID
      4294967294  mysql          1                  1                1                    0
      0           innodb_system  1                  1                1                    0
      4           test/t1        1                  1                1                    0

  32. INNODB encryption, encryption threads: re-encryption of a table with key rotation
      innodb_encryption_rotate_key_age:
      = 1: re-encrypt all the tables every time the key is rotated
      = 2: re-encrypt all the tables every second time the key is rotated, etc.
      = 0: disable re-encryption
      SELECT rotate_system_key('percona_innodb-0');

  33. INNODB encryption, encryption threads
      INNODB_TABLESPACE_ENCRYPTION (selected columns), after the rotation:
      SPACE       NAME           ENCRYPTION_SCHEME  MIN_KEY_VERSION  CURRENT_KEY_VERSION  CURRENT_KEY_ID
      4294967294  mysql          1                  2                2                    0
      0           innodb_system  1                  2                2                    0
      4           test/t1        1                  2                2                    0

  34. INNODB encryption, encryption threads: being more specific
      CREATE TABLE t1 ENCRYPTION='N'; - t1 stays unencrypted "forever"
      CREATE TABLE t1 ENCRYPTION_KEY_ID=X; - will get encrypted with key X when the encryption threads get to it
      Of course, the above also works with ALTER.
      innodb_default_encryption_key_id:
      - SESSION scope: used by ENCRYPTION='KEYRING'
      - GLOBAL scope: used by the encryption threads

  35. INNODB encryption, encryption threads
      What about tables already encrypted with the Master Key? They will get re-encrypted with keyring encryption by the encryption threads.
      What about tables already encrypted with keyring encryption? Nothing; they are already there in INNODB_TABLESPACE_ENCRYPTION. But ...

  36. INNODB encryption, encryption threads: decryption with encryption threads
      innodb_encrypt_tables=ONLINE_FROM_KEYRING_TO_UNENCRYPTED
      Will only decrypt tables that were encrypted by the encryption threads.

  37. Binlog encryption

  38. Binlog encryption, 5.7
      --encrypt_binlog, --master_verify_checksum
      New event: Start_encryption_event. After the Start_encryption_event the rest of the binlog is encrypted. This event is never sent over the network.
      The events between master and slave are not encrypted (use TLS).
      mysqlbinlog cannot decrypt; however, there is --read-from-remote-server.

  39. Binlog encryption, 5.7: binlog encryption key rotation
      SELECT rotate_system_key('percona_binlog');
      FLUSH BINARY LOGS;

  40. Binlog encryption, 8.0: compatibility with 5.7
      Nothing to worry about. 8.0 can read 5.7 encrypted binlogs.

  41. Binlog encryption, 8.0
      Upstream implementation. Follows the Master Key encryption rules. Diagram: the MASTER KEY, stored in the KEYRING, encrypts REPLICATION KEY 1, KEY 2, ..., KEY N, and each replication key encrypts a binlog file (bin.000001, bin.000002, bin.000003).

  42. Binlog encryption, 8.0: encrypted binlog header
      - MAGIC HEADER
      - Replication logs encryption version
      - Replication Encryption Key ID
      - Encrypted file password (the key)
      - IV for encrypting the file password
      - Padding

  43. Undo and redo log encryption

  44. Undo and redo log encryption
      Undo tablespace encryption:
      - for MK, pages are encrypted/decrypted as innodb_undo_log_encrypt is ON/OFF
      - for encryption with encryption threads, existing undo logs will get encrypted/decrypted
      - encryption threads can encrypt undo pages in the system tablespace
      Redo log encryption is almost the same as binary log encryption.

  45. System tablespace and double write buffers encryption
