In-depth Percona Server/MySQL encryption
1) Keyrings
  - General concept
  - What happens when the keyring plugin is loaded
  - Where keys are stored
  - Troubleshooting
    - Keyring initialization failure
    - Handling core dumps
  - keyring_vault
  - How to set up keyring_vault (per-server separation on the Vault server)
  - List of keys on the server (base64 encoded)
2) InnoDB Master Key encryption internals:
  - Where encryption keys are stored
  - Relationship between the Master Key and tablespace encryption keys
  - Cooperation with the keyring
  - Troubleshooting
  - Keyring unloading
3) How key rotation works
4) Can tables be re-encrypted?
5) Encryption threads
  - What encryption threads are
  - Key rotation
6) binlog encryption:
  - Start encryption event
  - Master/slave communication
  - Checksums
  - mysqlbinlog
  - Key rotation
  - MySQL/PS encryption (8.0.14)
1. In-depth Percona Server/MySQL encryption
Robert Golebiowski, Percona

2. Keyrings

3. Keyrings
• General concept
• Plugin installation
  - always successful
  - keyring variables may need correction:
    - keyring_vault_config
    - keyring_file_data

4. Keyrings: keyring_file
  KEY ID | KEY TYPE | KEY LENGTH | KEY            | KEY OWNER
  MK 1   | AES      | 32         | 00101010 1 ... |
  Key 1  | AES      | 16         | 100111010 ...  | Robert

5. Keyrings: keyring_vault
  KEY ID | KEY TYPE | KEY LENGTH | KEY | KEY OWNER
  MK 1   |          |            |     |
  Key 1  |          |            |     |

6. Keyrings
• Writes to keyring_file
  - backup file keyring.backup (the whole content is rewritten)
• Writes to keyring_vault
  - connection lag (only one key is sent)

7. Keyrings
Per-server separation of keyrings
  - why is it needed?
  - "natural" for keyring_file
  - work needed for keyring_vault

8. Keyrings
keyring_vault's configuration file:
  vault_url
  secret_mount_point
  token
  vault_ca (OPTIONAL)

9. Keyrings
keyring_vault's per-server separation
• separate mount point for each server:
  curl -L -H "X-Vault-Token: TOKEN" --cacert VAULT_CA --data '{"type":"generic"}' --request POST VAULT_URL/v1/sys/mounts/SECRET_MOUNT_POINT
• separate *directory* inside the mount point for each server:
  config for server1: secret_mount_point=<mount_point>/server1
  config for server2: secret_mount_point=<mount_point>/server2

10. Keyrings
Keys inside the Vault server are base64 encoded:
  echo NDhfSU5OT0RCS2V5LTc2NGQzODJhLTczMjQtMTFlOS1hZDhmLTljYjZkMGQ1ZGM5OS0xMF8= | base64 -d
  48_INNODBKey-764d382a-7324-11e9-ad8f-9cb6d0d5dc99-10_

11. Keyrings, keyring_udf
Used for storing a user's secrets inside keyrings. Set of UDFs:
• keyring_key_generate
• keyring_key_fetch
• keyring_key_length_fetch
• keyring_key_type_fetch
• keyring_key_store
• keyring_key_remove
Keys do not contain the server's UUID.
12. INNODB encryption

13. INNODB encryption
Reminder: a tablespace consists of pages.
What is Master Key encryption?
(Diagram: the KEYRING holds the MASTER KEY; the MASTER KEY encrypts KEY 1, KEY 2, ..., KEY N; KEY 1 encrypts TABLE A, KEY 2 encrypts TABLE B, ..., KEY N encrypts TABLE Z)

14. INNODB encryption
The tablespace's encryption header resides in page 0. Page 0 is never encrypted.
  ENCRYPTION_KEY_MAGIC (_V1, _V2, _V3)
  KEY ID
  UUID
  ENCRYPTED (TABLESPACE KEY, IV)
  CRC32 OF (TABLESPACE KEY, IV)
Master Key name in the keyring: INNODBKey-srv_uuid-master_key_id

15. INNODB encryption
• How do we know which Master Key we should fetch from the keyring to decrypt the table?
• How do we know if the key used is the correct one?
• How do we make sure that we are able to decrypt the table when we need it?

16. INNODB encryption
Encrypted tables validation
• Read page 0
• Read the encryption information from page 0
• Get the Master Key from the keyring
• Decrypt the tablespace key and IV with the Master Key
• Make sure the CRC32 is correct
If any step fails: mark the tablespace as missing

17. INNODB encryption
What crypto is used?
• AES 256 ECB for tablespace key and IV encryption (hardcoded)
• AES 256 CBC for page encryption (hardcoded) (do not confuse with the block_encryption_mode variable)
(Diagram: 128 bits of plaintext ⨁ IV, then AES with the 256-bit-long encryption key, gives 128 bits of ciphertext)

18. INNODB encryption
Master Key rotation
• Generate a new Master Key
• Go over all encrypted tables. For each table:
  • Re-encrypt the tablespace key and IV with the new Master Key
  • Update the encryption information in the tablespace header (page 0)
  Field in page 0                        After rotation
  ENCRYPTION_KEY_MAGIC (_V1, _V2, _V3)
  KEY ID                                 NEW KEY ID
  UUID                                   NEW UUID
  ENCRYPTED (TABLESPACE KEY, IV)         RE-ENCRYPTED
  CRC32 OF (TABLESPACE KEY, IV)          RE-CALCULATED

19. INNODB encryption
Master Key rotation: why is it needed?
• Improves safety
• Speeds up InnoDB startup in case we have restored tables from different backups
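The page-0 validation of slide 16 and the Master Key rotation of slide 18, as an added Go example that is not Percona's code: it models the slide-14 encryption info with a constructed byte layout (offsets and magic bytes are assumptions), uses an in-memory map in place of the keyring, encrypts the tablespace key and IV with AES-256-ECB as slide 17 states, and checks a CRC32 over the plaintext key and IV; the master key name INNODBKey-<uuid>-<id> follows the slides. The `validate` function returns an error exactly where the server would mark the tablespace as missing, and `rotate` shows that a rotated header stays readable after the old Master Key is gone.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// Constructed page-0 layout modelled on slide 14 (offsets are ours, not InnoDB's): magic[0:8] |
// master key id[8:12] | server uuid[12:48] | AES-256-ECB(tablespace key || iv)[48:112] | crc32 of plaintext key+iv[112:116]
const magic = "ENCMAGIC"          // placeholder: the real ENCRYPTION_KEY_MAGIC bytes are not on the page
var keyring = map[string][]byte{} // constructed in-memory keyring: key id -> 32-byte master key
func masterKeyID(uuid string, id uint32) string { return fmt.Sprintf("INNODBKey-%s-%d", uuid, id) }
func u32(v uint32) []byte { b := make([]byte, 4); binary.BigEndian.PutUint32(b, v); return b }
// ecb encrypts or decrypts each 16-byte block independently (AES-256-ECB, slide 17).
func ecb(mk, in []byte, encrypt bool) []byte {
	c, _ := aes.NewCipher(mk) // mk is always a 32-byte constructed key here, so no error
	out := make([]byte, len(in))
	for i := 0; i+16 <= len(in); i += 16 {
		if encrypt { c.Encrypt(out[i:i+16], in[i:i+16]) } else { c.Decrypt(out[i:i+16], in[i:i+16]) }
	}
	return out
}
// writeHeader builds the encryption info for tsKey/iv under master key id (already in keyring).
func writeHeader(uuid string, id uint32, tsKey, iv []byte) []byte {
	plain := append(append([]byte{}, tsKey...), iv...)
	h := append(append([]byte(magic), u32(id)...), uuid...)
	h = append(h, ecb(keyring[masterKeyID(uuid, id)], plain, true)...)
	return append(h, u32(crc32.ChecksumIEEE(plain))...)
}
// validate runs the slide-16 checks; any error means the server marks the tablespace as missing.
func validate(h []byte) (tsKey, iv []byte, err error) {
	if len(h) != 116 || string(h[:8]) != magic { return nil, nil, errors.New("bad magic or length") }
	id, uuid := binary.BigEndian.Uint32(h[8:12]), string(h[12:48])
	mk, ok := keyring[masterKeyID(uuid, id)]
	if !ok { return nil, nil, errors.New("master key not in keyring: " + masterKeyID(uuid, id)) }
	plain := ecb(mk, h[48:112], false)
	if crc32.ChecksumIEEE(plain) != binary.BigEndian.Uint32(h[112:116]) { return nil, nil, errors.New("crc32 mismatch: wrong master key") }
	return plain[:32], plain[32:], nil
}
// rotate is slide 18: decrypt under the old master key, re-encrypt under newID, rewrite page 0.
func rotate(h []byte, newID uint32) ([]byte, error) {
	tsKey, iv, err := validate(h)
	if err != nil { return nil, err }
	nk := make([]byte, 32); nk[0] = byte(newID) // constructed new master key (a real one is random)
	keyring[masterKeyID(string(h[12:48]), newID)] = nk
	return writeHeader(string(h[12:48]), newID, tsKey, iv), nil
}
```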
20. INNODB encryption
Core dumps
Could contain sensitive information such as tablespace encryption keys and the Master Key
• option core-file
• should be generated in an encrypted location (core_pattern)
No mitigation for leaked tablespace keys!

21. System key rotation

22. System key rotation
System encryption keys can be rotated (a new version of the key is generated)
PS 5.7 and < 8.0.14:
• percona_binlog
• percona_innodb (work in progress)
• percona_redo (work in progress)
5.7 and >= 8.0.14:
• percona_innodb (work in progress)

23. System key rotation
Keys versioning
Appends the version to the key id in the keyring:
  percona_binlog:1 (starts with version 1)
  SELECT rotate_system_key('percona_binlog');
  percona_binlog:2 (version 2)

24. INNODB encryption: Keyring encryption

25. INNODB encryption, keyring encryption
Tablespace keys come directly from the keyring.
(Diagram: the KEYRING holds KEY 1, KEY 2, ..., KEY N; KEY 1 encrypts TABLE A, KEY 2 encrypts TABLE B, ..., KEY N encrypts TABLE Z)

26. INNODB encryption, keyring encryption
  CREATE TABLE t1 (a varchar(255)) encryption='KEYRING';
  SHOW CREATE TABLE t1;
  Table: t1
  Create Table: CREATE TABLE `t1` (
    `a` varchar(255) DEFAULT NULL
  ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='KEYRING' ENCRYPTION_KEY_ID=0
innodb_default_encryption_key_id = 0 [value from session scope]

27. INNODB encryption, keyring encryption
  CREATE TABLE t1 (a varchar(255)) encryption='KEYRING' ENCRYPTION_KEY_ID=X;
  ALTER TABLE t1 ENCRYPTION_KEY_ID=Y;
How does it relate to the actual keyring key?
  percona_innodb-Y:<version>, e.g. percona_innodb-1:1
We can rotate these keys. But what for?

28. INNODB encryption: Encryption threads

29. INNODB encryption, encryption threads
Background threads. The number of threads is set by the variable innodb_encryption_threads.
They can:
• encrypt/decrypt tables (innodb_encrypt_tables)
• re-encrypt tables with a new version of the encryption key (key rotation)
innodb_encrypt_tables := ONLINE_TO_KEYRING | ONLINE_TO_KEYRING_FORCE | ONLINE_FROM_KEYRING_TO_UNENCRYPTED