Iwo Panowicz - Percona & Bart Oles - Severalnines AB
The purpose of the talk is to present the data-at-rest encryption implementation in Percona Server for MySQL, and the differences from Oracle's MySQL and MariaDB implementations.
- How is it implemented?
- What is encrypted:
- Tablespaces?
- General tablespace?
- Double write buffer/parallel double write buffer?
- Temporary tablespaces? (KEY BLOCKS)
- Binlogs?
- Slow/general/error logs?
- MyISAM? MyRocks? X?
- Performance overhead.
- Backups?
- Transportable tablespaces. Transfer key.
- Plugins
- Keyrings in general
- Key rotation?
- General-Purpose Keyring Key-Management Functions
- Keyring_file
- Is it useful? How to make it profitable?
- Keyring Vault
- How does it work?
- How to make a transition from keyring_file
3. Copyright 2017 Severalnines AB
Free to download
Initial 30 days Enterprise trial
Converts into free Community Edition
Enterprise / paid versions available
7. Copyright 2017 Severalnines AB
● Encryption of data at rest (under development)
○ Transparent Data Encryption (TDE) for MySQL and MariaDB
○ Encryption of backups
● Encryption of data in transit (SSL)
○ Intra-cluster replication traffic
○ Client-server connections
● Role-based Access Control
○ Granular control of who can do what, from management perspective
● Audit Logs
○ Enable auditing on database nodes
● LDAP-based authentication
○ Authenticate against an LDAP v3 compliant directory server
○ Map ClusterControl roles/users onto existing user profiles/groups stored in LDAP
● DB infrastructure audit
○ Report on the number of db servers, software package versions running, whether they fulfill security requirements, whether they are backed up
Security & Compliance
8. Agenda
- How is it implemented?
- What is encrypted:
- Tablespaces?
- General tablespace?
- Parallel double write buffer?
- Temporary tablespaces?
- Binlogs?
- Slow/general/error logs?
- MyISAM? MyRocks? X?
- Performance overhead.
- Transportable tablespaces.
- Plugins
- Keyrings in general
- Key rotation?
- Keyring_file
- Is it useful? How to make it profitable?
- Keyring Vault
- How does it work?
- How to make a transition from keyring_file
9. Copyright 2018 Severalnines AB; Percona
● Data at rest
○ All `inactive` data stored on hard drives.
○ Inactive in terms of the database means all data not currently loaded into memory.
● Data in transit
○ All data transferred between clients and database instances; and
○ All replication data between MySQL instances.
● Data in use
○ All the data loaded into memory.
3 states of data
10. Copyright 2018 Severalnines AB; Percona
Three major ways to solve data-at-rest encryption in MySQL
○ Full disk encryption
○ Application level encryption
■ Data is encrypted before being inserted into a table
○ Database-level (table) encryption.
Data At Rest
11. Copyright 2018 Severalnines AB; Percona
● The current state of affairs of data-at-rest encryption in Percona Server:
○ Percona Server >= 5.7.11, InnoDB
○ 2 keyring plugins available
■ File
■ Hashicorp Vault
○ AES is the only supported algorithm
■ ECB used for tablespace key encryption
■ CBC used for data encryption
Data At Rest
12. Copyright 2018 Severalnines AB; Percona
● Keyring stored locally.
● Not intended as a regulatory compliance solution.
● Requires a secure mount point for keyrings (network-attached); not useful otherwise.
● Developed to easily enable Transparent Data At Rest Encryption without having to configure any third-party software.
Keyring file
13. Copyright 2018 Severalnines AB; Percona
● Transition to other keyring plugins is possible (and recommended).
● Sample configuration:
Keyring file
[mysqld]
…
early-plugin-load=keyring_file.so
keyring_file_data=/var/lib/mysql-keyring/keyring
16. Copyright 2018 Severalnines AB; Percona
● Encryption keys are stored inside Hashicorp Vault server.
● Requires an additional configuration file pointed to by keyring_vault_config.
● After successful initialization the plugin retrieves key signatures and stores them inside an in-memory hash map.
● MySQL instances can use the same or separate Vault instances.
● Data and keys are separated in a clean way.
Keyring Vault
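A sample configuration for the Vault keyring, added here as an example rather than taken from the deck: the my.cnf lines mirror the keyring_file sample above, and the file that keyring_vault_config points to carries the Vault connection settings (the four keys the Percona plugin reads). Every path, URL and token value is a placeholder.

```ini
# /etc/my.cnf (placeholder path)
[mysqld]
early-plugin-load=keyring_vault.so
keyring_vault_config=/var/lib/mysql-keyring/keyring_vault.conf

# /var/lib/mysql-keyring/keyring_vault.conf (placeholder path); keep it readable
# by the mysql OS user only, since the token grants access to every master key.
vault_url = https://vault.example.internal:8200
secret_mount_point = secret
token = <vault-token-placeholder>
vault_ca = /etc/mysql-keyring/vault_ca.crt
```

Each MySQL instance can point at its own secret_mount_point on a shared Vault, which is how the deck's "same or separate Vault instances" option is usually laid out.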
18. Copyright 2018 Severalnines AB; Percona
● Each individual tablespace has its own encryption key
● Each tablespace key is encrypted by the Global Master Key
● Each time a tablespace is moved a new key is generated. This is called a transfer key.
Data At Rest
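The key hierarchy on this slide, together with the AES ECB (key encryption) and CBC (data encryption) modes named on the earlier Data At Rest slide and the "Key rotation?" agenda item, worked through as an added Go example (not code from the deck or from Percona Server): a per-tablespace key is wrapped under the Global Master Key with ECB, pages are encrypted under the tablespace key with CBC, and rotating the master key only re-wraps the tablespace key. All keys and the page content are constructed placeholders; the zero IV stands in for the per-page IV real pages carry.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

func mustCipher(key []byte) cipher.Block {
	b, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err)
	}
	return b
}
// ecb applies op to each 16-byte block on its own: AES-ECB, which the deck names for
// encrypting a tablespace key under the Global Master Key held by the keyring plugin.
func ecb(op func(dst, src []byte), in []byte) []byte {
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		op(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
	}
	return out
}
func WrapKey(master, tsKey []byte) []byte   { return ecb(mustCipher(master).Encrypt, tsKey) }
func UnwrapKey(master, wrapped []byte) []byte { return ecb(mustCipher(master).Decrypt, wrapped) }
// cbcPage runs AES-CBC under the tablespace key over one page (a multiple of 16 bytes), the
// mode the deck names for data; mode is cipher.NewCBCEncrypter or cipher.NewCBCDecrypter.
func cbcPage(mode func(cipher.Block, []byte) cipher.BlockMode, tsKey, iv, in []byte) []byte {
	out := make([]byte, len(in))
	mode(mustCipher(tsKey), iv).CryptBlocks(out, in)
	return out
}
// RotateMasterKey re-wraps the tablespace key under a new master key; the encrypted pages
// on disk are untouched, which is why master key rotation does not rewrite the tablespace.
func RotateMasterKey(oldMaster, newMaster, wrapped []byte) []byte {
	return WrapKey(newMaster, UnwrapKey(oldMaster, wrapped))
}
// Demo walks the life cycle with constructed (not real) keys: does a page written before
// rotation still decrypt with the tablespace key unwrapped by the new master key?
func Demo() bool {
	master, newMaster := []byte("constructed-master-key-00000001!"), []byte("constructed-master-key-00000002!")
	tsKey, iv := []byte("constructed-tablespace-key-0001!"), make([]byte, aes.BlockSize)
	page := bytes.Repeat([]byte("row-data-16byte!"), 4) // constructed 64-byte page
	enc := cbcPage(cipher.NewCBCEncrypter, tsKey, iv, page)
	wrapped := RotateMasterKey(master, newMaster, WrapKey(master, tsKey))
	got := cbcPage(cipher.NewCBCDecrypter, UnwrapKey(newMaster, wrapped), iv, enc)
	return bytes.Equal(got, page)
}
func main() { fmt.Println("page recovered after master key rotation:", Demo()) }
```

Losing the keyring (and with it the master key) after a move or rotation leaves the wrapped tablespace keys unrecoverable, which is the failure mode a keyring backup plan has to cover.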
20. Copyright 2018 Severalnines AB; Percona
● Implemented on a low level, close to the disk layer:
○ Encryption and decryption are performed just before the IO read/write
○ Data stored in memory is not encrypted
● The performance overhead varies and depends on the workload.
● The more IO operations are needed, the higher the overhead.
● For reads, if the data is in the buffer pool, there is no performance loss.
○ Monitor innodb_buffer_pool_reads
● For writes, a page can be modified many times in the buffer pool before it is flushed.
● In general, a single-digit percentage overhead (<10%) is expected.
Data At Rest
23. Copyright 2018 Severalnines AB; Percona
● InnoDB tablespaces
● InnoDB system tablespace
● Parallel double write buffer
● Temporary tablespaces
● Temporary files
● Binlogs
● Slow/general/error logs?
● MyISAM? MyRocks?
● Data in transit security?
● Backups
What can be encrypted?
24. Copyright 2018 Severalnines AB; Percona
● innodb_sys_tablespace_encrypt
● Available since 5.7.23-23
● The feature is considered alpha quality.
● Provides an encryption for:
○ the change buffer
○ The undo logs (if they have not been configured to be stored in separate undo tablespaces)
○ Data from any tables that exist in the main tablespace (innodb_file_per_table=0)
InnoDB system tablespace
25. Copyright 2018 Severalnines AB; Percona
● Why do I need this?
● How do you turn it on?
● How does this work ?
CREATE TABLESPACE … ENCRYPTION='Y/N'
General tablespaces
26. Copyright 2018 Severalnines AB; Percona
● Why do I need this?
● How do you turn it on?
● How does it work ?
Table encryption
mysql> CREATE TABLE test ( id INT PRIMARY KEY, col1 TEXT) ENCRYPTION='Y';
27. Copyright 2018 Severalnines AB; Percona
● Why do I need this?
● How do you turn it on?
● How does this work ?
This feature is considered BETA quality.
[mysqld]
encrypt-tmp-files=ON
Temporary files
28. Copyright 2018 Severalnines AB; Percona
● encrypt-tmp-files
● Can be enabled on runtime.
● Available since 5.7.22-22
● The feature is considered beta quality.
● Encrypts:
○ filesort (for example, SELECT statements with SQL_BIG_RESULT hints),
○ binary log transactional caches,
○ Group Replication caches.
● For each temporary file, an encryption key is generated locally, only kept in memory for the lifetime of the temporary file, and discarded afterwards.
Temporary files encryption
29. Copyright 2018 Severalnines AB; Percona
● innodb_temp_tablespace_encrypt
● Available since 5.7.21-21
● The feature is considered beta quality.
● Provides an encryption for:
○ temporary tablespaces
○ does not force encryption of temporary tables that are currently open, and does not rebuild the system temporary tablespace to encrypt data that is already written
InnoDB temporary tablespace
30. Copyright 2018 Severalnines AB; Percona
● Why do I need this?
● How do you turn it on?
● How does this work ?
[mysqld]
innodb_parallel_dblwr_encrypt=1
Parallel doublewrite buffer
○ Data for an encrypted tablespace is also written only in encrypted form to the parallel doublewrite buffer
○ Unencrypted tablespace data remains in plaintext
31. Copyright 2018 Severalnines AB; Percona
● Requires a configured keyring plugin.
● The master encrypts each event before writing it out to the binary log.
● When a slave connects to the master and asks for events, the master decrypts the events from the binary log and sends them over to the slave.
● To prevent data leakage, the connection between master and slave requires a secure channel (TLS).
● The slave stores encrypted events in the relay log and decrypts them before applying them.
Binlog encryption
32. Copyright 2018 Severalnines AB; Percona
● Master:
○ Requires encrypt-binlog to encrypt binary logs
● Slave:
○ Requires encrypt-binlog to encrypt relay logs
● The connection between master and slave needs to be secure (TLS).
● The master and slave do not know whether the data on the other server is encrypted or not.
● To be sure the encrypted data was not modified/compromised, both
○ master_verify_checksum, and
○ binlog_checksum need to be turned on.
Binlog encryption
33. Copyright 2018 Severalnines AB; Percona
● Logical backup
○ mysqldump
○ mysqlpump
○ mydumper
○ basically, any logical backup
● PXB
○ Works just fine.
○ Supports both keyring_file and keyring_vault.
○ You will need >= 2.4.12 (released: June 22, 2018).
Backup
34. Copyright 2018 Severalnines AB; Percona
● Why do I need this?
● How do you turn it on?
● How does this work ?
innobackupex --encrypt=AES256 --encrypt-key="RRSFxrDFVx6UAsRb88uLVbAVWbK+FRgp" /data/backups
Backups
35. Copyright 2018 Severalnines AB; Percona
● Why do I need this?
● How do you turn it on?
● How does this work ?
Slow/general/error logs
36. Copyright 2018 Severalnines AB; Percona
● Why do I need this?
● How do you turn it on?
● How does this work ?
MyISAM / MyRocks
37. Copyright 2018 Severalnines AB; Percona
● Why do I need this?
● How do you turn it on?
● How does this work ?
Data in transit security
39. Copyright 2018 Severalnines AB; Percona
● With Tyler Duzan, Michael Coburn, and Alexander Rubin
● Share feedback
● Get to see the product roadmaps
Wednesday @ the reserved area in back of Gaia Restaurant
Join the Percona Product Managers for Lunch!