Advanced MySql Data-at-Rest Encryption in Percona Server

Percona Live
November 2018
Advanced MySQL Data at Rest
Encryption in Percona Server
Bartłomiej Oleś, Iwo Panowicz
Severalnines Percona
Presenters

Free to download
Initial 30 days Enterprise trial
Converts into free Community Edition
Enterprise / paid versions available

Automation & Management
Deployment (Free Community)
● Deploy a Cluster in Minutes
○ On-Prem
○ Cloud (AWS/Azure/Google) - paid
Monitoring (Free Community)
● Systems View with 1 sec Resolution
● DB / OS stats & Performance Advisors
● Configurable Dashboards
● Query Analyzer
● Real-time / historical
Management (Paid Features)
● Backup Management
● Upgrades & Patching
● Security & Compliance
● Operational Reports
● Automatic Recovery & Repair
● Performance Management
● Automatic Performance Advisors

Supported Databases

Our Customers

Copyright 2017 Severalnines ABCopyright 2017 Severalnines AB
● Encryption of data at rest (under development)
○ Transparent Data Encryption (TDE) for MySQL and MariaDB
○ Encryption of backups
● Encryption of data in transit (SSL)
○ Intra-cluster replication traffic
○ Client-server connections
● Role-based Access Control
○ Granular control of who can do what, from management perspective
● Audit Logs
○ Enable auditing on database nodes
● LDAP-based authentication
○ Authenticate against an LDAP v3 compliant directory server
○ Map ClusterControl roles/users onto existing user profiles/groups stored in LDAP
● DB infrastructure audit
○ Report on the number of db servers, software package versions running, whether they fulfill security
requirements, whether they are backed up
Security & Compliance

Agenda
- How it is implemented?
- What is encrypted:
- Tablespaces?
- General tablespace?
- Parallel double write buffer?
- Temporary tablespaces?
- Binlogs?
- Slow/general/error logs?
- MyISAM? MyRocks? X?
- Performance overhead.
- Transportable tablespaces.
- Plugins
- Keyrings in general
- Key rotation?
- Keyring_file
- Is useful? How to make it profitable?
- Keyring Vault
- How does it work?
- How to make a transition from
keyring_file

Copyright 2018 Severalnines AB; Percona
● Data at rest
○ All `inactive` data stored on hard drives.
○ Inactive in terms of the database means all data not currently loaded
into memory.
● Data in transit
○ All data transferred between clients and database instances; and
○ All replication data between MySQL instances.
● Data in use
○ All the data loaded into a memory.
3 states of data

Three major ways to solve data-at-rest encryption in MySQL
○ Full disk encryption
○ Application level encryption
■ Data is encrypted before being inserted into a table
○ Database-level (table) encryption.
Data At Rest

● The current state of affairs of data-at-rest encryption in Percona Server:
○ Percona Server >= 5.7.11, InnoDB
○ 2 keyring plugins available
■ File
■ Hashicorp Vault
○ AES is the only supported algorithm
■ EBC used for tablespace key encryption
■ CBC used for data encryption
Data At Rest

● Keyring stored locally.
● Not intended as a regulatory compliance solution.
● Requires secure mount point for keyrings (network-attached); not useful
otherwise.
● Developed to easily enable Transparent Data At Rest Encryption without having
to configure any third-party software.
Keyring file

● Transition to other keyring plugins is possible (and recommended).
● Sample configuration:
● A
● A
● A
Keyring file
[mysqld]
…
early-plugin-load=keyring_file.so
keyring_file_data=/var/lib/mysql-keyring/keyring

Data-At-Rest
# strings users.ibd
infimum
supremum(
user010password
user020password
user030password
user040password
user050password
user060497fe4d674fe37194a6fcb08913e596ef6a307f
# strings strings users_encrypted.ibd
135b28c7-cacd-11e8-bf7b-e4a471aeae61
ZIdGq!
'sRi
{O%3
[!YX
f+<o
`*;$V!Y
'|]5
`2 6
NTy
Rg$O
qFo5

Data-At-Rest
# hd test.frm
00002150 |...id....col1...|
00002160 |.......@........|
00002170 |................|
00002180 |.id.col1..|
# hd test.ibd
0000fe30 |kL....9....Q.^A,|
0000fe40 |.?kGs....-TD.vh.|
0000fe50 |...+...V%...&"q.|
0000fe60 |.....d.f.....*."|

● Encryption keys are stored inside Hashicorp Vault server.
● Requires additional configuration file pointed to by
Keyring_vault_config.
● After successful initialization the plugin retrieves key signatures and stores them
inside an in-memory hash map.
● MySQL instances can use the same or separate Vault instances.
● Data and keys are separated in a clean way.
Keyring Vault

● Sample configuration:
● A
● A
● A
Keyring Vault
[mysqld]
…
early-plugin-load=”keyring_vault=keyring_vault.so”
keyring_vault_config="/etc/mysql/conf.d/vault.conf"
# cat /etc/mysql/conf.d/vault.conf
vault_url = https://vault-endpoint.internal:8200
secret_mount_point = secret
token = 7M0jQ15gtpYNe4jtZHJkfr5V

● Each individual tablespace has its own encryption key
● Each tablespace key is encrypted by the Global Master Key
● Each time a tablespace is moved a new key is generated. This is called
a transfer key.
Data At Rest

Data At Rest

● Implemented on a low-level, close to the disk layer:
○ Encryption and decryption are performed just before IO read/write
○ data stored in memory are not encrypted
● the performance overhead varies and depends on the workload.
● The more IO operation needed, the higher the overhead.
● For reads, if data is in the buffer pool, there’s no performance loss.
○ Monitor innodb_buffer_pool_reads
● For writes, a page could be modified many times in the buffer and then get
flushed.
● In general, a single percentage point (<10%) is expected.
Data At Rest

● Implementation details
○ https://bit.ly/2AFHJSo
○ os0file.cc:
$ grep ^Encryption os0file.cc
Encryption::to_string(Type type)
Encryption::create_master_key(byte** master_key)
Encryption::get_master_key(ulint master_key_id,
Encryption::get_master_key(ulint* master_key_id,
Encryption::is_encrypted_page(const byte* page)
Encryption::encrypt(
Encryption::decrypt(
Data At Rest

● InnoDB tablespaces
● InnoDB system tablespace
● Parallel double write buffer
● Temporary tablespaces
● Temporary files
● Binlogs
● Slow/general/error logs?
● MyISAM? MyRocks?
● Data in transit security?
● Backups
What can be encrypted?

● innodb_sys_tablespace_encrypt
● Available since 5.7.23-23
● The feature is considered alpha quality.
● Provides an encryption for:
○ the change buffer
○ The undo logs (if they have not been configured to be stored in separate
undo tablespaces)
○ Data from any tables that exist in main tablespace
(innodb_file_per_table=0)
InnoDB system tablespace

● Why do I need this?
● How do you turn it on?
● How does this work ?
CREATE TABLESPACE …. ENCRYPTION='Y/N'
General tablespaces

● How does it work ?
Table encryption
mysql> CREATE TABLE test ( id INT PRIMARY KEY, col1 TEXT) ENCRYPTION=’Y’;

This feature is considered BETA quality.
[mysqld]
encrypt-tmp-files=ON
Temporary files

● encrypt-tmp-files
● Can be enabled on runtime.
● The feature is considered beta quality.
● Encrypts:
○ filesort (for example, SELECT statements with SQL_BIG_RESULT hints),
○ binary log transactional caches,
○ Group Replication caches.
● For each temporary file, an encryption key is generated locally, only kept in
memory for the lifetime of the temporary file, and discarded afterwards.
Temporary files encryption

● innodb_temp_tablespace_encrypt
● The feature is considered beta quality.
● Provides an encryption for:
○ temporary tablespaces
○ does not force encryption of temporary tables which are currently opened,
and it doesn’t rebuild system temporary tablespace to encrypt data which
are already written
InnoDB temporary tablespace

[mysqld]
innodb_parallel_dblwr_encrypt=1
Parallel doublewrite buffer
○ data for an encrypted tablespace is also only written in an encrypted form in
the parallel doublewrite buffer
○ unencrypted tablespace data remains in plaintext

● Requires MySQL configured keyring plugins.
● Master server encrypts each event before writing it out to the binary log.
● When a slave connects to the master and asks for events, the master decrypts
the events from a binary logs and sends them over to slave.
● To prevent data leakage connections between master and slave require secure
channel (TLS).
● The slave stores encrypted events in the relay log, and decrypts them before
applying.
Binlog encryption

● Master:
○ Requires encrypt-binlog to encrypt binary logs
● Slave
○ Requires encrypt-binlog to encrypt relay logs
● The connection between master and slave needs to be secure (TLS).
● The master and slave don’t know if the data on the other server are encrypted,
or not.
● To be sure encrypted data wasn’t modified/compromised both
○ master_verify_checksum, and
○ binlog_checksum need to be turned on.
Binlog encryption

● Logical backup
○ mysqldump
○ mysqlpump
○ mydumper
○ basically, any logical backup
● PXB
○ Works just fine.
○ Supports both keyring_file and keyring_vault.
○ You will need >= 2.4.12 (released: June 22, 2018).
Backup

innobackupex --encrypt=AES256 --encrypt-
key="RRSFxrDFVx6UAsRb88uLVbAVWbK+FRgp" /data/backups
Backups

Slow/general/error logs

Why do I need this?
How do you turn it on?
How does this work ?
MyISAM MyRocks

Data in transit security

[mysqld]
early-plugin-load=keyring_file.so
keyring_file_data=/u01/keyring_file.key
innodb_sys_tablespace_encrypt=ON
innodb_temp_tablespace_encrypt=ON
innodb_parallel_dblwr_encrypt=ON
innodb_encrypt_online_alter_logs=ON
innodb_encrypt_online_alter_logs=FORCE
encrypt_binlog=ON
encrypt_tmp_files=ON
Maximum encryption

● With Tyler Duzan, Michael Coburn, and Alexander Rubin
● Share feedback
● Get to see the product roadmaps
Wednesday @ the reserved area in back of Gaia Restaurant
Join the Percona Product Managers for Lunch!

Q & A

Advanced MySql Data-at-Rest Encryption in Percona Server

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Advanced MySql Data-at-Rest Encryption in Percona Server

Similar to Advanced MySql Data-at-Rest Encryption in Percona Server (20)

More from Severalnines

More from Severalnines (20)

Recently uploaded

Recently uploaded (20)

Advanced MySql Data-at-Rest Encryption in Percona Server