Using TDE with different master keys for different tables

Hi! Is it possible to manage multiple master keys on the same server and explicitly specify which one should be used to encrypt the tablespace level key for a particular table?
My use case: I have different sets of tables for my clients and I want to provide them with the ability to use the “bring your own key” feature for encrypting their data.


Hello @Igor_Karymov,
MySQL does not support multiple master keys, nor does it support “bring your own key”.


Thank you for your reply. I see. But it looks like it mostly depends not on MySQL itself but on the key management implementation. For instance, MariaDB has such capabilities: Encryption Key Management - MariaDB Knowledge Base
So I am wondering how complicated it can be to implement similar functionality for Percona Server for MySQL?


Hi @Igor_Karymov , thank you very much for posting to the Percona forums!

I wanted to share several caveats from an engagement I had last year with a Percona Customer exploring the MariaDB implementation of encryption, using version 10.5.12.

  1. Changing Encryption Keys (adding, removing) requires a server restart
  2. Using the File method does not provide for any automatic key rotation, i.e. innodb_encryption_rotate_key_age is ignored
  3. CA Common Name must be different from the Server & Client Common Names
  4. ssl_crlpath MUST be blank until you are ready to revoke certificates - an empty directory will lead to ALL Client certificates failing. The first time you want to revoke a Client certificate you will need to restart MariaDB
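To make the MariaDB side of this concrete, here is an added example (not code from the thread, from Percona or from MariaDB) showing what the “one key per tenant” setup looks like with the file_key_management plugin: a keyfile holding one key id per tenant, the matching my.cnf fragment, and the CREATE TABLE statement that pins a tenant's table to its key id. The tenant names, schema names and file paths are hypothetical; the keyfile line format (`<id>;<hex key>`), the config variables, the `ENCRYPTED`/`ENCRYPTION_KEY_ID` table options and the `information_schema.INNODB_TABLESPACES_ENCRYPTION` view are the documented MariaDB ones.

```shell
#!/bin/sh
# Added example, not from the thread or from MariaDB itself.
# Assumes MariaDB with plugin_load_add = file_key_management.
# Tenant names, schema names and paths are hypothetical.

# One 256-bit key as 64 uppercase hex characters, read from /dev/urandom.
gen_key() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n' | tr 'a-f' 'A-F'
}

# write_keyfile FILE TENANT...
# Key id 1 is the default key (used when ENCRYPTION_KEY_ID is omitted),
# then one fresh key id per tenant. Prints "<id> <tenant>" for each tenant
# so the caller can record which id belongs to whom.
write_keyfile() {
    file=$1; shift
    ( umask 077 && : > "$file" )            # keyfile must not be world-readable
    printf '1;%s\n' "$(gen_key)" >> "$file"
    id=1
    for tenant in "$@"; do
        id=$((id + 1))
        printf '%s;%s\n' "$id" "$(gen_key)" >> "$file"
        printf '%s %s\n' "$id" "$tenant"
    done
}

# keyfile_valid FILE: every line must be "<id>;<64 hex>" and ids must be unique,
# otherwise the plugin refuses to load and the server will not start.
keyfile_valid() {
    [ "$(grep -Evc '^[0-9]+;[0-9A-F]{64}$' "$1")" -eq 0 ] || return 1
    [ -z "$(cut -d';' -f1 "$1" | sort | uniq -d)" ]
}

# my.cnf fragment for the plugin. With this plugin, changing or adding keys
# means editing the file and restarting, as the caveats above describe;
# innodb_encryption_rotate_key_age does not rotate keys for you.
mycnf_fragment() {
    cat <<EOF
[mariadb]
plugin_load_add = file_key_management
file_key_management_filename = $1
file_key_management_encryption_algorithm = AES_CTR
innodb_encrypt_tables = FORCE
innodb_encrypt_log = ON
innodb_encryption_threads = 4
EOF
}

# tenant_table_sql SCHEMA KEY_ID: a table whose tablespace key is wrapped
# with the tenant's own key id rather than the default id 1.
tenant_table_sql() {
    printf 'CREATE TABLE %s.orders (id BIGINT PRIMARY KEY, payload BLOB) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=%s;\n' "$1" "$2"
}

# verify_sql SCHEMA: check which key id each of the tenant's tablespaces actually uses.
verify_sql() {
    printf "SELECT NAME, CURRENT_KEY_ID, MIN_KEY_VERSION FROM information_schema.INNODB_TABLESPACES_ENCRYPTION WHERE NAME LIKE '%s/%%';\n" "$1"
}

# Stand-alone run: build a keyfile for two hypothetical tenants and print the
# config and SQL an operator would apply.
demo() {
    dir=$(mktemp -d)
    write_keyfile "$dir/keys.txt" acme globex | while read -r kid tenant; do
        tenant_table_sql "$tenant" "$kid"
        verify_sql "$tenant"
    done
    keyfile_valid "$dir/keys.txt" && echo "# keyfile $dir/keys.txt ok"
    mycnf_fragment "$dir/keys.txt"
}
demo
```

The keyfile is itself a secret: it should be root:mysql with mode 0600 or, as the MariaDB documentation describes, encrypted with `openssl enc` and referenced through `file_key_management_filekey`. Whichever you choose, the same keyfile has to be reachable by the backup tool, which is the point raised in the last reply.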

You will also want to verify that any backup tool you use can handle the multiple keys; otherwise you won’t be able to do encrypted backups and restore.
