Using TDE with different master keys for different tables

Hi! Is it possible to manage multiple master keys on the same server and explicitly specify which one should be used to encrypt the tablespace level key for a particular table?
My use case: I have different sets of tables for my clients and I want to provide them with the ability to use the “bring your own key” feature for encrypting their data.

1 Like

Hello @Igor_Karymov,
MySQL does not support multiple master keys nor does it support “bring your own key”.

1 Like

Thank you for your reply. I see. But it looks like it mostly depends not on MySQL itself but on the key management implementation. For instance, MariaDB has such capabilities: Encryption Key Management - MariaDB Knowledge Base
So I am wondering how complicated it would be to implement similar functionality in Percona Server for MySQL?

1 Like

Hi @Igor_Karymov , thank you very much for posting to the Percona forums!

I wanted to share several caveats from an engagement I had last year with a Percona Customer exploring the MariaDB implementation of encryption, using version 10.5.12.

  1. Changing Encryption Keys (adding, removing) requires a server restart
  2. Using the File method does not provide for any automatic key rotation, i.e. innodb_encryption_rotate_key_age is ignored
  3. CA Common Name must be different from the Server & Client Common Names
  4. ssl_crlpath MUST be blank until you are ready to revoke certificates - an empty directory will lead to ALL Client certificates failing. The first time you want to revoke a Client certificate you will need to restart MariaDB

1 Like

You will also want to verify that any backup tool you use can handle the multiple keys, otherwise you won’t be able to do encrypted backups and restores.

1 Like

Does it however allow the Key Management plugin to generate() / get() or pick() a Key for a new TABLESPACE?

If it does, does it allow identifying the corresponding requesting TABLESPACE from the request’s metadata?

It is not very clear from the documentation whether MySQL Key Management plugins manage only the master key or the tablespace keys as well.

Changing Encryption Keys (adding, removing) requires a server restart

Why? The documentation says it is enough to do ALTER INSTANCE ROTATE MASTER KEY. For a TABLESPACE, however, a full re-encryption is required for the key to be changed: switch to encryption=N, then to =Y, as follows from the doc.
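Added example (not from this thread, Percona or MariaDB) contrasting the two models discussed above: the first half is for a MariaDB server with the file_key_management plugin, where each table names its own key ID; the second half is for MySQL / Percona Server, where one master key wraps every tablespace key and re-keying a single table means the two-step re-encryption. Table names, file paths and key values are constructed placeholders.

```sql
-- ===== MariaDB with the file_key_management plugin: several keys, chosen per table =====
-- Server-side files (constructed placeholders, not real keys):
--   /etc/mysql/encryption/keyfile   one "<id>;<hex key>" line per key
--     1;<64 hex chars: 32-byte AES-256 default key>
--     2;<64 hex chars: client A key>
--     3;<64 hex chars: client B key>
--     4;<64 hex chars: client A replacement key>
--   my.cnf (adding or removing key lines takes effect only after a restart)
--     [mariadb]
--     plugin_load_add = file_key_management
--     file_key_management_filename = /etc/mysql/encryption/keyfile
--     file_key_management_encryption_algorithm = AES_CBC
--     innodb_encrypt_tables = ON

-- Each client's table names its own key ID; InnoDB wraps that tablespace's
-- key with key 2 or key 3, so per-client "bring your own key" is expressible.
CREATE TABLE client_a_orders (id BIGINT PRIMARY KEY, payload BLOB)
  ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=2;
CREATE TABLE client_b_orders (id BIGINT PRIMARY KEY, payload BLOB)
  ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=3;

-- Check which key ID each tablespace currently uses.
SELECT NAME, ENCRYPTION_SCHEME, CURRENT_KEY_ID
  FROM information_schema.INNODB_TABLESPACES_ENCRYPTION;

-- Re-keying one client's table: the File method does no background rotation
-- (innodb_encryption_rotate_key_age is ignored), so switch the key explicitly.
ALTER TABLE client_a_orders ENCRYPTION_KEY_ID=4;

-- ===== MySQL / Percona Server for MySQL: one master key per instance =====
-- Every tablespace key is wrapped with the same master key; there is no
-- per-table key selection, so all clients share one wrapping key.
CREATE TABLE client_a_orders (id BIGINT PRIMARY KEY, payload BLOB)
  ENGINE=InnoDB ENCRYPTION='Y';

-- Replaces the master key and re-wraps every tablespace key; the data itself
-- is not rewritten and the tablespace keys stay the same.
ALTER INSTANCE ROTATE INNODB MASTER KEY;

-- Changing a single table's tablespace key means a full decrypt/re-encrypt
-- of that table (the two-step switch mentioned in the thread).
ALTER TABLE client_a_orders ENCRYPTION='N';
ALTER TABLE client_a_orders ENCRYPTION='Y';

-- Confirm the table is encrypted again.
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
  FROM information_schema.TABLES
 WHERE TABLE_NAME = 'client_a_orders';
```

Run each half against its own server; the MariaDB statements fail on MySQL and vice versa, which is itself the point of the comparison.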