Percona Server/MySQL encryption in depth

1) Keyrings
- General concept
- What happens when a keyring plugin is loaded
- Where keys are stored
- Troubleshooting
  - keyring initialization failed
  - handling core dumps
- keyring_vault
- How to set up keyring_vault (per-server separation on the Vault server)
- List of keys on the server (base64 encoded)
2) InnoDB Master Key encryption internals:
- Where encryption keys are stored
- Relationship between the Master Key and tablespace encryption keys
- Cooperation with the keyring
- Troubleshooting
- Keyring unloading
3) How key rotation works
4) Can tables be re-encrypted?
5) Encryption threads
- What encryption threads are
- Key rotation
6) binlog encryption:
- Start encryption event
- Master/slave communication
- Checksums
- mysqlbinlog
- Key rotation
- MySQL/PS encryption (8.0.14)


1. In-depth Percona Server/MySQL encryption. Robert Golebiowski, Percona

2. Keyrings

3. Keyrings
• General concept
• Plugin installation
  - always successful
  - keyring variables may need correction:
    - keyring_vault_config
    - keyring_file_data

4. Keyrings: keyring_file
KEY ID | KEY TYPE | KEY OWNER | KEY LENGTH | KEY
MK 1   | AES      |           | 32         | 00101010 1 ...
Key 1  | AES      | Robert    | 16         | 100111010 ...

5. Keyrings: keyring_vault
KEY ID | KEY TYPE | KEY OWNER | KEY LENGTH | KEY
MK 1   |          |           |            |
Key 1  |          |           |            |

6. Keyrings
• Writes to keyring_file: a backup file, keyring.backup, is written (the whole content is rewritten)
• Writes to keyring_vault: connection lag (only one key is sent)

7. Keyrings: per-server separation of keyrings
• Why is it needed?
• "natural" for keyring_file
• work needed for keyring_vault

8. Keyrings: keyring_vault's configuration file
vault_url
secret_mount_point
token
vault_ca (OPTIONAL)

9. Keyrings: keyring_vault's per-server separation
• A separate mount point for each server:
curl -L -H "X-Vault-Token: TOKEN" --cacert VAULT_CA --data '{"type":"generic"}' --request POST VAULT_URL/v1/sys/mounts/SECRET_MOUNT_POINT
• A separate *directory* inside the mount point for each server:
config for server1: secret_mount_point=<mount_point>/server1
config for server2: secret_mount_point=<mount_point>/server2

10. Keyrings: keys inside the Vault server are base64 encoded
echo NDhfSU5OT0RCS2V5LTc2NGQzODJhLTczMjQtMTFlOS1hZDhmLTljYjZkMGQ1ZGM5OS0xMF8= | base64 -d
48_INNODBKey-764d382a-7324-11e9-ad8f-9cb6d0d5dc99-10_
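As an added example (not code from the deck or from Percona), the following Go program decodes one such Vault entry and splits it into the key id and the key owner. The `<length>_<value>` layout is inferred from the decoded string on this slide ("48_" followed by a 48-byte key id, then "0_" for an empty owner) and is an assumption of this example, as are the names `VaultKeyName`, `DecodeVaultKeyName`, `EncodeVaultKeyName` and `ServerUUID`.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// VaultKeyName is one key entry as stored under keyring_vault's secret mount point.
type VaultKeyName struct {
	KeyID string // e.g. INNODBKey-<server uuid>-<master key id>
	Owner string // empty for server keys; set for keyring_udf user keys
}

// parseLengthPrefixed consumes "<n>_<n bytes>" and returns the value and the unconsumed rest.
// The length-prefixed layout is an assumption inferred from the slide's decoded string.
func parseLengthPrefixed(s string) (string, string, error) {
	i := strings.IndexByte(s, '_')
	if i < 0 {
		return "", "", errors.New("missing '_' length separator")
	}
	n, err := strconv.Atoi(s[:i])
	if err != nil || n < 0 || i+1+n > len(s) {
		return "", "", fmt.Errorf("bad length prefix %q", s[:i])
	}
	return s[i+1 : i+1+n], s[i+1+n:], nil
}

// DecodeVaultKeyName base64-decodes one Vault entry (whitespace from line wrapping is
// tolerated) and splits it into key id and owner.
func DecodeVaultKeyName(encoded string) (VaultKeyName, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(encoded), ""))
	if err != nil {
		return VaultKeyName{}, err
	}
	keyID, rest, err := parseLengthPrefixed(string(raw))
	if err != nil {
		return VaultKeyName{}, err
	}
	owner, rest, err := parseLengthPrefixed(rest)
	if err != nil {
		return VaultKeyName{}, err
	}
	if rest != "" {
		return VaultKeyName{}, fmt.Errorf("trailing bytes %q", rest)
	}
	return VaultKeyName{KeyID: keyID, Owner: owner}, nil
}

// EncodeVaultKeyName is the inverse: the entry name Vault would hold for a given key and owner.
func EncodeVaultKeyName(k VaultKeyName) string {
	raw := fmt.Sprintf("%d_%s%d_%s", len(k.KeyID), k.KeyID, len(k.Owner), k.Owner)
	return base64.StdEncoding.EncodeToString([]byte(raw))
}

// ServerUUID extracts the server UUID from an InnoDB Master Key id (INNODBKey-<uuid>-<id>);
// it returns "" for ids that carry no UUID, such as keyring_udf user keys.
func ServerUUID(keyID string) string {
	const prefix = "INNODBKey-"
	if !strings.HasPrefix(keyID, prefix) {
		return ""
	}
	rest := strings.TrimPrefix(keyID, prefix)
	if i := strings.LastIndexByte(rest, '-'); i == 36 { // a text UUID is 36 characters
		return rest[:i]
	}
	return ""
}

func main() {
	// The base64 string is the one shown on the slide, with its line break removed.
	k, err := DecodeVaultKeyName("NDhfSU5OT0RCS2V5LTc2NGQzODJhLTczMjQtMTFlOS1hZDhmLTljYjZkMGQ1ZGM5OS0xMF8=")
	fmt.Printf("key id=%q owner=%q server uuid=%q err=%v\n", k.KeyID, k.Owner, ServerUUID(k.KeyID), err)
}
```

For the slide's entry this yields key id `INNODBKey-764d382a-7324-11e9-ad8f-9cb6d0d5dc99-1` (48 bytes) with an empty owner, which is why the raw string ends in `-10_`: the `-1` is the master key id and `0_` is a zero-length owner.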

11. Keyrings: keyring_udf
Used for storing a user's secrets inside keyrings. Set of UDFs:
• keyring_key_generate
• keyring_key_fetch
• keyring_key_length_fetch
• keyring_key_type_fetch
• keyring_key_store
• keyring_key_remove
Keys do not contain the server's UUID.

12. INNODB encryption

13. INNODB encryption
Reminder: a tablespace consists of pages.
What is Master Key encryption?
KEYRING holds the MASTER KEY
MASTER KEY encrypts KEY 1, KEY 2, ... KEY N
KEY 1 encrypts TABLE A
KEY 2 encrypts TABLE B
...
KEY N encrypts TABLE Z

14. INNODB encryption: the tablespace's encryption header
Resides in page 0. Page 0 is never encrypted.
ENCRYPTION_KEY_MAGIC (_V1, _V2, _V3)
KEY ID
UUID
ENCRYPTED (TABLESPACE KEY, IV)
CRC32 OF (TABLESPACE KEY, IV)
Master Key id in the keyring: INNODBKey-srv_uuid-master_key_id

15. INNODB encryption
• How do we know which Master Key we should fetch from the keyring to decrypt the table?
• How do we know if the key used is the correct one?
• How do we make sure that we are able to decrypt the table when we need it?

16. INNODB encryption: encrypted tables validation
• Read page 0
• Read the encryption information from page 0
• Get the Master Key from the keyring
• Decrypt the tablespace key and IV with the Master Key
• Make sure the CRC32 is correct
If any step fails: mark the tablespace as missing.

17. INNODB encryption: what crypto is used?
• AES-256-ECB for tablespace key and IV encryption (hardcoded)
• AES-256-CBC for page encryption (hardcoded; do not confuse with the block_encryption_mode variable)
CBC per block: 128 bits of plaintext ⨁ IV → AES (256-bit-long encryption key) → 128 bits of ciphertext

18. INNODB encryption: Master Key rotation
• Generate a new Master Key
• Go over all encrypted tables. For each table:
  • Re-encrypt the tablespace key and IV with the new Master Key
  • Update the encryption information in the tablespace header (page 0)
Header after rotation:
ENCRYPTION_KEY_MAGIC (_V1, _V2, _V3)
KEY ID → NEW KEY ID
UUID → NEW UUID
ENCRYPTED (TABLESPACE KEY, IV) → RE-ENCRYPTED
CRC32 OF (TABLESPACE KEY, IV) → RE-CALCULATED
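The header layout of slide 14, the validation steps of slide 16, the hardcoded AES-256-ECB of slide 17 and the Master Key rotation of slide 18 fit together in one small model, added here as an example; it is not the server's code. It assumes a toy field layout (3-byte magic, 4-byte big-endian key id, 36-byte text UUID, 64-byte ciphertext, 4-byte CRC), takes "lCB" as a stand-in for the V2 magic value, uses CRC-32C as InnoDB's ut_crc32 does, and computes the CRC over the plaintext key and IV so that decrypting with the wrong Master Key is detectable, which is what the "make sure crc32 is correct" step relies on. `Keyring`, `FillEncryptionInfo`, `ValidateEncryptionInfo` and `RotateMasterKey` are names chosen for this example.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// Toy layout of the page-0 encryption info from slide 14; field widths and byte order are
// assumptions of this example: magic(3) | master key id(4) | server uuid(36) | ECB(key||iv)(64) | crc32(4).
const (
	keyLen  = 32    // tablespace key and IV are 32 bytes each (AES-256)
	uuidLen = 36    // server UUID in text form
	magic   = "lCB" // stands in for ENCRYPTION_KEY_MAGIC_V2 (value assumed)
	encOff  = 3 + 4 + uuidLen
	infoLen = encOff + 2*keyLen + 4
)

// InnoDB's ut_crc32 is CRC-32C (assumed here); the checksum covers the plaintext key and IV.
var crcTable = crc32.MakeTable(crc32.Castagnoli)

// Keyring stands in for keyring_file/keyring_vault: key name -> 32-byte Master Key.
type Keyring map[string][]byte

// MasterKeyName builds the keyring id from slide 14: INNODBKey-<server uuid>-<master key id>.
func MasterKeyName(uuid string, id uint32) string {
	return fmt.Sprintf("INNODBKey-%s-%d", uuid, id)
}

// ecb runs AES-256 block by block; the server hardcodes ECB for the key+IV pair (slide 17).
func ecb(mk, data []byte, encrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(mk) // a 32-byte key selects AES-256
	if err != nil || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("bad master key length or unaligned data")
	}
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += aes.BlockSize {
		if encrypt {
			block.Encrypt(out[i:i+aes.BlockSize], data[i:i+aes.BlockSize])
		} else {
			block.Decrypt(out[i:i+aes.BlockSize], data[i:i+aes.BlockSize])
		}
	}
	return out, nil
}

// FillEncryptionInfo writes the encryption info the server keeps in page 0.
func FillEncryptionInfo(kr Keyring, uuid string, mkID uint32, tsKey, iv []byte) ([]byte, error) {
	mk, ok := kr[MasterKeyName(uuid, mkID)]
	if !ok || len(uuid) != uuidLen || len(tsKey) != keyLen || len(iv) != keyLen {
		return nil, fmt.Errorf("missing %s or bad lengths", MasterKeyName(uuid, mkID))
	}
	plain := append(append([]byte{}, tsKey...), iv...)
	enc, err := ecb(mk, plain, true)
	if err != nil {
		return nil, err
	}
	info := make([]byte, infoLen)
	copy(info, magic)
	binary.BigEndian.PutUint32(info[3:], mkID)
	copy(info[7:], uuid)
	copy(info[encOff:], enc)
	binary.BigEndian.PutUint32(info[infoLen-4:], crc32.Checksum(plain, crcTable))
	return info, nil
}

// ValidateEncryptionInfo runs the checks of slide 16; any error is where the server marks the tablespace missing.
func ValidateEncryptionInfo(kr Keyring, info []byte) (tsKey, iv []byte, err error) {
	if len(info) != infoLen || string(info[:3]) != magic {
		return nil, nil, errors.New("bad encryption info: mark tablespace missing")
	}
	name := MasterKeyName(string(info[7:encOff]), binary.BigEndian.Uint32(info[3:7]))
	mk, ok := kr[name] // KEY ID + UUID say which Master Key to fetch
	if !ok {
		return nil, nil, fmt.Errorf("%s not in keyring: mark tablespace missing", name)
	}
	plain, err := ecb(mk, info[encOff:infoLen-4], false)
	if err != nil {
		return nil, nil, err
	}
	// Only the correct Master Key reproduces the stored CRC32 of the plaintext pair.
	if crc32.Checksum(plain, crcTable) != binary.BigEndian.Uint32(info[infoLen-4:]) {
		return nil, nil, errors.New("crc32 mismatch: mark tablespace missing")
	}
	return plain[:keyLen], plain[keyLen:], nil
}

// RotateMasterKey re-encrypts the pair under Master Key (newUUID, newID) and rewrites key id, uuid, ciphertext and crc (slide 18).
func RotateMasterKey(kr Keyring, info []byte, newUUID string, newID uint32) ([]byte, error) {
	tsKey, iv, err := ValidateEncryptionInfo(kr, info)
	if err != nil {
		return nil, err
	}
	return FillEncryptionInfo(kr, newUUID, newID, tsKey, iv)
}
```

Calling `RotateMasterKey` for every encrypted table with the running server's UUID and the freshly generated key id is the loop of slide 18; afterwards every header names the same Master Key, which is the startup speed-up slide 19 mentions for tables restored from different backups. Note that the tablespace key itself never changes during Master Key rotation: only its wrapping does.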

19. INNODB encryption: Master Key rotation. Why is it needed?
• Improves safety
• Speeds up InnoDB startup in case we have restored tables from different backups

20. INNODB encryption: core dumps
Could contain sensitive information like tablespace encryption keys and the Master Key
• option core-file
• should be generated in an encrypted place (core_pattern)
No mitigation for leaked tablespace keys!

21. System key rotation

22. System key rotation
System encryption keys can be rotated (a new version of the key is generated).
PS 5.7 and < 8.0.14:
• percona_binlog
• percona_innodb (work in progress)
• percona_redo (work in progress)
5.7 and >= 8.0.14:
• percona_innodb (work in progress)

23. System key rotation: keys versioning
Appends the version to the key id in the keyring:
percona_binlog:1 (starts with version 1)
SELECT rotate_system_key("percona_binlog");
percona_binlog:2 (version 2)

24. INNODB encryption: keyring encryption

25. INNODB encryption, keyring encryption
Tablespace keys come directly from the keyring.
KEYRING holds KEY 1, KEY 2, ... KEY N
KEY 1 encrypts TABLE A
KEY 2 encrypts TABLE B
...
KEY N encrypts TABLE Z

26. INNODB encryption, keyring encryption
CREATE TABLE t1 (a varchar(255)) encryption='KEYRING';
SHOW CREATE TABLE t1;
Table: t1
Create Table: CREATE TABLE `t1` (
  `a` varchar(255) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='KEYRING' ENCRYPTION_KEY_ID=0
innodb_default_encryption_key_id = 0 [value from session scope]

27. INNODB encryption, keyring encryption
CREATE TABLE t1 (a varchar(255)) encryption='KEYRING' ENCRYPTION_KEY_ID=X;
ALTER TABLE t1 ENCRYPTION_KEY_ID=Y;
How does it relate to the actual keyring key?
percona_innodb-Y:<version>
percona_innodb-1:1
We can rotate these keys. But what for?

28. INNODB encryption: encryption threads

29. INNODB encryption, encryption threads
Background threads. The number of threads is set by the variable innodb_encryption_threads.
They can:
• encrypt/decrypt tables (innodb_encrypt_tables)
• re-encrypt tables with a new version of the encryption key (key rotation)
innodb_encrypt_tables := ONLINE_TO_KEYRING | ONLINE_TO_KEYRING_FORCE | ONLINE_FROM_KEYRING_TO_UNENCRYPTED