Table and tablespace encryption on MariaDB 10.1.3

Note that this post is now outdated. See Table and tablespace encryption on MariaDB 10.1

Introduction

For the moment, the only engines that fully support encryption are XtraDB and InnoDB. The Aria storage engine also supports encryption, but only for temporary tables.

MariaDB supports 2 different way to encrypt data in InnoDB/XtraDB:

  1. Specified table encryption: Only tables which you create with PAGE_ENCRYPTION=1 are encrypted. This feature was created by eperi.
  2. Tablespace encryption: Everything is encrypted (including log files). This feature was created by Google and is based on their MySQL branch.

InnoDB Specified Table Encryption

Specified Table encryption means that you choose which tables to encrypt. This allows you to balance security with speed. To use table encryption, you have to:

  • Set the value of encryption-algorithm to the algorithm of your choice.
  • Load the file-key-management-plugin (or similar)
  • Define the location of key file
  • Create keys

Example:

# Table level encryption configuration
plugin-load-add=file_key_management_plugin.so
file-key-management-plugin
file-key-management-plugin-filename=/mnt/dfs/keys.txt
encryption-algorithm=aes_ctr

Keys can be generated using OpenSSL with following command

shell>openssl enc -aes-256-ctr -k mypass -P -md sha1
salt=BFA606C6079DAD33
key=3DB1F43A606DA6ADF4AEB25B44A5E5FE2126EDEACF5AF8DF7B982D8143191936
iv =21C4592A16C870DD47B162F8959E562F

The key file is a text file containing an key id, the hex-encoded iv and the hex-encoded key. Example keys.txt using above generated key:

1;21C4592A16C870DD47B162F8959E562F;3DB1F43A606DA6ADF4AEB25B44A5E5FE2126EDEACF5AF8DF7B982D8143191936

After this is it up to database designer to select tables that contain sensitive data for encryption. Encryption can be enabled to table in table creation time or using ALTER TABLE. As an example:

CREATE TABLE customer(CUSTOMER_ID BIGINT NOT NULL PRIMARY KEY, CUSTOMER_NAME VARCHAR(80), CUSTOMER_CREDITCARD VARCHAR(20)) ENGINE=InnoDB page_encryption=1 page_encryption_key=1;
ALTER TABLE sales page_encryption=1 page_encryption_key=1;

In table encryption currently keys can’t be changed but used key can be changed using ALTER TABLE. If no key identifier is provided a default key is used. Default key can be set either on my.cnf with

innodb_default_page_encryption_key=4

or dynamically using global setting:

set global innodb_default_page_encryption_key=4;

Default key is used e.g.

create table t1(a int not null primary key) engine=innodb page_encryption=1;

InnoDB Tablespace Encryption

In tablespace encryption all InnoDB tables are encrypted. Additionally, you may encrypt InnoDB log files, Aria tables (ROW_FORMAT=PAGE) and Aria temporary tables. To use tablespace encryption, you have to:

  •  Set the value of encryption-algorithm to the algorithm of your choice.
  • Load the example-key-management-plugin (or similar)

Example:

# Tablespace encryption configuration
encryption-algorithm=aes_ctr
innodb-encrypt-tables
plugin-load-add=example_key_management_plugin.so
example_key_management_plugin
# encrypt Aria tables
aria
aria-encrypt-tables
# encrypt tmp tables
encrypt-tmp-disk-tables
# encrypt InnoDB log files
innodb-encrypt-log
# key rotation
innodb-encryption-threads=4
innodb-encryption-rotate-key-age=1800

In tablespace encryption keys are not static. Instead so called key rotation is used. In key rotation used encryption key is changed if key used on a page is older than innodb-encryption-rotate-key-age seconds.

InnoDB Tablespace Scrubbing

Scrubbing means that there is a background process that regularly scans through all tables and upgrades the encryption keys for the pages. This happens either as part of purge (non compressed) or scrubbing by scanning whole tablespaces (added into key rotation threads). Purge is a a type of garbage collection that InnoDB internally runs to improve performance. Configuration for this feature might look as follows:

# InnoDB Tablespace scrubbing 
innodb-immediate_scrub_data_uncompressed
innodb-background-scrub-data-uncompressed
innodb-background-scrub-data-compressed
# check if spaces needs scrubbing every 500 seconds
innodb_background_scrub_data_check_interval=500
# scrub spaces that were last scrubbed longer than 1800 seconds
innodb_background_scrub_data_interval=1800

Performance Impact

Encrypting the tables or tablespaces naturally have some effect on overall performance of the system. Naturally, the amount of performance effect encryption has is dependent on used hardware, workload and used encryption method. Goal of this section is to give some indication how much effect on performance there is when table encryption is used or when tablespace encryption is used when compared to setup where no encryption is used.

All experiments where conducted on Intel Xeon E5-2690 @ 2.9GHz CPU containing 2 sockets with 8 cores each using hyper threading, thus 32 total cores and Linux 3.4.12 with 132G main memory. The database is stored on a Fusion-io ioDrive2 Duo 2.41TB Firmware v7.2.5, rev 110646, Driver 3.3.4 build 5833069. The database filesystem is using NVMFS and all test logs and outputs are stored on second ioDrive using EXT4. We use On-Line Transaction Processing (OLTP) benchmark from Percona https://code.launchpad.net/~percona-dev/perconatools/tpcc-mysql. This TPC-C like workload involves a mix of five concurrent transaction types executed on-line or queued for deferred execution. The database is comprised of nine tables with a wide range of record and population sizes. Results are measured in terms of transactions per minute (tpmC). We will use 1000 warehouses producing ~100G database and buffer pool size 50G, so that full database does not fit to buffer pool. Additionally, we will use only InnoDB plugin as a storage engine. Finally, we use 3 hour measure time.

In the first graph we compare the resulting tpmC results on normal InnoDB tables (unencrypted tables), page encrypted tables, using passive key rotation and scrubbing (setting both intervals bigger than test time) and tablespace encryption (google full encrypted on graph).

encryption_tpcc2

Conclusions

MariaDB Corporation would like to thank eperi and Google for their contributions to MariaDB.