InnoDB temporary files and temporary tables encryption
InnoDB uses temporary files for the merge sort performed during online
ALTER TABLE. It also creates temporary tables for online ALTER.
When the destination table of an online ALTER operation is encrypted, the
merge file is encrypted as well. InnoDB writes and reads merge files in
blocks. Each block is encrypted with the tablespace key of the target
tablespace. The key version used to encrypt a block is prepended to that
block. Since Percona Server does not currently support key rotation, the
key version is always 0. Each block is encrypted with AES256 in CBC mode
with an IV consisting of space_id+offset. The IV is encrypted to make it
unpredictable. Since CBC can only encrypt data in multiples of the block
size, the remainder of the buffer is XOR'ed with the encrypted IV.
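The block format described above, as an added Go sketch that is not Percona Server code. The function names, the 4-byte key version width, the big-endian space_id || offset IV layout and the encryption of the IV as a single AES block under the same key are assumptions, since the blueprint does not specify them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const verLen = 4 // assumed width of the prepended key version field

// crypt runs CBC over the whole AES blocks of in and XORs the remainder with
// the encrypted IV. newMode picks the direction (CBC encrypter or decrypter).
func crypt(blk cipher.Block, in []byte, spaceID, offset uint64,
	newMode func(cipher.Block, []byte) cipher.BlockMode) []byte {
	iv := make([]byte, aes.BlockSize) // assumed IV layout: space_id || offset
	binary.BigEndian.PutUint64(iv[:8], spaceID)
	binary.BigEndian.PutUint64(iv[8:], offset)
	blk.Encrypt(iv, iv) // assumed: IV encrypted as one AES block with the same key
	out := make([]byte, len(in))
	full := len(in) - len(in)%aes.BlockSize
	newMode(blk, iv).CryptBlocks(out[:full], in[:full])
	for i := full; i < len(in); i++ { // remainder shorter than one block
		out[i] = in[i] ^ iv[i-full]
	}
	return out
}

// EncryptBlock prepends key version 0 (no key rotation) to the ciphertext.
func EncryptBlock(blk cipher.Block, plain []byte, spaceID, offset uint64) []byte {
	return append(make([]byte, verLen), crypt(blk, plain, spaceID, offset, cipher.NewCBCEncrypter)...)
}

// DecryptBlock rejects any key version other than 0 before decrypting.
func DecryptBlock(blk cipher.Block, block []byte, spaceID, offset uint64) ([]byte, error) {
	if len(block) < verLen || binary.BigEndian.Uint32(block) != 0 {
		return nil, errors.New("unsupported key version")
	}
	return crypt(blk, block[verLen:], spaceID, offset, cipher.NewCBCDecrypter), nil
}

func main() {
	blk, _ := aes.NewCipher(make([]byte, 32)) // constructed all-zero AES-256 key
	ct := EncryptBlock(blk, []byte("constructed 37-byte merge-sort record"), 7, 4096)
	pt, err := DecryptBlock(blk, ct, 7, 4096)
	fmt.Printf("%x\n%q %v\n", ct, pt, err)
}
```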
When InnoDB needs to create a temporary table for an online ALTER
operation on an encrypted table, the temporary table is encrypted as well.
Things to consider:
- only encrypt temp files when `innodb-
Blueprint information
- Status: Started
- Approver: None
- Priority: High
- Drafter: Sergei Glushchenko
- Direction: Approved
- Assignee: Sergei Glushchenko
- Definition: Review
- Series goal: Accepted for 5.7
- Implementation: Needs Code Review
- Milestone target: None
- Started by: Laurynas Biveinis
- Completed by