Comments on: MySQL Encryption at Rest – Part 2 (InnoDB) https://www.percona.com/blog/mysql-encryption-rest-part-2-innodb/ Fri, 01 Sep 2017 14:07:10 +0000

By: Matthew Boehm https://www.percona.com/blog/mysql-encryption-rest-part-2-innodb/#comment-10968411 Fri, 01 Sep 2017 14:07:10 +0000 https://www.percona.com/blog/?p=43117#comment-10968411 @Manuel. Yes, you will need the same keyring on all nodes. You may need to pass additional parameters to the xtrabackup_v2 SST script. I am unaware at this time if it can handle encrypted tablespaces by default.

By: Manuel https://www.percona.com/blog/mysql-encryption-rest-part-2-innodb/#comment-10968408 Thu, 31 Aug 2017 19:47:10 +0000 https://www.percona.com/blog/?p=43117#comment-10968408 I am using Galera, do I have same keyring for all nodes, the subsequent nodes are unable to join via SST?

By: utdrmac https://www.percona.com/blog/mysql-encryption-rest-part-2-innodb/#comment-10968263 Mon, 10 Jul 2017 14:57:04 +0000 https://www.percona.com/blog/?p=43117#comment-10968263 Hello @Srinivas. You can export encrypted tablespaces. Here is more info from the manual, https://dev.mysql.com/doc/refman/5.7/en/innodb-tablespace-encryption.html#innodb-tablespace-encryption-exporting

Yes, rotating the master key changes the encryption key inside the keyring.

By: Srinivas Mitta https://www.percona.com/blog/mysql-encryption-rest-part-2-innodb/#comment-10968262 Mon, 10 Jul 2017 13:02:06 +0000 https://www.percona.com/blog/?p=43117#comment-10968262 Can you please let us know how to move encrypted tables/or complete database to other servers which are using TDE.
If we change the master encrypted key (ALTER INSTANCE ROTATE INNODB MASTER KEY;) does it change the key in
keyring_file_data=/mount/mysql-keyring/keyring

By: icsomu https://www.percona.com/blog/mysql-encryption-rest-part-2-innodb/#comment-10968244 Tue, 04 Jul 2017 06:47:48 +0000 https://www.percona.com/blog/?p=43117#comment-10968244 Thanks

By: utdrmac https://www.percona.com/blog/mysql-encryption-rest-part-2-innodb/#comment-10968230 Fri, 30 Jun 2017 15:23:00 +0000 https://www.percona.com/blog/?p=43117#comment-10968230 Hello icsomu,
1. You can do both, but that doesn’t really gain you anything. If everything (tablespace, redo, binlog, etc) is already on 1 partition, you should do LUKS so that you encrypt everything at rest. If you had things split up, like binlogs on partition A, redo/undo on partition B, and tablespace on partition C, then you could do a combo of LUKS on A, and B, and use InnoDB TE for the tables.
2. The performance impact is minimal if your CPU has AES hardware acceleration. You can compile this test suite, written in assembly, to determine if your CPU supports the AES. https://github.com/kmcallister/aesni-examples

By: icsomu https://www.percona.com/blog/mysql-encryption-rest-part-2-innodb/#comment-10968226 Fri, 30 Jun 2017 05:56:45 +0000 https://www.percona.com/blog/?p=43117#comment-10968226 Nice blog.

Couple of questions:
1. Is the recommendation to use block level encryption with table space encryption (Keep in mind the downsides of using only TE)?
2. What was the performance impact between both?
