Managing storage and performance efficiently in your MySQL database is crucial, and general tablespaces offer flexibility in achieving this. This blog discusses general tablespaces and explores their functionalities, benefits, and practical usage, along with illustrative examples.

What are MySQL general tablespaces?

In contrast to the single system tablespace that holds system tables by default, general tablespaces are […]
MySQL has InnoDB data encryption, and Galera Cluster has supported it since it appeared in the main server. The one thing that was not covered was the encryption of the Galera Cache (the galera.cache file).

Here is a simple extract from the binlog.000001 file.

strings binlog.* |grep Custom |wc -l
10000
strings galera.cache |grep Custom |wc -l
10000

strings galera.cache|tail -10
Customer9100
Customer9099
Customer9098
Customer9097
Customer9096
Customer9095
Customer9094
Customer9093
Customer9092
Customer9091
You need to edit your /etc/my.cnf to include:
early-plugin-load=keyring_file.so
keyring_file_data=/var/lib/mysql-keyring/keyring
Note that in this example we are using the keyring_file plugin, which stores keyring data in a file on the local server host. This is not intended for regulatory compliance. You need to use a key management server that protects encryption keys in key vaults or hardware …
[Read more]

In a post written earlier this year – Percona Server for MySQL Encryption Options and Choices – I discussed some of the options around encryption in MySQL. Being such a complex topic, that post was meant to clarify and highlight various aspects of “encryption” at different levels. I recently had this topic come up again, but specifically around column-level encryption and various options, so I wanted to touch on this in more detail.
As of the current release of Percona Server for MySQL, there is no built-in way to define a single column as encrypted. Ideally, there could be some metadata passed in a create statement and this would just automatically happen, such as this:
CREATE TABLE pii_data ( …
[Read more]
In this blog, we will discuss how to set up MySQL NDB Cluster replication in a more secure way with the help of binary log and relay log encryption and a secure connection. These measures protect binary log data in transit and at rest.

Let’s create two MySQL NDB Clusters with the following environment. Here, one will be termed the ‘source’ cluster and the other one will be termed the ‘replica’ cluster.
- MySQL NDB Cluster version (Latest GA version)
- 1 Management node
- 4 Data nodes
- 1 MySQLD
- Configuration slots for up to 4 additional API nodes
Step 1: Start both of the Clusters

Let’s start both the source cluster and the replica cluster, but do not start the MySQLD servers in either cluster, as we want to modify their configuration first.
…
As I discussed in some of my recent talks at conferences (at the DOAG, for example), MySQL 8 came out with new features which bring lots of improvements in terms of security.

“At-Rest” encryption has existed for several releases now:
– InnoDB Tablespace Encryption: by 5.7.11
– Redo and Undo Log Data Encryption: by 8.0.1

Now, starting from version 8.0.14, you can also encrypt binary and relay log files. In this blog post we will see how to configure that and we will do some tests.

Case 1: Binary log files are not encrypted

Binary log file encryption is disabled by default:

mysql> show variables like 'binlog_encryption';
+-------------------+-------+
| Variable_name     | Value |
+-------------------+-------+
| binlog_encryption | OFF   |
…[Read more]
Percona Server for MySQL 8.0 comes with enterprise-grade total data encryption features. However, there is always the question of how much overhead – or performance penalty – comes with the data decryption. As we saw in my networking performance post, SSL under high concurrency might be problematic. Is this the case for data decryption?
To measure any overhead, I will start with a simplified read-only workload, where data gets decrypted during read IO.
During query execution, the data in memory is already decrypted so there is no additional processing time. The decryption happens only for blocks that require a read from storage.
For the benchmark I will use the following workload:
sysbench …[Read more]
Ahead of the PCI move to deprecate the use of ‘early TLS’, we’ve previously taken steps to disable TLSv1.0.
Unfortunately, at that time we encountered some issues which led us to roll back these changes. This was to allow users of operating systems that did not – yet – support TLSv1.1 or higher to download Percona packages over TLSv1.0.
Since then, we have been tracking our usage statistics for older operating systems that don’t support TLSv1.1 or higher at https://repo.percona.com. We now receive very few legitimate requests for these downloads.
Consequently, we are ending support for TLSv1.0 on all Percona web properties.
…[Read more]
One of the new features in MySQL 8.0.14 is support for encrypting the binary logs. While encryption makes the data more secure (provided the key is secret, of course), it can make life a bit more difficult in terms of how easy it is to do tasks such as point-in-time recoveries. This blog shows how you can use the binlog_decrypt.py Python script to decrypt the binary logs as long as you have the keyring that was used to encrypt them.

Introduction and Background

João Gramacho wrote a nice blog post on how you can use standard Linux programs to decrypt the binary logs. This inspired me to consider implementing …

[Read more]

The encrypted binary log file format introduced in MySQL version 8.0.14 was designed to allow a “manual” decryption of the file data when the value of the key that encrypted its file password is known.

Each encrypted binary (or relay) log file is composed of an encrypted binary log file header and the encrypted binary log content (the file data).…