Enabling InnoDB Tablespace Encryption on Percona XtraDB Cluster 5.7

Security is one of the hottest topics lately, and in this blog post, I will walk you through what needs to be configured to have a working three-node Percona XtraDB Cluster running with InnoDB Tablespace Encryption enabled.

This article will not cover the basics of setting up a cluster nor will it cover how to create SSL certs and keys since both of these topics have been well explained here and here.

Just to give you a brief history, InnoDB tablespace encryption was introduced in MySQL 5.7.11, and starting from Percona XtraDB Cluster 5.7.16 this feature was fully supported if coupled with SSL-based encryption of SST traffic. However, for this blog post I recommend using the latest Percona XtraDB Cluster 5.7.20-19 release. It has the recent fix that affects incremental state transfer when keyring-file-data is set.

What do you need to enable InnoDB tablespace encryption? If you are an avid reader of this blog, then you might have read this awesome article from Manjot Singh and Matthew Boehm about MySQL Encryption at rest – Part 2. The two important configuration options are:

This alone lets you use the keyring_file.so plugin to encrypt InnoDB tablespaces, provided that InnoDB file-per-table is enabled. But to get state transfer (SST/IST) working between cluster nodes, you should also set the SSL-related options in the [mysqld] and [sst] sections of your configuration file.

Doing It the Easy Way

To make life easier and less complicated, we’ve added an option that takes care of the job for you by configuring SSL encryption automatically with one variable: pxc-encrypt-cluster-traffic=ON. This is the recommended option. Once set, it looks for the SSL keys and certificate files at the paths given by the ssl-ca, ssl-cert and ssl-key options under [mysqld]. If you don’t set these, it then looks for the necessary SSL keys and certificate files in the data directory.

The next step is to create the SSL certs and keys by following the instructions in the manual. Note that for some distributions, like RPM packages, the SSL keys and certificate file are automatically created upon data directory initialization by invoking mysql_ssl_rsa_setup.

You only need to securely transfer the SSL files from one node to another. This doesn’t include the keyring file, which the wsrep_sst_xtrabackup-v2 script handles.

We recommend using wsrep_sst_method=xtrabackup-v2, so we need to declare the keyring-file-data option under the [xtrabackup] section of the configuration file.

Taking everything into consideration, we should have something like this as a working configuration file:

Doing It The Hard Way

If you prefer to keep your SSL keys and certificate files in a separate directory outside of the data directory, then you should declare the SSL-related variables under the [mysqld] section like this:

Lastly, if you prefer not to use the pxc-encrypt-cluster-traffic variable, you will need to declare the same SSL-related variables under the [sst] section like this:
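As an added example (not the configuration file from the original post), here is a my.cnf fragment that combines the settings discussed in both the easy and the hard way. The file paths are placeholders, the early-plugin-load/keyring_file_data pair is assumed to be the two options the article refers to, and encrypt=4 under [sst] is assumed to be the SST-script setting that selects SSL-based encryption; the usual wsrep_provider and wsrep_cluster_address settings are omitted.

```ini
# Added example, not the post's own file. Paths are placeholders.
[mysqld]
# InnoDB tablespace encryption: the keyring plugin must load before InnoDB starts
early-plugin-load=keyring_file.so
keyring_file_data=/var/lib/mysql-keyring/keyring
innodb_file_per_table=ON

# State transfer method; the same keyring path is repeated under [xtrabackup]
wsrep_sst_method=xtrabackup-v2

# Easy way: one switch encrypts SST/IST and replication traffic.
# Uses the ssl-* files below, or the ones in datadir if these are unset.
pxc-encrypt-cluster-traffic=ON
ssl-ca=/etc/mysql/ssl/ca.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem

# Hard way: only needed when pxc-encrypt-cluster-traffic is NOT used.
# Point donor and joiner at the same certificate files as [mysqld].
[sst]
encrypt=4        # assumed: SSL-based SST encryption in wsrep_sst_xtrabackup-v2
ssl-ca=/etc/mysql/ssl/ca.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem

# The SST script hands the keyring to xtrabackup; must match keyring_file_data
[xtrabackup]
keyring-file-data=/var/lib/mysql-keyring/keyring
```

The same fragment must be present on every node, since the donor and the joiner each read their own copy during SST.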

And here is sample content from the log on the JOINER node:

And from the DONOR node, we will see this from the log file:

Setting up Percona XtraDB Cluster with InnoDB tablespace encryption is easy. We just need to make sure the configuration above is declared on all nodes for state transfer to work.
