Downloads
Blog
Contact Us

Encryption of the InnoDB System Tablespace and Parallel Doublewrite Buffer

September 14, 2018
Author
Ceri Williams
Share this Post:

encryption of InnoDB tablespace parallel doublewrite bufferIn my last post I compared data at-rest encryption features available for MySQL and MariaDB. As noted at the time, some of the features available for Percona Server for MySQL were in development, and the latest version (5.7.23) sees two of them released as ALPHA quality.

Encrypting the InnoDB system tablespace

The first of the new features is InnoDB system tablespace encryption via innodb_sys_tablespace_encrypt, which would provide encryption of the following data:

  • the change buffer, which caches changes to secondary index pages as a result of DML operations for pages that are not in the InnoDB buffer pool

  • The undo logs if they have not been configured to be stored in separate undo tablespaces

  • data from any tables that exist in the main tablespace, which occurs when innodb_file_per_table is disabled

There are some related changes on the horizon that would allow this to be applied to an existing instance. However, for now this is only available for new instances as it can only be applied during bootstrap. This means that it would require a logical restore of your data to use it with an existing cluster–I should restate that this is an ALPHA feature and not production-ready.

There are some extra points to note about this new variable:

  • an instance with an encrypted tablespace cannot be downgraded to use a version prior to 5.7.23, due to the inability to read the tablespace

  • as noted, it is not currently possible to convert the tablespace between encrypted and unencrypted states, or vice versa

  • the key for the system tablespace can be manually rotated using ALTER INSTANCE ROTATE INNODB MASTER KEY as per any other tablespace

Encrypting the parallel doublewrite buffer

To complement the encryption of the system tablespace, it is also possible to encrypt the parallel doublewrite buffer using innodb_parallel_dblwr_encrypt, a feature unique to Percona Server for MySQL.  This means that any data for an encrypted tablespace is also only written in an encrypted form in the parallel doublewrite buffer; unencrypted tablespace data remains in plaintext. Unlike innodb_sys_tablespace_encrypt, you are able to set innodb_parallel_dblwr_encrypt dynamically on an existing instance.

There are more encryption features planned–or already in development–for Percona Server for MySQL so watch this space!

Subscribe
Notify of
guest

0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments

Resources

RELATED POSTS

Far
Enough.

Said no pioneer ever.
Get Started
Open source database software from experts who stand with you in production. Forever free from lock-in and other corporate BS.
Connect
© 2026 Percona All Rights Reserved
Database Technology
PostgreSQL MySQL MariaDB MongoDB Valkey / Redis Databases on Kubernetes Monitoring & Management (PMM) Percona Toolkit
Services
Expert Support ExpertOps Expert Consulting Training Solution Bundles
Use Cases
Cost Optimization Performance and Reliability Sovereignty, Securty, and Compliance AI and Future Readiness
Company
About Percona Partners Careers Events Press Releases News
Terms of Use
|
Privacy
|
Copyright
|
Legal
|
Security Center
MySQL, PostgreSQL, InnoDB, MariaDB, MongoDB and Kubernetes are trademarks for their respective owners.
© 2026 Percona All Rights Reserved