Encrypting the Redo Log files

MySQL uses the redo log files to apply changes during data recovery.

Encrypt the redo log files by enabling the innodb_redo_log_encrypt variable. The default value for the variable is OFF.

The Redo log files uses the tablespace encryption key.

variable innodb_redo_log_encrypt
Command Line:--innodb-redo-log-encrypt
Dynamic:Yes
Scope:Global
Variable Type:Text
Default Value:OFF

Determines the encryption for redo log data for tables.

When you enable innodb_redo_log_encrypt any existing redo log pages stay unencrypted, and new pages are encrypted when they are written to disk. If you disable innodb_redo_log_encrypt after enabling the variable, any encrypted pages remain encrypted, but the new pages are unencrypted.

As implemented in 8.0.16-7, the supported values for innodb_redo_log_encrypt are the following:

  • ON
  • OFF
  • master_key
  • keyring_key

The keyring_key value is in tech preview.

See also

For more information on the keyring_key - Working with Advanced Encryption Key Rotation

Note

For innodb_redo_log_encrypt, the “ON” value is a compatibility alias for master_key.

After starting the server, an attempt to encrypt the redo log files fails if you have the following conditions:

  • Server started with no keyring specified
  • Server started with a keyring, but you specified a redo log encryption method that is different then previously used method on the server.

Contact Us

For free technical help, visit the Percona Community Forum.
To report bugs or submit feature requests, open a JIRA ticket.
For paid support and managed or professional services, contact Percona Sales.