Feb 01, 2020
 FOSDEM 2020
  Robert Golebiowski

How Transparent Data Encryption is built in MySQL and Percona Server?
- Keyrings: what are they used for? What is the difference between a server back-end (keyring_vault) and a file back-end (keyring_file)? How does that choice affect server startup, and why? Why is per-server separation needed in Vault Server?
- How does Master Key encryption work? How is it built at the page level? How do we know which key to fetch to decrypt a table? How do we know that the key we fetched is the correct one? How do we make sure that we can decrypt a table when we need it?
- What crypto algorithms are used?
- How does Master Key rotation work? Why is it needed?
- What is KEYRING encryption and what are encryption threads?
- How does binlog encryption work in 5.7, and how does it work in 8.0?
- How does undo log/redo log encryption work?

How Transparent Data Encryption is Built in MySQL and Percona Server?

In this presentation, we'll take a deep dive into the world of transparent data encryption for open source databases. We'll be looking at how transparent data encryption is implemented in MySQL and Percona Server for MySQL, covering the keyring, Master Key encryption and Master Key rotation questions listed above. By the end of the talk, you'll have a better understanding of transparent data encryption and will be aware of the things to take into account when interacting with encrypted databases from your applications.
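The abstract lists the questions but not the operator-facing commands they map to. As an added example (not part of the talk, and not Percona's or Oracle's code), the following SQL walks through the practitioner's side of those topics on MySQL 8.0 / Percona Server for MySQL 8.0: checking that a keyring back-end is active, creating an encrypted InnoDB table, verifying which tablespaces really are encrypted, rotating the master key, and (8.0.14+) turning on binlog encryption. It assumes the keyring plugin was already loaded at startup from my.cnf, for example `early-plugin-load=keyring_file.so` with `keyring_file_data=/var/lib/mysql-keyring/keyring`, or on Percona Server `early-plugin-load=keyring_vault.so` with `keyring_vault_config=/etc/mysql/keyring_vault.conf` pointing at a config holding `vault_url`, `secret_mount_point`, `token` and `vault_ca`. The schema and table names are constructed for the example.

```sql
-- Added example, not from the talk. Target: MySQL 8.0 / Percona Server 8.0.
-- Assumes a keyring plugin (keyring_file or keyring_vault) was loaded via
-- early-plugin-load in my.cnf. Schema/table names below are constructed.

-- 1. Confirm the keyring is active. InnoDB needs key material while it opens
--    encrypted tablespaces and redo/undo logs during startup/recovery, which is
--    why the keyring must come from early-plugin-load and not a later
--    INSTALL PLUGIN.
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM INFORMATION_SCHEMA.PLUGINS
 WHERE PLUGIN_NAME LIKE 'keyring%';
-- Expect exactly one keyring row with PLUGIN_STATUS = 'ACTIVE'.

-- 2. Create an encrypted table. InnoDB generates a per-tablespace key and
--    stores it in the tablespace header, wrapped by the current master key
--    held in the keyring.
CREATE DATABASE IF NOT EXISTS tde_demo;
CREATE TABLE tde_demo.customer_pii (
  id        BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  email     VARCHAR(255) NOT NULL,
  ssn_last4 CHAR(4)      NOT NULL
) ENGINE=InnoDB ENCRYPTION='Y';

-- An existing table is converted in place; this rebuilds the tablespace,
-- so plan for the I/O on large tables:
-- ALTER TABLE tde_demo.orders ENCRYPTION='Y';

-- 3. Verify encryption from InnoDB's point of view (8.0.13+ exposes the
--    ENCRYPTION column) rather than trusting the DDL you typed.
SELECT NAME, ENCRYPTION
  FROM INFORMATION_SCHEMA.INNODB_TABLESPACES
 WHERE NAME LIKE 'tde_demo/%';
-- Expect: tde_demo/customer_pii  Y

-- Cross-check at the table level; this form also works on 5.7, where
-- INNODB_SYS_TABLESPACES has no ENCRYPTION column.
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
  FROM INFORMATION_SCHEMA.TABLES
 WHERE CREATE_OPTIONS LIKE '%ENCRYPTION%';

-- 4. Rotate the master key. Only the wrapped tablespace keys in each
--    tablespace header are re-encrypted under the new master key; data pages
--    are not rewritten, so this is cheap and is the right response to a
--    suspected keyring exposure. Needs ENCRYPTION_KEY_ADMIN (8.0) or SUPER (5.7).
ALTER INSTANCE ROTATE INNODB MASTER KEY;

-- 5. After rotation (or after any keyring back-end migration), prove that the
--    encrypted tables still open and decrypt before you rely on them.
CHECK TABLE tde_demo.customer_pii;
SELECT COUNT(*) FROM tde_demo.customer_pii;

-- 6. Binary log encryption (MySQL 8.0.14+; rotation statement 8.0.16+).
--    Applies to new binlog/relay log files from the next rotation onward.
SET PERSIST binlog_encryption = ON;
FLUSH BINARY LOGS;
ALTER INSTANCE ROTATE BINLOG MASTER KEY;
SHOW BINARY LOGS;   -- the Encrypted column shows which files are protected
```

Two caveats worth taking away. With keyring_file, the keyring file is just another file on the database host, so encryption at rest protects against lost backups and disks, not against an attacker who has the host; keyring_vault moves the master key off the host, which is the point of the server back-end. And with Vault, give each MySQL server its own `secret_mount_point`: the per-server separation the abstract mentions keeps one server's master keys from being read, or overwritten, through another server's path.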

About the Author

Robert Golebiowski

Passionate software developer. Working in the MySQL ecosystem since 2014, now with Percona, previously with Oracle. Working mainly on security features.