    MDEV-12041: innodb_encrypt_log key rotation · f6d4f624
    Marko Mäkelä authored
    This will change the InnoDB encrypted redo log format only.
    Unencrypted redo log will keep using the MariaDB 10.3 format.
    In the new encrypted redo log format, 4 additional bytes will
    be reserved in the redo log block trailer for storing the
    encryption key version.
    
    For performance reasons, the encryption key rotation
    (checking if the latest encryption key version is being used)
    is only done at log_checkpoint().
    
    LOG_HEADER_FORMAT_CURRENT: Remove.
    
    LOG_HEADER_FORMAT_ENC_10_4: The encrypted 10.4 format.
    
    LOG_BLOCK_KEY: The encryption key version field.
    
    LOG_BLOCK_TRL_SIZE: Remove.
    
    log_t: Add accessors framing_size(), payload_size(), trailer_offset(),
    to be used instead of referring to LOG_BLOCK_TRL_SIZE.
    
    log_crypt_t: An operation passed to log_crypt().
    
    log_crypt(): Perform decryption, encryption, or encryption with key
    rotation. Return an error if key rotation at decryption fails.
    On encryption, keep using the previous key if the rotation fails.
    At startup, old-format encrypted redo log may be written before
    the redo log is upgraded (rebuilt) to the latest format.
    
    log_write_up_to(): Add the parameter rotate_key=false.
    
    log_checkpoint(): Invoke log_write_up_to() with rotate_key=true.
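
The key-version handling described in the commit message above, as an added sketch that is not code from the commit or from MariaDB. The block, header and checksum sizes, the big-endian field encoding, `log_model`, `select_key`, `NO_KEY` and the two key-management hooks are assumptions made for illustration, and the cipher itself is left out.

```cpp
#include <cstddef>
#include <cstdint>
#include <functional>

// Sizes assumed for this sketch; only the 4-byte key version field is from the commit message.
constexpr size_t BLOCK = 512, HDR = 12, CHECKSUM = 4, KEY = 4;
constexpr uint32_t NO_KEY = 0xFFFFFFFFu;  // hypothetical "lookup failed" sentinel

struct log_model {                        // stand-in for log_t's new accessors
  bool encrypted;
  size_t framing_size() const { return HDR + CHECKSUM + (encrypted ? KEY : 0); }
  size_t payload_size() const { return BLOCK - framing_size(); }
  size_t trailer_offset() const { return BLOCK - CHECKSUM - (encrypted ? KEY : 0); }
};

enum crypt_op { DECRYPT, ENCRYPT, ENCRYPT_ROTATE_KEY };

static uint32_t get32(const uint8_t* p) {
  return uint32_t(p[0]) << 24 | uint32_t(p[1]) << 16 | uint32_t(p[2]) << 8 | p[3];
}
static void put32(uint8_t* p, uint32_t v) {
  p[0] = uint8_t(v >> 24); p[1] = uint8_t(v >> 16); p[2] = uint8_t(v >> 8); p[3] = uint8_t(v);
}

// Pick the key version for one block and keep the trailer field in sync.
// `active` is the version currently in use; `latest` and `available` are
// hypothetical hooks into key management. Returns false only on decryption
// when the block's key version cannot be obtained.
bool select_key(crypt_op op, uint8_t* block, const log_model& log, uint32_t& active,
                const std::function<uint32_t()>& latest,
                const std::function<bool(uint32_t)>& available) {
  uint8_t* field = block + log.trailer_offset();
  if (op == DECRYPT) {
    const uint32_t v = get32(field);
    if (v != active && !available(v)) return false;  // rotation at decryption failed
    active = v;
    return true;
  }
  if (op == ENCRYPT_ROTATE_KEY) {                     // only requested at checkpoint
    const uint32_t v = latest();
    if (v != NO_KEY && available(v)) active = v;      // else keep the previous key
  }
  put32(field, active);                               // stamp version for recovery
  return true;
}
```
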
debug_key_management.test 1.53 KB