Rotating binary log master key online

Starting on version 8.0.16, MySQL server introduces a new command that allows
for the binary log master key rotation, online!

When binary log encryption is enabled, the binary log master key can be rotated online by using the following new command:

This new command can be used to rotate the binary log master key periodically or whenever you suspect that a key might have been compromised.

Executing the command generates a new binary log master key, used to
encrypt file passwords for the new binary and relay log files created after this command and to re-encrypt file passwords for existent encrypted binary and relay log files by overwriting the encrypted file header . The command also takes care of cleaning up the keyring, removing previously generated binary log encryption keys that aren’t used by the server, anymore. The command is not written to the binary log, so it is not replicated to a slave.

Inspecting the binary log master key

MySQL has no built in interface to show the binary log encryption keys in binary or relay log files. But the script inspect_encryption_key.sh can show the binary log encryption key ids in keyring from binary or relay log files. See below.

Executing this script against a mix of encrypted and non-encrypted
binary logs, yields the following output:

Some Use Cases for Rotating Binary Log Keys

Now that we have a script that can help us look into the binary
log files and extract the key id, lets see what happens to the
files whenever we rotate the master key.

Example 1: binary log files master key rotation

Given a master that has some non-encrypted and encrypted binary logs as below.

Executing ALTER INSTANCE ROTATE BINLOG MASTER KEY changes:
1) the key used to encrypt file passwords for new master-bin.000005
2) re-encrypts file passwords of previous existent encrypted master-bin.000002
and master-bin.000004 with the new binary log master key.

Example 2: relay and binary log files master key rotation

Given a slave that has some non-encrypted and encrypted relay and binary logs as below.

Executing ALTER INSTANCE ROTATE BINLOG MASTER KEY changes:
1) the key used to encrypt file passwords for new slave-relay-bin.000004 and
slave-bin.000004
2) re-encrypts file passwords of previous existent encrypted slave-relay-bin.000002, slave-relay-bin.000003, slave-bin.000002 and slave-bin.000003 with the new binary log master key.

Example 3: binary and relay log files master key rotation when provisioning new slave

Given a server that was “copied” to become a slave with UUID2, which has some non-encrypted and encrypted binary logs with the source server UUID1 as below.

Executing ALTER INSTANCE ROTATE BINLOG MASTER KEY changes:
1) the key used to encrypt file passwords for new slave-relay-bin.000001 and
master-bin.000004
2) re-encrypts file passwords of previous existent encrypted master-bin.000002
and master-bin.000003 with the new binary log master key as below.

Summary

This feature introduces a new command, ‘ALTER INSTANCE ROTATE BINLOG MASTER KEY’, that allows the online rotation of the binary log master key. For design details, please see WL#12080. This command is available from MySQL 8.0.16 release onwards, check our download page.

We look forward to hearing from you, leave us your feedback!

932 total views, 152 views today

Setup MySQL High Availability Cluster using Contact us to find out our latest offers!

Comments are closed.

>