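# InnoDB transparent tablespace data encryption
# This test case will test basic encryption support features.
#
# Flow: create an encrypted table, restart with the keyring_file plugin and
# --innodb_redo_log_encrypt=ON, read the data back after a clean restart and
# after a kill, rotate the master key, then round-trip an encrypted table
# through mysqldump/mysqlpump.
#
# Layout: one mysqltest command or SQL statement per line. A '#' comment and
# a '--' command both run to the end of the line, so they must not share a
# line with the statements that follow them.
#
# NOTE(review): every check in this file is a read-back through SQL or a
# variable display. Nothing here inspects the .ibd or redo log files, so as far
# as this file shows, the test would pass the same way if pages were written
# in plaintext. A companion check that a known value such as "aaaaa" is absent
# from the on-disk files would close that gap.

--source include/no_valgrind_without_big.inc

# Suppress the following messages from the mysqld log
--disable_query_log
call mtr.add_suppression("keyring_file initialization failure. Please check if the keyring_file_data points to readable keyring file or keyring file can be created in the specified location. The keyring_file will stay unusable until correct path to the keyring file gets provided");
call mtr.add_suppression("\\[Error\\] .*MY-\\d+.* Can't generate new master key for tablespace encryption, please check the keyring plugin is loaded.");
call mtr.add_suppression("\\[Error\\] .*MY-\\d+.* Encryption can't find master key, please check the keyring plugin is loaded.");
call mtr.add_suppression("\\[ERROR\\] .*MY-\\d+.* Function 'keyring_file' already exists");
call mtr.add_suppression("\\[ERROR\\] .*MY-\\d+.* Couldn't load plugin named 'keyring_file' with soname 'keyring_file.*'.");
call mtr.add_suppression("Plugin keyring_file reported");
call mtr.add_suppression("\\[ERROR\\] .*MY-\\d+.* Can't set redo log tablespace to be encrypted.");
call mtr.add_suppression("You need to use --log-bin to make --binlog-format work");
--enable_query_log

SHOW VARIABLES LIKE "%innodb_redo_log_encrypt%";

# NOTE(review): no --error directive precedes this CREATE, so the test expects
# it to succeed. Whether a keyring is already loaded at this point depends on
# server options that are not visible in this file -- confirm against the
# test's option file, given the "keyring plugin is loaded" suppressions above.
CREATE TABLE t1(c1 int) ENGINE=InnoDB ENCRYPTION="Y";
DROP TABLE t1;

# Restart the server with keyring loaded
# The keyring_file plugin keeps the master key in a local file, here
# $MYSQL_TMP_DIR/mysecret_keyring2. That is fine for a test; on a real host a
# key file readable by the same account as the data files adds little
# protection, so the key store should live apart from the data it protects.
--exec echo "wait" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
-- send_shutdown
-- source include/wait_until_disconnected.inc
--exec echo "restart:--early-plugin-load="keyring_file=$KEYRING_PLUGIN" --loose-keyring_file_data=$MYSQL_TMP_DIR/mysecret_keyring2 $KEYRING_PLUGIN_OPT --innodb_redo_log_encrypt=ON" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
--enable_reconnect
--source include/wait_until_connected_again.inc
--disable_reconnect

SHOW VARIABLES LIKE "%innodb_redo_log_encrypt%";

--disable_warnings
DROP TABLE IF EXISTS t1;
--enable_warnings

# Save the current setting; it is restored by the last statement of the test.
let $innodb_file_per_table = `SELECT @@innodb_file_per_table`;
SET GLOBAL innodb_file_per_table = 1;
SELECT @@innodb_file_per_table;

# Create a table with encryption
CREATE TABLE t1(c1 INT, c2 char(20)) ENCRYPTION="Y" ENGINE = InnoDB;

SHOW CREATE TABLE t1;
INSERT INTO t1 VALUES(0, "aaaaa");
INSERT INTO t1 VALUES(1, "bbbbb");
INSERT INTO t1 VALUES(2, "ccccc");
INSERT INTO t1 VALUES(3, "ddddd");
INSERT INTO t1 VALUES(4, "eeeee");
INSERT INTO t1 VALUES(5, "fffff");
INSERT INTO t1 VALUES(6, "ggggg");
INSERT INTO t1 VALUES(7, "hhhhh");
INSERT INTO t1 VALUES(8, "iiiii");
INSERT INTO t1 VALUES(9, "jjjjj");

# Each self-insert doubles the table: 10 rows become 640 after six rounds.
INSERT INTO t1 select * from t1;
INSERT INTO t1 select * from t1;
INSERT INTO t1 select * from t1;
INSERT INTO t1 select * from t1;
INSERT INTO t1 select * from t1;
INSERT INTO t1 select * from t1;

SELECT * FROM t1 LIMIT 10;

# Restart to confirm the encryption info can be retrieved properly.
--exec echo "wait" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
-- send_shutdown
-- source include/wait_until_disconnected.inc
--exec echo "restart:--early-plugin-load="keyring_file=$KEYRING_PLUGIN" --loose-keyring_file_data=$MYSQL_TMP_DIR/mysecret_keyring2 $KEYRING_PLUGIN_OPT --innodb_redo_log_encrypt=ON" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
--enable_reconnect
--source include/wait_until_connected_again.inc
--disable_reconnect

SHOW VARIABLES LIKE "%innodb_redo_log_encrypt%";

SELECT * FROM t1 LIMIT 10;

# Key rotation.
ALTER INSTANCE ROTATE INNODB MASTER KEY;

DROP TABLE t1;

# Crash/recovery test.
CREATE TABLE t1(c1 INT, c2 char(20)) ENCRYPTION="Y" ENGINE = InnoDB;

INSERT INTO t1 VALUES(0, "aaaaa");
INSERT INTO t1 VALUES(1, "bbbbb");
INSERT INTO t1 VALUES(2, "ccccc");
INSERT INTO t1 VALUES(3, "ddddd");
INSERT INTO t1 VALUES(4, "eeeee");
INSERT INTO t1 VALUES(5, "fffff");
INSERT INTO t1 VALUES(6, "ggggg");
INSERT INTO t1 VALUES(7, "hhhhh");
INSERT INTO t1 VALUES(8, "iiiii");
INSERT INTO t1 VALUES(9, "jjjjj");

# Restart to confirm the encryption info can be retrieved properly.
# kill_mysqld.inc is used here instead of send_shutdown, so presumably the
# restart has to recover the rows above from the redo log while
# innodb_redo_log_encrypt is ON -- confirm against the include file.
--source include/kill_mysqld.inc
--exec echo "restart:--early-plugin-load="keyring_file=$KEYRING_PLUGIN" --loose-keyring_file_data=$MYSQL_TMP_DIR/mysecret_keyring2 $KEYRING_PLUGIN_OPT --innodb_redo_log_encrypt=ON" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
--enable_reconnect
--source include/wait_until_connected_again.inc
--disable_reconnect

SHOW VARIABLES LIKE "%innodb_redo_log_encrypt%";

SELECT * FROM t1 LIMIT 10;
DROP TABLE t1;

# Restart once more with the general query log written to a file. The general
# log records statement text in plaintext and is not covered by tablespace or
# redo log encryption; the test relies on that further down when it searches
# the log for the key rotation statement. The replace_* directives mask the
# temp path and the plugin file extension in the recorded output.
let $restart_parameters = restart: --early-plugin-load="keyring_file=$KEYRING_PLUGIN" --loose-keyring_file_data=$MYSQL_TMP_DIR/mysecret_keyring2 --general-log --log-output=FILE --general_log_file=$MYSQL_TMP_DIR/keyring_query_log $KEYRING_PLUGIN_OPT --innodb_redo_log_encrypt=ON;
--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR $KEYRING_PLUGIN_OPT --plugin-dir=KEYRING_PLUGIN_PATH
--replace_regex /\.dll/.so/
--source include/restart_mysqld.inc

SHOW VARIABLES LIKE "%innodb_redo_log_encrypt%";

#
# Check no effect of block_encryption_mode = 'aes-256-cbc' variable on table encryption
# (block_encryption_mode selects the mode for the AES_ENCRYPT()/AES_DECRYPT()
# SQL functions; the statements below should behave exactly as before.)
SET block_encryption_mode = 'aes-256-cbc';

# Test encryption.
--disable_warnings
DROP DATABASE IF EXISTS tde_db;
CREATE DATABASE tde_db;
CREATE TABLE tde_db.t1(c1 INT PRIMARY KEY, c2 char(50)) ENCRYPTION = 'Y' ENGINE = InnoDB;
--enable_warnings
#
INSERT INTO tde_db.t1 VALUES(0, 'abc');
INSERT INTO tde_db.t1 VALUES(1, 'xyz');
INSERT INTO tde_db.t1 VALUES(2, null);
INSERT INTO tde_db.t1 VALUES(3, null);

# The same rows must be readable before and after the master key rotation.
SELECT * FROM tde_db.t1 LIMIT 10;
ALTER INSTANCE ROTATE INNODB MASTER KEY;
SELECT * FROM tde_db.t1 LIMIT 10;

# mysqldump and mysqlpump read rows through SQL, so what they write is
# plaintext row data: tablespace encryption protects the files on disk, not
# logical exports. The mysqldump output goes to the test output, and the
# mysqlpump file under $MYSQL_TMP_DIR is an unencrypted copy of the table
# until the cleanup section removes it.
--echo # Mysqldump output
--exec $MYSQL_DUMP --compact --skip-comments --databases tde_db
--echo # Redirecting mysqlpump output to MYSQL_TMP_DIR/mysqlpump_encrypt.sql
--exec $MYSQL_PUMP --default-parallelism=1 --databases tde_db > $MYSQL_TMP_DIR/mysqlpump_encrypt.sql
DROP DATABASE tde_db;

# Look for the rotation statement in the plaintext general log configured at
# the last restart.
--let SEARCH_FILE=$MYSQL_TMP_DIR/keyring_query_log
let SEARCH_PATTERN= ALTER INSTANCE ROTATE INNODB MASTER KEY;
--source include/search_pattern.inc

# Reload the dump and check that the recreated table is readable and writable.
--echo # Loading tables from mysqlpump_encrypt.sql
--exec $MYSQL --skip-comments < $MYSQL_TMP_DIR/mysqlpump_encrypt.sql
SELECT * FROM tde_db.t1 LIMIT 10;
INSERT INTO tde_db.t1 VALUES(4, null);
SELECT * FROM tde_db.t1 LIMIT 10;
DROP DATABASE tde_db;

#
# Cleanup
# Remove the plaintext artifacts (general log, dump) and the keyring file so
# that no key material or table data is left in the temp directory.
--remove_file $MYSQL_TMP_DIR/keyring_query_log
--remove_file $MYSQL_TMP_DIR/mysecret_keyring2
--remove_file $MYSQL_TMP_DIR/mysqlpump_encrypt.sql
eval SET GLOBAL innodb_file_per_table=$innodb_file_per_table;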