#------------------------------------------------------------------------------ # InnoDB transparent tablespace data encryption for general tablespace # # This test create tables in encrypted/non-encrypted genral tablespace and # try to access them after restarting with different combinitions such as # - restart with same server option (acccess all tables) # - restart without keyring options(encrypt table not accessible , rest are) # - restart without keyring option but explicilty load plugin (access all) # - restart with keyring option but using new key_file_data # (old encrypt table not accessible , rest are. New encrypt # table creation possible) # ############################################################################ --source include/no_valgrind_without_big.inc # Waiting time when (re)starting the server --let $explicit_default_wait_counter=10000; # Suppress warnings -- disable_query_log call mtr.add_suppression("\\[ERROR\\].*ibd can't be decrypted, please confirm the keyfile is match and keyring plugin is loaded"); call mtr.add_suppression("\\[ERROR\\].*Plugin keyring_file reported: 'keyring_file initialization failure."); call mtr.add_suppression("\\[ERROR\\].*Plugin keyring_file reported: 'File .*keyring' not found .*"); call mtr.add_suppression("\\[ERROR\\] \\[[^]]*\\] \\[[^]]*\\] Encryption can't find master key, please check the keyring plugin is loaded."); call mtr.add_suppression("\\[ERROR\\] \\[[^]]*\\] \\[[^]]*\\] Check keyring plugin fail, please check the keyring plugin is loaded."); -- enable_query_log --echo ######################################################################### --echo # RESTART 1 : WITH KEYRING PLUGIN --echo ######################################################################### let $restart_parameters = restart: --early-plugin-load="keyring_file=$KEYRING_PLUGIN" --loose-keyring_file_data=$MYSQL_TMP_DIR/mysecret_keyring $KEYRING_PLUGIN_OPT; --replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR $KEYRING_PLUGIN_OPT --plugin-dir=KEYRING_PLUGIN_PATH $KEYRING_PLUGIN keyring_file.so --replace_regex /\.dll/.so/ --source include/restart_mysqld.inc --echo ######### --echo # SETUP # --echo ######### --disable_warnings CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' ENCRYPTION ='Y' ENGINE=InnoDB; CREATE TABLESPACE encrypt_ts1 ADD DATAFILE 'encrypt_ts1.ibd' ENCRYPTION ='N' ENGINE=InnoDB; DROP DATABASE IF EXISTS tde_db; DROP TABLE IF EXISTS tde_db. t_encrypt; CREATE DATABASE tde_db; USE tde_db; --enable_warnings DELIMITER |; CREATE PROCEDURE tde_db.init_setup() begin /* Create table in encrypted tablespace */ CREATE TABLE tde_db.t_encrypt(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, c3 CHAR(255) Default 'No text', c4 JSON , c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, c7 POINT NOT NULL SRID 0, spatial INDEX idx2 (c7) ) TABLESPACE=encrypt_ts ENCRYPTION='Y' ENGINE = InnoDB; /* Create table in non-encrypted tablesapce */ CREATE TABLE tde_db.t_non_encrypt(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, c3 CHAR(255) Default 'No text', c4 JSON , c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, c7 POINT NOT NULL SRID 0, spatial INDEX idx2 (c7) ) TABLESPACE=encrypt_ts1 ENGINE = InnoDB; /* insert into encrypted table */ INSERT INTO tde_db.t_encrypt(c3,c4,c7) VALUES(CONCAT(REPEAT('a',200),LPAD(CAST(1 AS CHAR),4,'0')),'{ "key_a": 1, "key_b": 2, "key_c": 3 }',ST_GeomFromText('POINT(383293632 1754448)')); INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; SELECT '/* select tde_db.t_encrypt */'; SELECT COUNT(*) FROM tde_db.t_encrypt; SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; /* insert into non encrypted table */ INSERT INTO tde_db.t_non_encrypt(c2,c3,c4,c7) SELECT c2,c3,c4,c7 FROM tde_db.t_encrypt; SELECT '/* select tde_db.t_non_encrypt */'; SELECT COUNT(*) FROM tde_db.t_non_encrypt; SELECT c2 ,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_non_encrypt LIMIT 10; ALTER INSTANCE ROTATE INNODB MASTER KEY; CREATE TABLE tde_db.t_encrypt_2(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, c3 CHAR(255) Default 'No text', c4 JSON , c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, c7 POINT NOT NULL SRID 0, spatial INDEX idx2 (c7) ) TABLESPACE=encrypt_ts ENCRYPTION='Y' ENGINE = InnoDB; CREATE TABLE tde_db.t_non_encrypt_2(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, c3 CHAR(255) Default 'No text', c4 JSON , c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, c7 POINT NOT NULL SRID 0, spatial INDEX idx2 (c7) ) TABLESPACE=encrypt_ts1 ENGINE = InnoDB; /* insert into encrypted table 2 */ INSERT INTO tde_db.t_encrypt_2(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; SELECT '/* select tde_db.t_encrypt_2 */'; SELECT COUNT(*) FROM tde_db.t_encrypt_2; SELECT c2 ,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt_2 LIMIT 10; /* insert into NON encrypted table 2 */ INSERT INTO tde_db.t_non_encrypt_2(c2,c3,c4,c7) SELECT c2,c3,c4,c7 FROM tde_db.t_encrypt; SELECT '/* select tde_db.t_non_encrypt_2 */'; SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; SELECT c2 ,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_non_encrypt_2 LIMIT 10; end| DELIMITER ;| --echo #----------------------------------------------------------------------- --echo # Initialize tables call tde_db.init_setup(); --echo # plugin already installed error --replace_regex /\.dll/.so/ --error ER_UDF_EXISTS eval INSTALL PLUGIN keyring_file SONAME '$KEYRING_PLUGIN'; --replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR SELECT @@global.keyring_file_data; --echo # Uninstall is possible when server started with --early-plugin-load UNINSTALL PLUGIN keyring_file; --echo # variable not accessible after uninstall --error ER_UNKNOWN_SYSTEM_VARIABLE SELECT @@global.keyring_file_data; --echo # Select non encrypted tables : Pass SELECT COUNT(*) FROM tde_db.t_non_encrypt; SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; --echo # Select encrypted tables : No Error (after uninstall plugin -master key is cached) SELECT c2 ,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; SELECT c2 ,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt_2 LIMIT 10; SELECT COUNT(*) FROM tde_db.t_encrypt; SELECT COUNT(*) FROM tde_db.t_encrypt_2; --echo # Error on "ALTER INSTANCE ..." after UNINSTALL PLUGIN --error ER_CANNOT_FIND_KEY_IN_KEYRING ALTER INSTANCE ROTATE INNODB MASTER KEY; --echo # new table creation in encrypted tablespace is allowed after uninstall CREATE TABLE tde_db.t_encrypt_3(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, c3 CHAR(255) Default 'No text', c4 JSON , c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, c7 POINT NOT NULL SRID 0, spatial INDEX idx2 (c7) ) TABLESPACE=encrypt_ts ENCRYPTION='Y' ENGINE = InnoDB; --echo # new table in non-encrypted tablespace is allowed after uninstall CREATE TABLE tde_db.t_non_encrypt_3(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, c3 CHAR(255) Default 'No text', c4 JSON , c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, c7 POINT NOT NULL SRID 0, spatial INDEX idx2 (c7) ) TABLESPACE=encrypt_ts1 ENGINE = InnoDB; DROP TABLE tde_db.t_encrypt , tde_db.t_encrypt_2 , tde_db.t_encrypt_3 ; DROP TABLE tde_db.t_non_encrypt , tde_db.t_non_encrypt_2 , tde_db.t_non_encrypt_3; SELECT PLUGIN_NAME,PLUGIN_VERSION,PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE plugin_name='keyring_file'; --echo ######################################################################### --echo # Test 1 : Restart with same keyring plugin option --echo # - all tables accessible --echo ######################################################################### let $restart_parameters = restart: --early-plugin-load="keyring_file=$KEYRING_PLUGIN" --loose-keyring_file_data=$MYSQL_TMP_DIR/mysecret_keyring $KEYRING_PLUGIN_OPT; --replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR $KEYRING_PLUGIN_OPT --plugin-dir=KEYRING_PLUGIN_PATH $KEYRING_PLUGIN keyring_file.so --source include/restart_mysqld.inc SELECT PLUGIN_NAME,PLUGIN_VERSION,PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE plugin_name='keyring_file'; --echo # Initialize tables call tde_db.init_setup(); --echo # restart with same --early-plugin-load and keyring_file_data option let $restart_parameters = restart: --early-plugin-load="keyring_file=$KEYRING_PLUGIN" --loose-keyring_file_data=$MYSQL_TMP_DIR/mysecret_keyring $KEYRING_PLUGIN_OPT; --replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR $KEYRING_PLUGIN_OPT --plugin-dir=KEYRING_PLUGIN_PATH $KEYRING_PLUGIN keyring_file.so --source include/restart_mysqld.inc --echo # All tables must be accessible SELECT COUNT(*) FROM tde_db.t_encrypt; SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; SELECT COUNT(*) FROM tde_db.t_non_encrypt; SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_non_encrypt LIMIT 10; SELECT COUNT(*) FROM tde_db.t_encrypt_2; SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt_2 LIMIT 10; SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_non_encrypt_2 LIMIT 10; --echo # Insert into old encrypted tables SELECT COUNT(*) FROM tde_db.t_encrypt_2; INSERT INTO tde_db.t_encrypt_2(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; SELECT COUNT(*) FROM tde_db.t_encrypt_2; --echo # Insert into old non encrypted tables SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; INSERT INTO tde_db.t_non_encrypt_2(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; --echo # Update into old encrypted tables UPDATE tde_db.t_encrypt_2 SET c2 = 1000 WHERE c2 = 1; SELECT COUNT(*) FROM tde_db.t_encrypt_2 WHERE c2 = 1000 ; --echo # Update into old non encrypted tables UPDATE tde_db.t_non_encrypt_2 SET c2 = 1000 WHERE c2 = 1; SELECT COUNT(*) FROM tde_db.t_non_encrypt_2 WHERE c2 = 1000 ; --echo # Delete from old encrypted tables DELETE FROM tde_db.t_encrypt_2 WHERE c2 = 1000 ; SELECT COUNT(*) FROM tde_db.t_encrypt_2 WHERE c2 = 1000 ; --echo # Delete from old non encrypted tables DELETE FROM tde_db.t_non_encrypt_2 WHERE c2 = 1000 ; SELECT COUNT(*) FROM tde_db.t_non_encrypt_2 WHERE c2 = 1000 ; --echo # Create new tables CREATE TABLE tde_db.t_encrypt_4(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, c3 CHAR(255) Default 'No text', c4 JSON , c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, c7 POINT NOT NULL SRID 0, spatial INDEX idx2 (c7) ) TABLESPACE=encrypt_ts ENCRYPTION='Y' ENGINE = InnoDB; CREATE TABLE tde_db.t_non_encrypt_4(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, c3 CHAR(255) Default 'No text', c4 JSON , c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, c7 POINT NOT NULL SRID 0, spatial INDEX idx2 (c7) ) TABLESPACE=encrypt_ts1 ENGINE = InnoDB; INSERT INTO tde_db.t_encrypt_4(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; INSERT INTO tde_db.t_non_encrypt_4(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; SELECT COUNT(*) FROM tde_db.t_encrypt_4; SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt_4 LIMIT 10; SELECT COUNT(*) FROM tde_db.t_non_encrypt_4; SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_non_encrypt_4 LIMIT 10; ALTER INSTANCE ROTATE INNODB MASTER KEY; SELECT COUNT(*) FROM tde_db.t_encrypt; SELECT COUNT(*) FROM tde_db.t_non_encrypt; SELECT COUNT(*) FROM tde_db.t_encrypt_2; SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; SELECT COUNT(*) FROM tde_db.t_encrypt_4; SELECT COUNT(*) FROM tde_db.t_non_encrypt_4; DROP TABLE tde_db.t_encrypt , tde_db.t_encrypt_2 , tde_db.t_encrypt_4; DROP TABLE tde_db.t_non_encrypt , tde_db.t_non_encrypt_2 , tde_db.t_non_encrypt_4; --echo ######################################################################### --echo # Test 2 : Restart without keyring option --echo # - old encrypted tables accessible --echo # - unencryption tables are accessible --echo ######################################################################### let $restart_parameters = restart: --early-plugin-load="keyring_file=$KEYRING_PLUGIN" --loose-keyring_file_data=$MYSQL_TMP_DIR/mysecret_keyring $KEYRING_PLUGIN_OPT; --replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR $KEYRING_PLUGIN_OPT --plugin-dir=KEYRING_PLUGIN_PATH $KEYRING_PLUGIN keyring_file.so --source include/restart_mysqld.inc SELECT PLUGIN_NAME,PLUGIN_VERSION,PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE plugin_name='keyring_file'; --echo # Initialize tables call tde_db.init_setup(); --echo # restart without --early-plugin-load and keyring_file_data let $restart_parameters = restart: ; --replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR $KEYRING_PLUGIN_OPT --plugin-dir=KEYRING_PLUGIN_PATH $KEYRING_PLUGIN keyring_file.so --source include/restart_mysqld.inc --echo # Encrypted tables must not be accessible --error ER_CANNOT_FIND_KEY_IN_KEYRING SELECT COUNT(*) FROM tde_db.t_encrypt; --error ER_CANNOT_FIND_KEY_IN_KEYRING SELECT COUNT(*) FROM tde_db.t_encrypt_2; --echo # Unencrypted tables must be accessible SELECT COUNT(*) FROM tde_db.t_non_encrypt; SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; --echo # Creating table in encrypted tablespace must not be possible as tablespace --echo # would be missing --error ER_TABLESPACE_MISSING CREATE TABLE tde_db.t_encrypt_4(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, c3 CHAR(255) Default 'No text', c4 JSON , c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, c7 POINT NOT NULL SRID 0, spatial INDEX idx2 (c7) ) TABLESPACE=encrypt_ts ENCRYPTION='Y' ENGINE = InnoDB; --echo # Creating table in unencrypted tablespace must be possible CREATE TABLE tde_db.t_non_encrypt_4(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, c3 CHAR(255) Default 'No text', c4 JSON , c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, c7 POINT NOT NULL SRID 0, spatial INDEX idx2 (c7) ) TABLESPACE=encrypt_ts1 ENGINE = InnoDB; INSERT INTO tde_db.t_non_encrypt_4(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_non_encrypt; SELECT COUNT(*) FROM tde_db.t_non_encrypt_4; --error ER_CANNOT_FIND_KEY_IN_KEYRING ALTER INSTANCE ROTATE INNODB MASTER KEY; --echo # Encrypted tables must not be accessible --error ER_CANNOT_FIND_KEY_IN_KEYRING SELECT COUNT(*) FROM tde_db.t_encrypt; --error ER_CANNOT_FIND_KEY_IN_KEYRING SELECT COUNT(*) FROM tde_db.t_encrypt_2; DROP TABLE tde_db.t_encrypt , tde_db.t_encrypt_2; DROP TABLE tde_db.t_non_encrypt , tde_db.t_non_encrypt_2 ,tde_db.t_non_encrypt_4; --echo ######################################################################### --echo # Test 3 : Restart, Uninstall and re-load plugin using command --echo # - All tables must be accessible --echo ######################################################################### let $restart_parameters = restart: --early-plugin-load="keyring_file=$KEYRING_PLUGIN" --loose-keyring_file_data=$MYSQL_TMP_DIR/mysecret_keyring $KEYRING_PLUGIN_OPT; --replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR $KEYRING_PLUGIN_OPT --plugin-dir=KEYRING_PLUGIN_PATH $KEYRING_PLUGIN keyring_file.so --source include/restart_mysqld_no_echo.inc SELECT PLUGIN_NAME,PLUGIN_VERSION,PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE plugin_name='keyring_file'; --echo # Initalize tables call tde_db.init_setup(); --echo # restart without --early-plugin-load (still need to provide with --echo # keyring_file_data otherwise it would point to default location which might be --echo # non-writable to mtr). Instead explicitly install plugin to access old table let $restart_parameters = restart: --loose-keyring_file_data=$MYSQL_TMP_DIR/mydummy_keyring; --replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR $KEYRING_PLUGIN_OPT --plugin-dir=KEYRING_PLUGIN_PATH $KEYRING_PLUGIN keyring_file.so --source include/restart_mysqld.inc --echo # Install keyring plugin --replace_regex /\.dll/.so/ --disable_warnings eval INSTALL PLUGIN keyring_file SONAME '$KEYRING_PLUGIN'; --enable_warnings --echo # Set keyring_file_data as old file so as to access old tables --replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR eval SET @@global.keyring_file_data='$MYSQL_TMP_DIR/mysecret_keyring'; --replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR SELECT @@global.keyring_file_data; --echo # All tables must be accessible SELECT COUNT(*) FROM tde_db.t_encrypt; SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; SELECT COUNT(*) FROM tde_db.t_non_encrypt; SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_non_encrypt LIMIT 10; SELECT COUNT(*) FROM tde_db.t_encrypt_2; SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt_2 LIMIT 10; SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_non_encrypt_2 LIMIT 10; --echo # Insert into old encrypted tables SELECT COUNT(*) FROM tde_db.t_encrypt_2; INSERT INTO tde_db.t_encrypt_2(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; SELECT COUNT(*) FROM tde_db.t_encrypt_2; --echo # Insert into old non encrypted tables SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; INSERT INTO tde_db.t_non_encrypt_2(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; --echo # Update into old encrypted tables UPDATE tde_db.t_encrypt_2 SET c2 = 1000 WHERE c2 = 1; SELECT COUNT(*) FROM tde_db.t_encrypt_2 WHERE c2 = 1000 ; --echo # Update into old non encrypted tables UPDATE tde_db.t_non_encrypt_2 SET c2 = 1000 WHERE c2 = 1; SELECT COUNT(*) FROM tde_db.t_non_encrypt_2 WHERE c2 = 1000 ; --echo # Delete from old encrypted tables DELETE FROM tde_db.t_encrypt_2 WHERE c2 = 1000 ; SELECT COUNT(*) FROM tde_db.t_encrypt_2 WHERE c2 = 1000 ; --echo # Delete from old non encrypted tables DELETE FROM tde_db.t_non_encrypt_2 WHERE c2 = 1000 ; SELECT COUNT(*) FROM tde_db.t_non_encrypt_2 WHERE c2 = 1000 ; --echo # Create new tables CREATE TABLE tde_db.t_encrypt_4(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, c3 CHAR(255) Default 'No text', c4 JSON , c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, c7 POINT NOT NULL SRID 0, spatial INDEX idx2 (c7) ) TABLESPACE=encrypt_ts ENCRYPTION='Y' ENGINE = InnoDB; CREATE TABLE tde_db.t_non_encrypt_4(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, c3 CHAR(255) Default 'No text', c4 JSON , c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, c7 POINT NOT NULL SRID 0, spatial INDEX idx2 (c7) ) TABLESPACE=encrypt_ts1 ENGINE = InnoDB; INSERT INTO tde_db.t_encrypt_4(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; INSERT INTO tde_db.t_non_encrypt_4(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; SELECT COUNT(*) FROM tde_db.t_encrypt_4; SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt_4 LIMIT 10; SELECT COUNT(*) FROM tde_db.t_non_encrypt_4; SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_non_encrypt_4 LIMIT 10; ALTER INSTANCE ROTATE INNODB MASTER KEY; SELECT COUNT(*) FROM tde_db.t_encrypt; SELECT COUNT(*) FROM tde_db.t_non_encrypt; SELECT COUNT(*) FROM tde_db.t_encrypt_2; SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; SELECT COUNT(*) FROM tde_db.t_encrypt_4; SELECT COUNT(*) FROM tde_db.t_non_encrypt_4; DROP TABLE tde_db.t_encrypt , tde_db.t_encrypt_2 , tde_db.t_encrypt_4; DROP TABLE tde_db.t_non_encrypt , tde_db.t_non_encrypt_2 , tde_db.t_non_encrypt_4; UNINSTALL PLUGIN keyring_file; #Once keyring plugin is uninstalled, we should still be able to use existing #tables in encrypted tablespaces as their keys are cached. That's why, even after #keyring plugin is uninstalled, we can do DMLs on encrypted tables and create #tables in encrypted tablespaces. CREATE TABLE tde_db.t_encrypt_4(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, c3 CHAR(255) Default 'No text', c4 JSON , c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, c7 POINT NOT NULL SRID 0, spatial INDEX idx2 (c7) ) TABLESPACE=encrypt_ts ENCRYPTION='Y' ENGINE = InnoDB; --error ER_CANNOT_FIND_KEY_IN_KEYRING ALTER INSTANCE ROTATE INNODB MASTER KEY; DROP TABLE tde_db.t_encrypt_4; --echo ######################################################################### --echo # Test 4 : Restart with new keyring_data_file --echo # - Old encrypted tables not accessible --echo # - Non encrypted tables accessible --echo # - Creation of new tables in encrypted/unencrypted tablespace --echo # is also posible --echo ######################################################################### --echo # restart with --early-plugin-load to load initial data let $restart_parameters = restart: --early-plugin-load="keyring_file=$KEYRING_PLUGIN" --loose-keyring_file_data=$MYSQL_TMP_DIR/mysecret_keyring $KEYRING_PLUGIN_OPT; --replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR $KEYRING_PLUGIN_OPT --plugin-dir=KEYRING_PLUGIN_PATH $KEYRING_PLUGIN keyring_file.so --source include/restart_mysqld.inc SELECT PLUGIN_NAME,PLUGIN_VERSION,PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE plugin_name='keyring_file'; --echo # init tables call tde_db.init_setup(); --echo # restart with with different keyring_file_data file let $restart_parameters = restart: --early-plugin-load="keyring_file=$KEYRING_PLUGIN" --loose-keyring_file_data=$MYSQL_TMP_DIR/mysecret_keyring_new $KEYRING_PLUGIN_OPT; --replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR $KEYRING_PLUGIN_OPT --plugin-dir=KEYRING_PLUGIN_PATH $KEYRING_PLUGIN keyring_file.so --source include/restart_mysqld.inc --echo # old encrypted tables not accessible --error ER_CANNOT_FIND_KEY_IN_KEYRING SELECT COUNT(*) FROM tde_db.t_encrypt; --error ER_CANNOT_FIND_KEY_IN_KEYRING SELECT COUNT(*) FROM tde_db.t_encrypt_2; --echo # NON encrypted tables accessible SELECT COUNT(*) FROM tde_db.t_non_encrypt; SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; --echo # new encrypted tablespace possible CREATE TABLESPACE encrypt_ts2 ADD DATAFILE 'encrypt_ts2.ibd' ENCRYPTION ='Y' ENGINE=InnoDB; --echo # new table in new encrypted tablespace possible CREATE TABLE tde_db.t_encrypt_4(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, c3 CHAR(255) Default 'No text', c4 JSON , c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, c7 POINT NOT NULL SRID 0, spatial INDEX idx2 (c7) ) TABLESPACE encrypt_ts2 ENCRYPTION='Y' ENGINE = InnoDB; --echo # new table in non encrypted tablespace possible CREATE TABLE tde_db.t_non_encrypt_4(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, c3 CHAR(255) Default 'No text', c4 JSON , c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, c7 POINT NOT NULL SRID 0, spatial INDEX idx2 (c7) ) TABLESPACE=encrypt_ts1 ENGINE = InnoDB; INSERT INTO tde_db.t_encrypt_4(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_non_encrypt; SELECT COUNT(*) FROM tde_db.t_encrypt_4; INSERT INTO tde_db.t_non_encrypt_4(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_non_encrypt; SELECT COUNT(*) FROM tde_db.t_non_encrypt_4; ALTER INSTANCE ROTATE INNODB MASTER KEY; --echo # Old encrypted tables in encrypted tablespace must not be accessible --error ER_CANNOT_FIND_KEY_IN_KEYRING SELECT COUNT(*) FROM tde_db.t_encrypt; --error ER_CANNOT_FIND_KEY_IN_KEYRING SELECT COUNT(*) FROM tde_db.t_encrypt_2; --echo # Old unencrypted table must be accessible SELECT COUNT(*) FROM tde_db.t_non_encrypt; SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; --echo # New encrypted tables must be accessible SELECT COUNT(*) FROM tde_db.t_encrypt_4; --echo # New unencrypted tables must be accessible SELECT COUNT(*) FROM tde_db.t_non_encrypt_4; --echo ########### --echo # CLEANUP # --echo ########### DROP TABLE tde_db.t_encrypt , tde_db.t_encrypt_2 ,tde_db.t_encrypt_4; DROP TABLE tde_db.t_non_encrypt , tde_db.t_non_encrypt_2 ,tde_db.t_non_encrypt_4; DROP DATABASE tde_db; DROP TABLESPACE encrypt_ts; DROP TABLESPACE encrypt_ts1; DROP TABLESPACE encrypt_ts2; remove_file $MYSQL_TMP_DIR/mydummy_keyring; remove_file $MYSQL_TMP_DIR/mysecret_keyring; remove_file $MYSQL_TMP_DIR/mysecret_keyring_new; --echo # Restarting server without keyring to restore server state let $restart_parameters = restart: ; --source include/restart_mysqld.inc