ORACLE NEW PLUGGABLE DATABASE CREATION

I> Login to DB server and sudo to oracle.

                    SQL> ssh pestlinux3
          SQL> sudo su – oracle

I> Go to container datadir path and create pluggable DB directory.

                    SQL> cd /databases/oradata/ORA121
          SQL> mkdir Tertio8Demo

I> Login to DB as sysdba user and make sure it’s a container Database.

                    SQL>  sqlplus / as sysdba
             SQL> show con_name;

I> Execute following command to create a pluggable database Tertio8Demo.

CREATE PLUGGABLE DATABASE Tertio8Demo ADMIN USER tertio8db identified by "tertio8db"

DEFAULT TABLESPACE USERS

DATAFILE '/databases/oradata/ORA121/Tertio8Demo/Tertio8Demo_01.dbf'

SIZE 250M AUTOEXTEND ON;

I> Execute following command to check pluggable database has been created.

                 SQL> select con_id,name,open_mode from v$Pdbs;

I> Alter pluggable database to open mode.

                 SQL> alter pluggable database Tertio8Demo open;

I> Check the status.

                 SQL> select con_id,name,open_mode from v$pdbs;

I> Change the container DB to pluggable Database.

                 SQL> alter session set container=Tertio8Demo;
         SQL> show con_name;

I> Add tns entry in tnsnames.ora file.

Tertio8Demo =

  (DESCRIPTION =

    (ADDRESS_LIST =

      (ADDRESS = (PROTOCOL = TCP)(HOST = pestlinux3)(PORT = 1521))

    )

    (CONNECT_DATA =

      (SERVICE_NAME = Tertio8Demo)

    )

  )

MySQL Upgrade Checklist

Standalone DB Instance Upgrade Checklist :

1) Querying system configuration ( GLOBAL_VARIABLES, SESSION_VATIABLES ) & system status ( GLOBAL_STATUS, SESSION_STATUS ) tables from information_schema has to be changed to performance_schema. 

The INFORMATION_SCHEMA has tables that contain system and status variable information. As of MySQL 5.7.6, the Performance Schema also contains system and status variable tables. The Performance Schema tables are intended to replace theINFORMATION_SCHEMA tables, which are deprecated as of MySQL 5.7.6 and will be removed in a future MySQL release.

Reference : https://dev.mysql.com/doc/refman/5.7/en/performance-schema-variable-table-migration.html

2) As of MySQL 5.7.6, for Linux systems on which MySQL is installed using RPM packages, server startup and shutdown now is managed using systemd rather than mysqld_safe, and mysqld_safe is not installed. This may require some adjustment to the manner in which you specify server options. 

Reference : https://dev.mysql.com/doc/refman/5.7/en/using-systemd.html

3) The location of mysql_install_db becomes less material as of MySQL 5.7.6 because as of that version it is deprecated in favor of mysqld --initialize (or mysqld --initialize-insecure). 

In MySQL 5.7.5, the executable binary version of mysql_install_db is located in the bin installation directory, whereas the Perl version was located in the scripts installation directory. For upgrades from an older version of MySQL, you may find a version in both directories. To avoid confusion, remove the version in the scripts directory. For fresh installations of MySQL 5.7.5 or later, mysql_install_db is only found in the bin directory, and the scripts directory is no longer present.

Reference :  https://dev.mysql.com/doc/refman/5.7/en/data-directory-initialization-mysqld.html

4) Strict SQL mode for transnational storage engines (STRICT_TRANS_TABLES) is now enabled by default. The changes to the default SQL mode result in a default sql_mode system variable value with these modes enabled:ONLY_FULL_GROUP_BY, STRICT_TRANS_TABLES, NO_ENGINE_SUBSTITUTION.

5) The Password column of the mysql.user table was removed in MySQL 5.7.6. All credentials are stored in the authentication_string column, including those formerly stored in the Password column.

6) As of MySQL 5.7.5, support for passwords that use the older pre-4.1 password hashing format is removed. Applications that use any feature no longer supported must be modified.

For the old_passwords system variable, a value of 1 (produce pre-4.1 hash values) is no longer permitted.

The --secure-auth option to the server and client programs is the default, but is now a no-op. It is deprecated and will be removed in a future MySQL release.

The --skip-secure-auth option to the server and client programs is no longer supported and using it produces an error.

The secure_auth system variable permits only a value of 1; a value of 0 is no longer permitted.

The OLD_PASSWORD() function is removed.

7) In MySQL 5.6.6, the YEAR(2) data type was deprecated. In MySQL 5.7.5, support for YEAR(2) is removed. 

8) Upgrade temporal columns as part of MySQL Upgrade.

As of MySQL 5.7.7, CHECK TABLE ... FOR UPGRADE reports a table as needing a rebuild if it contains old temporal columns in pre-5.6.4 format (TIME, DATETIME, and TIMESTAMP columns without support for fractional seconds precision) and theavoid_temporal_upgrade system variable is disabled. This helps mysql_upgrade to detect and upgrade tables containing old temporal columns. If avoid_temporal_upgrade is enabled, FOR UPGRADE ignores the old temporal columns present in the table; consequently, mysql_upgrade does not upgrade them.

9)  As of MySQL 5.7.2, the server requires account rows in the mysql.user table to have a nonempty plugincolumn value and disables accounts with an empty value.

10) It is possible for a column DEFAULT value to be valid for the sql_mode value at table-creation time but invalid for the sql_mode value when rows are inserted or updated.

Reference : https://dev.mysql.com/doc/refman/5.7/en/upgrading-from-previous-series.html

11) Several changes were made to the audit log plugin for better compatibility with Oracle Audit Vault. For upgrading purpose, the main issue is that the default format of the audit log file has changed.

If you previously used an older version of the audit log plugin, use this procedure to avoid writing new-format log entries to an existing log file that contains old-format entries:

1. Stop the server.
2. Rename the current audit log file manually. This file will contain only old-format log entries.
3. Update the server and restart it. The audit log plugin will create a new log file, which will contain only new-format log entries.

12) To simplify InnoDB tablespace discovery during crash recovery, new redo log record types were introduced in MySQL 5.7.5. This enhancement changes the redo log format. Before performing an in-place upgrade, perform a clean shutdown using an innodb_fast_shutdown setting of 0 or 1. A slow shutdown using innodb_fast_shutdown=0 is a recommended.

13) As of MySQL 5.7.9, the redo log header of the first redo log file (ib_logfile0) includes a format version identifier and a text string that identifies the MySQL version that created the redo log files. This enhancement changes the redo log format, requiring that MySQL be shutdown cleanly useing innodb_fast_shutdown=0.

14) In MySQL 5.7.9, DYNAMIC replaces COMPACT as the implicit default row format for InnoDB tables. A new configuration option,innodb_default_row_format, specifies the default InnoDB row format.

After upgrading to 5.7.9, any new tables that you create will use the row format defined by innodb_default_row_format unless you explicitly define a row format (ROW_FORMAT).
For existing tables that do not explicitly define a ROW_FORMAT option or that use ROW_FORMAT=DEFAULT, any operation that rebuilds a table also silently changes the row format of the table to the format defined by innodb_default_row_format. Otherwise, existing tables retain their current row format setting.

15) Need to understand about the optimizer changes from SQL Changes part of the document : https://dev.mysql.com/doc/refman/5.7/en/upgrading-from-previous-series.html

16) In MySQL 5.7 memory allocation for Performance Schema buffers doesn’t happen at server start-up but is instead based on the actual runtime requirement.

Reference : http://mysqlserverteam.com/new-in-mysql-5-7-performance-schema-scalable-memory-allocation/

17) SHOW ENGINE INNODB MUTEX output is removed. Comparable information can be generated by creating views on Performance Schema tables.

18) The InnoDB Tablespace Monitor and InnoDB Table Monitor are removed. For the Table Monitor, equivalent information can be obtained from InnoDB INFORMATION_SCHEMA tables.

19) The innodb_use_sys_malloc and innodb_additional_mem_pool_size system variables, which were deprecated in MySQL 5.6.3, were removed.

Reference : https://dev.mysql.com/doc/refman/5.7/en/mysql-nutshell.html#mysql-nutshell-removals

20) log-warnings: Log some noncritical warnings to the log file. Deprecated in MySQL 5.7.2.

21) log_backward_compatible_user_definitions: Whether to log CREATE/ALTER USER, GRANT in backward-compatible fashion. Removed in MySQL 5.7.9.

22) thread_concurrency: Permits the application to give the threads system a hint for the desired number of threads that should be run at the same time. Removed in MySQL 5.7.2.

23) mysql_upgrade should not be used when the server is running with --gtid-mode=ON. See GTID mode and mysql_upgrade for more information.

24) If you have created a user-defined function (UDF) with a given name and upgrade MySQL to a version that implements a new built-in function with the same name, the UDF becomes inaccessible. To correct this, use DROP FUNCTION to drop the UDF, and then use CREATE FUNCTION to re-create the UDF with a different nonconflicting name. 

Features Added in MySQL 5.7 :

2) MySQL now enables database administrators to establish a policy for automatic password expiration: Any user who connects to the server using an account for which the password is past its permitted lifetime must change the password. For more information, see Section 6.3.7, “Password Management”.

3) Administrators can lock and unlock accounts for better control over who can log in. For more information, see Section 6.3.11, “User Account Locking”.

4) To make it easier to support secure connections, MySQL servers compiled using OpenSSL can automatically generate missing SSL and RSA certificate and key files at startup. See Section 6.4.3.1, “Creating SSL and RSA Certificates and Keys using MySQL”. MySQL distributions include a mysql_ssl_rsa_setup utility that can be invoked manually to create SSL and RSA key and certificate files. For more information, see Section 4.4.5, “mysql_ssl_rsa_setup — Create SSL/RSA Files”.

5) Online ALTER TABLE.  ALTER TABLE now supports a RENAME INDEX clause that renames an index. The change is made in place without a table-copy operation. It works for all storage engines. 

6) InnoDB temporary table metadata is no longer stored to InnoDB system tables. Instead, a new table,INNODB_TEMP_TABLE_INFO, provides users with a snapshot of active temporary tables. The table contains metadata and reports on all user and system-created temporary tables that are active within a given InnoDB instance. The table is created when the first SELECT statement is run against it.

7) There is now a separate tablespace for all non-compressed InnoDB temporary tables. The new tablespace is always recreated on server startup and is located in DATADIR by default. A newly added configuration file option,innodb_temp_data_file_path, allows for a user-defined temporary data file path.

8) A new type of non-redo undo log for both normal and compressed temporary tables and related objects now resides in the temporary tablespace. For more information, see Section 14.4.12.1, “Temporary Table Undo Logs”.

9) Support is added to InnoDB for full-text parser plugins. For information about full-text parser plugins, see Full-Text Parser Plugins and Section 28.2.4.4, “Writing Full-Text Parser Plugins”.

10) InnoDB supports multiple page cleaner threads for flushing dirty pages from buffer pool instances. A new system variable,innodb_page_cleaners, is used to specify the number of page cleaner threads. The default value of 1 maintains the previous configuration in which there is a single page cleaner thread.  Multi-threaded page cleaner support (innodb_page_cleaners) is extended to shutdown and recovery phases.

11) InnoDB supports the Transportable Tablespace feature for partitioned InnoDB tables and individual InnoDB table partitions. This enhancement eases backup procedures for partitioned tables and enables copying of partitioned tables and individual table partitions between MySQL instances.

12) The innodb_buffer_pool_size parameter is dynamic, allowing you to resize the buffer pool without restarting the server. The resizing operation, which involves moving pages to a new location in memory, is performed in chunks. Chunk size is configurable using the new innodb_buffer_pool_chunk_size configuration option. You can monitor resizing progress using the new Innodb_buffer_pool_resize_status status variable. For more information, see Configuring InnoDB Buffer Pool Size Online.

13) InnoDB performs a bulk load when creating or rebuilding indexes. This method of index creation is known as a “sorted index build”. This enhancement, which improves the efficiency of index creation, also applies to full-text indexes. A new global configuration option, innodb_fill_factor, defines the percentage of space on each page that is filled with data during a sorted index build, with the remaining space reserved for future index growth. For more information, see Section 14.8.2.3, “Sorted Index Builds”.

14) You can truncate undo logs that reside in undo tablespaces. This feature is enabled using the innodb_undo_log_truncateconfiguration option. For more information, see Section 14.7.8, “Truncating Undo Tablespaces”.

15) InnoDB supports native partitioning. Previously, InnoDB relied on the ha_partition handler, which creates a handler object for each partition. With native partitioning, a partitioned InnoDB table uses a single partition-aware handler object. This enhancement reduces the amount of memory required for partitioned InnoDB tables.

16) DYNAMIC replaces COMPACT as the implicit default row format for InnoDB tables. A new configuration option,innodb_default_row_format, specifies the default InnoDB row format. For more information, see Section 14.11.2, “Specifying the Row Format for a Table”.

17) JSON support.  Beginning with MySQL 5.7.8, MySQL supports a native JSON type. JSON values are not stored as strings, instead using an internal binary format that permits quick read access to document elements. 

18) EXPLAIN can be used to obtain the execution plan for an explainable statement executing in a named connection. For more information, see Section 8.8.4, “Obtaining Execution Plan Information for a Named Connection”.

19) Triggers.  Previously, a table could have at most one trigger for each combination of trigger event (INSERT, UPDATE, DELETE) and action time (BEFORE, AFTER). This limitation has been lifted and multiple triggers are permitted. For more information, seeSection 23.3, “Using Triggers”.

20) Generated Columns.  MySQL now supports the specification of generated columns in CREATE TABLE and ALTER TABLEstatements. 

21) Database name rewriting with mysqlbinlog.  Renaming of databases by mysqlbinlog when reading from binary logs written using the row-based format is now supported using the --rewrite-db option added in MySQL 5.7.1.

22) Multi-source replication is now possible.  MySQL Multi-Source Replication adds the ability to replicate from multiple masters to a slave. MySQL Multi-Source Replication topologies can be used to back up multiple servers to a single server, to merge table shards, and consolidate data from multiple servers to a single server. 

23) The CREATE USER statement now supports an IF NOT EXISTS clause that causes the statement to produce a warning for each named account that already exists, rather than an error. The ALTER USER and DROP USER statements now support an IF EXISTSclause that cause the statements to produce a warning for each named account that does not exist, rather than an error. For details, see CREATE USER Syntax, ALTER USER Syntax, and DROP USER Syntax.

24) The maximum length of MySQL user names has been increased from 16 to 32 characters, which provides greater flexibility in choosing the user name part of MySQL account names. 

25) A new client program, mysqlpump, provides an alternative to mysqldump.
26) Previously, MySQL supported only the TLSv1 protocol for encrypting connections. TLS support is now extended to enable a higher level of connection encryption:

• When compiled using OpenSSL 1.0.1 or higher, MySQL supports the TLSv1, TLSv1.1, and TLSv1.2 protocols.
• When compiled using the bundled version of yaSSL, MySQL supports the TLSv1 and TLSv1.1 protocols.

27) During data directory initialization or upgrade, MySQL now creates a 'mysql.session'@'localhost' reserved account. This account is used internally by plugins to access the server. It is locked so that it cannot be used for client connections.

27) MySQL Enterprise Edition now supports LDAP pluggable authentication of MySQL users. This enables MySQL Server to use LDAP (Lightweight Directory Access Protocol) to authenticate MySQL users by accessing directory services such as X.500. For more information, see Pluggable Authentication.

28) MySQL Enterprise Edition now includes a keyring_aws plugin that communicates with the Amazon Web Services Key Management Service as a back end for key generation and uses a local file for key storage. For more information, see The MySQL Keyring.
29) Replication: The group_replication_transaction_size_limit variable was added to enable you to protect a group against large transactions causing a failure. (Bug #84785, Bug #25510757)

30) Replication: Group Replication now supports SAVEPOINT SQL transactions.

Features Deprecated in MySQL 5.7

1) Using GRANT to create users. Instead, use CREATE USER. Following this practice makes the NO_AUTO_CREATE_USER SQL mode immaterial for GRANT statements, so it too is deprecated.

2) IDENTIFIED BY PASSWORD 'hash_string' syntax for CREATE USER and GRANT. Instead, use IDENTIFIED WITHauth_plugin AS 'hash_string' for CREATE USER and ALTER USER, where the 'hash_string' value is in a format compatible with the named plugin.

3) The PASSWORD() function is deprecated and should be avoided in any context. Thus, SET PASSWORD ... = PASSWORD('auth_string') syntax is also deprecated. SET PASSWORD ... = 'auth_string' syntax is not deprecated; nevertheless, ALTER USER is now the preferred statement for assigning passwords.

4) The query cache is deprecated. Deprecation includes these items:

• The FLUSH QUERY CACHE and RESET QUERY CACHE statements.
• The SQL_CACHE and SQL_NO_CACHE SELECT modifiers.
• These system variables: have_query_cache, ndb_cache_check_time, query_cache_limit, query_cache_min_res_unit,query_cache_size, query_cache_type, query_cache_wlock_invalidate.
• These status variables: Qcache_free_blocks, Qcache_free_memory, Qcache_hits, Qcache_inserts,Qcache_lowmem_prunes, Qcache_not_cached, Qcache_queries_in_cache, Qcache_total_blocks.

5) The global character_set_database and collation_database system variables are deprecated and will be removed in a future version of MySQL.

6) The global scope for the sql_log_bin system variable has been deprecated, and this variable can now be set with session scope only. The statement SET GLOBAL SQL_LOG_BIN now produces an error. It remains possible to read the global value ofsql_log_bin, but doing so produces a warning. You should act now to remove from your applications any dependencies on reading this value; the global scope sql_log_bin is removed in MySQL 8.0.

7) GROUP BY implicitly sorts by default (that is, in the absence of ASC or DESC designators), but relying on implicit GROUP BY sorting in MySQL 5.7 is deprecated. To achieve a specific sort order of grouped results, it is preferable to use To produce a given sort order, use explicit ASC or DESC designators for GROUP BY columns or provide an ORDER BY clause. GROUP BY sorting is a MySQL extension that may change in a future release; for example, to make it possible for the optimizer to order groupings in whatever manner it deems most efficient and to avoid the sorting overhead.

8) The ENCRYPT(), ENCODE(), DECODE(), DES_ENCRYPT(), and DES_DECRYPT() encryption functions are deprecated. Consider usingAES_ENCRYPT() and AES_DECRYPT() instead. The --des-key-file option, the have_crypt system variable, the DES_KEY_FILEoption for the FLUSH statement, and the HAVE_CRYPT CMake option also are deprecated.

9) The INFORMATION_SCHEMA INNODB_LOCKS and INNODB_LOCK_WAITS tables are deprecated, to be removed in MySQL 8.0, which provides replacement Performance Schema tables.

10) Treatment of \N as a synonym for NULL in SQL statements is deprecated and is removed in MySQL 8.0; use NULL instead.

11) PROCEDURE ANALYSE() syntax is deprecated.

12) The mysql_plugin utility is deprecated. Alternatives include loading plugins at server startup using the --plugin-load or --plugin-load-add option, or at runtime using the INSTALL PLUGIN statement.

13) For RPM-based packages, the permissions used to create the data directory (/var/lib/mysql) have been changed from 755 to 751. 

14) With the introduction of the data dictionary in MySQL 8.0, the --ignore-db-dir option and ignore_db_dirs system variable became superfluous and were removed in that version. Consequently, they are now deprecated in MySQL 5.7.

15) The --ledir option now is accepted only on the command line, not in option files.

16) InnoDB: The innodb_undo_logs configuration option is deprecated and will be removed in a future release. Theinnodb_rollback_segments configuration option performs the same function and should be used instead.

Features Removed in MySQL 5.7

https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-9.html
https://dev.mysql.com/doc/refman/5.7/en/mysql-nutshell.htmlhttps://dev.mysql.com/doc/relnotes/mysql/5.7/en/
https://dev.mysql.com/doc/refman/5.7/en/upgrading-from-previous-series.htm

TDE

Introduction

• Enables data-at-rest encryption by encrypting the physical files of the database.
• Data is encrypted automatically in real time prior to writing it to disk and decrypted when reading from disk.
• No Changes in code is required and users/applications can continue to access data without any changes.
• It works only when Innodb file per table is enabled and also system tablespaces are never encrypted.

Architecture

It uses a two tier encryption key architecture, consisting of a master encryption key and tablespace keys. 

When an Innodb table is encrypted,a tablespace key is generated using the master encryption key and it is stored in the tablespace header.

When data is accessed from the encrypted table,Innodb uses master encryption key to decrypt the tablespace key.

The decrypted version of tablespace key never changes and master key can be changed as and when required.

Why two keys ?

Whenever a  key is compromised or key needs to be changed,all the encrypted innodb tables needs to be altered to understand new encryption key. This is very slow and table will be locked during the alter operation  which is logically a downtime.

To avoid altering all the encrypted tables, a tablespace key is maintained in tablespace header which is generated from master key.The decrypted version of the tablespace key is always constant even when the master key is changed. Thus it maintains two keys(two tier encryption) to avoid altering all the encrypted Innodb tables.

How does data is encrypted ?

Innodb uses

i) ECB(Electronic Codebook) for tablespace key encryption.

ii) CBC(Cipher Block Chaining ) for data encryption.

Data is encrypted only on disk and not on Network. On network data will be in clear text format. To enbale encryption of data across the network,TLS/SSL needs to be configured.

How to configure TDE on the mysql instance ?

Mysql provides tablespace encryption with the help of keyring plugin. There are dfferent varients of keyring plugin in terms of securing the key.

plugin name	where does it stores key	availability
keyring_file	stores keyring data in a file local to the server host	available in all MySQL distributions, Community Edition and Enterprise Edition 5.7.11 and later
keyring_encrypted_file	stores keyring data in an encrypted file local to the server host.	MySQL Enterprise Edition distributions 5.7.20 and later.
keyring_okv	a KMIP 1.1 plugin for use with KMIP-compatible back end keyring storage products such as Oracle Key Vault	MySQL Enterprise Edition distributions 5.7.12 and later.
keyring_aws	communicates with the Amazon Web Services Key Management Service for key generation and uses a local file for key storage	MySQL Enterprise Edition distributions 5.7.19 and later.
keyring_udf	SQL interface for keyring key management implemented as set of UDF's	available in all MySQL distributions, Community Edition and Enterprise Edition 5.7.13 and later

Installing plugin:

When the instance is started, Innodb tries to read tablespace information of all the databases that are present.

• If the tablespace is encrypted,and the plugin is not initialized early, it will be unable to decrypt the datafile which was encrypted to apply the redo logs. To avoid such errors, it is always good to initialize the plugin using early-plugin-load option.
• Once the plugin is loaded, it checks for the master key and its location depends on the type of plugin being loaded.
  • keyring_file checks for file on the local storage (by default: /usr/local/mysql/keyring/keyring)
  • keyring_okv checks for directory that contains ssl certs and okvclient.ora (by default: /usr/local/mysql/mysql-keyring-okv )

Thus depending on the plugin being loaded, 2 variables needs to be defined in my.cnf file.

For keyring_file plugin

early-plugin-load=keyring_file.so
keyring_file_data=/usr/local/mysql/mysql-keyring/keyring

For keyring_okv plugin

early-plugin-load=keyring_okv.so
keyring_okv_conf_dir=/usr/local/mysql/mysql-keyring-okv

*** steps needs to be added for configuring Oracle keyvault.

Enabling and Disabling InnoDB Tablespace Encryption

To enable tablespace encryption,

Tables needs to be specified with 'ENCRYPTION' option while creation. (ex: ENCRYPTION='Y' )

For existing tables to enable encryption, tables can be altered by specifying 'ENCRYPTION' option ( ex: alter table <table_name> ENCRYPTION='Y'; )

To disable encryption, use 'ENCRYPTION=N' while creation or alter of the table.

mysql> create table t1(id int,name varchar(20)) encryption='Y'; Query OK, 0 rows affected (0.29 sec) mysql> ALTER TABLE t1 ENCRYPTION='N'; Query OK, 3 rows affected (0.59 sec) Records: 3  Duplicates: 0  Warnings: 0 mysql> ALTER TABLE t1 ENCRYPTION='Y'; Query OK, 3 rows affected (0.67 sec) Records: 3  Duplicates: 0  Warnings: 0

Using TTS for Encrypted Tablespaces:

TTS can be used for encrypted tablespaces with a limitation that

An Encrypted tablespace can be imported only to another encrypted tablespace. It cannot be imported to a tablespace/instance that doesn't support encryption.

When the command flush table <table> for export is issued, a file named <table_space>.cfp is created(transfer key). This transfer key is used decrypt tablespace key.

Tablespace cannot be imported to other instance without this transfer key.

On 1st Instance: mysql> select * from t1; +------+---------+ | id   | name    | +------+---------+ |    1 | test1   | |   10 | test10  | |  100 | test100 | +------+---------+ 3 rows in set (0.00 sec) mysql> show create table t1\G *************************** 1. row ***************************        Table: t1 Create Table: CREATE TABLE `t1` (   `id` int(11) DEFAULT NULL,   `name` varchar(20) COLLATE utf8mb4_bin DEFAULT NULL ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_bin ENCRYPTION='Y' 1 row in set (0.00 sec) mysql> flush tables t1 for export; Query OK, 0 rows affected (0.01 sec) [vgurram@localhost encrypt]$ ls db.opt  t1.cfg  t1.cfp  t1.frm  t1.ibd

Now, Copying the files to the second instance and importing the ibd files on second database instance.

mysql> use encrypt; Database changed mysql> CREATE TABLE `t1` (     ->   `id` int(11) DEFAULT NULL,     ->   `name` varchar(20) COLLATE utf8mb4_bin DEFAULT NULL     -> ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_bin ENCRYPTION='Y'; Query OK, 0 rows affected (0.32 sec) mysql> alter table t1 discard tablespace; Query OK, 0 rows affected (0.13 sec) [vgurram@localhost encrypt]$ pwd /home/vgurram/test_57/data/encrypt [vgurram@localhost encrypt]$ cp t1.cfg t1.cfp t1.ibd /home/vgurram/mysql_57/data/encrypt/. mysql> alter table t1 import tablespace; Query OK, 0 rows affected (0.47 sec) mysql> select * from t1; +------+---------+ | id   | name    | +------+---------+ |    1 | test1   | |   10 | test10  | |  100 | test100 | +------+---------+ 3 rows in set (0.00 sec)

Once the files are copied to the second instance or backup has been taken, run the unlock tables command on the first instance to release the lock.
This will automatically delete the .cfp and .cfg files as well.

On 1st Instance mysql> unlock tables; Query OK, 0 rows affected (0.00 sec)

Identifying Tables that Use InnoDB Tablespace Encryption

Tables that use Encryption can be identified by using below command

mysql> SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES        WHERE CREATE_OPTIONS LIKE '%ENCRYPTION="Y"%'; +--------------+------------+----------------+ | TABLE_SCHEMA | TABLE_NAME | CREATE_OPTIONS | +--------------+------------+----------------+ | encrypt      | t1         | ENCRYPTION="Y" | +--------------+------------+----------------+

Master key rotation:

Master key can be rotated periodically or whenever the key gets compromised.

This key file rotation is atomic and instance level operation.

Whenever master key is rotated,all tablespace keys in the MySQL instance are re-encrypted and saved back to their respective tablespace headers.

If this re-encryption is interrupted by server failure in between,InnoDB rolls the operation forward on server restart.

Rotating the master encryption key requires the SUPER privilege.

To rotate the master encryption key, run:

mysql> ALTER INSTANCE ROTATE INNODB MASTER KEY;

Limitations of Tablespace Encryption

• If master key ring file is lost, it is impossible to recover data from the Innodb tablespace.
• Altering the table to enable encryption uses "COPY" algorithm instead of "INPLACE"
• Direct migration of plugins from keyring_file to keyring_okv and viceversa is NOT supported.
• Cannot copy encrypted tablespace to another un-encrypted tablespace.