How To Enable InnoDB Tablespace Encryption For Table Using TDE
Copyright (c) 2020, Oracle. All rights reserved. Oracle Confidential.
How To Enable InnoDB Tablespace Encryption For a Table Using Transparent Data Encryption (TDE)? (Doc ID 2108269.1)
In this Document
Goal
Solution
Enable Keyring
Creating a New Table Using TDE
Encrypting an Existing Table Using TDE
References
APPLIES TO:
GOAL
Learn how to use Transparent Data Encryption (TDE) to encrypt an InnoDB table.
SOLUTION
Important: By its very nature, an encrypted table is more difficult to recover after corruption or a similar problem than
a non-encrypted table. For this reason it is even more important than usual to ensure you have current and
valid backups (ones that restore without errors) when you are using the TDE feature.
Before proceeding be sure to read the following references in order to learn about the prerequisites and limitations of using
TDE to encrypt InnoDB tables:
What Are the Prerequisites For Using MySQL Transparent Data Encryption (TDE)? (Doc ID 2108826.1)
What Are the Limitations of Transparent Data Encryption (TDE)? (Doc ID 2108828.1)
Doc ID 2108828.1 also includes some information about the implementation of TDE such as the encryption used.
The procedure to encrypt an InnoDB table depends on whether it is a new table or an existing table. Both cases are
covered below.
Enable Keyring
Before you can encrypt any tables, you need to enable a keyring. MySQL offers several keyrings to suit your requirements. For
instructions on how to install a keyring, please see Note 2494122.1.
Creating a New Table Using TDE
To create an encrypted table, use the ENCRYPTION='Y' option with CREATE TABLE:
mysql> CREATE TABLE t1 (id int unsigned NOT NULL PRIMARY KEY) ENGINE=InnoDB ENCRYPTION='Y'
TABLESPACE=innodb_file_per_table;
Query OK, 0 rows affected (0.03 sec)
Encrypting an Existing Table Using TDE
Encrypting an existing table is similar to creating a new one. The main difference is that you have to use ALTER TABLE instead
of CREATE TABLE, for example:
Enabling TDE for a table requires rebuilding the table, i.e. ALGORITHM=COPY will be used.
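The steps above for an existing table, written out as an added example (not part of the original note): check the keyring, find unencrypted tables, rebuild one with encryption, and verify the result. The schema appdb and table customers are hypothetical names, and the keyring check assumes a keyring plugin rather than a keyring component.

```sql
-- Added example. `appdb` and `customers` are hypothetical names.
-- Assumption: the keyring is a plugin (for example keyring_file);
-- keyring components are not listed in INFORMATION_SCHEMA.PLUGINS.

-- 1. Confirm that a keyring plugin is loaded and ACTIVE. Without one,
--    the ALTER TABLE in step 3 fails with ERROR 3185 (see NOTE:2106923.1).
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM INFORMATION_SCHEMA.PLUGINS
 WHERE PLUGIN_NAME LIKE 'keyring%';

-- 2. List the InnoDB tables in the schema that are not encrypted.
--    CREATE_OPTIONS holds ENCRYPTION="Y" or ENCRYPTION='Y' depending on
--    the server version; the _ wildcards match either quote character.
--    Tables explicitly set to ENCRYPTION='N' are also returned.
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
  FROM INFORMATION_SCHEMA.TABLES
 WHERE TABLE_SCHEMA = 'appdb'
   AND ENGINE = 'InnoDB'
   AND (CREATE_OPTIONS IS NULL
        OR CREATE_OPTIONS NOT LIKE '%ENCRYPTION=_Y_%');

-- 3. Encrypt the existing table. The table is rebuilt, so the COPY
--    algorithm is stated explicitly. Take and test a backup first.
ALTER TABLE appdb.customers ENCRYPTION='Y', ALGORITHM=COPY;

-- 4. Verify that the table now reports the ENCRYPTION option.
--    An empty result means the table is not encrypted.
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
  FROM INFORMATION_SCHEMA.TABLES
 WHERE TABLE_SCHEMA = 'appdb'
   AND TABLE_NAME = 'customers'
   AND CREATE_OPTIONS LIKE '%ENCRYPTION=_Y_%';
```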
REFERENCES
NOTE:2107777.1 - What Is the Performance Overhead of Using InnoDB Encrypted Tablespace/Transparent Data Encryption (TDE)?
NOTE:2108746.1 - How To Identify Tables That Uses Transparent Data Encryption (TDE)?
NOTE:2494122.1 - How to Enable a Keyring for Use with Transparent Data Encryption (TDE), Encrypted Redo/Undo/Binary Logs, and Other Encryption Features?
https://dev.mysql.com/doc/refman/en/create-table.html
https://dev.mysql.com/doc/refman/en/alter-table.html
https://dev.mysql.com/doc/refman/en/innodb-tablespace-encryption.html
NOTE:2108270.1 - How To Disable InnoDB Tablespace Encryption For a Table Using Transparent Data Encryption (TDE)?
NOTE:2108826.1 - What Are the Prerequisites For Using MySQL Transparent Data Encryption (TDE)?
NOTE:2132982.1 - How To Verify a Table Is Encrypted Using Transparent Data Encryption (TDE) and How To Test With the Table?
NOTE:2120572.1 - Master Note For Oracle Key Vault
NOTE:2108828.1 - What Are the Limitations of Transparent Data Encryption (TDE)?
NOTE:2106923.1 - Using the keyring_file Plugin: Creating Encrypted InnoDB Table - ENCRYPTION = 'Y' - Fails With: "ERROR 3185 (HY000): Can't find master key from keyring, please check keyring plugin is loaded."