Bug #104599 is_boot parameter no longer needed for InnoDB TDE encryption
Submitted: 11 Aug 21:02 Modified: 12 Aug 3:25
Reporter: Marcelo Altmann (OCA) Email Updates:
Status: Verified Impact on me:
Category:MySQL Server: Security: Encryption Severity:S3 (Non-critical)
Version:8.0.26 OS:Any
Assigned to: CPU Architecture:Any
Tags: Contribution

[11 Aug 21:02] Marcelo Altmann
Before https://github.com/mysql/mysql-server/commit/9f51d4fb13b590715929988ab15a3f19ffd43ee6  InnoDB would encrypt redo/undo tablespaces using the default master key at boot time because server_uuid was not populated yet and later rotated with the actual master key.

Parameter  `bool is_boot` was required to choose between using the hardcoded default master key or ask the keyring for the current master key.

After changes from the above commit, is_boot is no longer used since we do not accept the default master_key and always ask the keyring to provide the master_key.

Also, create_new_db parameter from srv_undo_tablespaces_construct is no longer necessary.

How to repeat:
Inspect commit https://github.com/mysql/mysql-server/commit/9f51d4fb13b590715929988ab15a3f19ffd43ee6 for changes at Encryption::fill_encryption_info
[11 Aug 21:05] Marcelo Altmann
Patch generated based on tag mysql-8.0.26

(*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.

Contribution: bug_104599.patch (application/octet-stream, text), 20.10 KiB.

[12 Aug 3:25] MySQL Verification Team
Hello Marcelo,

Thank you for the report and contribution.