MySQL Enterprise Encryption lets you limit keys to a length that provides adequate security for your requirements while balancing this with resource usage. You can also configure the functions provided by the component_enterprise_encryption
component from MySQL 8.0.30, to support decryption and verification for content produced by the legacy openssl_udf
shared library functions.
By default, the functions provided by the component_enterprise_encryption
component from MySQL 8.0.30 do not decrypt encrypted text, or verify signatures, that were produced by the legacy functions provided in earlier releases by the openssl_udf
shared library. The component functions assume that encrypted text uses the RSAES-OAEP padding scheme, and signatures use the RSASSA-PSS signature scheme. However, encrypted text produced by the legacy functions uses the RSAES-PKCS1-v1_5 padding scheme, and signatures produced by the legacy functions use the RSASSA-PKCS1-v1_5 signature scheme.
If you want the component functions to support content produced by the legacy functions before MySQL 8.0.30, set the component’s system variable enterprise_encryption.rsa_support_legacy_padding
to ON
. The system variable is available when the component is installed. When you set it to ON
, the component functions first attempt to decrypt or verify content assuming it has their normal schemes. If that does not work, they also attempt to decrypt or verify the content assuming it has the schemes used by the legacy functions. This behavior is not the default because it increases the time taken to process content that cannot be decrypted or verified at all. If you are not handling content produced by the legacy functions, leave the system variable to default to OFF
.
The amount of CPU resources required by MySQL Enterprise Encryption's key generation functions increases as the key length increases. For some installations, this might result in unacceptable CPU usage if applications frequently generate excessively long keys.
OpenSSL specifies a minimum key length of 1024 bits for all keys. OpenSSL also specifies a maximum key length of 16384 bits for RSA keys, 10000 bits for DSA keys, and 10000 bits for DH keys.
From MySQL 8.0.30, the functions provided by the component_enterprise_encryption
component have a higher minimum key length of 2048 bits for RSA keys, which is in line with current best practice for minimum key lengths. The component's system variable enterprise_encryption.maximum_rsa_key_size
specifies the maximum key size, and it defaults to 4096 bits. You can change this to allow keys up to the maximum length allowed by OpenSSL, 16384 bits.
For releases before MySQL 8.0.30, the legacy functions provided by the openssl_udf
shared library default to OpenSSL's minimum and maximum limits. If the maximum values are too high, you can specify a lower maximum key length using the following system variables:
-
MYSQL_OPENSSL_UDF_DSA_BITS_THRESHOLD
: Maximum DSA key length in bits forcreate_asymmetric_priv_key()
. The minimum and maximum values for this variable are 1024 and 10000. -
MYSQL_OPENSSL_UDF_RSA_BITS_THRESHOLD
: Maximum RSA key length in bits forcreate_asymmetric_priv_key()
. The minimum and maximum values for this variable are 1024 and 16384. -
MYSQL_OPENSSL_UDF_DH_BITS_THRESHOLD
: Maximum key length in bits forcreate_dh_parameters()
. The minimum and maximum values for this variable are 1024 and 10000.
To use any of these environment variables, set them in the environment of the process that starts the server. If set, their values take precedence over the maximum key lengths imposed by OpenSSL. For example, to set a maximum key length of 4096 bits for DSA and RSA keys for create_asymmetric_priv_key()
, set these variables:
export MYSQL_OPENSSL_UDF_DSA_BITS_THRESHOLD=4096
export MYSQL_OPENSSL_UDF_RSA_BITS_THRESHOLD=4096
The example uses Bourne shell syntax. The syntax for other shells may differ.