# Advanced encryption key rotation

!!! important

    This feature, and associated system variables, status variables, and options have been removed in Percona Server for MySQL 8.0.31-23.

The Advanced Encryption Key Rotation feature lets you perform specific encryption and decryption tasks in real time.

The following table explains the benefits of Advanced Encryption Key Rotation:

| Advanced Encryption Key Rotation | Master Key Encryption |
|----------------------------------|-----------------------|
| Encrypts any existing tablespaces in a single operation. Advanced Encryption Key Rotation allows encryption to be applied to all or selected existing tablespaces. You can exclude tablespaces. | Encrypts each existing tablespace as a separate operation. |
| Encrypts tables with a key from a keyring. | Encrypts tables with a key that is then stored in the encryption header of the tablespace. |
| Re-encrypts each tablespace page by page when the key is rotated. | Re-encrypts only the tablespace encryption header when the key is rotated. |

If you enable Advanced Encryption Key Rotation with a Master key encrypted tablespace, the tablespace is re-encrypted with the keyring key in a background process.

If the Advanced Encryption Key Rotation feature is enabled, you cannot convert a tablespace to use Master key encryption. You must disable the feature before you convert the tablespace.

**This feature is in tech preview.**

You must have the `SYSTEM_VARIABLES_ADMIN` privilege or the `SUPER` privilege to set these variables.

### `innodb_encryption_threads`

This variable is removed in Percona Server for MySQL 8.0.31-23.

| Option       | Description                 |
|--------------|-----------------------------|
| Command-line | --innodb-encryption-threads |
| Scope        | Global                      |
| Dynamic      | Yes                         |
| Data type    | Numeric                     |
| Default      | 0                           |

This variable works in combination with the `default_table_encryption` variable set to `ONLINE_TO_KEYRING`. This variable configures the number of threads for background encryption. For online encryption, the value must be greater than **zero**.

### `innodb_online_encryption_rotate_key_age`

This variable is removed in Percona Server for MySQL 8.0.31-23.

| Option       | Description                               |
|--------------|-------------------------------------------|
| Command-line | --innodb-online-encryption-rotate-key-age |
| Scope        | Global                                    |
| Dynamic      | Yes                                       |
| Data type    | Numeric                                   |
| Default      | 1                                         |

Defines the rotation for the re-encryption of a table encrypted using KEYRING. The value of this variable determines how frequently the encrypted tables are re-encrypted.

For example, the following values would trigger a re-encryption in the following intervals:

* The value is **1**, and the table is re-encrypted on each key rotation.

* The value is **2**, and the table is re-encrypted on every other key rotation.

* The value is **10**, and the table is re-encrypted on every tenth key rotation.

You should select the value which best fits your operational requirements.

### `innodb_encryption_rotation_iops`

This variable is removed in Percona Server for MySQL 8.0.31-23.

| Option       | Description                       |
|--------------|-----------------------------------|
| Command-line | --innodb-encryption-rotation-iops |
| Scope        | Global                            |
| Dynamic      | Yes                               |
| Data type    | Numeric                           |
| Default      | 100                               |

Defines the number of input/output operations per second (iops) available for use by a key rotation process.

### `innodb_default_encryption_key_id`

This variable is removed in Percona Server for MySQL 8.0.31-23.

| Option       | Description                        |
|--------------|------------------------------------|
| Command-line | --innodb-default-encryption-key-id |
| Scope        | Session                            |
| Dynamic      | Yes                                |
| Data type    | Numeric                            |
| Default      | 0                                  |

Defines the default encryption ID used to encrypt tablespaces.

## Use Keyring Encryption

This feature is removed in Percona Server for MySQL 8.0.31-23.

Keyring management is enabled separately for each table (file-per-table) when you set the `ENCRYPTION` clause to `KEYRING` in a supported SQL statement:

* `CREATE TABLE … ENCRYPTION='KEYRING'`

* `ALTER TABLE … ENCRYPTION='KEYRING'`

!!! note

    Running an `ALTER TABLE ... ENCRYPTION='N'` on a table created with `ENCRYPTION='KEYRING'` converts the table to the existing MySQL schema, tablespace, or table encryption state.
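
The variables and statements above combined into one session, as an added example that is not taken from the Percona documentation. It assumes a release earlier than 8.0.31-23 with a keyring already configured and an account holding `SYSTEM_VARIABLES_ADMIN` or `SUPER`; the `app` schema, the table names, and the chosen values are hypothetical.

```sql
-- Added example: applies only to Percona Server for MySQL releases earlier
-- than 8.0.31-23. Assumes a keyring is already configured.
-- The app schema and its tables are hypothetical.

-- Background (online) encryption needs ONLINE_TO_KEYRING together with a
-- thread count greater than zero; the default of 0 leaves it idle.
SET GLOBAL default_table_encryption = ONLINE_TO_KEYRING;
SET GLOBAL innodb_encryption_threads = 4;

-- Re-encrypt keyring-encrypted tables on every other key rotation and keep
-- the rotation process at the default I/O budget.
SET GLOBAL innodb_online_encryption_rotate_key_age = 2;
SET GLOBAL innodb_encryption_rotation_iops = 100;

-- Session-scoped default key ID for tablespaces encrypted from this session.
SET SESSION innodb_default_encryption_key_id = 0;

-- Keyring encryption for a new table.
CREATE TABLE app.payments (
  id         BIGINT UNSIGNED NOT NULL PRIMARY KEY,
  card_token VARBINARY(64)   NOT NULL
) ENCRYPTION='KEYRING';

-- Keyring encryption for an existing table (assumed to exist already).
ALTER TABLE app.audit_log ENCRYPTION='KEYRING';

-- Check what is in effect: the global settings and the table's ENCRYPTION clause.
SHOW GLOBAL VARIABLES
  WHERE Variable_name IN ('default_table_encryption',
                          'innodb_encryption_threads',
                          'innodb_online_encryption_rotate_key_age',
                          'innodb_encryption_rotation_iops');
SHOW CREATE TABLE app.payments;

-- Before converting a tablespace to Master key encryption, the feature has
-- to be disabled first; with it enabled the conversion is not allowed.
```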