author | Jan Lindström <jan.lindstrom@skysql.com> | 2015-02-18 08:29:38 +0200 |
---|---|---|
committer | Jan Lindström <jan.lindstrom@skysql.com> | 2015-02-18 08:32:01 +0200 |
commit | 4040bf18cfe7c200bc85b5f3afdab498245fcb32 (patch) | |
tree | fda83ad4627822a17d55e457087e7468bb03c722 | |
parent | 11536f99f14a2fedb822abb6be3a6ad79ad3abc9 (diff) | |
download | mariadb-git-4040bf18cfe7c200bc85b5f3afdab498245fcb32.tar.gz |
MDEV-7593: Default encryption key does not work correctly for page
encrypted tables
Introduced a new innodb_default_page_encryption_key configuration
variable to allow the user to set the default key identifier.
-rw-r--r-- | mysql-test/suite/innodb/r/innodb-page_encryption.result | 32 | ||||
-rw-r--r-- | mysql-test/suite/innodb/t/innodb-page_encryption.test | 18 | ||||
-rw-r--r-- | mysql-test/suite/sys_vars/r/innodb_default_page_encryption_key_basic.result | 71 | ||||
-rw-r--r-- | mysql-test/suite/sys_vars/r/sysvars_innodb.result | 14 | ||||
-rw-r--r-- | mysql-test/suite/sys_vars/t/innodb_default_page_encryption_key_basic.test | 60 | ||||
-rw-r--r-- | storage/innobase/handler/ha_innodb.cc | 25 | ||||
-rw-r--r-- | storage/innobase/include/fil0pageencryption.h | 3 | ||||
-rw-r--r-- | storage/innobase/include/srv0srv.h | 5 | ||||
-rw-r--r-- | storage/innobase/srv/srv0srv.cc | 5 | ||||
-rw-r--r-- | storage/xtradb/handler/ha_innodb.cc | 24 | ||||
-rw-r--r-- | storage/xtradb/include/fil0pageencryption.h | 3 | ||||
-rw-r--r-- | storage/xtradb/include/srv0srv.h | 5 | ||||
-rw-r--r-- | storage/xtradb/srv/srv0srv.cc | 5 |
13 files changed, 249 insertions, 21 deletions
diff --git a/mysql-test/suite/innodb/r/innodb-page_encryption.result b/mysql-test/suite/innodb/r/innodb-page_encryption.result index 77ca7a9205b..dfc93508b90 100644 --- a/mysql-test/suite/innodb/r/innodb-page_encryption.result +++ b/mysql-test/suite/innodb/r/innodb-page_encryption.result @@ -5,6 +5,14 @@ create table innodb_compact(c1 bigint not null, b char(200)) engine=innodb row_f create table innodb_compressed(c1 bigint not null, b char(200)) engine=innodb row_format=compressed page_encryption=1 page_encryption_key=2; create table innodb_dynamic(c1 bigint not null, b char(200)) engine=innodb row_format=dynamic page_encryption=1 page_encryption_key=3; create table innodb_redundant(c1 bigint not null, b char(200)) engine=innodb row_format=redundant page_encryption=1 page_encryption_key=4; +SET GLOBAL innodb_default_page_encryption_key = 5; +create table innodb_defkey(c1 bigint not null, b char(200)) engine=innodb page_encryption=1; +show create table innodb_defkey; +Table Create Table +innodb_defkey CREATE TABLE `innodb_defkey` ( + `c1` bigint(20) NOT NULL, + `b` char(200) DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=latin1 `page_encryption`=1 show create table innodb_compact; Table Create Table innodb_compact CREATE TABLE `innodb_compact` ( @@ -47,11 +55,13 @@ insert into innodb_compact select * from innodb_normal; insert into innodb_compressed select * from innodb_normal; insert into innodb_dynamic select * from innodb_normal; insert into innodb_redundant select * from innodb_normal; +insert into innodb_defkey select * from innodb_normal; update innodb_normal set c1 = c1 +1; update innodb_compact set c1 = c1 + 1; update innodb_compressed set c1 = c1 + 1; update innodb_dynamic set c1 = c1 + 1; update innodb_redundant set c1 = c1 + 1; +update innodb_defkey set c1 = c1 + 1; select count(*) from innodb_compact where c1 < 1500000; count(*) 2000 
@@ -64,6 +74,9 @@ count(*) select count(*) from innodb_redundant where c1 < 1500000; count(*) 2000 +select count(*) from innodb_defkey where c1 < 1500000; +count(*) +2000 select count(*) from innodb_compact t1, innodb_normal t2 where t1.c1 = t2.c1 and t1.b = t2.b; count(*) @@ -80,6 +93,10 @@ select count(*) from innodb_redundant t1, innodb_normal t2 where t1.c1 = t2.c1 and t1.b = t2.b; count(*) 2000 +select count(*) from innodb_defkey t1, innodb_normal t2 where +t1.c1 = t2.c1 and t1.b = t2.b; +count(*) +2000 SELECT variable_value >= 0 FROM information_schema.global_status WHERE LOWER(variable_name) = 'innodb_num_pages_page_encrypted'; variable_value >= 0 1 @@ -96,6 +113,7 @@ update innodb_compact set c1 = c1 + 1; update innodb_compressed set c1 = c1 + 1; update innodb_dynamic set c1 = c1 + 1; update innodb_redundant set c1 = c1 + 1; +update innodb_defkey set c1 = c1 + 1; select count(*) from innodb_compact where c1 < 1500000; count(*) 2000 @@ -108,6 +126,9 @@ count(*) select count(*) from innodb_redundant where c1 < 1500000; count(*) 2000 +select count(*) from innodb_defkey where c1 < 1500000; +count(*) +2000 select count(*) from innodb_compact t1, innodb_normal t2 where t1.c1 = t2.c1 and t1.b = t2.b; count(*) @@ -124,6 +145,10 @@ select count(*) from innodb_redundant t1, innodb_normal t2 where t1.c1 = t2.c1 and t1.b = t2.b; count(*) 2000 +select count(*) from innodb_defkey t1, innodb_normal t2 where +t1.c1 = t2.c1 and t1.b = t2.b; +count(*) +2000 SELECT variable_value >= 0 FROM information_schema.global_status WHERE LOWER(variable_name) = 'innodb_num_pages_page_encrypted'; variable_value >= 0 1 
@@ -187,6 +212,12 @@ innodb_redundant CREATE TABLE `innodb_redundant` ( `c1` bigint(20) NOT NULL, `b` char(200) DEFAULT NULL ) ENGINE=InnoDB DEFAULT CHARSET=latin1 ROW_FORMAT=REDUNDANT +show create table innodb_defkey; +Table Create Table +innodb_defkey CREATE TABLE `innodb_defkey` ( + `c1` bigint(20) NOT NULL, + `b` char(200) DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=latin1 `page_encryption`=1 update innodb_normal set c1 = c1 +1; update innodb_compact set c1 = c1 + 1; update innodb_compressed set c1 = c1 + 1; @@ -235,3 +266,4 @@ drop table innodb_compact; drop table innodb_compressed; drop table innodb_dynamic; drop table innodb_redundant; +drop table innodb_defkey; diff --git a/mysql-test/suite/innodb/t/innodb-page_encryption.test b/mysql-test/suite/innodb/t/innodb-page_encryption.test index 3664d8d0f75..66927d1905f 100644 --- a/mysql-test/suite/innodb/t/innodb-page_encryption.test +++ b/mysql-test/suite/innodb/t/innodb-page_encryption.test @@ -4,6 +4,7 @@ --disable_query_log let $innodb_file_format_orig = `SELECT @@innodb_file_format`; let $innodb_file_per_table_orig = `SELECT @@innodb_file_per_table`; +let $default_page_encryption_key = `SELECT @@innodb_default_page_encryption_key`; --enable_query_log SET GLOBAL innodb_file_format = `Barracuda`; @@ -15,6 +16,10 @@ create table innodb_compressed(c1 bigint not null, b char(200)) engine=innodb ro create table innodb_dynamic(c1 bigint not null, b char(200)) engine=innodb row_format=dynamic page_encryption=1 page_encryption_key=3; create table innodb_redundant(c1 bigint not null, b char(200)) engine=innodb row_format=redundant page_encryption=1 page_encryption_key=4; +SET GLOBAL innodb_default_page_encryption_key = 5; +create table innodb_defkey(c1 bigint not null, b char(200)) engine=innodb page_encryption=1; +show create table innodb_defkey; + show create table innodb_compact; show create table innodb_compressed; show create table innodb_dynamic; 
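Review bot: Nothing in the added `innodb_defkey` steps of the `@@ -15,6 +16,10 @@` hunk shows that key 5 was actually used: the expected `show create table innodb_defkey` output lists only `page_encryption`=1, and the row-count checks added in the following hunks succeed with whichever key the table ended up with. As far as these hunks show, the test would also pass if the table silently fell back to key 1, which is the behaviour the commit sets out to fix. Consider asserting the key identifier recorded for the table, or at least adding a comment such as `# key 5 must exist in the test key file; innodb_defkey must pick it up from innodb_default_page_encryption_key`.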
@@ -42,16 +47,20 @@ insert into innodb_compact select * from innodb_normal; insert into innodb_compressed select * from innodb_normal; insert into innodb_dynamic select * from innodb_normal; insert into innodb_redundant select * from innodb_normal; +insert into innodb_defkey select * from innodb_normal; update innodb_normal set c1 = c1 +1; update innodb_compact set c1 = c1 + 1; update innodb_compressed set c1 = c1 + 1; update innodb_dynamic set c1 = c1 + 1; update innodb_redundant set c1 = c1 + 1; +update innodb_defkey set c1 = c1 + 1; + select count(*) from innodb_compact where c1 < 1500000; select count(*) from innodb_compressed where c1 < 1500000; select count(*) from innodb_dynamic where c1 < 1500000; select count(*) from innodb_redundant where c1 < 1500000; +select count(*) from innodb_defkey where c1 < 1500000; select count(*) from innodb_compact t1, innodb_normal t2 where t1.c1 = t2.c1 and t1.b = t2.b; select count(*) from innodb_dynamic t1, innodb_normal t2 where @@ -60,6 +69,8 @@ select count(*) from innodb_compressed t1, innodb_normal t2 where t1.c1 = t2.c1 and t1.b = t2.b; select count(*) from innodb_redundant t1, innodb_normal t2 where t1.c1 = t2.c1 and t1.b = t2.b; +select count(*) from innodb_defkey t1, innodb_normal t2 where +t1.c1 = t2.c1 and t1.b = t2.b; # Note there that these variables are updated only when real I/O is done, thus they are not reliable SELECT variable_value >= 0 FROM information_schema.global_status WHERE LOWER(variable_name) = 'innodb_num_pages_page_encrypted'; 
@@ -76,10 +87,12 @@ update innodb_compact set c1 = c1 + 1; update innodb_compressed set c1 = c1 + 1; update innodb_dynamic set c1 = c1 + 1; update innodb_redundant set c1 = c1 + 1; +update innodb_defkey set c1 = c1 + 1; select count(*) from innodb_compact where c1 < 1500000; select count(*) from innodb_compressed where c1 < 1500000; select count(*) from innodb_dynamic where c1 < 1500000; select count(*) from innodb_redundant where c1 < 1500000; +select count(*) from innodb_defkey where c1 < 1500000; select count(*) from innodb_compact t1, innodb_normal t2 where t1.c1 = t2.c1 and t1.b = t2.b; select count(*) from innodb_dynamic t1, innodb_normal t2 where @@ -88,6 +101,8 @@ select count(*) from innodb_compressed t1, innodb_normal t2 where t1.c1 = t2.c1 and t1.b = t2.b; select count(*) from innodb_redundant t1, innodb_normal t2 where t1.c1 = t2.c1 and t1.b = t2.b; +select count(*) from innodb_defkey t1, innodb_normal t2 where +t1.c1 = t2.c1 and t1.b = t2.b; SELECT variable_value >= 0 FROM information_schema.global_status WHERE LOWER(variable_name) = 'innodb_num_pages_page_encrypted'; SELECT variable_value >= 0 FROM information_schema.global_status WHERE LOWER(variable_name) = 'innodb_num_pages_page_decrypted'; @@ -111,6 +126,7 @@ show create table innodb_compact; show create table innodb_compressed; show create table innodb_dynamic; show create table innodb_redundant; +show create table innodb_defkey; update innodb_normal set c1 = c1 +1; update innodb_compact set c1 = c1 + 1; @@ -141,9 +157,11 @@ drop table innodb_compact; drop table innodb_compressed; drop table innodb_dynamic; drop table innodb_redundant; +drop table innodb_defkey; # reset system --disable_query_log EVAL SET GLOBAL innodb_file_per_table = $innodb_file_per_table_orig; EVAL SET GLOBAL innodb_file_format = $innodb_file_format_orig; +EVAL SET GLOBAL innodb_default_page_encryption_key = $default_page_encryption_key; --enable_query_log 
diff --git a/mysql-test/suite/sys_vars/r/innodb_default_page_encryption_key_basic.result b/mysql-test/suite/sys_vars/r/innodb_default_page_encryption_key_basic.result
new file mode 100644
index 00000000000..1e779d7c4f6
--- /dev/null
+++ b/mysql-test/suite/sys_vars/r/innodb_default_page_encryption_key_basic.result
@@ -0,0 +1,71 @@
+SET @start_global_value = @@global.innodb_default_page_encryption_key;
+SELECT @start_global_value;
+@start_global_value
+1
+Valid value 0-9
+select @@global.innodb_default_page_encryption_key <= 9;
+@@global.innodb_default_page_encryption_key <= 9
+1
+select @@global.innodb_default_page_encryption_key;
+@@global.innodb_default_page_encryption_key
+1
+select @@session.innodb_default_page_encryption_key;
+ERROR HY000: Variable 'innodb_default_page_encryption_key' is a GLOBAL variable
+show global variables like 'innodb_default_page_encryption_key';
+Variable_name Value
+innodb_default_page_encryption_key 1
+show session variables like 'innodb_default_page_encryption_key';
+Variable_name Value
+innodb_default_page_encryption_key 1
+select * from information_schema.global_variables where variable_name='innodb_default_page_encryption_key';
+VARIABLE_NAME VARIABLE_VALUE
+INNODB_DEFAULT_PAGE_ENCRYPTION_KEY 1
+select * from information_schema.session_variables where variable_name='innodb_default_page_encryption_key';
+VARIABLE_NAME VARIABLE_VALUE
+INNODB_DEFAULT_PAGE_ENCRYPTION_KEY 1
+set global innodb_default_page_encryption_key=2;
+select @@global.innodb_default_page_encryption_key;
+@@global.innodb_default_page_encryption_key
+2
+select * from information_schema.global_variables where variable_name='innodb_default_page_encryption_key';
+VARIABLE_NAME VARIABLE_VALUE
+INNODB_DEFAULT_PAGE_ENCRYPTION_KEY 2
+select * from information_schema.session_variables where variable_name='innodb_default_page_encryption_key';
+VARIABLE_NAME VARIABLE_VALUE
+INNODB_DEFAULT_PAGE_ENCRYPTION_KEY 2
+set session innodb_default_page_encryption_key=4;
+ERROR HY000: Variable 'innodb_default_page_encryption_key' is a GLOBAL variable and should be set with SET GLOBAL
+set global innodb_default_page_encryption_key=1.1;
+ERROR 42000: Incorrect argument type to variable 'innodb_default_page_encryption_key'
+set global innodb_default_page_encryption_key=1e1;
+ERROR 42000: Incorrect argument type to variable 'innodb_default_page_encryption_key'
+set global innodb_default_page_encryption_key="foo";
+ERROR 42000: Incorrect argument type to variable 'innodb_default_page_encryption_key'
+set global innodb_default_page_encryption_key=10;
+select @@global.innodb_default_page_encryption_key;
+@@global.innodb_default_page_encryption_key
+10
+select * from information_schema.global_variables where variable_name='innodb_default_page_encryption_key';
+VARIABLE_NAME VARIABLE_VALUE
+INNODB_DEFAULT_PAGE_ENCRYPTION_KEY 10
+set global innodb_default_page_encryption_key=-7;
+Warnings:
+Warning 1292 Truncated incorrect innodb_default_page_encryption_k value: '-7'
+select @@global.innodb_default_page_encryption_key;
+@@global.innodb_default_page_encryption_key
+1
+select * from information_schema.global_variables where variable_name='innodb_default_page_encryption_key';
+VARIABLE_NAME VARIABLE_VALUE
+INNODB_DEFAULT_PAGE_ENCRYPTION_KEY 1
+set global innodb_default_page_encryption_key=1;
+select @@global.innodb_default_page_encryption_key;
+@@global.innodb_default_page_encryption_key
+1
+set global innodb_default_page_encryption_key=255;
+select @@global.innodb_default_page_encryption_key;
+@@global.innodb_default_page_encryption_key
+255
+SET @@global.innodb_default_page_encryption_key = @start_global_value;
+SELECT @@global.innodb_default_page_encryption_key;
+@@global.innodb_default_page_encryption_key
+1
diff --git a/mysql-test/suite/sys_vars/r/sysvars_innodb.result b/mysql-test/suite/sys_vars/r/sysvars_innodb.result
index 966187a61ab..553ca6f4042 100644
--- a/mysql-test/suite/sys_vars/r/sysvars_innodb.result
+++ b/mysql-test/suite/sys_vars/r/sysvars_innodb.result
@@ -565,6 +565,20 @@ NUMERIC_BLOCK_SIZE NULL ENUM_VALUE_LIST NULL READ_ONLY YES COMMAND_LINE_ARGUMENT REQUIRED +VARIABLE_NAME INNODB_DEFAULT_PAGE_ENCRYPTION_KEY +SESSION_VALUE NULL +GLOBAL_VALUE 1 +GLOBAL_VALUE_ORIGIN COMPILE-TIME +DEFAULT_VALUE 1 +VARIABLE_SCOPE GLOBAL +VARIABLE_TYPE INT UNSIGNED +VARIABLE_COMMENT Encryption key used for page encryption. +NUMERIC_MIN_VALUE 1 +NUMERIC_MAX_VALUE 255 +NUMERIC_BLOCK_SIZE 0 +ENUM_VALUE_LIST NULL +READ_ONLY NO +COMMAND_LINE_ARGUMENT REQUIRED VARIABLE_NAME INNODB_DEFRAGMENT SESSION_VALUE NULL GLOBAL_VALUE OFF diff --git a/mysql-test/suite/sys_vars/t/innodb_default_page_encryption_key_basic.test b/mysql-test/suite/sys_vars/t/innodb_default_page_encryption_key_basic.test new file mode 100644 index 00000000000..c8a02cb8c74 --- /dev/null +++ b/mysql-test/suite/sys_vars/t/innodb_default_page_encryption_key_basic.test 
@@ -0,0 +1,60 @@
+
+--source include/have_innodb.inc
+
+SET @start_global_value = @@global.innodb_default_page_encryption_key;
+SELECT @start_global_value;
+
+#
+# exists as global only
+#
+--echo Valid value 0-9
+select @@global.innodb_default_page_encryption_key <= 9;
+select @@global.innodb_default_page_encryption_key;
+--error ER_INCORRECT_GLOBAL_LOCAL_VAR
+select @@session.innodb_default_page_encryption_key;
+show global variables like 'innodb_default_page_encryption_key';
+show session variables like 'innodb_default_page_encryption_key';
+select * from information_schema.global_variables where variable_name='innodb_default_page_encryption_key';
+select * from information_schema.session_variables where variable_name='innodb_default_page_encryption_key';
+
+#
+# show that it's writable
+#
+set global innodb_default_page_encryption_key=2;
+select @@global.innodb_default_page_encryption_key;
+select * from information_schema.global_variables where variable_name='innodb_default_page_encryption_key';
+select * from information_schema.session_variables where variable_name='innodb_default_page_encryption_key';
+--error ER_GLOBAL_VARIABLE
+set session innodb_default_page_encryption_key=4;
+
+#
+# incorrect types
+#
+--error ER_WRONG_TYPE_FOR_VAR
+set global innodb_default_page_encryption_key=1.1;
+--error ER_WRONG_TYPE_FOR_VAR
+set global innodb_default_page_encryption_key=1e1;
+--error ER_WRONG_TYPE_FOR_VAR
+set global innodb_default_page_encryption_key="foo";
+
+set global innodb_default_page_encryption_key=10;
+select @@global.innodb_default_page_encryption_key;
+select * from information_schema.global_variables where variable_name='innodb_default_page_encryption_key';
+set global innodb_default_page_encryption_key=-7;
+select @@global.innodb_default_page_encryption_key;
+select * from information_schema.global_variables where variable_name='innodb_default_page_encryption_key';
+
+#
+# min/max values
+#
+set global innodb_default_page_encryption_key=1;
+select 
@@global.innodb_default_page_encryption_key; +set global innodb_default_page_encryption_key=255; +select @@global.innodb_default_page_encryption_key; + +# +# cleanup +# + +SET @@global.innodb_default_page_encryption_key = @start_global_value; +SELECT @@global.innodb_default_page_encryption_key; diff --git a/storage/innobase/handler/ha_innodb.cc b/storage/innobase/handler/ha_innodb.cc index e7060622c2f..dc395b50d3a 100644 --- a/storage/innobase/handler/ha_innodb.cc +++ b/storage/innobase/handler/ha_innodb.cc @@ -4,7 +4,7 @@ Copyright (c) 2000, 2014, Oracle and/or its affiliates. All Rights Reserved. Copyright (c) 2008, 2009 Google Inc. Copyright (c) 2009, Percona Inc. Copyright (c) 2012, Facebook Inc. -Copyright (c) 2013, 2014, SkySQL Ab. +Copyright (c) 2013, 2015, MariaDB Corporation. Portions of this file contain modifications contributed and copyrighted by Google, Inc. Those modifications are gratefully acknowledged and are described @@ -103,6 +103,7 @@ this program; if not, write to the Free Software Foundation, Inc., #include "fts0priv.h" #include "page0zip.h" #include "fil0pagecompress.h" +#include "fil0pageencryption.h" #define thd_get_trx_isolation(X) ((enum_tx_isolation)thd_tx_isolation(X)) @@ -567,9 +568,8 @@ ha_create_table_option innodb_table_option_list[]= HA_TOPTION_ENUM("ATOMIC_WRITES", atomic_writes, "DEFAULT,ON,OFF", 0), /* With this option the user can enable page encryption for the table */ HA_TOPTION_BOOL("PAGE_ENCRYPTION", page_encryption, 0), - /* With this option the user defines the key identifier using for the encryption */ - HA_TOPTION_NUMBER("PAGE_ENCRYPTION_KEY", page_encryption_key, ULINT_UNDEFINED, 1, 255, 1), + HA_TOPTION_NUMBER("PAGE_ENCRYPTION_KEY", page_encryption_key, 0, 1, 255, 1), HA_TOPTION_END }; 
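Review bot: The `--echo Valid value 0-9` line and the `<= 9` check at the top of this new test contradict the variable's declared range: the sysvar is registered with minimum 1 and maximum 255, and this same test later sets 10 and 255 successfully. Suggest `--echo Valid values are 1-255` with `select @@global.innodb_default_page_encryption_key between 1 and 255;`. The min/max section also never tries 0 or 256, so rejection or clamping just outside the key-identifier range is covered only indirectly by the `-7` case.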
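Review bot: The new default `0` for `PAGE_ENCRYPTION_KEY` in the `@@ -567,9 +568,8 @@` hunk lies outside the option's own 1..255 range and now acts as a "not specified" sentinel, but nothing at the declaration says so. A reader has to find the `== 0` and `!= 0` tests in `innobase_table_flags()` and `check_table_options()` to learn that 0 means the server-wide default is used. Suggest extending the comment above the option to `/* Key identifier used for the encryption; 0 (the default) means not given, in which case innodb_default_page_encryption_key is used */`. The identical hunk in storage/xtradb/handler/ha_innodb.cc needs the same comment.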
@@ -11021,7 +11021,7 @@ innobase_table_flags( modified by another thread while the table is being created. */ const ulint default_compression_level = page_zip_level; - const ulint default_encryption_key = 1; + const ulint default_encryption_key = srv_default_page_encryption_key; *flags = 0; *flags2 = 0; @@ -11222,12 +11222,12 @@ index_bad: zip_ssize, use_data_dir, options->page_compressed, - (ulint)options->page_compression_level == 0 ? + options->page_compression_level == 0 ? default_compression_level : options->page_compression_level, options->atomic_writes, options->page_encryption, - (ulint)options->page_encryption_key == ULINT_UNDEFINED ? - default_encryption_key : options->page_encryption_key); + options->page_encryption_key == 0 ? + default_encryption_key : options->page_encryption_key); if (create_info->options & HA_LEX_CREATE_TMP_TABLE) { *flags2 |= DICT_TF2_TEMPORARY; @@ -11363,7 +11363,7 @@ ha_innobase::check_table_options( } } - if ((ulint)options->page_encryption_key != ULINT_UNDEFINED) { + if (options->page_encryption_key != 0) { if (options->page_encryption == false) { /* ignore this to allow alter table without changing page_encryption_key ...*/ } @@ -11386,7 +11386,6 @@ ha_innobase::check_table_options( options->page_encryption_key ); return "PAGE_ENCRYPTION_KEY"; - } } @@ -19128,6 +19127,13 @@ static MYSQL_SYSVAR_UINT(encryption_rotation_iops, srv_n_fil_crypt_iops, innodb_encryption_rotation_iops_update, srv_n_fil_crypt_iops, 0, UINT_MAX32, 0); +static MYSQL_SYSVAR_UINT(default_page_encryption_key, srv_default_page_encryption_key, + PLUGIN_VAR_RQCMDARG, + "Encryption key used for page encryption.", + NULL, + NULL, + DEFAULT_ENCRYPTION_KEY, 1, 255, 0); + static MYSQL_SYSVAR_BOOL(scrub_log, srv_scrub_log, PLUGIN_VAR_OPCMDARG | PLUGIN_VAR_READONLY, "Enable redo log scrubbing", 
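Review bot: With `if (options->page_encryption_key != 0)` in the `check_table_options` hunk, an omitted key skips this whole branch, so whatever check the branch applies to an explicit key is not visibly applied to the identifier later taken from `srv_default_page_encryption_key`. The branch body continues outside the hunk and ends in `return "PAGE_ENCRYPTION_KEY";`, so this is inferred rather than certain; if it verifies that the key exists, a table created with `page_encryption=1` alone could be accepted with a default key id that the key source does not provide. Consider resolving the effective key first, e.g. `ulint key = options->page_encryption_key ? options->page_encryption_key : srv_default_page_encryption_key;`, and running the same check on it whenever `page_encryption` is on. The xtradb copy of this hunk has the same shape.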
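Review bot: The variable is registered with `NULL` check and update callbacks, so `SET GLOBAL innodb_default_page_encryption_key` accepts any value in 1..255 without confirming that a key with that identifier is configured; a mistyped id would only surface later, when a table is created or its pages are written. The help text `"Encryption key used for page encryption."` also reads as if the variable held key material and does not say when it applies. Suggest `"Key identifier (1-255) used for tables created with PAGE_ENCRYPTION=1 when PAGE_ENCRYPTION_KEY is not given."` and, if the key source can be queried here, a check callback that rejects unknown identifiers. The same definition is added in storage/xtradb/handler/ha_innodb.cc.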
@@ -19389,6 +19395,7 @@ static struct st_mysql_sys_var* innobase_system_variables[]= { MYSQL_SYSVAR(scrub_log), MYSQL_SYSVAR(scrub_log_interval), MYSQL_SYSVAR(encrypt_log), + MYSQL_SYSVAR(default_page_encryption_key), /* Scrubing feature */ MYSQL_SYSVAR(immediate_scrub_data_uncompressed), diff --git a/storage/innobase/include/fil0pageencryption.h b/storage/innobase/include/fil0pageencryption.h index 3a8ac1e9543..405b91c8c06 100644 --- a/storage/innobase/include/fil0pageencryption.h +++ b/storage/innobase/include/fil0pageencryption.h @@ -26,6 +26,9 @@ this program; if not, write to the Free Software Foundation, Inc., #define PAGE_ENCRYPTION_OK 0 #define PAGE_ENCRYPTION_WILL_NOT_ENCRYPT 5 +/* This key will be used if nothing else is given */ +#define DEFAULT_ENCRYPTION_KEY 1 + #include "fsp0fsp.h" #include "fsp0pageencryption.h" diff --git a/storage/innobase/include/srv0srv.h b/storage/innobase/include/srv0srv.h index be0112959c7..a23e9306716 100644 --- a/storage/innobase/include/srv0srv.h +++ b/storage/innobase/include/srv0srv.h @@ -3,7 +3,7 @@ Copyright (c) 1995, 2013, Oracle and/or its affiliates. All rights reserved. Copyright (c) 2008, 2009, Google Inc. Copyright (c) 2009, Percona Inc. -Copyright (c) 2013, 2014, SkySQL Ab. All Rights Reserved. +Copyright (c) 2013, 2015, MariaDB Corporation. All Rights Reserved. Portions of this file contain modifications contributed and copyrighted by Google, Inc. Those modifications are gratefully acknowledged and are described @@ -562,6 +562,9 @@ that semaphore times out in InnoDB */ #define DEFAULT_SRV_FATAL_SEMAPHORE_TIMEOUT 600 extern ulong srv_fatal_semaphore_wait_threshold; +/** Default encryption key used for page encryption */ +extern uint srv_default_page_encryption_key; + # ifdef UNIV_PFS_THREAD /* Keys to register InnoDB threads with performance schema */ extern mysql_pfs_key_t buf_page_cleaner_thread_key; 
diff --git a/storage/innobase/srv/srv0srv.cc b/storage/innobase/srv/srv0srv.cc index 7c796efe58f..07d8539836a 100644 --- a/storage/innobase/srv/srv0srv.cc +++ b/storage/innobase/srv/srv0srv.cc @@ -3,7 +3,7 @@ Copyright (c) 1995, 2013, Oracle and/or its affiliates. All Rights Reserved. Copyright (c) 2008, 2009 Google Inc. Copyright (c) 2009, Percona Inc. -Copyright (c) 2013, 2014, SkySQL Ab. All Rights Reserved. +Copyright (c) 2013, 2015, MariaDB Corporation. All Rights Reserved. Portions of this file contain modifications contributed and copyrighted by Google, Inc. Those modifications are gratefully acknowledged and are described @@ -522,6 +522,9 @@ thread ensures that we flush the log files at least once per second. */ static time_t srv_last_log_flush_time; +/** Default encryption key used for page encryption */ +UNIV_INTERN uint srv_default_page_encryption_key; + /* Interval in seconds at which various tasks are performed by the master thread when server is active. In order to balance the workload, we should try to keep intervals such that they are not multiple of diff --git a/storage/xtradb/handler/ha_innodb.cc b/storage/xtradb/handler/ha_innodb.cc index 7dd887cec18..9a760eb62d5 100644 --- a/storage/xtradb/handler/ha_innodb.cc +++ b/storage/xtradb/handler/ha_innodb.cc @@ -4,7 +4,7 @@ Copyright (c) 2000, 2014, Oracle and/or its affiliates. All Rights Reserved. Copyright (c) 2008, 2009 Google Inc. Copyright (c) 2009, Percona Inc. Copyright (c) 2012, Facebook Inc. -Copyright (c) 2013, 2014, SkySQL Ab. +Copyright (c) 2013, 2015, MariaDB Corporation. Portions of this file contain modifications contributed and copyrighted by Google, Inc. Those modifications are gratefully acknowledged and are described @@ -106,6 +106,7 @@ this program; if not, write to the Free Software Foundation, Inc., #include "fts0priv.h" #include "page0zip.h" #include "fil0pagecompress.h" +#include "fil0pageencryption.h" #define thd_get_trx_isolation(X) ((enum_tx_isolation)thd_tx_isolation(X)) 
@@ -633,9 +634,8 @@ ha_create_table_option innodb_table_option_list[]= HA_TOPTION_ENUM("ATOMIC_WRITES", atomic_writes, "DEFAULT,ON,OFF", 0), /* With this option the user can enable page encryption for the table */ HA_TOPTION_BOOL("PAGE_ENCRYPTION", page_encryption, 0), - /* With this option the user defines the key identifier using for the encryption */ - HA_TOPTION_NUMBER("PAGE_ENCRYPTION_KEY", page_encryption_key, ULINT_UNDEFINED, 1, 255, 1), + HA_TOPTION_NUMBER("PAGE_ENCRYPTION_KEY", page_encryption_key, 0, 1, 255, 1), HA_TOPTION_END }; @@ -11541,7 +11541,7 @@ innobase_table_flags( modified by another thread while the table is being created. */ const ulint default_compression_level = page_zip_level; - const ulint default_encryption_key = 1; + const ulint default_encryption_key = srv_default_page_encryption_key; *flags = 0; *flags2 = 0; @@ -11739,12 +11739,12 @@ index_bad: zip_ssize, use_data_dir, options->page_compressed, - (ulint)options->page_compression_level == 0 ? + options->page_compression_level == 0 ? default_compression_level : options->page_compression_level, options->atomic_writes, options->page_encryption, - (ulint)options->page_encryption_key == ULINT_UNDEFINED ? - default_encryption_key : options->page_encryption_key); + options->page_encryption_key == 0 ? + default_encryption_key : options->page_encryption_key); if (create_info->options & HA_LEX_CREATE_TMP_TABLE) { *flags2 |= DICT_TF2_TEMPORARY; @@ -11880,7 +11880,7 @@ ha_innobase::check_table_options( } } - if ((ulint)options->page_encryption_key != ULINT_UNDEFINED) { + if (options->page_encryption_key != 0) { if (options->page_encryption == false) { /* ignore this to allow alter table without changing page_encryption_key ...*/ } 
@@ -20318,6 +20318,13 @@ static MYSQL_SYSVAR_UINT(encryption_rotation_iops, srv_n_fil_crypt_iops, innodb_encryption_rotation_iops_update, srv_n_fil_crypt_iops, 0, UINT_MAX32, 0); +static MYSQL_SYSVAR_UINT(default_page_encryption_key, srv_default_page_encryption_key, + PLUGIN_VAR_RQCMDARG, + "Encryption key used for page encryption.", + NULL, + NULL, + DEFAULT_ENCRYPTION_KEY, 1, 255, 0); + static MYSQL_SYSVAR_BOOL(scrub_log, srv_scrub_log, PLUGIN_VAR_OPCMDARG | PLUGIN_VAR_READONLY, "Enable redo log scrubbing", @@ -20617,6 +20624,7 @@ static struct st_mysql_sys_var* innobase_system_variables[]= { MYSQL_SYSVAR(scrub_log), MYSQL_SYSVAR(scrub_log_interval), MYSQL_SYSVAR(encrypt_log), + MYSQL_SYSVAR(default_page_encryption_key), /* Scrubing feature */ MYSQL_SYSVAR(immediate_scrub_data_uncompressed), MYSQL_SYSVAR(background_scrub_data_uncompressed), diff --git a/storage/xtradb/include/fil0pageencryption.h b/storage/xtradb/include/fil0pageencryption.h index ada8fd25d35..fa2b1a5c592 100644 --- a/storage/xtradb/include/fil0pageencryption.h +++ b/storage/xtradb/include/fil0pageencryption.h @@ -26,6 +26,9 @@ this program; if not, write to the Free Software Foundation, Inc., #define PAGE_ENCRYPTION_OK 0 #define PAGE_ENCRYPTION_WILL_NOT_ENCRYPT 5 +/* This key will be used if nothing else is given */ +#define DEFAULT_ENCRYPTION_KEY 1 + #include "fsp0fsp.h" #include "fsp0pageencryption.h" diff --git a/storage/xtradb/include/srv0srv.h b/storage/xtradb/include/srv0srv.h index 55d17625dfe..de994e79b30 100644 --- a/storage/xtradb/include/srv0srv.h +++ b/storage/xtradb/include/srv0srv.h @@ -3,7 +3,7 @@ Copyright (c) 1995, 2013, Oracle and/or its affiliates. Copyright (c) 2008, 2009, Google Inc. Copyright (c) 2009, Percona Inc. -Copyright (c) 2013, 2014, SkySQL Ab. +Copyright (c) 2013, 2015, MariaDB Corporation. Portions of this file contain modifications contributed and copyrighted by Google, Inc. Those modifications are gratefully acknowledged and are described 
@@ -705,6 +705,9 @@ that semaphore times out in InnoDB */ #define DEFAULT_SRV_FATAL_SEMAPHORE_TIMEOUT 600 extern ulong srv_fatal_semaphore_wait_threshold; +/** Default encryption key used for page encryption */ +extern uint srv_default_page_encryption_key; + # ifdef UNIV_PFS_THREAD /* Keys to register InnoDB threads with performance schema */ extern mysql_pfs_key_t buf_page_cleaner_thread_key; diff --git a/storage/xtradb/srv/srv0srv.cc b/storage/xtradb/srv/srv0srv.cc index e050e9d5044..f3d71fac155 100644 --- a/storage/xtradb/srv/srv0srv.cc +++ b/storage/xtradb/srv/srv0srv.cc @@ -3,7 +3,7 @@ Copyright (c) 1995, 2013, Oracle and/or its affiliates. All Rights Reserved. Copyright (c) 2008, 2009 Google Inc. Copyright (c) 2009, Percona Inc. -Copyright (c) 2013, 2014, SkySQL Ab. +Copyright (c) 2013, 2015, MariaDB Corporation. Portions of this file contain modifications contributed and copyrighted by Google, Inc. Those modifications are gratefully acknowledged and are described @@ -669,6 +669,9 @@ thread ensures that we flush the log files at least once per second. */ static time_t srv_last_log_flush_time; +/** Default encryption key used for page encryption */ +UNIV_INTERN uint srv_default_page_encryption_key; + /* Interval in seconds at which various tasks are performed by the master thread when server is active. In order to balance the workload, we should try to keep intervals such that they are not multiple of |