diff --git a/mysql-test/suite/innodb/r/innodb_encryption_debug.result b/mysql-test/suite/innodb/r/innodb_encryption_debug.result
new file mode 100644
index 00000000000..808ebbf3f74
--- /dev/null
+++ b/mysql-test/suite/innodb/r/innodb_encryption_debug.result
@@ -0,0 +1,19 @@
+show variables like 'innodb_encrypt%';
+Variable_name	Value
+innodb_encrypt_log	OFF
+innodb_encrypt_tables	ON
+innodb_encryption_rotate_key_age	2
+innodb_encryption_rotation_iops	100
+innodb_encryption_threads	4
+select space,name,min_key_version,current_key_version from information_schema.innodb_tablespaces_encryption;
+space	name	min_key_version	current_key_version
+1	mysql/innodb_table_stats	0	1
+2	mysql/innodb_index_stats	0	1
+0	NULL	0	1
+set global debug_key_management_plugin_version=10;
+select space,name,min_key_version,current_key_version from information_schema.innodb_tablespaces_encryption;
+space	name	min_key_version	current_key_version
+1	mysql/innodb_table_stats	0	10
+2	mysql/innodb_index_stats	0	10
+0	NULL	0	10
+set global debug_key_management_plugin_version=1;
diff --git a/mysql-test/suite/innodb/t/innodb_encryption_debug.opt b/mysql-test/suite/innodb/t/innodb_encryption_debug.opt
new file mode 100644
index 00000000000..d7c0b5bcd6a
--- /dev/null
+++ b/mysql-test/suite/innodb/t/innodb_encryption_debug.opt
@@ -0,0 +1,5 @@
+--innodb-encrypt-tables=ON
+--innodb-encryption-rotate-key-age=2
+--innodb-encryption-threads=4
+--innodb-tablespaces-encryption
+--plugin-load-add=$DEBUG_KEY_MANAGEMENT_PLUGIN_SO
diff --git a/mysql-test/suite/innodb/t/innodb_encryption_debug.test b/mysql-test/suite/innodb/t/innodb_encryption_debug.test
new file mode 100644
index 00000000000..cc455d87945
--- /dev/null
+++ b/mysql-test/suite/innodb/t/innodb_encryption_debug.test
@@ -0,0 +1,13 @@
+-- source include/have_innodb.inc
+if (`select count(*) = 0 from information_schema.plugins
+     where plugin_name = 'debug_key_management_plugin' and plugin_status='active'`)
+{
+  --skip Needs debug_key_management_plugin
+}
+
+show variables like 'innodb_encrypt%';
+select space,name,min_key_version,current_key_version from information_schema.innodb_tablespaces_encryption;
+set global debug_key_management_plugin_version=10;
+select space,name,min_key_version,current_key_version from information_schema.innodb_tablespaces_encryption;
+set global debug_key_management_plugin_version=1;
+
diff --git a/mysql-test/suite/sys_vars/r/debug_use_static_encryption_keys_basic.result b/mysql-test/suite/sys_vars/r/debug_use_static_encryption_keys_basic.result
deleted file mode 100644
index a0d4f45cdbf..00000000000
--- a/mysql-test/suite/sys_vars/r/debug_use_static_encryption_keys_basic.result
+++ /dev/null
@@ -1,3 +0,0 @@
-show global variables like "debug_use_static_encryption_keys";
-Variable_name	Value
-debug_use_static_encryption_keys	OFF
diff --git a/mysql-test/suite/sys_vars/r/sysvars_debug.result b/mysql-test/suite/sys_vars/r/sysvars_debug.result
index b7f169dc22e..a46e135af0a 100644
--- a/mysql-test/suite/sys_vars/r/sysvars_debug.result
+++ b/mysql-test/suite/sys_vars/r/sysvars_debug.result
@@ -57,20 +57,6 @@ NUMERIC_BLOCK_SIZE	NULL
 ENUM_VALUE_LIST	NULL
 READ_ONLY	NO
 COMMAND_LINE_ARGUMENT	OPTIONAL
-VARIABLE_NAME	DEBUG_ENCRYPTION_KEY_VERSION
-SESSION_VALUE	NULL
-GLOBAL_VALUE	0
-GLOBAL_VALUE_ORIGIN	COMPILE-TIME
-DEFAULT_VALUE	0
-VARIABLE_SCOPE	GLOBAL
-VARIABLE_TYPE	INT UNSIGNED
-VARIABLE_COMMENT	Encryption key version. Only to be used in internal testing.
-NUMERIC_MIN_VALUE	0
-NUMERIC_MAX_VALUE	4294967295
-NUMERIC_BLOCK_SIZE	1
-ENUM_VALUE_LIST	NULL
-READ_ONLY	NO
-COMMAND_LINE_ARGUMENT	REQUIRED
 VARIABLE_NAME	DEBUG_MUTEX_DEADLOCK_DETECTOR
 SESSION_VALUE	NULL
 GLOBAL_VALUE	ON
@@ -113,17 +99,3 @@ NUMERIC_BLOCK_SIZE	NULL
 ENUM_VALUE_LIST	NULL
 READ_ONLY	NO
 COMMAND_LINE_ARGUMENT	NULL
-VARIABLE_NAME	DEBUG_USE_STATIC_ENCRYPTION_KEYS
-SESSION_VALUE	NULL
-GLOBAL_VALUE	OFF
-GLOBAL_VALUE_ORIGIN	COMPILE-TIME
-DEFAULT_VALUE	OFF
-VARIABLE_SCOPE	GLOBAL
-VARIABLE_TYPE	BOOLEAN
-VARIABLE_COMMENT	Enable use of nonrandom encryption keys. Only to be used in internal testing
-NUMERIC_MIN_VALUE	NULL
-NUMERIC_MAX_VALUE	NULL
-NUMERIC_BLOCK_SIZE	NULL
-ENUM_VALUE_LIST	OFF,ON
-READ_ONLY	YES
-COMMAND_LINE_ARGUMENT	OPTIONAL
diff --git a/mysql-test/suite/sys_vars/t/debug_encryption_key_version_basic.test b/mysql-test/suite/sys_vars/t/debug_encryption_key_version_basic.test
deleted file mode 100644
index 007724b0966..00000000000
--- a/mysql-test/suite/sys_vars/t/debug_encryption_key_version_basic.test
+++ /dev/null
@@ -1,3 +0,0 @@
---source include/have_debug.inc
-# This is just to satisfy all_vars
-select 1;
diff --git a/mysql-test/suite/sys_vars/t/debug_use_static_encryption_keys_basic.test b/mysql-test/suite/sys_vars/t/debug_use_static_encryption_keys_basic.test
deleted file mode 100644
index 2e0d51e89b7..00000000000
--- a/mysql-test/suite/sys_vars/t/debug_use_static_encryption_keys_basic.test
+++ /dev/null
@@ -1,3 +0,0 @@
-# This is just to satisfy all_vars
---source include/have_debug.inc
-show global variables like "debug_use_static_encryption_keys";
diff --git a/plugin/debug_key_management_plugin/CMakeLists.txt b/plugin/debug_key_management_plugin/CMakeLists.txt
new file mode 100644
index 00000000000..d61adf00537
--- /dev/null
+++ b/plugin/debug_key_management_plugin/CMakeLists.txt
@@ -0,0 +1,2 @@
+MYSQL_ADD_PLUGIN(DEBUG_KEY_MANAGEMENT_PLUGIN debug_key_management_plugin.cc
+                 MODULE_ONLY)
diff --git a/plugin/debug_key_management_plugin/debug_key_management_plugin.cc b/plugin/debug_key_management_plugin/debug_key_management_plugin.cc
new file mode 100644
index 00000000000..98873687556
--- /dev/null
+++ b/plugin/debug_key_management_plugin/debug_key_management_plugin.cc
@@ -0,0 +1,98 @@
+/*
+  Copyright (c) 2015 MariaDB Corporation
+
+  This program is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published by
+  the Free Software Foundation; version 2 of the License.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with this program; if not, write to the Free Software
+  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA */
+
+/**
+  Debug key management plugin.
+  It's used to debug the encryption code with a fixed keys that change
+  only on user request.
+
+  THIS IS AN EXAMPLE ONLY! ENCRYPTION KEYS ARE HARD-CODED AND *NOT* SECRET!
+  DO NOT USE THIS PLUGIN IN PRODUCTION! EVER!
+*/
+
+#include <my_global.h>
+#include <mysql/plugin_encryption_key_management.h>
+#include <string.h>
+#include <myisampack.h>
+
+static uint key_version;
+
+static MYSQL_SYSVAR_UINT(version, key_version, PLUGIN_VAR_RQCMDARG,
+  "Latest key version", NULL, NULL, 1, 0, UINT_MAX, 1);
+
+static struct st_mysql_sys_var* sysvars[] = {
+  MYSQL_SYSVAR(version),
+  NULL
+};
+
+static unsigned int get_latest_key_version()
+{
+  return key_version;
+}
+
+static int get_key(unsigned int version, unsigned char* dstbuf, unsigned buflen)
+{
+  if (buflen < 4)
+    return 1;
+  memset(dstbuf, 0, buflen);
+  mi_int4store(dstbuf, version);
+  return 0;
+}
+
+static unsigned int has_key(unsigned int ver)
+{
+  return 1;
+}
+
+static unsigned int get_key_size(unsigned int ver)
+{
+  return 16;
+}
+
+static int get_iv(unsigned int ver, unsigned char* dstbuf, unsigned buflen)
+{
+  return 0; // to be removed
+}
+
+struct st_mariadb_encryption_key_management debug_key_management_plugin= {
+  MariaDB_ENCRYPTION_KEY_MANAGEMENT_INTERFACE_VERSION,
+  get_latest_key_version,
+  has_key,
+  get_key_size,
+  get_key,
+  get_iv
+};
+
+/*
+  Plugin library descriptor
+*/
+maria_declare_plugin(debug_key_management_plugin)
+{
+  MariaDB_ENCRYPTION_KEY_MANAGEMENT_PLUGIN,
+  &debug_key_management_plugin,
+  "debug_key_management_plugin",
+  "Sergei Golubchik",
+  "Debug key management plugin",
+  PLUGIN_LICENSE_GPL,
+  NULL,
+  NULL,
+  0x0100,
+  NULL,
+  sysvars,
+  "1.0",
+  MariaDB_PLUGIN_MATURITY_EXPERIMENTAL
+}
+maria_declare_plugin_end;
diff --git a/sql/encryption_keys.cc b/sql/encryption_keys.cc
index 07a5d346a05..631fee7623b 100644
--- a/sql/encryption_keys.cc
+++ b/sql/encryption_keys.cc
@@ -1,30 +1,14 @@
 #include <my_global.h>
 #include <mysql/plugin_encryption_key_management.h>
-#include "encryption_keys.h"
 #include "log.h"
 #include "sql_plugin.h"
 
-#ifndef DBUG_OFF
-my_bool debug_use_static_encryption_keys = 0;
-uint opt_debug_encryption_key_version = 0;
-#endif
-
 /* there can be only one encryption key management plugin enabled */
 static plugin_ref encryption_key_manager= 0;
 static struct st_mariadb_encryption_key_management *handle;
 
 unsigned int get_latest_encryption_key_version()
 {
-#ifndef DBUG_OFF
-  if (debug_use_static_encryption_keys)
-  {
-    //mysql_mutex_lock(&LOCK_global_system_variables);
-    uint res = opt_debug_encryption_key_version;
-    //mysql_mutex_unlock(&LOCK_global_system_variables);
-    return res;
-  }
-#endif
-
   if (encryption_key_manager)
     return handle->get_latest_key_version();
 
@@ -49,19 +33,6 @@ unsigned int get_encryption_key_size(uint version)
 
 int get_encryption_key(uint version, uchar* key, uint size)
 {
-#ifndef DBUG_OFF
-  if (debug_use_static_encryption_keys)
-  {
-    memset(key, 0, size);
-    // Just don't support tiny keys, no point anyway.
-    if (size < 4)
-      return 1;
-
-    mi_int4store(key, version);
-    return 0;
-  }
-#endif
-
   if (encryption_key_manager)
     return handle->get_key(version, key, size);
 
diff --git a/sql/encryption_keys.h b/sql/encryption_keys.h
deleted file mode 100644
index 10907c1332a..00000000000
--- a/sql/encryption_keys.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef SQL_CRYPTOKEY_INCLUDED
-#define SQL_CRYPTOKEY_INCLUDED
-
-#include "my_global.h"
-
-#ifndef DBUG_OFF
-  extern my_bool debug_use_static_encryption_keys;
-extern uint opt_debug_encryption_key_version;
-#endif /* DBUG_OFF */
-
-#endif // SQL_CRYPTOKEY_INCLUDED
diff --git a/sql/sys_vars.cc b/sql/sys_vars.cc
index 734b6ed9171..9cba8739eee 100644
--- a/sql/sys_vars.cc
+++ b/sql/sys_vars.cc
@@ -62,7 +62,6 @@
 #include "sql_repl.h"
 #include "opt_range.h"
 #include "rpl_parallel.h"
-#include "encryption_keys.h"
 
 /*
   The rule for this file: everything should be 'static'. When a sys_var
@@ -1126,22 +1125,6 @@ static Sys_var_mybool Sys_log_bin(
        READ_ONLY GLOBAL_VAR(opt_bin_log), NO_CMD_LINE, DEFAULT(FALSE));
 
 
-#ifndef DBUG_OFF
-static Sys_var_mybool Sys_debug_use_static_keys(
-       "debug_use_static_encryption_keys",
-       "Enable use of nonrandom encryption keys. Only to be used in "
-       "internal testing",
-       READ_ONLY GLOBAL_VAR(debug_use_static_encryption_keys),
-       CMD_LINE(OPT_ARG), DEFAULT(FALSE));
-
-static Sys_var_uint Sys_debug_encryption_key_version(
-       "debug_encryption_key_version",
-       "Encryption key version. Only to be used in internal testing.",
-       GLOBAL_VAR(opt_debug_encryption_key_version),
-       CMD_LINE(REQUIRED_ARG), VALID_RANGE(0,UINT_MAX), DEFAULT(0),
-       BLOCK_SIZE(1));
-#endif
-
 static Sys_var_mybool Sys_trust_function_creators(
        "log_bin_trust_function_creators",
        "If set to FALSE (the default), then when --log-bin is used, creation "