MySQL 8.4.2
Source Code Documentation
Keyring Component

Introduction

MySQL Keyring infrastructure consists of following parts:

  1. Keyring component Implementation A shared library that communicates to key server and handles key management.
  2. Keyring component service APIs A set of APIs through which a program or a shared library can communicate to a keyring component to manage keys.

One of the most important usecase for using keyring infrastructure is to support encryption for data at rest. A program like MySQL server stores data on file system. If someone gets access to this data, all sensitive information will be exposed. In order to protect such an offline threat, data should be stored in an encrypted manner. Keyring infrastructure helps managing key(s) secure. By using keyring component APIs, program does not have to worry about how keyring server manages these keys.

In order to support transparent data encryption usecase, it is imperative that keyring is available very early in start-up sequence. That's why keyring component should be able to load only using minmal chassis framework. See The Minimal Chassis for more details on minimal chassis.

Keyring Component Services

Keyring component services provide a way for a binary to communicate to diffierent key management server/backend in a uniform manner. The complexity to use the actual key management server/backend are hidden by these services.

Keyring component services can be devided in 4 parts:

Data management

These services provide ways to manage sensitive data Examples: fetch, generate, store, remove sensitive data.

List of services:

  1. Keyring reader with status: Provides ability to fetch sensitive data from key management server/backend. It returns one of the three states: a> Key present b> Key absent c> component error
  2. Keyring writer: A service that allows adding and removing sensitive data to/from key management server/backend.
  3. Keyring generator: A service to generate and store sensitive data in key management server/backend. If server has built-in capability to generate data, same shall be used.
  4. Keys metadata iterator: A service to iterate over metadata associated with keys

Operations

These services provide functionality using data stored in keyring. Examples: encryption services using keys stored in keyring

List of services:

  1. AES encryption/decryption: Provides ability to perform AES encryption/decryption operations using key identifiers provided by callers. Actual key never leaves keyring component.

Initialization/Re-initialization

These services are responisble for making sure that keyring is operational. Examples: load service

List of services:

  1. Keyring load: A service to initialize or re-initialize keyring

Status

These services provide information about keyring component's status. Example: component metadata in {key, value} format

List of services:

  1. Keyring status: A service that provides status of keyring component - whether it is ready or not.
  2. Keyring metadata query: A service to provide {key, value} pair based information about keyring component. Component choose the exact information to expose. Examples: Name of component, implementation name of services, component configuration parameters.

Refer to Keyring component services for details of keyring component services.

Additional Information

  1. See: Keyring Component Implementation Keyring Component Implementation
  2. See: Common Keyring Implementation Infrastructure Common Keyring Implementation Infrastructure