Keyring service consumers require a keyring plugin to be installed. MySQL provides these plugin choices:
keyring_file: Stores keyring data in a file local to the server host. Available in all MySQL distributions as of MySQL 5.7.11.
keyring_encrypted_file: Stores keyring data in an encrypted file local to the server host. Available in MySQL Enterprise Edition distributions as of MySQL 5.7.21.
keyring_okv: Uses KMIP-compatible back end keyring storage products such as Oracle Key Vault and Gemalto SafeNet KeySecure Appliance. Available in MySQL Enterprise Edition distributions as of MySQL 5.7.12.
keyring_aws: Communicates with the Amazon Web Services Key Management Service as a back end for key generation and uses a local file for key storage. Available in MySQL Enterprise Edition distributions as of MySQL 5.7.19.
This section describes how to install the keyring plugin of your choosing. For general information about installing plugins, see Installing and Uninstalling Plugins.
If you intend to use keyring user-defined functions (UDFs) in conjunction with the keyring plugin, install the UDFs after installing the plugin, using the instructions in Section 6.4.8, “General-Purpose Keyring Key-Management Functions”.
To be usable by the server, the plugin library file must be
located in the MySQL plugin directory (the directory named by
variable). If necessary, configure the plugin directory location
by setting the value of
plugin_dir at server startup.
Installation for each keyring plugin is similar. The following
keyring_file. Users of a
different keyring plugin can substitute its name for
keyring_file plugin library file base
keyring_file. The file name suffix
differs per platform (for example,
Unix and Unix-like systems,
Only one keyring plugin should be enabled at a time. Enabling multiple keyring plugins is unsupported and results may not be as anticipated.
The keyring plugin must be loaded early during the server
startup sequence so that server components can access it as
necessary during their own initialization. For example, the
InnoDB storage engine uses the keyring for
tablespace encryption, so the keyring plugin must be loaded and
available prior to
To load the plugin, use the
--early-plugin-load option to
name the plugin library file that contains it. For example, on
platforms where the plugin library file suffix is
.so, use these lines in the server
my.cnf file, adjusting the
.so suffix for your platform as necessary:
In MySQL 5.7.11, the default
--early-plugin-load value was
the name of the
keyring_file plugin library
file, so that plugin was loaded by default.
InnoDB tablespace encryption requires the
keyring_file plugin to be loaded prior to
InnoDB initialization, so this change of
value introduces an incompatibility for upgrades from 5.7.11
to 5.7.12 or higher. Administrators who have encrypted
InnoDB tablespaces must take explicit
action to ensure continued loading of the
keyring_file plugin: Start the server with
that names the plugin library file.
Before starting the server, check the notes for your chosen keyring plugin to see whether it permits or requires additional configuration:
keyring_file: Section 6.4.2, “Using the keyring_file File-Based Plugin”.
keyring_encrypted_file: Section 6.4.3, “Using the keyring_encrypted_file Keyring Plugin”.
keyring_okv: Section 6.4.4, “Using the keyring_okv KMIP Plugin”.
After performing any plugin-specific configuration, verify
plugin installation. With the MySQL server running, examine the
INFORMATION_SCHEMA.PLUGINS table or
SHOW PLUGINS statement
(see Obtaining Server Plugin Information). For
mysql> SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'keyring%'; +--------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +--------------+---------------+ | keyring_file | ACTIVE | +--------------+---------------+
If the plugin fails to initialize, check the server error log for diagnostic messages.
Plugins can be loaded by methods other than
--early-plugin-load, such as the
--plugin-load-add option or the
INSTALL PLUGIN statement.
However, keyring plugins loaded using those methods may be
available too late in the server startup sequence for certain
server components, such as
Plugins installed using
INSTALL PLUGINare registered in the
mysql.pluginsystem table and loaded automatically for subsequent server restarts. However, because
InnoDBtable, any plugins named in it can be loaded during startup only after
If no keyring plugin is available when a server component tries
to access the keyring service, the service cannot be used by
that component. As a result, the component may fail to
initialize or may initialize with limited functionality. For
InnoDB finds that there are
encrypted tablespaces when it initializes, it attempts to access
the keyring. If the keyring is unavailable,
InnoDB can access only unencrypted
tablespaces. To ensure that
InnoDB can access
encrypted tablespaces as well, use
--early-plugin-load to load the