- 184.108.40.206 Keyring Plugin Installation
- 220.127.116.11 Using the keyring_file File-Based Plugin
- 18.104.22.168 Using the keyring_encrypted_file Keyring Plugin
- 22.214.171.124 Using the keyring_okv KMIP Plugin
- 126.96.36.199 Using the keyring_aws Amazon Web Services Keyring Plugin
- 188.8.131.52 Supported Keyring Key Types and Lengths
- 184.108.40.206 Migrating Keys Between Keyring Keystores
- 220.127.116.11 General-Purpose Keyring Key-Management Functions
- 18.104.22.168 Plugin-Specific Keyring Key-Management Functions
- 22.214.171.124 Keyring Command Options
- 126.96.36.199 Keyring System Variables
MySQL Server supports a keyring that enables internal server components and plugins to securely store sensitive information for later retrieval. The implementation comprises these elements:
Keyring plugins that manage a backing store or communicate with a storage back end. These keyring plugins are available:
keyring_filestores keyring data in a file local to the server host. This plugin is available in MySQL Community Edition and MySQL Enterprise Edition distributions as of MySQL 5.7.11. See Section 188.8.131.52, “Using the keyring_file File-Based Plugin”.
keyring_encrypted_filestores keyring data in an encrypted file local to the server host. This plugin is available in MySQL Enterprise Edition distributions as of MySQL 5.7.21. See Section 184.108.40.206, “Using the keyring_encrypted_file Keyring Plugin”.
keyring_okvis a KMIP 1.1 plugin for use with KMIP-compatible back end keyring storage products such as Oracle Key Vault and Gemalto SafeNet KeySecure Appliance. This plugin is available in MySQL Enterprise Edition distributions as of MySQL 5.7.12. See Section 220.127.116.11, “Using the keyring_okv KMIP Plugin”.
keyring_awscommunicates with the Amazon Web Services Key Management Service for key generation and uses a local file for key storage. This plugin is available in MySQL Enterprise Edition distributions as of MySQL 5.7.19. See Section 18.104.22.168, “Using the keyring_aws Amazon Web Services Keyring Plugin”.
A key migration capability. MySQL 5.7.21 and higher supports a server operational mode that enables migration of keys between underlying keyring keystores, permitting DBAs to switch a MySQL installation from one keyring plugin to another. See Section 22.214.171.124, “Migrating Keys Between Keyring Keystores”.
A keyring service interface for keyring key management (MySQL 5.7.13 and higher), accessible at two levels:
SQL interface: In SQL statements, call the user-defined functions (UDFs) described in Section 126.96.36.199, “General-Purpose Keyring Key-Management Functions”.
C interface: In C-language code, call the keyring service functions described in Section 188.8.131.52, “The Keyring Service”.
Key metadata access. In MySQL 8.0.16 and higher, the Performance Schema
keyring_keystable exposes metadata for keys in the keyring. Key metadata includes key IDs, key owners, and backend key IDs. The
keyring_keystable does not expose any sensitive keyring data such as key contents. See The keyring_keys table.
For encryption key management, the
keyring_encrypted_file plugins are not
intended as a regulatory compliance solution. Security standards
such as PCI, FIPS, and others require use of key management
systems to secure, manage, and protect encryption keys in key
vaults or hardware security modules (HSMs).
Within MySQL, uses of the keyring include:
InnoDBstorage engine uses the keyring to store its key for tablespace encryption.
InnoDBcan use any supported keyring plugin. See Section 14.14, “InnoDB Data-at-Rest Encryption”.
MySQL Enterprise Audit uses the keyring to store the audit log file encryption password. The audit log plugin can use any supported keyring plugin. See Encrypting Audit Log Files.
For general keyring installation instructions, see Section 184.108.40.206, “Keyring Plugin Installation”. For installation and configuration information specific to a given keyring plugin, see the section describing that plugin.
For information about using the keyring UDFs, see Section 220.127.116.11, “General-Purpose Keyring Key-Management Functions”.
Keyring plugins and UDFs access a keyring service that provides the interface for server components to the keyring. For information about accessing the keyring service and writing keyring plugins, see Section 18.104.22.168, “The Keyring Service”, and Writing Keyring Plugins.