- 220.127.116.11 Keyring Plugin Installation
- 18.104.22.168 Using the keyring_file File-Based Keyring Plugin
- 22.214.171.124 Using the keyring_encrypted_file Encrypted File-Based Keyring Plugin
- 126.96.36.199 Using the keyring_okv KMIP Plugin
- 188.8.131.52 Using the keyring_aws Amazon Web Services Keyring Plugin
- 184.108.40.206 Supported Keyring Key Types and Lengths
- 220.127.116.11 Migrating Keys Between Keyring Keystores
- 18.104.22.168 General-Purpose Keyring Key-Management Functions
- 22.214.171.124 Plugin-Specific Keyring Key-Management Functions
- 126.96.36.199 Keyring Metadata
- 188.8.131.52 Keyring Command Options
- 184.108.40.206 Keyring System Variables
MySQL Server supports a keyring that enables internal server components and plugins to securely store sensitive information for later retrieval. The implementation comprises these elements:
Keyring plugins that manage a backing store or communicate with a storage back end. These keyring plugins are available:
keyring_file: Stores keyring data in a file local to the server host. Available in MySQL Community Edition and MySQL Enterprise Edition distributions as of MySQL 5.7.11. See Section 220.127.116.11, “Using the keyring_file File-Based Keyring Plugin”.
keyring_encrypted_file: Stores keyring data in an encrypted, password-protected file local to the server host. Available in MySQL Enterprise Edition distributions as of MySQL 5.7.21. See Section 18.104.22.168, “Using the keyring_encrypted_file Encrypted File-Based Keyring Plugin”.
keyring_okv: A KMIP 1.1 plugin for use with KMIP-compatible back end keyring storage products such as Oracle Key Vault and Gemalto SafeNet KeySecure Appliance. Available in MySQL Enterprise Edition distributions as of MySQL 5.7.12. See Section 22.214.171.124, “Using the keyring_okv KMIP Plugin”.
keyring_aws: Communicates with the Amazon Web Services Key Management Service for key generation and uses a local file for key storage. Available in MySQL Enterprise Edition distributions as of MySQL 5.7.19. See Section 126.96.36.199, “Using the keyring_aws Amazon Web Services Keyring Plugin”.
A keyring service interface for keyring key management (MySQL 5.7.13 and higher). This service is accessible at two levels:
SQL interface: In SQL statements, call the functions described in Section 188.8.131.52, “General-Purpose Keyring Key-Management Functions”.
C interface: In C-language code, call the keyring service functions described in Section 184.108.40.206, “The Keyring Service”.
A key migration capability. MySQL 5.7.21 and higher supports migration of keys between keystores, enabling DBAs to switch a MySQL installation from one keystore to another. See Section 220.127.116.11, “Migrating Keys Between Keyring Keystores”.
For encryption key management, the
keyring_encrypted_file plugins are not
intended as a regulatory compliance solution. Security standards
such as PCI, FIPS, and others require use of key management
systems to secure, manage, and protect encryption keys in key
vaults or hardware security modules (HSMs).
Within MySQL, keyring service consumers include:
For general keyring installation instructions, see Section 18.104.22.168, “Keyring Plugin Installation”. For installation and configuration information specific to a given keyring plugin, see the section describing that plugin.
For information about using the keyring functions, see Section 22.214.171.124, “General-Purpose Keyring Key-Management Functions”.
Keyring plugins and functions access a keyring service that provides the interface to the keyring. For information about accessing this service and writing keyring plugins, see Section 126.96.36.199, “The Keyring Service”, and Writing Keyring Plugins.