MySQL 8.0 Release Notes
MySQL 8.0 Source Code Documentation
The keyring_file keyring plugin stores
keyring data in a file local to the server host.
As of MySQL 8.0.34, this plugin is deprecated and subject to
removal in a future release of MySQL. Instead, consider using
the component_keyring_file component for
storing keyring data (see
Section 8.4.4.4, “Using the component_keyring_file File-Based Keyring Component”).
Warning
For encryption key management, the
keyring_file plugin is not intended as a
regulatory compliance solution. Security standards such as
PCI, FIPS, and others require use of key management systems to
secure, manage, and protect encryption keys in key vaults or
hardware security modules (HSMs).
To install keyring_file, use the general
instructions found in
Section 8.4.4.3, “Keyring Plugin Installation”, together with the
configuration information specific to
keyring_file found here.
To be usable during the server startup process,
keyring_file must be loaded using the
--early-plugin-load option. The
keyring_file_data system
variable optionally configures the location of the file used by
the keyring_file plugin for data storage. The
default value is platform specific. To configure the file
location explicitly, set the variable value at startup. For
example, use these lines in the server
my.cnf file, adjusting the
.so suffix and file location for your
platform as necessary:
[mysqld]
early-plugin-load=keyring_file.so
keyring_file_data=/usr/local/mysql/mysql-keyring/keyring
If keyring_file_data is set to
a new location, the keyring plugin creates a new, empty file
containing no keys; this means that any existing encrypted
tables can no longer be accessed.
Keyring operations are transactional: The
keyring_file plugin uses a backup file during
write operations to ensure that it can roll back to the original
file if an operation fails. The backup file has the same name as
the value of the
keyring_file_data system
variable with a suffix of .backup.
For additional information about
keyring_file_data, see
Section 8.4.4.19, “Keyring System Variables”.
To ensure that keys are flushed only when the correct keyring
storage file exists, keyring_file stores a
SHA-256 checksum of the keyring in the file. Before updating the
file, the plugin verifies that it contains the expected
checksum.
The keyring_file plugin supports the
functions that comprise the standard MySQL Keyring service
interface. Keyring operations performed by those functions are
accessible at two levels:
SQL interface: In SQL statements, call the functions described in Section 8.4.4.15, “General-Purpose Keyring Key-Management Functions”.
C interface: In C-language code, call the keyring service functions described in Section 7.6.9.2, “The Keyring Service”.
Example (using the SQL interface):
SELECT keyring_key_generate('MyKey', 'AES', 32);
SELECT keyring_key_remove('MyKey');
For information about the characteristics of key values
permitted by keyring_file, see
Section 8.4.4.13, “Supported Keyring Key Types and Lengths”.