- 22.214.171.124 Keyring Plugin Installation
- 126.96.36.199 Using the keyring_file File-Based Plugin
- 188.8.131.52 Using the keyring_encrypted_file Keyring Plugin
- 184.108.40.206 Using the keyring_okv KMIP Plugin
- 220.127.116.11 Using the keyring_aws Amazon Web Services Keyring Plugin
- 18.104.22.168 Migrating Keys Between Keyring Keystores
- 22.214.171.124 Supported Keyring Key Types
- 126.96.36.199 General-Purpose Keyring Key-Management Functions
- 188.8.131.52 Plugin-Specific Keyring Key-Management Functions
- 184.108.40.206 Keyring Command Options
- 220.127.116.11 Keyring System Variables
MySQL Server supports a keyring service that enables internal server components and plugins to securely store sensitive information for later retrieval. The implementation is plugin-based:
keyring_fileplugin stores keyring data in a file local to the server host. This plugin is available in all MySQL distributions, Community Edition and Enterprise Edition included. See Section 18.104.22.168, “Using the keyring_file File-Based Plugin”.
keyring_encrypted_fileplugin stores keyring data in an encrypted file local to the server host. This plugin is available in MySQL Enterprise Edition distributions. See Section 22.214.171.124, “Using the keyring_encrypted_file Keyring Plugin”.
keyring_okvis a KMIP 1.1 plugin for use with KMIP-compatible back end keyring storage products such as Oracle Key Vault and Gemalto SafeNet KeySecure Appliance. This plugin is available in MySQL Enterprise Edition distributions. See Section 126.96.36.199, “Using the keyring_okv KMIP Plugin”.
keyring_awsplugin communicates with the Amazon Web Services Key Management Service for key generation and uses a local file for key storage. This plugin is available in MySQL Enterprise Edition distributions. See Section 188.8.131.52, “Using the keyring_aws Amazon Web Services Keyring Plugin”.
A MySQL server operational mode enables migration of keys between underlying keyring keystores. This enables DBAs to switch a MySQL installation from one keyring plugin to another. See Section 184.108.40.206, “Migrating Keys Between Keyring Keystores”.
An SQL interface for keyring key management is implemented as a set of user-defined functions (UDFs). See Section 220.127.116.11, “General-Purpose Keyring Key-Management Functions”.
keyring_encrypted_file plugins for encryption
key management are not intended as a regulatory compliance
solution. Security standards such as PCI, FIPS, and others
require use of key management systems to secure, manage, and
protect encryption keys in key vaults or hardware security
Uses for the keyring within MySQL include:
InnoDBstorage engine uses the keyring to store its key for tablespace encryption.
InnoDBcan use any supported keyring plugin.
MySQL Enterprise Audit uses the keyring to store the audit log file encryption password. The audit log plugin can use any supported keyring plugin.
For general keyring installation instructions, see Section 18.104.22.168, “Keyring Plugin Installation”. For information specific to a given keyring plugin, see the section describing that plugin.
For information about using the keyring UDFs, see Section 22.214.171.124, “General-Purpose Keyring Key-Management Functions”.
Keyring plugins and UDFs access a keyring service that provides the interface for server components to the keyring. For information about accessing the keyring plugin service and writing keyring plugins, see Section 28.3.2, “The Keyring Service”, and Section 126.96.36.199, “Writing Keyring Plugins”.