Documentation Home
MySQL 8.0 Reference Manual
Related Documentation Download this Manual
PDF (US Ltr) - 42.2Mb
PDF (A4) - 42.2Mb
Man Pages (TGZ) - 270.2Kb
Man Pages (Zip) - 381.3Kb
Info (Gzip) - 4.2Mb
Info (Zip) - 4.2Mb
Excerpts from this Manual

MySQL 8.0 Reference Manual  /  ...  /  The MySQL Keyring

6.4.4 The MySQL Keyring

MySQL Server supports a keyring that enables internal server components and plugins to securely store sensitive information for later retrieval. The implementation comprises these elements:

Warning

For encryption key management, the component_keyring_file and component_keyring_encrypted_file components, and the keyring_file and keyring_encrypted_file plugins are not intended as a regulatory compliance solution. Security standards such as PCI, FIPS, and others require use of key management systems to secure, manage, and protect encryption keys in key vaults or hardware security modules (HSMs).

Within MySQL, keyring service consumers include:

  • The InnoDB storage engine uses the keyring to store its key for tablespace encryption. See Section 15.13, “InnoDB Data-at-Rest Encryption”.

  • MySQL Enterprise Audit uses the keyring to store the audit log file encryption password. See Encrypting Audit Log Files.

  • Binary log and relay log management supports keyring-based encryption of log files. With log file encryption activated, the keyring stores the keys used to encrypt passwords for the binary log files and relay log files. See Section 17.3.2, “Encrypting Binary Log Files and Relay Log Files”.

  • The master key to decrypt the file key that decrypts the persisted values of sensitive system variables is stored in the keyring. A keyring component (component_keyring_file or component_keyring_encrypted_file) must be enabled on the MySQL Server instance to support secure storage for persisted system variable values, rather than a keyring plugin, which do not support the function. See Persisting Sensitive System Variables.

For general keyring installation instructions, see Section 6.4.4.2, “Keyring Component Installation”, and Section 6.4.4.3, “Keyring Plugin Installation”. For installation and configuration information specific to a given keyring component or plugin, see the section describing it.

For information about using the keyring functions, see Section 6.4.4.14, “General-Purpose Keyring Key-Management Functions”.

Keyring components, plugins, and functions access a keyring service that provides the interface to the keyring. For information about accessing this service and writing keyring plugins, see Section 5.6.9.2, “The Keyring Service”, and Writing Keyring Plugins.