Keyring service consumers require that a keyring component or plugin be installed:
To use a keyring plugin, begin with the instructions here. (Also, for general information about installing plugins, see Section 7.6.1, “Installing and Uninstalling Plugins”.)
To use a keyring component instead, begin with Section 8.4.4.2, “Keyring Component Installation”.
If you intend to use keyring functions in conjunction with the chosen keyring component or plugin, install the functions after installing that component or plugin, using the instructions in Section 8.4.4.12, “General-Purpose Keyring Key-Management Functions”.
Only one keyring component or plugin should be enabled at a time. Enabling multiple keyring components or plugins is unsupported and results may not be as anticipated.
A keyring component must be enabled on the MySQL Server instance if you need to support secure storage for persisted system variable values, rather than a keyring plugin, which do not support the function. See Persisting Sensitive System Variables.
MySQL provides these keyring plugin choices:
keyring_okv
: A KMIP 1.1 plugin for use with KMIP-compatible back end keyring storage products such as Oracle Key Vault and Gemalto SafeNet KeySecure Appliance. Available in MySQL Enterprise Edition distributions.keyring_aws
: Communicates with the Amazon Web Services Key Management Service as a back end for key generation and uses a local file for key storage. Available in MySQL Enterprise Edition distributions.keyring_hashicorp
: Communicates with HashiCorp Vault for back end storage. Available in MySQL Enterprise Edition distributions.
To be usable by the server, the plugin library file must be
located in the MySQL plugin directory (the directory named by
the plugin_dir
system
variable). If necessary, configure the plugin directory location
by setting the value of
plugin_dir
at server startup.
A keyring component or plugin must be loaded early during the
server startup sequence so that other components can access it
as necessary during their own initialization. For example, the
InnoDB
storage engine uses the keyring for
tablespace encryption, so a keyring component or plugin must be
loaded and available prior to InnoDB
initialization.
Installation for each keyring plugin is similar. The following
instructions describe how to install
keyring_okv
. To use a different keyring
plugin, substitute its name for keyring_okv
.
The keyring_okv
plugin library file base name
is keyring_okv
. The file name suffix differs
per platform (for example, .so
for Unix and
Unix-like systems, .dll
for Windows).
To load the plugin, use the
--early-plugin-load
option to
name the plugin library file that contains it. For example, on
platforms where the plugin library file suffix is
.so
, use these lines in the server
my.cnf
file, adjusting the
.so
suffix for your platform as necessary:
[mysqld]
early-plugin-load=keyring_okv.so
Before starting the server, check the notes for your chosen keyring plugin for configuration instructions specific to that plugin:
keyring_okv
: Section 8.4.4.6, “Using the keyring_okv KMIP Plugin”.keyring_aws
: Section 8.4.4.7, “Using the keyring_aws Amazon Web Services Keyring Plugin”keyring_hashicorp
: Section 8.4.4.8, “Using the HashiCorp Vault Keyring Plugin”
After performing any plugin-specific configuration, start the
server. Verify plugin installation by examining the Information
Schema PLUGINS
table or use the
SHOW PLUGINS
statement (see
Section 7.6.2, “Obtaining Server Plugin Information”). For example:
mysql> SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME LIKE 'keyring%';
+--------------+---------------+
| PLUGIN_NAME | PLUGIN_STATUS |
+--------------+---------------+
| keyring_okv | ACTIVE |
+--------------+---------------+
If the plugin fails to initialize, check the server error log for diagnostic messages.
Plugins can be loaded by methods other than
--early-plugin-load
, such as the
--plugin-load
or
--plugin-load-add
option or the
INSTALL PLUGIN
statement.
However, keyring plugins loaded using those methods may be
available too late in the server startup sequence for certain
components that use the keyring, such as
InnoDB
:
Plugin loading using
--plugin-load
or--plugin-load-add
occurs afterInnoDB
initialization.Plugins installed using
INSTALL PLUGIN
are registered in themysql.plugin
system table and loaded automatically for subsequent server restarts. However, becausemysql.plugin
is anInnoDB
table, any plugins named in it can be loaded during startup only afterInnoDB
initialization.
If no keyring component or plugin is available when a component
tries to access the keyring service, the service cannot be used
by that component. As a result, the component may fail to
initialize or may initialize with limited functionality. For
example, if InnoDB
finds that there are
encrypted tablespaces when it initializes, it attempts to access
the keyring. If the keyring is unavailable,
InnoDB
can access only unencrypted
tablespaces. To ensure that InnoDB
can access
encrypted tablespaces as well, use
--early-plugin-load
to load the
keyring plugin.