WL#12859: Store secret data in keyring

Affects: Server-8.0   —   Status: Complete

Through the keyring plugin, the MySQL server supports secure storage for various types of keys. Depending on the keyring backend (e.g. a KMIP-compliant server), different key types (e.g. AES) are managed differently.

At present, there is no mechanism for MySQL customers to use the keyring plugin to store sensitive data that does not fall into one of the specific key types. Examples of such data: passwords, X509 certificates, etc.

The aim of this worklog is to enhance the existing keyring plugins to support a new data type, SECRET. This will allow customers to store/retrieve/manage any opaque data (subject to a maximum size of 16k) in the keyring. The keyring backend will not interpret the data in any manner and will treat it as a BLOB.

  • Definition 1: Secret data: data that is deemed sensitive by the customer.
  • FR 1: It should be possible to manage (store/retrieve/remove/generate) Secret data in the keyring through the keyring APIs.
    • FR 1.1: The following keyring plugins should be able to manage Secret data:
      • File keyring plugin (keyring_file)
      • Encrypted file keyring plugin (keyring_encrypted_file)
      • KMIP keyring plugin (keyring_okv)
      • AWS KMS keyring plugin (keyring_aws)
      • Hashicorp vault keyring plugin (keyring_hashicorp)
  • FR 2: It should be possible to manage Secret data through keyring UDFs.
  • I1: In keyring infrastructure, add support for a new data type - SECRET.
  • I2: Although there is no theoretical restriction on the length of Secret data, a maximum length restriction of 16384 bytes will be imposed.
  • I3: Support for Secret data will be added for the keyrings mentioned in FR 1.1.
    • I3.1: Keyring_okv will store the data in the following manner:
      • Object type: SECRET
      • Usage mask: Encryption | Decryption
      • Type: Password (0x00000001)
  • I4: Keyrings will not interpret Secret data in any manner. It will be stored and retrieved as a byte stream.
  • I5: Some keyring backends may not support generation of random data. In such cases, OpenSSL's PRNG will be used to generate the data, and a store request will be sent to the server.
  • I6: Keyring UDFs will support management of Secret data.
    • I6.1: Secret data retrieved through the keyring UDF (keyring_key_fetch) will be returned as a binary string.

Examples:

SELECT keyring_key_generate('MySecret1', 'SECRET', 20);          -- generate 20 random bytes and store them as a SECRET
SELECT keyring_key_store('MySecret1', 'SECRET', 'MySecretData'); -- store caller-supplied opaque data as a SECRET
SELECT keyring_key_fetch('MySecret1');                           -- retrieve the stored bytes (binary string, see I6.1)
SELECT keyring_key_length_fetch('MySecret1');                    -- length of the stored data in bytes
SELECT keyring_key_type_fetch('MySecret1');                      -- returns the key type, here SECRET
SELECT keyring_key_remove('MySecret1');                          -- delete the secret from the keyring
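The following session script is an added illustration, not part of the worklog or the server's own test suite. It walks the UDFs from FR 2 through a full store/fetch/generate/remove round-trip and exercises the 16384-byte limit from I2. The key names beginning with wl12859_ and the certificate text are constructed sample values; it assumes the keyring UDFs are installed with one of the FR 1.1 plugins loaded, and that keyring_key_store/keyring_key_remove return 1 on success and NULL plus an error on failure.

```sql
-- Added example (not from the worklog): round-trip an opaque SECRET through the keyring UDFs.
-- Assumes the keyring UDFs are installed and a keyring plugin listed in FR 1.1 is loaded.
-- Assumption: store/remove UDFs return 1 on success and NULL with an error on failure.

-- Store opaque, non-key data (a constructed, non-functional PEM-style text) as a SECRET.
SELECT keyring_key_store('wl12859_cert', 'SECRET',
  '-----BEGIN CERTIFICATE-----\nMIIBsampleNOTAREALCERT\n-----END CERTIFICATE-----') AS stored;

-- keyring_key_fetch returns a binary string (I6.1); convert or hex-encode it for display.
SELECT CONVERT(keyring_key_fetch('wl12859_cert') USING utf8mb4) AS secret_text;
SELECT HEX(keyring_key_fetch('wl12859_cert')) AS secret_hex;

-- Metadata about the stored value: byte length and the type string (expected to be SECRET).
SELECT keyring_key_length_fetch('wl12859_cert') AS secret_len,
       keyring_key_type_fetch('wl12859_cert')   AS secret_type;

-- Generate a 32-byte random SECRET (from the backend or OpenSSL's PRNG per I5) and check its length.
SELECT keyring_key_generate('wl12859_token', 'SECRET', 32) AS generated;
SELECT keyring_key_length_fetch('wl12859_token') AS token_len;

-- The I2 limit: exactly 16384 bytes should be accepted ...
SELECT keyring_key_store('wl12859_max', 'SECRET', REPEAT('A', 16384)) AS at_limit;
-- ... while 16385 bytes should be rejected (NULL result and an error).
SELECT keyring_key_store('wl12859_over', 'SECRET', REPEAT('A', 16385)) AS over_limit;

-- Clean up every secret this script created.
SELECT keyring_key_remove('wl12859_cert')  AS removed_cert,
       keyring_key_remove('wl12859_token') AS removed_token,
       keyring_key_remove('wl12859_max')   AS removed_max;
```

Because the fetched value is a binary string, comparing it against text in a client without an explicit CONVERT or HEX can produce misleading results; the two fetch statements above show both display-safe forms.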

Notes: