MySQL 8.0 Reference Manual Including MySQL NDB Cluster 8.0
MySQL Keyring plugins support the following system variables. Use them to configure keyring plugin operation. These variables are unavailable unless the appropriate keyring plugin is installed (see Section 6.4.4.1, “Keyring Plugin Installation”).
keyring_aws_cmk_id

Command-Line Format | --keyring-aws-cmk-id=value |
---|---|
System Variable | keyring_aws_cmk_id |
Scope | Global |
Dynamic | Yes |
SET_VAR Hint Applies | No |
Type | String |

The customer master key (CMK) ID obtained from the AWS KMS server and used by the keyring_aws plugin. This variable is unavailable unless that plugin is installed.

This variable is mandatory. If not specified, keyring_aws initialization fails.
keyring_aws_conf_file

Command-Line Format | --keyring-aws-conf-file=file_name |
---|---|
System Variable | keyring_aws_conf_file |
Scope | Global |
Dynamic | No |
SET_VAR Hint Applies | No |
Type | File name |
Default Value | platform specific |

The location of the configuration file for the keyring_aws plugin. This variable is unavailable unless that plugin is installed.

At plugin startup, keyring_aws reads the AWS secret access key ID and key from the configuration file. For the keyring_aws plugin to start successfully, the configuration file must exist and contain valid secret access key information, initialized as described in Section 6.4.4.5, “Using the keyring_aws Amazon Web Services Keyring Plugin”.

The default file name is keyring_aws_conf, located in the default keyring file directory. The location of this default directory is the same as for the keyring_file_data system variable. See the description of that variable for details, as well as for considerations to take into account if you create the directory manually.
keyring_aws_data_file

Command-Line Format | --keyring-aws-data-file=file_name |
---|---|
System Variable | keyring_aws_data_file |
Scope | Global |
Dynamic | No |
SET_VAR Hint Applies | No |
Type | File name |
Default Value | platform specific |

The location of the storage file for the keyring_aws plugin. This variable is unavailable unless that plugin is installed.

At plugin startup, if the value assigned to keyring_aws_data_file specifies a file that does not exist, the keyring_aws plugin attempts to create it (as well as its parent directory, if necessary). If the file does exist, keyring_aws reads any encrypted keys contained in the file into its in-memory cache. keyring_aws does not cache unencrypted keys in memory.

The default file name is keyring_aws_data, located in the default keyring file directory. The location of this default directory is the same as for the keyring_file_data system variable. See the description of that variable for details, as well as for considerations to take into account if you create the directory manually.
keyring_aws_region

Command-Line Format | --keyring-aws-region=value |
---|---|
System Variable | keyring_aws_region |
Scope | Global |
Dynamic | Yes |
SET_VAR Hint Applies | No |
Type | Enumeration |
Default Value | us-east-1 |
Valid Values | |

The AWS region for the keyring_aws plugin. This variable is unavailable unless that plugin is installed.
keyring_encrypted_file_data

Command-Line Format | --keyring-encrypted-file-data=file_name |
---|---|
System Variable | keyring_encrypted_file_data |
Scope | Global |
Dynamic | Yes |
SET_VAR Hint Applies | No |
Type | File name |
Default Value | platform specific |

The path name of the data file used for secure data storage by the keyring_encrypted_file plugin. This variable is unavailable unless that plugin is installed. The file location should be in a directory considered for use only by keyring plugins. For example, do not locate the file under the data directory.

Keyring operations are transactional: The keyring_encrypted_file plugin uses a backup file during write operations to ensure that it can roll back to the original file if an operation fails. The backup file has the same name as the value of the keyring_encrypted_file_data system variable with a suffix of .backup.

Do not use the same keyring_encrypted_file data file for multiple MySQL instances. Each instance should have its own unique data file.

The default file name is keyring_encrypted, located in a directory that is platform specific and depends on the value of the INSTALL_LAYOUT CMake option, as shown in the following table. To specify the default directory for the file explicitly if you are building from source, use the INSTALL_MYSQLKEYRINGDIR CMake option.

INSTALL_LAYOUT Value | Default keyring_encrypted_file_data Value |
---|---|
DEB, RPM, SVR4 | /var/lib/mysql-keyring/keyring_encrypted |
Otherwise | keyring/keyring_encrypted under the CMAKE_INSTALL_PREFIX value |

At plugin startup, if the value assigned to keyring_encrypted_file_data specifies a file that does not exist, the keyring_encrypted_file plugin attempts to create it (as well as its parent directory, if necessary).

If you create the directory manually, it should have a restrictive mode and be accessible only to the account used to run the MySQL server. For example, on Unix and Unix-like systems, to use the /usr/local/mysql/mysql-keyring directory, the following commands (executed as root) create the directory and set its mode and ownership:

```
cd /usr/local/mysql
mkdir mysql-keyring
chmod 750 mysql-keyring
chown mysql mysql-keyring
chgrp mysql mysql-keyring
```

If the keyring_encrypted_file plugin cannot create or access its data file, it writes an error message to the error log. If an attempted runtime assignment to keyring_encrypted_file_data results in an error, the variable value remains unchanged.

Once the keyring_encrypted_file plugin has created its data file and started to use it, it is important not to remove the file. Loss of the file causes data encrypted using its keys to become inaccessible. (It is permissible to rename or move the file, as long as you change the value of keyring_encrypted_file_data to match.)
keyring_encrypted_file_password

Command-Line Format | --keyring-encrypted-file-password=password |
---|---|
System Variable | keyring_encrypted_file_password |
Scope | Global |
Dynamic | Yes |
SET_VAR Hint Applies | No |
Type | String |

The password used by the keyring_encrypted_file plugin. This variable is unavailable unless that plugin is installed.

This variable is mandatory. If not specified, keyring_encrypted_file initialization fails.

If this variable is specified in an option file, the file should have a restrictive mode and be accessible only to the account used to run the MySQL server.

Once the keyring_encrypted_file_password value has been set, changing it does not rotate the keyring password and could make the server inaccessible. If an incorrect password is provided, the keyring_encrypted_file plugin cannot load keys from the encrypted keyring file.

The password value cannot be displayed at runtime with SHOW VARIABLES or the Performance Schema global_variables table because the display value is obfuscated.
keyring_file_data

Command-Line Format | --keyring-file-data=file_name |
---|---|
System Variable | keyring_file_data |
Scope | Global |
Dynamic | Yes |
SET_VAR Hint Applies | No |
Type | File name |
Default Value | platform specific |

The path name of the data file used for secure data storage by the keyring_file plugin. This variable is unavailable unless that plugin is installed. The file location should be in a directory considered for use only by keyring plugins. For example, do not locate the file under the data directory.

Keyring operations are transactional: The keyring_file plugin uses a backup file during write operations to ensure that it can roll back to the original file if an operation fails. The backup file has the same name as the value of the keyring_file_data system variable with a suffix of .backup.

Do not use the same keyring_file data file for multiple MySQL instances. Each instance should have its own unique data file.

The default file name is keyring, located in a directory that is platform specific and depends on the value of the INSTALL_LAYOUT CMake option, as shown in the following table. To specify the default directory for the file explicitly if you are building from source, use the INSTALL_MYSQLKEYRINGDIR CMake option.

INSTALL_LAYOUT Value | Default keyring_file_data Value |
---|---|
DEB, RPM, SVR4 | /var/lib/mysql-keyring/keyring |
Otherwise | keyring/keyring under the CMAKE_INSTALL_PREFIX value |

At plugin startup, if the value assigned to keyring_file_data specifies a file that does not exist, the keyring_file plugin attempts to create it (as well as its parent directory, if necessary).

If you create the directory manually, it should have a restrictive mode and be accessible only to the account used to run the MySQL server. For example, on Unix and Unix-like systems, to use the /usr/local/mysql/mysql-keyring directory, the following commands (executed as root) create the directory and set its mode and ownership:

```
cd /usr/local/mysql
mkdir mysql-keyring
chmod 750 mysql-keyring
chown mysql mysql-keyring
chgrp mysql mysql-keyring
```

If the keyring_file plugin cannot create or access its data file, it writes an error message to the error log. If an attempted runtime assignment to keyring_file_data results in an error, the variable value remains unchanged.

Once the keyring_file plugin has created its data file and started to use it, it is important not to remove the file. For example, InnoDB uses the file to store the master key used to decrypt the data in tables that use InnoDB tablespace encryption; see Section 15.13, “InnoDB Data-at-Rest Encryption”. Loss of the file causes data in such tables to become inaccessible. (It is permissible to rename or move the file, as long as you change the value of keyring_file_data to match.) It is recommended that you create a separate backup of the keyring data file immediately after you create the first encrypted table and before and after master key rotation.
keyring_hashicorp_auth_path

Command-Line Format | --keyring-hashicorp-auth-path=value |
---|---|
Introduced | 8.0.18 |
System Variable | keyring_hashicorp_auth_path |
Scope | Global |
Dynamic | Yes |
SET_VAR Hint Applies | No |
Type | String |
Default Value | /v1/auth/approle/login |

The authentication path where AppRole authentication is enabled within the HashiCorp Vault server, for use by the keyring_hashicorp plugin. This variable is unavailable unless that plugin is installed.
keyring_hashicorp_ca_path

Command-Line Format | --keyring-hashicorp-ca-path=file_name |
---|---|
Introduced | 8.0.18 |
System Variable | keyring_hashicorp_ca_path |
Scope | Global |
Dynamic | Yes |
SET_VAR Hint Applies | No |
Type | File name |
Default Value | empty string |

The absolute path name of a local file accessible to the MySQL server that contains a properly formatted TLS certificate authority for use by the keyring_hashicorp plugin. This variable is unavailable unless that plugin is installed.

If this variable is not set, the keyring_hashicorp plugin opens an HTTPS connection without using server certificate verification, and trusts any certificate delivered by the HashiCorp Vault server. For this to be safe, it must be assumed that the Vault server is not malicious and that no man-in-the-middle attack is possible. If those assumptions are invalid, set keyring_hashicorp_ca_path to the path of a trusted CA certificate. (For example, for the instructions in Certificate and Key Preparation, this is the company.crt file.)
keyring_hashicorp_caching

Command-Line Format | --keyring-hashicorp-caching[={OFF|ON}] |
---|---|
Introduced | 8.0.18 |
System Variable | keyring_hashicorp_caching |
Scope | Global |
Dynamic | Yes |
SET_VAR Hint Applies | No |
Type | Boolean |
Default Value | OFF |

Whether to enable the optional in-memory key cache used by the keyring_hashicorp plugin to cache keys from the HashiCorp Vault server. This variable is unavailable unless that plugin is installed. If the cache is enabled, the plugin populates it during initialization. Otherwise, the plugin populates only the key list during initialization.

Enabling the cache is a compromise: It improves performance, but maintains a copy of sensitive key information in memory, which may be undesirable for security purposes.
keyring_hashicorp_commit_auth_path

Introduced | 8.0.18 |
---|---|
System Variable | keyring_hashicorp_commit_auth_path |
Scope | Global |
Dynamic | No |
SET_VAR Hint Applies | No |
Type | String |

This variable is associated with keyring_hashicorp_auth_path, from which it takes its value during keyring_hashicorp plugin initialization. This variable is unavailable unless that plugin is installed. It reflects the “committed” value actually used for plugin operation if initialization succeeds. For additional information, see keyring_hashicorp Configuration.
keyring_hashicorp_commit_ca_path

Introduced | 8.0.18 |
---|---|
System Variable | keyring_hashicorp_commit_ca_path |
Scope | Global |
Dynamic | No |
SET_VAR Hint Applies | No |
Type | String |

This variable is associated with keyring_hashicorp_ca_path, from which it takes its value during keyring_hashicorp plugin initialization. This variable is unavailable unless that plugin is installed. It reflects the “committed” value actually used for plugin operation if initialization succeeds. For additional information, see keyring_hashicorp Configuration.
keyring_hashicorp_commit_caching

Introduced | 8.0.18 |
---|---|
System Variable | keyring_hashicorp_commit_caching |
Scope | Global |
Dynamic | No |
SET_VAR Hint Applies | No |
Type | String |

This variable is associated with keyring_hashicorp_caching, from which it takes its value during keyring_hashicorp plugin initialization. This variable is unavailable unless that plugin is installed. It reflects the “committed” value actually used for plugin operation if initialization succeeds. For additional information, see keyring_hashicorp Configuration.
keyring_hashicorp_commit_role_id

Introduced | 8.0.18 |
---|---|
System Variable | keyring_hashicorp_commit_role_id |
Scope | Global |
Dynamic | No |
SET_VAR Hint Applies | No |
Type | String |

This variable is associated with keyring_hashicorp_role_id, from which it takes its value during keyring_hashicorp plugin initialization. This variable is unavailable unless that plugin is installed. It reflects the “committed” value actually used for plugin operation if initialization succeeds. For additional information, see keyring_hashicorp Configuration.
keyring_hashicorp_commit_server_url

Introduced | 8.0.18 |
---|---|
System Variable | keyring_hashicorp_commit_server_url |
Scope | Global |
Dynamic | No |
SET_VAR Hint Applies | No |
Type | String |

This variable is associated with keyring_hashicorp_server_url, from which it takes its value during keyring_hashicorp plugin initialization. This variable is unavailable unless that plugin is installed. It reflects the “committed” value actually used for plugin operation if initialization succeeds. For additional information, see keyring_hashicorp Configuration.
keyring_hashicorp_commit_store_path

Introduced | 8.0.18 |
---|---|
System Variable | keyring_hashicorp_commit_store_path |
Scope | Global |
Dynamic | No |
SET_VAR Hint Applies | No |
Type | String |

This variable is associated with keyring_hashicorp_store_path, from which it takes its value during keyring_hashicorp plugin initialization. This variable is unavailable unless that plugin is installed. It reflects the “committed” value actually used for plugin operation if initialization succeeds. For additional information, see keyring_hashicorp Configuration.
keyring_hashicorp_role_id

Command-Line Format | --keyring-hashicorp-role-id=value |
---|---|
Introduced | 8.0.18 |
System Variable | keyring_hashicorp_role_id |
Scope | Global |
Dynamic | Yes |
SET_VAR Hint Applies | No |
Type | String |
Default Value | empty string |

The HashiCorp Vault AppRole authentication role ID, for use by the keyring_hashicorp plugin. This variable is unavailable unless that plugin is installed. The value must be in UUID format.

This variable is mandatory. If not specified, keyring_hashicorp initialization fails.
keyring_hashicorp_secret_id

Command-Line Format | --keyring-hashicorp-secret-id=value |
---|---|
Introduced | 8.0.18 |
System Variable | keyring_hashicorp_secret_id |
Scope | Global |
Dynamic | Yes |
SET_VAR Hint Applies | No |
Type | String |
Default Value | empty string |

The HashiCorp Vault AppRole authentication secret ID, for use by the keyring_hashicorp plugin. This variable is unavailable unless that plugin is installed. The value must be in UUID format.

This variable is mandatory. If not specified, keyring_hashicorp initialization fails.

The value of this variable is sensitive, so its value is masked by * characters when displayed.
keyring_hashicorp_server_url

Command-Line Format | --keyring-hashicorp-server-url=value |
---|---|
Introduced | 8.0.18 |
System Variable | keyring_hashicorp_server_url |
Scope | Global |
Dynamic | Yes |
SET_VAR Hint Applies | No |
Type | String |
Default Value | https://127.0.0.1:8200 |

The HashiCorp Vault server URL, for use by the keyring_hashicorp plugin. This variable is unavailable unless that plugin is installed. The value must begin with https://.
keyring_hashicorp_store_path

Command-Line Format | --keyring-hashicorp-store-path=value |
---|---|
Introduced | 8.0.18 |
System Variable | keyring_hashicorp_store_path |
Scope | Global |
Dynamic | Yes |
SET_VAR Hint Applies | No |
Type | String |
Default Value | empty string |

A store path within the HashiCorp Vault server that is writeable when appropriate AppRole credentials are provided by the keyring_hashicorp plugin. This variable is unavailable unless that plugin is installed. To specify the credentials, set the keyring_hashicorp_role_id and keyring_hashicorp_secret_id system variables (for example, as shown in keyring_hashicorp Configuration).

This variable is mandatory. If not specified, keyring_hashicorp initialization fails.
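The rules stated for the keyring_hashicorp variables above (keyring_hashicorp_server_url must begin with https://, keyring_hashicorp_role_id and keyring_hashicorp_secret_id are mandatory UUIDs, keyring_hashicorp_store_path is mandatory, and an unset keyring_hashicorp_ca_path disables server certificate verification) can all be checked against an option file before mysqld is started, so that a misconfiguration surfaces as a script message rather than a failed plugin initialization. The following script is an added example, not part of the MySQL manual or of the keyring_hashicorp plugin; it assumes the plain `name=value` option form with either underscore or dash spelling, and the function names and the sample values in its comments are ours.

```shell
#!/bin/sh
# Added example (not from the MySQL manual): pre-flight checks on the
# keyring_hashicorp settings in a MySQL option file, applying the rules the
# variable descriptions state. Assumes plain "name=value" lines (no quotes
# around values); option names may use '_' or '-' interchangeably.
# Usage: check_hashicorp_options /etc/my.cnf

# Print the first value assigned to option NAME in FILE (empty if unset).
opt_value() {
    name=$(printf '%s' "$1" | sed 's/_/[-_]/g')
    sed -n "s/^[[:space:]]*$name[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}

# Vault AppRole role and secret IDs must be in UUID format.
is_uuid() {
    printf '%s\n' "$1" |
        grep -Eiq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# Return 0 when the settings are acceptable; print one line per problem and
# return 1 otherwise. A missing CA path is only a warning: the plugin still
# starts, but it then trusts any certificate the Vault server presents.
check_hashicorp_options() {
    file=$1
    rc=0
    url=$(opt_value keyring_hashicorp_server_url "$file")
    role=$(opt_value keyring_hashicorp_role_id "$file")
    secret=$(opt_value keyring_hashicorp_secret_id "$file")
    store=$(opt_value keyring_hashicorp_store_path "$file")
    ca=$(opt_value keyring_hashicorp_ca_path "$file")

    # The server URL defaults to https://127.0.0.1:8200 and must begin with https://.
    [ -n "$url" ] || url=https://127.0.0.1:8200
    case $url in
        https://*) ;;
        *) echo "keyring_hashicorp_server_url must begin with https:// (got '$url')"; rc=1 ;;
    esac

    # role_id and secret_id are mandatory and must be UUIDs.
    is_uuid "$role"   || { echo "keyring_hashicorp_role_id missing or not a UUID"; rc=1; }
    is_uuid "$secret" || { echo "keyring_hashicorp_secret_id missing or not a UUID"; rc=1; }

    # store_path is mandatory.
    [ -n "$store" ] || { echo "keyring_hashicorp_store_path is mandatory"; rc=1; }

    # ca_path, when set, must be an absolute path to a readable file.
    if [ -z "$ca" ]; then
        echo "warning: keyring_hashicorp_ca_path unset; the Vault server certificate will not be verified"
    else
        case $ca in
            /*) [ -r "$ca" ] || { echo "keyring_hashicorp_ca_path is not readable: $ca"; rc=1; } ;;
            *)  echo "keyring_hashicorp_ca_path must be an absolute path (got '$ca')"; rc=1 ;;
        esac
    fi
    return $rc
}

# When run as a script, check the option file given as the first argument.
if [ $# -ge 1 ]; then
    check_hashicorp_options "$1"
fi
```

The script reads only the first assignment of each option, which is also what matters least for this purpose: if the same option appears twice, both copies should be reviewed by hand. It deliberately does not contact the Vault server; it checks the shape of the configuration, and the committed `keyring_hashicorp_commit_*` variables remain the authoritative record of what the plugin actually used once it has initialized.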
keyring_oci_ca_certificate

Command-Line Format | --keyring-oci-ca-certificate=file_name |
---|---|
Introduced | 8.0.22 |
System Variable | keyring_oci_ca_certificate |
Scope | Global |
Dynamic | No |
SET_VAR Hint Applies | No |
Type | String |
Default Value | empty string |

The path name of the CA certificate bundle file that the keyring_oci plugin uses for Oracle Cloud Infrastructure certificate verification. This variable is unavailable unless that plugin is installed.

The file contains one or more certificates for peer verification. If no file is specified, the default CA bundle installed on the system is used. If the value is disabled (case-sensitive), keyring_oci performs no certificate verification.
keyring_oci_compartment

Command-Line Format | --keyring-oci-compartment=ocid |
---|---|
Introduced | 8.0.22 |
System Variable | keyring_oci_compartment |
Scope | Global |
Dynamic | No |
SET_VAR Hint Applies | No |
Type | String |

The OCID of the tenancy compartment that the keyring_oci plugin uses as the location of the MySQL keys. This variable is unavailable unless that plugin is installed.

Prior to using keyring_oci, you must create a MySQL compartment or subcompartment if it does not exist. This compartment should contain no vault keys or vault secrets. It should not be used by systems other than MySQL Keyring.

For information about managing compartments and obtaining the OCID, see Managing Compartments.

This variable is mandatory. If not specified, keyring_oci initialization fails.
keyring_oci_encryption_endpoint

Command-Line Format | --keyring-oci-encryption-endpoint=value |
---|---|
Introduced | 8.0.22 |
System Variable | keyring_oci_encryption_endpoint |
Scope | Global |
Dynamic | No |
SET_VAR Hint Applies | No |
Type | String |

The endpoint of the Oracle Cloud Infrastructure encryption server that the keyring_oci plugin uses for generating ciphertext for new keys. This variable is unavailable unless that plugin is installed.

The encryption endpoint is vault specific and Oracle Cloud Infrastructure assigns it at vault-creation time. To obtain the endpoint OCID, view the configuration details for your keyring_oci vault, using the instructions at Managing Vaults.

This variable is mandatory. If not specified, keyring_oci initialization fails.
keyring_oci_key_file

Command-Line Format | --keyring-oci-key-file=file_name |
---|---|
Introduced | 8.0.22 |
System Variable | keyring_oci_key_file |
Scope | Global |
Dynamic | No |
SET_VAR Hint Applies | No |
Type | String |

The path name of the file containing the RSA private key that the keyring_oci plugin uses for Oracle Cloud Infrastructure authentication. This variable is unavailable unless that plugin is installed.

You must also upload the corresponding RSA public key using the Console. The Console displays the key fingerprint value, which you can use to set the keyring_oci_key_fingerprint system variable.

For information about generating and uploading API keys, see Required Keys and OCIDs.

This variable is mandatory. If not specified, keyring_oci initialization fails.
keyring_oci_key_fingerprint

Command-Line Format | --keyring-oci-key-fingerprint=value |
---|---|
Introduced | 8.0.22 |
System Variable | keyring_oci_key_fingerprint |
Scope | Global |
Dynamic | No |
SET_VAR Hint Applies | No |
Type | String |

The fingerprint of the RSA private key that the keyring_oci plugin uses for Oracle Cloud Infrastructure authentication. This variable is unavailable unless that plugin is installed.

To obtain the key fingerprint while creating the API keys, execute this command:

```
openssl rsa -pubout -outform DER -in ~/.oci/oci_api_key.pem | openssl md5 -c
```

Alternatively, obtain the fingerprint from the Console, which automatically displays the fingerprint when you upload the RSA public key.

For information about obtaining key fingerprints, see Required Keys and OCIDs.

This variable is mandatory. If not specified, keyring_oci initialization fails.
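A fingerprint value that does not correspond to the key in keyring_oci_key_file cannot authenticate to Oracle Cloud Infrastructure, so it is worth comparing the two before starting the server rather than discovering the mismatch in the error log. The following script is an added example, not part of the MySQL manual or the keyring_oci plugin; it wraps the openssl pipeline shown above, assumes an openssl binary on PATH and a PEM-encoded RSA private key, and the function names are ours.

```shell
#!/bin/sh
# Added example (not from the MySQL manual): derive the Oracle Cloud
# Infrastructure API key fingerprint from a private key file with the same
# openssl pipeline the manual shows, and compare it with the value intended
# for keyring_oci_key_fingerprint. Assumes openssl on PATH and a PEM RSA key.
# Usage: check_oci_fingerprint ~/.oci/oci_api_key.pem aa:bb:cc:...

# Print the colon-separated MD5 fingerprint of the DER-encoded public key.
# The DER bytes go through a temporary file so the shell never handles binary data.
oci_key_fingerprint() {
    der=$(mktemp) || return 1
    if openssl rsa -pubout -outform DER -in "$1" -out "$der" 2>/dev/null; then
        openssl md5 -c "$der" | awk '{print $NF}'
        rc=0
    else
        rc=1
    fi
    rm -f "$der"
    return $rc
}

# Return 0 when the configured fingerprint matches the key file (compared
# case-insensitively), 1 when it does not, and 2 when no fingerprint could be
# derived from the file (unreadable file, not an RSA key, openssl failure).
check_oci_fingerprint() {
    keyfile=$1
    configured=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(oci_key_fingerprint "$keyfile" | tr 'A-F' 'a-f')
    case $actual in
        ??:??:??:??:??:??:??:??:??:??:??:??:??:??:??:??) ;;
        *) echo "could not derive a fingerprint from $keyfile"; return 2 ;;
    esac
    if [ "$actual" = "$configured" ]; then
        echo "fingerprint matches: $actual"
        return 0
    fi
    echo "fingerprint mismatch: key file gives $actual, configured value is $configured"
    return 1
}

# When run as a script: KEYFILE CONFIGURED_FINGERPRINT
if [ $# -ge 2 ]; then
    check_oci_fingerprint "$1" "$2"
fi
```

Run the check as the account that will run mysqld, so that it also confirms that the key file is readable by that account; a file that only root can read produces the "could not derive a fingerprint" result, which is the same condition the plugin would hit at startup.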
keyring_oci_management_endpoint

Command-Line Format | --keyring-oci-management-endpoint=value |
---|---|
Introduced | 8.0.22 |
System Variable | keyring_oci_management_endpoint |
Scope | Global |
Dynamic | No |
SET_VAR Hint Applies | No |
Type | String |

The endpoint of the Oracle Cloud Infrastructure key management server that the keyring_oci plugin uses for listing existing keys. This variable is unavailable unless that plugin is installed.

The key management endpoint is vault specific and Oracle Cloud Infrastructure assigns it at vault-creation time. To obtain the endpoint OCID, view the configuration details for your keyring_oci vault, using the instructions at Managing Vaults.

This variable is mandatory. If not specified, keyring_oci initialization fails.
keyring_oci_master_key

Command-Line Format | --keyring-oci-master-key=ocid |
---|---|
Introduced | 8.0.22 |
System Variable | keyring_oci_master_key |
Scope | Global |
Dynamic | No |
SET_VAR Hint Applies | No |
Type | String |

The OCID of the Oracle Cloud Infrastructure master encryption key that the keyring_oci plugin uses for encryption of secrets. This variable is unavailable unless that plugin is installed.

Prior to using keyring_oci, you must create a cryptographic key for the Oracle Cloud Infrastructure compartment if it does not exist. Provide a MySQL-specific name for the generated key, and do not use it for other purposes.

For information about key creation, see Managing Keys.

This variable is mandatory. If not specified, keyring_oci initialization fails.
keyring_oci_secrets_endpoint

Command-Line Format | --keyring-oci-secrets-endpoint=value |
---|---|
Introduced | 8.0.22 |
System Variable | keyring_oci_secrets_endpoint |
Scope | Global |
Dynamic | No |
SET_VAR Hint Applies | No |
Type | String |

The endpoint of the Oracle Cloud Infrastructure secrets server that the keyring_oci plugin uses for listing, creating, and retiring secrets. This variable is unavailable unless that plugin is installed.

The secrets endpoint is vault specific and Oracle Cloud Infrastructure assigns it at vault-creation time. To obtain the endpoint OCID, view the configuration details for your keyring_oci vault, using the instructions at Managing Vaults.

This variable is mandatory. If not specified, keyring_oci initialization fails.
keyring_oci_tenancy

Command-Line Format | --keyring-oci-tenancy=ocid |
---|---|
Introduced | 8.0.22 |
System Variable | keyring_oci_tenancy |
Scope | Global |
Dynamic | No |
SET_VAR Hint Applies | No |
Type | String |

The OCID of the Oracle Cloud Infrastructure tenancy that the keyring_oci plugin uses as the location of the MySQL compartment. This variable is unavailable unless that plugin is installed.

Prior to using keyring_oci, you must create a tenancy if it does not exist. To obtain the tenancy OCID from the Console, use the instructions at Required Keys and OCIDs.

This variable is mandatory. If not specified, keyring_oci initialization fails.
keyring_oci_user

Command-Line Format | --keyring-oci-user=ocid |
---|---|
Introduced | 8.0.22 |
System Variable | keyring_oci_user |
Scope | Global |
Dynamic | No |
SET_VAR Hint Applies | No |
Type | String |

The OCID of the Oracle Cloud Infrastructure user that the keyring_oci plugin uses for cloud connections. This variable is unavailable unless that plugin is installed.

Prior to using keyring_oci, this user must exist and be granted access to use the configured Oracle Cloud Infrastructure tenancy, compartment, and vault resources.

To obtain the user OCID from the Console, use the instructions at Required Keys and OCIDs.

This variable is mandatory. If not specified, keyring_oci initialization fails.
keyring_oci_vaults_endpoint

Command-Line Format | --keyring-oci-vaults-endpoint=value |
---|---|
Introduced | 8.0.22 |
System Variable | keyring_oci_vaults_endpoint |
Scope | Global |
Dynamic | No |
SET_VAR Hint Applies | No |
Type | String |

The endpoint of the Oracle Cloud Infrastructure vaults server that the keyring_oci plugin uses for obtaining the value of secrets. This variable is unavailable unless that plugin is installed.

The vaults endpoint is vault specific and Oracle Cloud Infrastructure assigns it at vault-creation time. To obtain the endpoint OCID, view the configuration details for your keyring_oci vault, using the instructions at Managing Vaults.

This variable is mandatory. If not specified, keyring_oci initialization fails.
keyring_oci_virtual_vault

Command-Line Format | --keyring-oci-virtual-vault=ocid |
---|---|
Introduced | 8.0.22 |
System Variable | keyring_oci_virtual_vault |
Scope | Global |
Dynamic | No |
SET_VAR Hint Applies | No |
Type | String |

The OCID of the Oracle Cloud Infrastructure Vault that the keyring_oci plugin uses for encryption operations. This variable is unavailable unless that plugin is installed.

Prior to using keyring_oci, you must create a new vault in the MySQL compartment if it does not exist. (Alternatively, you can reuse an existing vault that is in a parent compartment of the MySQL compartment.) Compartment users can see and use only the keys in their respective compartments.

For information about creating a vault and obtaining the vault OCID, see Managing Vaults.

This variable is mandatory. If not specified, keyring_oci initialization fails.
keyring_okv_conf_dir

Command-Line Format | --keyring-okv-conf-dir=dir_name |
---|---|
System Variable | keyring_okv_conf_dir |
Scope | Global |
Dynamic | Yes |
SET_VAR Hint Applies | No |
Type | Directory name |
Default Value | empty string |

The path name of the directory that stores configuration information used by the keyring_okv plugin. This variable is unavailable unless that plugin is installed. The location should be a directory considered for use only by the keyring_okv plugin. For example, do not locate the directory under the data directory.

The default keyring_okv_conf_dir value is empty. For the keyring_okv plugin to be able to access Oracle Key Vault, the value must be set to a directory that contains Oracle Key Vault configuration and SSL materials. For instructions on setting up this directory, see Section 6.4.4.4, “Using the keyring_okv KMIP Plugin”.

The directory should have a restrictive mode and be accessible only to the account used to run the MySQL server. For example, on Unix and Unix-like systems, to use the /usr/local/mysql/mysql-keyring-okv directory, the following commands (executed as root) create the directory and set its mode and ownership:

```
cd /usr/local/mysql
mkdir mysql-keyring-okv
chmod 750 mysql-keyring-okv
chown mysql mysql-keyring-okv
chgrp mysql mysql-keyring-okv
```

If the value assigned to keyring_okv_conf_dir specifies a directory that does not exist, or that does not contain configuration information that enables a connection to Oracle Key Vault to be established, keyring_okv writes an error message to the error log. If an attempted runtime assignment to keyring_okv_conf_dir results in an error, the variable value and keyring operation remain unchanged.
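keyring_file_data, keyring_encrypted_file_data and keyring_okv_conf_dir all prescribe the same directory setup (mode 750, owned by the server account, outside the data directory), and keyring_encrypted_file_password asks the same of any option file that holds the password. The following script is an added example, not part of the MySQL manual or any keyring plugin; it audits a directory or file against those rules. The function name and its ls-based parsing are ours, the account to compare against is passed in (for example mysql), and the data-directory comparison is textual, so both paths should be given in canonical form.

```shell
#!/bin/sh
# Added example (not from the MySQL manual): verify that a keyring directory
# or file follows the manual's recommendation of a restrictive mode, ownership
# by the server account, and a location outside the data directory.
# Usage: check_keyring_path PATH OWNER [DATADIR]
#   e.g. check_keyring_path /usr/local/mysql/mysql-keyring mysql /usr/local/mysql/data
# Assumes paths without embedded whitespace and an ls(1) whose long listing
# starts "drwxr-x--- 2 mysql mysql ...".

check_keyring_path() {
    path=$1
    owner=$2
    datadir=${3:-}
    rc=0

    [ -e "$path" ] || { echo "missing: $path"; return 1; }

    perms=$(ls -ld "$path" | awk '{print $1}')
    actual_owner=$(ls -ld "$path" | awk '{print $3}')

    # Ownership: only the account that runs mysqld should own keyring material.
    [ "$actual_owner" = "$owner" ] || { echo "$path: owned by $actual_owner, expected $owner"; rc=1; }

    # Mode: 750 for a directory and 640 or 600 for a file all satisfy the two
    # rules below: no write bit for the group and no permission bits for others.
    # In "drwxr-x---" the group triplet is characters 5-7 and others are 8-10.
    group_write=$(printf '%s' "$perms" | cut -c6)
    other_bits=$(printf '%s' "$perms" | cut -c8-10)
    [ "$group_write" != "w" ] || { echo "$path: group has write permission"; rc=1; }
    [ "$other_bits" = "---" ] || { echo "$path: others have permissions ($other_bits)"; rc=1; }

    # Location: keyring files must not live under the data directory.
    if [ -n "$datadir" ]; then
        case $path in
            "$datadir"|"$datadir"/*) echo "$path: located under data directory $datadir"; rc=1 ;;
        esac
    fi
    return $rc
}

# When run as a script: PATH OWNER [DATADIR]
if [ $# -ge 2 ]; then
    check_keyring_path "$@"
fi
```

Because the check is purely local it can be run from the same startup wrapper or configuration-management step that deploys the keyring directory, before mysqld is started; a non-zero exit then stops the deployment at the point where the fix (chmod, chown, or a different path) is still trivial.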
keyring_operations

System Variable | keyring_operations |
---|---|
Scope | Global |
Dynamic | Yes |
SET_VAR Hint Applies | No |
Type | Boolean |
Default Value | ON |

Whether keyring operations are enabled. This variable is used during key migration operations. See Section 6.4.4.9, “Migrating Keys Between Keyring Keystores”. The privileges required to modify this variable are ENCRYPTION_KEY_ADMIN in addition to either SYSTEM_VARIABLES_ADMIN or the deprecated SUPER privilege.