MySQL 8.0 Reference Manual Including MySQL NDB Cluster 8.0
MySQL Server supports a keyring that enables internal server components and plugins to securely store sensitive information for later retrieval. The implementation comprises these elements:
Keyring plugins that manage a backing store or communicate with a storage back end. These keyring plugins are available:
keyring_file stores keyring data in a
file local to the server host. This plugin is available in
MySQL Community Edition and MySQL Enterprise Edition distributions. See
Section 6.4.4.2, “Using the keyring_file File-Based Plugin”.
keyring_encrypted_file stores keyring
data in an encrypted file local to the server host. This
plugin is available in MySQL Enterprise Edition distributions. See
Section 6.4.4.3, “Using the keyring_encrypted_file Keyring Plugin”.
keyring_okv is a KMIP 1.1 plugin for
use with KMIP-compatible back end keyring storage products
such as Oracle Key Vault and Gemalto SafeNet KeySecure
Appliance. This plugin is available in MySQL Enterprise Edition
distributions. See Section 6.4.4.4, “Using the keyring_okv KMIP Plugin”.
keyring_aws communicates with the
Amazon Web Services Key Management Service for key
generation and uses a local file for key storage. This
plugin is available in MySQL Enterprise Edition distributions. See
Section 6.4.4.5, “Using the keyring_aws Amazon Web Services Keyring Plugin”.
keyring_hashicorp communicates with
HashiCorp Vault for back end storage. This plugin is
available in MySQL Enterprise Edition distributions as of MySQL 8.0.18. See
Section 6.4.4.6, “Using the HashiCorp Vault Keyring Plugin”.
keyring_oci communicates with Oracle
Cloud Infrastructure Vault for back end storage. This
plugin is available in MySQL Enterprise Edition distributions as of MySQL
8.0.22. See Section 6.4.4.7, “Using the Oracle Cloud Infrastructure Vault Keyring Plugin”.
A key migration capability. A MySQL server operational mode enables migration of keys between underlying keyring keystores, permitting DBAs to switch a MySQL installation from one keyring plugin to another. See Section 6.4.4.9, “Migrating Keys Between Keyring Keystores”.
A keyring service interface for keyring key management, accessible at two levels:
SQL interface: In SQL statements, call the user-defined functions (UDFs) described in Section 6.4.4.10, “General-Purpose Keyring Key-Management Functions”.
C interface: In C-language code, call the keyring service functions described in Section 5.6.8.2, “The Keyring Service”.
Key metadata access. In MySQL 8.0.16 and higher, the
Performance Schema keyring_keys
table exposes metadata for keys in the keyring. Key metadata
includes key IDs, key owners, and backend key IDs. The
keyring_keys table does not
expose any sensitive keyring data such as key contents. See
Section 27.12.19.6, “The keyring_keys table”.
The keyring_file and
keyring_encrypted_file plugins for encryption
key management are not intended as a regulatory compliance
solution. Security standards such as PCI, FIPS, and others
require use of key management systems to secure, manage, and
protect encryption keys in key vaults or hardware security
modules (HSMs).
Within MySQL, uses of the keyring include:
The InnoDB storage engine uses the keyring
to store its key for tablespace encryption.
InnoDB can use any supported keyring
plugin. See Section 15.13, “InnoDB Data-at-Rest Encryption”.
MySQL Enterprise Audit uses the keyring to store the audit log file encryption password. The audit log plugin can use any supported keyring plugin. See Encrypting Audit Log Files.
Binary log and relay log management supports keyring-based encryption of log files. With log file encryption activated, the keys used to encrypt passwords for the binary log files and relay log files are stored in the keyring. This capability can use any supported keyring plugin. See Section 17.3.2, “Encrypting Binary Log Files and Relay Log Files”.
For general keyring installation instructions, see Section 6.4.4.1, “Keyring Plugin Installation”. For installation and configuration information specific to a given keyring plugin, see the section describing that plugin.
For information about using the keyring UDFs, see Section 6.4.4.10, “General-Purpose Keyring Key-Management Functions”.
Keyring plugins and UDFs access a keyring service that provides the interface for components to the keyring. For information about accessing the keyring plugin service and writing keyring plugins, see Section 5.6.8.2, “The Keyring Service”, and Writing Keyring Plugins.