MySQL 8.4 Reference Manual Including MySQL NDB Cluster 8.4
To use MySQL Enterprise Encryption in applications, invoke the functions that are appropriate for the operations you wish to perform. This section demonstrates how to carry out some representative tasks.
MySQL Enterprise Encryption functions are provided by a MySQL component
component_enterprise_encryption. For
information about these functions, see
Section 8.6.4, “MySQL Enterprise Encryption Function Reference”.
The following general considerations apply when choosing key lengths and encryption algorithms:
The strength of encryption for private and public keys increases with the key size, but the time for key generation increases as well.
Component functions support RSA keys only.
Asymmetric encryption functions consume more resources
compared to symmetric functions. They are good for encrypting
small amounts of data and creating and verifying signatures.
For encrypting large amounts of data, symmetric encryption
functions are faster. MySQL Server provides the
AES_ENCRYPT() and
AES_DECRYPT() functions for
symmetric encryption.
Key string values can be created at runtime and stored into a
variable or table using
SET,
SELECT, or
INSERT, as shown here:
SET @priv1 = create_asymmetric_priv_key('RSA', 2048);
SELECT create_asymmetric_priv_key('RSA', 2048) INTO @priv2;
INSERT INTO t (key_col) VALUES(create_asymmetric_priv_key('RSA', 1024));
Key string values stored in files can be read using the
LOAD_FILE() function by users who
have the FILE privilege. Digest and
signature strings can be handled similarly.
This example works with both the component functions and the legacy functions:
-- Encryption algorithm SET @algo = 'RSA'; -- Key length in bits; make larger for stronger keys SET @key_len = 2048; -- Create private key SET @priv = create_asymmetric_priv_key(@algo, @key_len); -- Derive corresponding public key from private key, using same algorithm SET @pub = create_asymmetric_pub_key(@algo, @priv);
You can use the key pair to encrypt and decrypt data or to sign and verify data.
This example works with both the component functions and the legacy functions. In both cases, the members of the key pair must be RSA keys:
SET @ciphertext = asymmetric_encrypt(@algo, 'My secret text', @pub); SET @plaintext = asymmetric_decrypt(@algo, @ciphertext, @priv);
This example works with both the component functions and the legacy functions:
-- Digest type SET @dig_type = 'SHA512'; -- Generate digest string SET @dig = create_digest(@dig_type, 'My text to digest');
The key pair can be used to sign data, then verify that the signature matches the digest. This example works with both the component functions and the legacy functions:
-- Encryption algorithm; keys must -- have been created using same algorithm SET @algo = 'RSA'; –- Digest algorithm to sign the data SET @dig_type = 'SHA512'; -- Generate signature for digest and verify signature against digest SET @sig = asymmetric_sign(@algo, @dig, @priv, @dig_type); -- Verify signature against digest SET @verf = asymmetric_verify(@algo, @dig, @sig, @pub, @dig_type);
For the legacy functions, signatures require a digest. For the component functions, signatures do not require a digest, and can use any data string. The digest type in these functions refers to the algorithm that is used to sign the data, not the algorithm that was used to create the original input for the signature. This example is for the component functions:
-- Encryption algorithm; keys must
-- have been created using same algorithm
SET @algo = 'RSA';
–- Arbitrary text string for signature
SET @text = repeat('j', 256);
–- Digest algorithm to sign the data
SET @dig_type = 'SHA512';
-- Generate signature for digest and verify signature against digest
SET @sig = asymmetric_sign(@algo, @text, @priv, @dig_type);
-- Verify signature against digest
SET @verf = asymmetric_verify(@algo, @text, @sig, @pub, @dig_type);