10bet网址
Security in MySQL
Related Documentation Download this Excerpt
PDF (US Ltr)- 2.3Mb
PDF (A4)- 2.3Mb


6.4.3 Keyring Plugin Installation

Keyring service consumers require that a keyring component or plugin be installed:

Note

Only one keyring component or plugin should be enabled at a time. Enabling multiple keyring components or plugins is unsupported and results may not be as anticipated.

MySQL provides these keyring plugin choices:

  • keyring_file: Stores keyring data in a file local to the server host. Available in MySQL Community Edition and MySQL Enterprise Edition distributions.

  • keyring_encrypted_file: Stores keyring data in an encrypted, password-protected file local to the server host. Available in MySQL Enterprise Edition distributions.

  • keyring_okv: A KMIP 1.1 plugin for use with KMIP-compatible back end keyring storage products such as Oracle Key Vault and Gemalto SafeNet KeySecure Appliance. Available in MySQL Enterprise Edition distributions.

  • keyring_aws: Communicates with the Amazon Web Services Key Management Service as a back end for key generation and uses a local file for key storage. Available in MySQL Enterprise Edition distributions.

  • keyring_hashicorp: Communicates with HashiCorp Vault for back end storage. Available in MySQL Enterprise Edition distributions.

  • keyring_oci: Communicates with Oracle Cloud Infrastructure Vault for back end storage. SeeSection 6.4.11, “Using the Oracle Cloud Infrastructure Vault Keyring Plugin”.

To be usable by the server, the plugin library file must be located in the MySQL plugin directory (the directory named by theplugin_dirsystem variable). If necessary, configure the plugin directory location by setting the value ofplugin_dirat server startup.

A keyring component or plugin must be loaded early during the server startup sequence so that other components can access it as necessary during their own initialization. For example, theInnoDBstorage engine uses the keyring for tablespace encryption, so a keyring component or plugin must be loaded and available prior toInnoDBinitialization.

为每一个密匙环安装插件是相似的。The following instructions describe how to installkeyring_file. To use a different keyring plugin, substitute its name forkeyring_file.

Thekeyring_fileplugin library file base name iskeyring_file. The file name suffix differs per platform (for example,.sofor Unix and Unix-like systems,.dllfor Windows).

To load the plugin, use the--early-plugin-loadoption to name the plugin library file that contains it. For example, on platforms where the plugin library file suffix is.so, use these lines in the servermy.cnffile, adjusting the.sosuffix for your platform as necessary:

[mysqld] early-plugin-load=keyring_file.so

Before starting the server, check the notes for your chosen keyring plugin for configuration instructions specific to that plugin:

After performing any plugin-specific configuration, start the server. Verify plugin installation by examining theINFORMATION_SCHEMA.PLUGINStable or use theSHOW PLUGINSstatement (seeObtaining Server Plugin Information). For example:

mysql> SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'keyring%'; +--------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +--------------+---------------+ | keyring_file | ACTIVE | +--------------+---------------+

If the plugin fails to initialize, check the server error log for diagnostic messages.

Plugins can be loaded by methods other than--early-plugin-load, such as the--plugin-loador--plugin-load-addoption or theINSTALL PLUGINstatement. However, keyring plugins loaded using those methods may be available too late in the server startup sequence for certain components that use the keyring, such asInnoDB:

  • Plugin loading using--plugin-loador--plugin-load-addoccurs afterInnoDBinitialization.

  • Plugins installed usingINSTALL PLUGINare registered in themysql.pluginsystem table and loaded automatically for subsequent server restarts. However, becausemysql.pluginis anInnoDBtable, any plugins named in it can be loaded during startup only afterInnoDBinitialization.

If no keyring component or plugin is available when a component tries to access the keyring service, the service cannot be used by that component. As a result, the component may fail to initialize or may initialize with limited functionality. For example, ifInnoDBfinds that there are encrypted tablespaces when it initializes, it attempts to access the keyring. If the keyring is unavailable,InnoDBcan access only unencrypted tablespaces. To ensure thatInnoDBcan access encrypted tablespaces as well, use--early-plugin-loadto load the keyring plugin.