Rechercher dans le manuel MySQL
6.4.4.3 Using the keyring_encrypted_file Keyring Plugin
The keyring_encrypted_file
plugin is an
extension included in MySQL Enterprise Edition, a commercial product. To learn
more about commercial products, see
https://www.mysql.com/products/.
The keyring_encrypted_file
plugin is a
keyring plugin that stores keyring data in an encrypted file
local to the server host. This plugin is available as of MySQL
5.7.21.
The keyring_encrypted_file
plugin for
encryption key management is not intended as a regulatory
compliance solution. Security standards such as PCI, FIPS, and
others require use of key management systems to secure,
manage, and protect encryption keys in key vaults or hardware
security modules (HSMs).
To install the keyring_encrypted_file
plugin,
use the general keyring installation instructions found in
Section 6.4.4.1, “Keyring Plugin Installation”, together with the
configuration information specific to
keyring_encrypted_file
found here.
To be usable during the server startup process,
keyring_encrypted_file
must be loaded using
the --early-plugin-load
option.
To specify the password for encrypting the keyring data file,
set the
keyring_encrypted_file_password
system variable. (The password is mandatory; if not specified at
server startup, keyring_encrypted_file
initialization fails.) The
keyring_encrypted_file_data
system variable optionally configures the location of the file
used by the keyring_encrypted_file
plugin for
data storage. The default value is platform specific. To
configure the file location explicitly, set the variable value
at startup. For example, use these lines in the server
my.cnf
file (adjust the
.so
suffix and file location for your
platform as necessary and substitute your chosen password):
[mysqld]
early-plugin-load=keyring_encrypted_file.so
keyring_encrypted_file_data=/usr/local/mysql/mysql-keyring/keyring-encrypted
keyring_encrypted_file_password=password
Because the my.cnf
file stores a password
when written as shown, it should have a restrictive mode and be
accessible only to the account used to run the MySQL server.
Keyring operations are transactional: The
keyring_encrypted_file
plugin uses a backup
file during write operations to ensure that it can roll back to
the original file if an operation fails. The backup file has the
same name as the value of the
keyring_encrypted_file_data
system variable with a suffix of .backup
.
For additional information about the system variables used to
configure the keyring_encrypted_file
plugin,
see Section 6.4.4.11, “Keyring System Variables”.
To ensure that keys are flushed only when the correct keyring
storage file exists, keyring_encrypted_file
stores a SHA-256 checksum of the keyring in the file. Before
updating the file, the plugin verifies that it contains the
expected checksum. In addition,
keyring_encrypted_file
encrypts file contents
using AES before writing the file, and decrypts file contents
after reading the file.
The keyring_encrypted_file
plugin supports
the functions that comprise the standard keyring service
interface. Keyring operations performed by those functions are
accessible at two levels:
SQL interface: In SQL statements, call the user-defined functions (UDFs) described in Section 6.4.4.8, “General-Purpose Keyring Key-Management Functions”.
C interface: In C-language code, call the keyring service functions described in Section 29.3.2, “The Keyring Service”.
Example (using UDFs):
The key types permitted by
keyring_encrypted_file
are described in
Section 6.4.4.7, “Supported Keyring Key Types”.
Document created the 26/06/2006, last modified the 26/10/2018
Source of the printed document:https://www.gaudry.be/en/mysql-rf-keyring-encrypted-file-plugin.html
The infobrol is a personal site whose content is my sole responsibility. The text is available under CreativeCommons license (BY-NC-SA). More info on the terms of use and the author.
References
These references and links indicate documents consulted during the writing of this page, or which may provide additional information, but the authors of these sources can not be held responsible for the content of this page.
The author This site is solely responsible for the way in which the various concepts, and the freedoms that are taken with the reference works, are presented here. Remember that you must cross multiple source information to reduce the risk of errors.