MySQL Forums - Security

Encryption can't find master key, please check the keyring is loaded (no replies)

Stefano Pisani — Tue, 25 Nov 2025 16:32:16 +0000

Hello everyone,
After upgrading MySQL Enterprise from 8.0.32 to 8.4.7 on Red Hat Enterprise Linux 8, I’m now getting the following error whenever I try to access encrypted InnoDB tables:

ERROR 3185 (HY000): Encryption can't find master key, please check the keyring is loaded

The mysqld service starts without issues, but any query against tables that use tablespace encryption (TDE) fails with the error above.What I have already checked:The same keyring plugin that worked on 8.0.32 is configured (keyring_file, keyring_encrypted_file, or keyring_oci – same as before)
The keyring file is present in the expected location with correct ownership/permissions (owned by mysql:mysql, 660)
early-plugin-load is correctly set in my.cnf
No errors related to the keyring appear in the MySQL error log during startup

Is there any change in master key handling or keyring migration procedure between MySQL 8.0 and 8.4 that I might have missed when TDE is enabled? Do I need to rotate or re-import the master encryption key after this kind of major version upgrade?Any help or pointers would be greatly appreciated!

Thank you in advance!

Encryption information in datafile can't be decrypted, confirm that keyring is loaded (2 replies)

Imaan Ahmad — Wed, 03 Sep 2025 11:56:11 +0000

Hello Team,

I am currently working on enabling Transparent Data Encryption (TDE) on MySQL using KMIP-managed keys. I have successfully configured the keyring_okv plugin and was able to encrypt tables using keys stored on the KMIP server.

From the KMIP server logs, it is evident that Locate requests are being initiated by the MySQL client, however the server shows the following error:
kmip.server.engine - ERROR - 'NoneType' object has no attribute 'applies_to_object_types

This suggests that the KMIP server is unable to properly process the Locate request, possibly due to missing or malformed key objects.

Could this issue be related to the keyring_okv plugin configuration or its interaction with the KMIP server?

Thanks,
Imaan Ahmad

Unable to access data after securring the database (no replies)

Matt Brown — Thu, 14 Aug 2025 19:56:08 +0000

If we use the following setting in the config file, we are able to access the data in the database.

This gets flagged in a Fortify scan. We can connect to the DB via an SSL certificate in Workbench. We change the value string in the above to the below, and suddenly we can't get the data to come up in our site.

Error encountered while generating keys using the keyring_okv plugin (no replies)

Imaan Ahmad — Mon, 04 Aug 2025 17:05:03 +0000

We’ve installed the MySQL Enterprise edition (Trial version) on a Windows client and configured the keyring_okv.dll plugin to connect to our KMIP server. The MySQL server appears to be connecting to the KMIP server successfully (I have also tested the connection from the windows server to the KMIP server)

However, when we attempt to generate a key using the keyring_key_generate function, we encounter the following error:

Function 'keyring_key_generate' failed because underlying keyring service returned an error. Please check if a keyring is installed and that provided arguments are valid for the keyring you are using.
[Server] Plugin keyring_okv reported: 'Could not add attribute, attribute_name=x-key-id attribute value=Key1'
[Server] Plugin keyring_okv reported: 'Could not flush keys to keyring'.

Has anyone faced a similar issue or can provide help with what might cause the x-key-id attribute error?

Any help or pointers would be greatly appreciated.

management of mysql-keyring file (5 replies)

Krzysztof Wróblewski — Mon, 06 Apr 2026 14:17:08 +0000

Hi,
I'm trying to implement my own keyring file management mechanism on Linux OS.
I searched documentation and I didn't find any information when exactly MySQL accesses mysql-keyring file.

Would you like to confirm if it's safe to move keyring file (to other safe place) after MySQL starts?
When exactly I need provide mysql-keyring file to proper component directory pointed in configuration?

I found only that for migration purpose it should be on place before key rotation and during startup of mysqld. Anything else?

If it's somewhere described, I would be happy to read more about access file mechanism.

SSL connection error: error:0A000086:SSL routines::certificate verify failed (no replies)

Boisseau Nicolas — Tue, 01 Apr 2025 11:52:18 +0000

Hello,

I'm dealing with a problem that's taking up far too much of my time. I must have spent around 30 hours on the subject and I'm starting to overdose.

Let me explain what I'm dealing with: I want to use MySQL to replicate 2 databases. Everything was working fine, I was able to replicate correctly.

But then I got a message telling me that it's not safe to let the password show through, so I need to use the SSL/TLS protocol to make things more secure
and not have the password in clear text on the network (even though I'm on a LAN).
To do this, I used the .pem files created automatically during installation with MySQL, i.e. my ca.pem - client-cert.pem - client-key.pem files that I sent to my 2nd server (the slave). Once the rights had been given, as well as the correct group, I initialised the connection between my slave and my master. except that I came up against the following error:

‘Last_IO_Error: Error connecting to source ‘replication@192.168.1.10:3306’. This was attempt 16162/86400, with a delay of 20 seconds between attempts. Message: SSL connection error: error:0A000086:SSL routines::certificate verify failed’

I've spent countless hours trying to find out why this error is appearing, and I can't figure it out. I've looked everywhere (maybe not enough?) but I just don't get it, and I'd welcome any help.

I'd also like to point out that I originally thought it was the fault of the certificate generated by MySQL that wasn't working, but I finally regenerated all the certificates with openssl to see if that was the cause.
to see if it was coming from there, but apparently not, I have the same problem. (I generated the ca.pem - ca-key.pem - client-cert.pem - client-key.pem - server-cert.pem - server-key.pem.
I also signed the certificates with the ca.pem and normally I have my certificates set to CA=True and not false on my client and server, but that doesn't seem to have a
change. I should also point out that I have changed the following parameter: SOURCE_SSL_VERIFY_SERVER_CERT=1 to ‘0’ and the connection works again, which I suppose is logical because of course
I also tested a command line connection with the certificates, but I don't think this proves anything about the validity of my certificates ?
mysql -h 192.168.1.10 -u replication -p --ssl-ca=ca.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem / This command works and I connect.

Here are all my configurations for the first server, the master (the one with the server certificates)

1/ Configuration my.cnf :

[mysqld]
log-bin=master1
server-id=1
binlog-format=mixed
relay-log=relay-log-master1
bind-address=0.0.0.0
ssl-ca=ca.pem
ssl-cert=server-cert.pem
ssl-key=server-key.pem
require_secure_transport=ON

2/ MySQL parameters :
mysql> SHOW VARIABLES LIKE '%ssl%';
+-------------------------------------+-----------------+
| Variable_name | Value |
+-------------------------------------+-----------------+
| admin_ssl_ca | |
| admin_ssl_capath | |
| admin_ssl_cert | |
| admin_ssl_cipher | |
| admin_ssl_crl | |
| admin_ssl_crlpath | |
| admin_ssl_key | |
| have_openssl | YES |
| have_ssl | YES |
| mysqlx_ssl_ca | |
| mysqlx_ssl_capath | |
| mysqlx_ssl_cert | |
| mysqlx_ssl_cipher | |
| mysqlx_ssl_crl | |
| mysqlx_ssl_crlpath | |
| mysqlx_ssl_key | |
| performance_schema_show_processlist | OFF |
| ssl_ca | ca.pem |
| ssl_capath | |
| ssl_cert | server-cert.pem |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_fips_mode | OFF |
| ssl_key | server-key.pem |
| ssl_session_cache_mode | ON |
| ssl_session_cache_timeout | 300 |
+-------------------------------------+-----------------+

3/File in /var/lib/MySQL :

-rw------- 1 mysql mysql 1,7K mars 28 14:14 server-key.pem
-rw-r--r-- 1 mysql mysql 1,4K mars 28 14:14 server-cert.pem
-rw------- 1 mysql mysql 1,7K mars 28 14:14 client-key.pem
-rw-r--r-- 1 mysql mysql 1,3K mars 28 14:14 ca.pem
-rw------- 1 mysql mysql 1,7K mars 28 14:14 ca-key.pem
-rw-r--r-- 1 mysql mysql 1,4K mars 28 14:14 client-cert.pem

openssl verify -CAfile /var/lib/mysql/ca.pem /var/lib/mysql/server-cert.pem
/var/lib/mysql/server-cert.pem: OK

Slave side (customer) :

[mysqld]
log-bin=slave1
server-id=2
binlog-format=mixed
relay-log=relay-log-slave1

2/ Configuration file in /var/lib/MySQL :
-rw-r--r-- 1 mysql mysql 1,3K mars 28 14:46 ca.pem
-rw------- 1 mysql mysql 1,7K mars 28 14:46 client-key.pem
-rw-r--r-- 1 mysql mysql 1,4K mars 28 14:46 client-cert.pem

3/ Replica configuration :
CHANGE REPLICATION SOURCE TO
SOURCE_HOST='192.168.1.10',
SOURCE_USER='replication',
SOURCE_PASSWORD='password',
SOURCE_PORT=3306,
SOURCE_LOG_FILE='master1.000011',
SOURCE_LOG_POS=157,
SOURCE_CONNECT_RETRY=20,
SOURCE_SSL_CA='/var/lib/mysql/ca.pem',
SOURCE_SSL_CERT='/var/lib/mysql/client-cert.pem',
SOURCE_SSL_KEY='/var/lib/mysql/client-key.pem',
SOURCE_SSL_VERIFY_SERVER_CERT=1,
GET_SOURCE_PUBLIC_KEY=1,
SOURCE_SSL=1;

Problem with caching_sha2_password and proxy/proxied user (3 replies)

Silvio Schloeffel — Thu, 30 Jan 2025 10:32:27 +0000

Hi,

I am currently setting up a completely new MySQL 8.4 server in order to migrate an old server to it.
In the course of the work, all users are to be newly created with caching_sha2_password passwords.
Furthermore, users should be given their rights with the help of proxy/proxied user roles.
The creation of users and subsequent login works without any problems.
However, problems occur when I assign rights to the users via grant proxy.
The rights are not transferred to the users.

However, if I change the hashing procedure from caching_sha2_ppassword to sha256_password, the assignment of rights works (same user only a change of the password module).
For security reasons and for testing I created 2 users, same result,
test_user_6 is working, test_user-7 isn't working:

| test_user_6 | sha256_password |
| test_user_7 | caching_sha2_password |

mysql> show grants for 'test_user_6'@'10.234.16.0/255.255.255.0';
+---------------------------------------------------------------------------------------+
| Grants for test_user_6@10.234.16.0/255.255.255.0 |
+---------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `test_user_6`@`10.234.16.0/255.255.255.0` |
| GRANT PROXY ON `bc_monitoring_proxy`@`%` TO `test_user_6`@`10.234.16.0/255.255.255.0` |
+---------------------------------------------------------------------------------------+
2 rows in set (0,00 sec)

mysql> show grants for 'test_user_7'@'10.234.16.0/255.255.255.0';
+---------------------------------------------------------------------------------------+
| Grants for test_user_7@10.234.16.0/255.255.255.0 |
+---------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `test_user_7`@`10.234.16.0/255.255.255.0` |
| GRANT PROXY ON `bc_monitoring_proxy`@`%` TO `test_user_7`@`10.234.16.0/255.255.255.0` |
+---------------------------------------------------------------------------------------+
2 rows in set (0,00 sec)

Does caching_sha2 not yet support the assignment of proxy rights?
I can't find anything about restrictions in this regard and also the documentation:
https://dev.mysql.com/doc/refman/8.4/en/proxy-users.html
does not indicate any problems with the module.

The proxy rules under [mysqld] currently look like this:
check_proxy_users=ON
sha256_password_proxy_users=ON

I would be very grateful for any advice

Best

Silvio

MySQL FLUSH_PRIVILEGES: A new dynamic privilege to execute FLUSH PRIVILEGES (no replies)

Edwin Desouza — Mon, 28 Oct 2024 23:40:28 +0000

https://blogs.oracle.com/mysql/post/flushprivileges-a-new-dynamic-privilege-to-execute-flush-privileges

How to use passkeys to authenticate to MySQL (no replies)

Edwin Desouza — Mon, 28 Oct 2024 22:47:14 +0000

https://blogs.oracle.com/mysql/post/how-to-use-passkeys-to-authenticate-to-mysql

MySQL: OpenID Connect (Oauth2 - JWT) Authentication (no replies)

Edwin Desouza — Tue, 22 Oct 2024 15:16:22 +0000

MySQL: OpenID Connect (Oauth2 - JWT) Authentication
- https://blogs.oracle.com/mysql/post/openid-connect-oauth2-jwt-authentication-support-in-mysql

mysql_native_password deprecation plans (2 replies)

Mou Rik — Thu, 10 Oct 2024 19:07:13 +0000

Hi,
We see that the default authentication plugin has changed from mysql_native_password to caching_sha2_password.

We know we have to (and are in the process of) migrating over to caching_sha2_password.

Our question: will mysql_native_password actually be REMOVED from mysql? Will it stop working any time (soon-ish) or is it just a default that has changed?

Thanks!

question on "--ssl-ca" flag during ssl connection (1 reply)

sridhar subramanya — Thu, 29 Aug 2024 07:57:12 +0000

I've a mysql server running on redhat8 and enabled it for TLS/SSL one way authentication.

my question is about the significance of using "--ssl-ca" to validate the server certificate , given that there are instances where mysql client/shell (probably version 8 or older) getting connected successfully to the server without providing --ssl-ca as a part of connection.

I thought it was an expected behavior. in the above case i assume connections are still secure its just that, server certificate were not validated from the client side.

i assume its the responsibility of the connecting client or application to validate/verify that the certificate from their end .

if my assumption was wrong , Does server can act as a gate keeper or does have any setting on the server side which could dictate incoming client connections to validate its certificate and restrict the connection if its not.

request your valuable input on the matter.

Thanks,
Sri

FIPS mode help! (2 replies)

B W — Mon, 09 Sep 2024 07:58:43 +0000

I installed MySQL 8.0.38 Community Server on my Windows machine, but when I try to turn on FIPS mode, I get an error:

ERROR] [MY-011272] [Server] SSL fips mode error: error:12800067:DSO support routines::could not load the shared library

I believe running this running this query
mysql> show status like '%Tls_library_version%';
OpenSSL 3.0.13 30 Jan 2024

shows that MySQL was build with that version of OpenSSL.

Reading OpenSSL documentation, the last FIPS compliant version is actually 3.0.9. so I downloaded the OpenSSL 3.0.9 source and built it with the FIPS flag and installed it on the machine (I do see various DLLs related to FIPS being installed)

Am I able to have MySQL link in the the OpenSSL DLLs that I compiled (if so, how do I do this?) or do I have to download the MySQL Source and compile that on my Windows machine?

Any guidance would be greatly appreciated.

Copy password from one user to another (3 replies)

Noel Abela — Thu, 08 Aug 2024 11:12:04 +0000

With mysql5.5 we used to copy passwords from one user to another with the following sql

update mysql.user set password = ((select pass from (select password as pass from mysql.user where mysql.user.user='nla_jim' and mysql.user.host='localhost') as c)) where mysql.user.user ='abc_jim';

Is there a way to do this same thing on mysql8? We are using native passwords.

Unable to login mysql after keyring plugin install (no replies)

Santosh Nag Narasimha Dadhirao — Wed, 10 Jul 2024 10:59:12 +0000

I'm unable to log in after enabling the keyring plugin in mysql.

Request you to assist

Component Key ring file (1 reply)

Pradeep Kumar Bojja — Thu, 27 Jun 2024 07:35:46 +0000

Hi everyone,

I was trying to work on component key ring file installation and after performing all the steps am not able to encrypt a table. Am I missing something? Can someone guide me on this?

Added manifest file under /usr/sbin

cat mysqld.my
{
"components": "file://component_keyring_file"
}

Added configuration file under /usr/lib64/mysql/plugin/

cat component_keyring_file.cnf
{
"path": "/usr/lib64/mysql/plugin/component_keyring_file",
"read_only": false
}

created a zero bytes file under /usr/lib64/mysql/plugin/component_keyring_file

Its showing as active in mysql prompt but when am trying to encrypt a table it is not working.

mysql> SELECT * FROM performance_schema.keyring_component_status;
+---------------------+------------------------------------------------+
| STATUS_KEY | STATUS_VALUE |
+---------------------+------------------------------------------------+
| Component_name | component_keyring_file |
| Author | Oracle Corporation |
| License | GPL |
| Implementation_name | component_keyring_file |
| Version | 1.0 |
| Component_status | Active |
| Data_file | /usr/lib64/mysql/plugin/component_keyring_file |
| Read_only | No |
+---------------------+------------------------------------------------+
8 rows in set (0.00 sec)

mysql> alter table emp encryption='Y';
ERROR 3185 (HY000): Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully.

MySQL: Keyring components (no replies)

Edwin Desouza — Fri, 03 May 2024 01:37:24 +0000

Introducing Keyring Components in MySQL

— https://blogs.oracle.com/mysql/post/keyring-components
— https://blogs.oracle.com/mysql/post/component-keyring-file
— https://blogs.oracle.com/mysql/post/keyring-component-to-plugin-migration
— https://blogs.oracle.com/mysql/post/component-keyring-oci

Configuring keyring component (no replies)

John Carver — Fri, 26 Apr 2024 12:33:23 +0000

Gents,I an trying to configure component keyring on RHEL 8. I placed a global file in /sbin per the instructions. I placed a second file in /usr/lib64/mysql/plugin and verified library was there. Restarted mysqld but no go

Global config is as follows:
[root@rhel8 plugin]# ls -l /sbin/mysqld.my
-rw-r-----. 1 mysql mysql 52 Apr 25 17:38 /sbin/mysqld.my

[root@rhel8 vagrant]# more /sbin/mysqld.my
{
"components": "file://component_keyring_file"
}
[root@rhel8 plugin]# ls -l component_keyring_file.cnf
-r--r-----. 1 mysql mysql 68 Apr 25 20:16 component_keyring_file.cnf

[root@rhel8 plugin]# more component_keyring_file.cnf
{
"path": "/usr/local/mysql/keyring/app",
"read_only": false
}

It seems setup right. Cannot figure out why it is not working.

How to change the login plugin from mysql_native_password to caching_sha2_password (2 replies)

Liang Cheng — Wed, 24 Jul 2024 00:07:56 +0000

Hi,
Most of our environments are mysql5.7 and we are trying MySQL8 recently. One difference between 5.7.x and 8.0 is that the default login plugin is changed from mysql_native_password to caching_sha2_password.
For now, we know that we can upgrade the existing 5.7 environments to 8.0 by specifying the plugin to mysql_native_password. But mysql_native_password will be deprecated anyway. So we wonder that how to change login plugin of existing users from mysql_native_password to caching_sha2_password in case that we want to plan upgrade 5.7 to latest 8.0+. We know how to change the login plugin for any user manually created by us.
But we don't know how to migrate for system users, e.g. mysql.sys, mysql.session and the internal users created by mysqlrouter, I suspect the login plugin of mysqlrouter user maybe related to plugin type of system user.

| mysql_router1_9dpfyggnr7bg | % | mysql_native_password |
| mysql_router1_r2dvd2ouvpsh | % | mysql_native_password |
| mysql_router8_nnuisdqf5bgi | % | mysql_native_password |
| mysql_router8_q67c850fzp1p | % | mysql_native_password |
| replication_user | % | caching_sha2_password |
| root | % | caching_sha2_password |
| mysql.infoschema | localhost | caching_sha2_password |
| mysql.session | localhost | mysql_native_password |
| mysql.sys | localhost | mysql_native_password |

Please share some knowledge, thanks a lot.

Keyring_OKV integration with external KMS for TDE (1 reply)

Simon Thornell — Sat, 30 Dec 2023 17:05:59 +0000

Hi there,

I'm trying to configure MySQL db to use the keyring_okv to communicate using KMIP with my external KMS when doing TDE. I have the MEK in my KMS but I get multiple errors from MySQL during the setup.

I'm using Ubuntu 20.04 and I've tried 22.04 aswell. I've installed the V1038776-01 package on Ubuntu 20.04 and V1038777-01 on 22.04.

After running through all the configuration steps online, in the /var/log/mysql/error.log I get:

2023-12-11T12:28:56.448105Z 0 [Warning] [MY-010918] [Server] 'default_authentication_plugin' is deprecated and will be removed in a future release. Please use authentication_policy instead.
2023-12-11T12:28:56.448130Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.35-commercial) starting as process 14038
2023-12-11T12:28:56.452968Z 0 [ERROR] [MY-011382] [Server] Plugin keyring_okv reported: 'Could not find entry for server in configuration file /usr/local/mysql/mysql-keyring-okv/okvclient.ora'
2023-12-11T12:28:56.452995Z 0 [ERROR] [MY-011384] [Server] Plugin keyring_okv reported: 'Could not parse the okvclient.ora file provided'
2023-12-11T12:28:56.453005Z 0 [ERROR] [MY-011377] [Server] Plugin keyring_okv reported: 'keyring_okv initialization failure. Please check that the keyring_okv_conf_dir points to a readable directory and that the directory contains Oracle Key Vault configuration file and ssl materials. Please also check that Oracle Key Vault is up and running.'
2023-12-11T12:28:56.453015Z 0 [ERROR] [MY-010202] [Server] Plugin 'keyring_okv' init function returned error.

But the config all looks ok in the okvclient.ora file (used X to keep my domain safe but see the test below using openssl with KMIP to check connectivity):

root@simon-virtual-machine:/usr/lib/mysql/plugin# cat /usr/local/mysql/mysql-keyring-okv/okvclient.ora
SERVER=XX.XXXXXXXX.XX:5696
STANDBY_SERVER=XX.XXXXXXXX.XX:5696

and my okvclient.ora looks ok:

[mysqld]
early-plugin-load=keyring_okv.so
keyring_okv_conf_dir=/usr/local/mysql/mysql-keyring-okv
ssl-ca=/var/lib/mysql/ca.pem
ssl-cert=/var/lib/mysql/server-cert.pem
ssl-key=/var/lib/mysql/server-key.pem
pid-file=/var/run/mysqld/mysqld.pid
socket=/var/run/mysqld/mysqld.sock
datadir=/var/lib/mysql
log-error=/var/log/mysql/error.log

Testing the cert, key etc. between DSM and my server hosting MySQL using KMIP also looks good:

root@simon-virtual-machine:/usr/local/mysql/mysql-keyring-okv/ssl# openssl s_client -connect XX.XXXXXXXX.XX:5696 -cert cert.pem -key key.pem -CAfile CA.pem
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = XX.XXXXXXXX.XX
verify return:1

Running MySQL enterprise:

mysql> SELECT VERSION();
+-------------------+
| VERSION() |
+-------------------+
| 8.0.35-commercial |
+-------------------+
1 row in set (0.00 sec)

Am I missing some configuration or do I need to install another package?

MySQL 8.0.35 and mysql_native_password (1 reply)

Christos Chatzaras — Tue, 20 Feb 2024 21:15:09 +0000

I am currently using MySQL 8.0.33 and am planning to upgrade to version 8.0.35.

In my configuration file (my.cnf) I have set:

default_authentication_plugin=mysql_native_password.

According to the MySQL 8.0.35 release notes found at https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-35.html, it is mentioned that "mysql_native_password now replaces caching_sha2_password as the default authentication method when the server does not support pluggable authentication."

I typically add users using the following command:

CREATE USER 'username'@'%' IDENTIFIED WITH mysql_native_password BY 'password';

Given this information, I am concerned about whether there will be any issues logging in with these accounts after upgrading to MySQL 8.0.35.

MySQL: Improving TLS Ciphers usage (no replies)

Edwin Desouza — Tue, 31 Oct 2023 17:51:17 +0000

MySQL: Improving TLS Ciphers usage
— https://blogs.oracle.com/mysql/post/improving-tls-ciphers-usage-in-mysql-820

MySQL: authentication_webauthn (no replies)

Edwin Desouza — Tue, 31 Oct 2023 17:50:36 +0000

MySQL: authentication_webauthn
— https://blogs.oracle.com/mysql/post/new-kid-on-the-block-authenticationwebauthn

MySQL Connector/J 2FA and FIDO (WebAuthn) (no replies)

Edwin Desouza — Mon, 30 Oct 2023 22:58:52 +0000

MySQL Connector/J 2FA and FIDO (WebAuthn)
- https://blogs.oracle.com/mysql/post/mysql-connectorj-fido-webauthn

Encryption data (no replies)

christophe offroy — Fri, 27 Oct 2023 14:10:22 +0000

Hi,
I would like to crypt data on my mysql database.
I saw that Data-at-rest Encryption exist but is available in Mysql community version or only on mysql Enterprise.
If not how to do the encryption ?

Thanks
Best regards

Christophe

MySQL HeatWave Database Audit for Data Governance, Compliance, and Security (no replies)

Edwin Desouza — Fri, 18 Aug 2023 21:02:19 +0000

MySQL HeatWave Database Audit for Data Governance, Compliance, and Security
- https://blogs.oracle.com/mysql/post/introducing-mysql-heatwave-database-audit

client auth with lets encrypt certs (1 reply)

rob thijssen — Tue, 15 Aug 2023 07:40:25 +0000

i run ops for a few dev teams. because our servers must be publicly accessible and because they are under constant exploit attempts, we prefer to use strong (elyptic curve) tls client and server auth with real (rather than self-signed) certs, which regularly expire and are renewed, for db connections and for replication between source and replicas.

mongodb support for this use case is pretty straightforward and our mongo servers have always been configured this way.

postgresql support seems like an afterthought but is doable with a fair bit of configuration tinkering. we've had this working for a few months.

i've spent a week trying to coerce mysql to work this way and so far, no joy.

i did discover:
- ca.pem needs to contain all intermediaries (everything in le's fullchain.pem + dst-root-x3, something le doesn't make it easy for you to find, but we'd already jumped through those hoops for our other infra)
- cert.pem and privkey.pem need nothing added or removed.

starting the mysql service with the following config works:
```
[mysqld]
require_secure_transport=ON
ssl_ca=/var/lib/mysql/lets-encrypt-ca.pem
ssl_cert=/var/lib/mysql/lets-encrypt-cert.pem
ssl_key=/var/lib/mysql/lets-encrypt-key.pem
#ssl_cipher=TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
tls_version=TLSv1.3
```
client users are created like so:
```
CREATE USER 'foo'@'abc.example.com' REQUIRE SUBJECT 'CN=abc.example.com' AND ISSUER 'C=US,O=Let\'s Encrypt,CN=R3';
```
i've also tried:
```
CREATE USER 'foo'@'%' REQUIRE SUBJECT 'CN=abc.example.com' AND ISSUER 'C=US,O=Let\'s Encrypt,CN=R3';
```
however no clients are able to authenticate (clients also have le certs) and an error is shown client-side which reads:
access denied for user 'foo'@'ip address' (using password: no)

server-side the error log shows:
```
[Warning] [MY-010055] [Server] IP address 'ip address' could not be resolved: Name or service not known
```

some research suggested that the ssl_cipher should be set, but uncommenting that line in the .cnf file causes the server to ignore all ssl settings and run without ssl.

any example of a working client and server tls auth implementation that uses a real cert rather than a self signed one, would be greatly appreciated.

Problem data at rest encryption configuration of component_keyring_file in Windows 11. (1 reply)

Lesly Campo — Fri, 04 Aug 2023 15:18:41 +0000

I have a problem with the configuration of component_keyring_file in mysql server in windows 11.

Until now these are the steps I have been followed.

STEP BY STEP TO Encryption at DATA-REST

1. Activate Keyring component of mysql
a. In the bin directory installation of MySQL Server create a manifest file called mysqld.my with the following information in JSON format:
{
"read_local_manifest": false,
"components": "file://component_keyring_file"
}
b. In the plugin directory (normally C:\Program Files\MySQL\MySQL Server 8.0\lib\plugin) create a configuration file called component_keyring_file.cnf with the following information
{
"read_local_config": false,
"path": "component_keyring_file",
"read_only": false
}
Note: Even if the instructions tell to use absolute path only relative path worked to activate the component in the server.

c. Use ALTER INSTANCE RELOAD KEYRING in mysql query to update the component configuration.
d. Query SELECT * FROM performance_schema.keyring_component_status; to verify the status of the recent component installation.

2. To alter the encryption of an existing file-per-table tablespace, an ENCRYPTION clause must be specified.

mysql> ALTER TABLE t1 ENCRYPTION = 'Y';

3. When we restart the service and even if we use the ALTER INSTANCE RELOAD KEYRING command, we are still not able to access the encrypted data.

I don't know if this is a bug. Or I need to make changes to any of the manifest or configuration files.

I would appreciate any help.

Permission oddity/issue Mysql 8 (3 replies)

Jordan Brown — Thu, 13 Jul 2023 00:51:37 +0000

Hi y'all,

We've recently upgraded our DB to the Mysql 8 from Mysql 5.7. Version of Mysql 8 we're on is 8.0.32

I'm going to use a test user below but this test user mimics an actual user in our DB.

This user was created this way with these permissions in mysql 5.7:

CREATE USER 'test_jb'@'%' IDENTIFIED BY '{enter_password}';
GRANT ALL PRIVILEGES ON `phone_%prod%`.* TO 'test_jb'@'%';
GRANT SELECT, CREATE TEMPORARY TABLES ON `%prod`.* TO 'test_jb'@'%';

All was working fine and the user had "ALL PRIVILEGES" to phone_%prod%`.*.

So we upgraded to Mysql 8 and there the user looked the same:

Logged in as that user, test_jb.

mysql> show grants for current_user
-> ;
+---------------------------------------------------------------------+
| Grants for test_jb@% |
+---------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `test_jb`@`%` |
| GRANT ALL PRIVILEGES ON `phone_%prod%`.* TO `test_jb`@`%` |
| GRANT SELECT, CREATE TEMPORARY TABLES ON `%prod`.* TO `test_jb`@`%` |
+---------------------------------------------------------------------+
3 rows in set (0.06 sec)

User was able to do things like so:

mysql> create schema phone_api_prod;
Query OK, 1 row affected (0.06 sec)

mysql> CREATE TABLE phone_api_prod.test12 (id int);
Query OK, 0 rows affected (0.08 sec)

in mysql 8, just as they were able in mysql 5.7

I'm to drop those schema now so I can show running them again a bit later:

mysql> drop schema phone_api_prod;
Query OK, 0 rows affected (0.06 sec)

However, we added a role to this user and now its permission is denied for running the same statements as before. For the sake of simplicity, I'll show you a role that is created but the role will have no additional permissions (in real life this wouldn't be the case but this is just to keep it simple. The role we added actually had some additional/unrelated priviliges/permissions and showed the same behavior). The role will be granted to the same user.

So this is what we did:

mysql> CREATE ROLE `TESTTESTTEST`@'%';
Query OK, 0 rows affected (0.07 sec)

mysql> GRANT TESTTESTTEST TO 'test_jb'@'%';
Query OK, 0 rows affected (0.06 sec)

Then logging back in to test_jb user:

mysql> set role TESTTESTTEST
-> ;
Query OK, 0 rows affected (0.06 sec)

mysql> select current_role()
-> ;
+--------------------+
| current_role() |
+--------------------+
| `TESTTESTTEST`@`%` |
+--------------------+
1 row in set (0.06 sec)

mysql> show grants for current_user
-> ;
+---------------------------------------------------------------------+
| Grants for test_jb@% |
+---------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `test_jb`@`%` |
| GRANT SELECT, CREATE TEMPORARY TABLES ON `%prod`.* TO `test_jb`@`%` |
| GRANT ALL PRIVILEGES ON `phone_%prod%`.* TO `test_jb`@`%` |
| GRANT `TESTTESTTEST`@`%` TO `test_jb`@`%` |
+---------------------------------------------------------------------+
4 rows in set (0.06 sec)

And as mentioned, now when running just that create schema statement that earlier ran fine, now fails:

mysql> create schema phone_api_prod;
ERROR 1044 (42000): Access denied for user 'test_jb'@'%' to database 'phone_api_prod'

Now if I set my role to NONE, it works again:

mysql> set role NONE;
Query OK, 0 rows affected (0.05 sec)

mysql> create schema phone_api_prod;
Query OK, 1 row affected (0.06 sec)

mysql> CREATE TABLE phone_api_prod.test12 (id int);
Query OK, 0 rows affected (0.09 sec)

set the role back again and it stops working again:

mysql> set role TESTTESTTEST;
Query OK, 0 rows affected (0.06 sec)

mysql> show grants for current_user;
+---------------------------------------------------------------------+
| Grants for test_jb@% |
+---------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `test_jb`@`%` |
| GRANT SELECT, CREATE TEMPORARY TABLES ON `%prod`.* TO `test_jb`@`%` |
| GRANT ALL PRIVILEGES ON `phone_%prod%`.* TO `test_jb`@`%` |
| GRANT `TESTTESTTEST`@`%` TO `test_jb`@`%` |
+---------------------------------------------------------------------+
4 rows in set (0.06 sec)

mysql> CREATE TABLE phone_api_prod.test14 (id int);
ERROR 1142 (42000): CREATE command denied to user 'test_jb'@'ec2-34-197-131-140.compute-1.amazonaws.com' for table 'test14'

read access still works:

mysql> select * from phone_api_prod.test12
-> ;
Empty set (0.06 sec)

and the role we assigned doesn't have any additional permissions. All the permissions come from the GRANTS assigned at the user level. So it's getting its read access from the GRANTS assigned at the user level. It's just when assigning a role which is a feature of mysql 8, those previous "modify" scripts fail to behave as before.

Can someone point me in the Mysql Docs where this behavior is documented? Seems kind of strange.

Only thing remotely related that I could find in the mysql 8 docs is this (https://dev.mysql.com/doc/refman/8.0/en/grant.html#:~:text=Issuing%20multiple%20GRANT): "Issuing multiple GRANT statements containing wildcards may not have the expected effect on DML statements; when resolving grants involving wildcards, MySQL takes only the first matching grant into consideration. In other words, if a user has two database-level grants using wildcards that match the same database, the grant which was created first is applied." To be clear, this is the same behavior documented in mysql 5.7, and like I said, it works fine in mysql 5.7 and mysql 8. But stops working as expected once a role is granted and activiated on a user.

Is there a way to solve this, keeping to the permission strategy we have in place, or does mysql 8 with roles just break permission setup like this? Either way, where is this behavior documented in the mysql 8 docs, so I can understand better?

We use this strategy of permissions to give broad "read only and temporary table creation access to all %prod schemas" and elevated/ALL privileges permissions to a subset of schemas depending on the data subject area /data domain. It was a great strategy for us, but since we want to use roles in mysql 8 for additional simplicity of permission management, we're now coming across the inability to continue BAU permission strategy with role based permissioning.

Could use some help here solving this mystery, thanks!

dynamic privileges for web applications (no replies)

mohamed salah sdiri — Fri, 26 May 2023 13:54:55 +0000

Hello,
I want to design a dynamic privileges system to be applied in relation to some bundles (modules) of my monolithic web application in PHP. My goal is to ensure security by applying custom privileges for each user based on their roles at the database level, not just relying on the application logic. This approach aims to prevent any unwanted behavior in the web application, such as arbitrary execution due to undiscovered vulnerabilities.

During my research, I discovered that one way to achieve this is by creating multiple database users. However, it is strongly advised against switching between multiple database users, and there are no arguments in favor of it. In my application, I have numerous user profiles, each with different access permissions, similar to what we find in cloud solution providers.

Is it possible to implement this in MySQL?