Good question!
Basically it's like that:
The server exposes a keyring plugin service (https://dev.mysql.com/doc/dev/mysql-server/latest/structmysql__keyring__service__st.html) for other plugins (and the server of course) to use.
InnoDB is one such user of the keyring service.
But the server doesn't really know how to implement the service. Thus it relies on a keyring plugin to be present to implement it.
This is where keyring_file comes in (or any other keyring plugin really).
It implements the methods of the keyring service.
So it goes like this:
* InnoDB calls the keyring plugin service in the server when it needs a key
* The server finds e.g. the keyring_file plugin and calls the relevant method defined by it
* The keyring_file plugin's method does execute the method (e.g. retrieves the key) and sends it back to InnoDB via the server.
If there's no keyring plugin loaded, the server's keyring service just returns an error to the consumer (InnoDB in this case).
This is exactly why you need to load the keyring plugin via --early-plugin-load *before* InnoDB searches for it at init time trying to read encrypted data.
See slide 21 of my presentation https://www.slideshare.net/GeorgiKodinov/pl17-mysql-80-security for a diagram of it all.
Georgi "Joro" Kodinov
MySQL SrvGen team lead
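
The call path described in the post above, as an added example that is not part of the original post and is not MySQL source code. It is a simplified C model in which every type and function name is hypothetical and the key value is constructed; it shows the service returning an error to the consumer when no keyring plugin is loaded before the consumer's init.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model, not MySQL source: the methods a keyring plugin implements. */
typedef struct {
    int (*key_fetch)(const char *key_id, char *out, size_t out_len);
} keyring_methods;

/* Server side: the loaded keyring plugin's methods, or NULL if none is loaded. */
static const keyring_methods *loaded_keyring = NULL;

/* Server's keyring service: forwards to the plugin, or reports an error. */
int server_key_fetch(const char *key_id, char *out, size_t out_len) {
    if (loaded_keyring == NULL) return 1;   /* no keyring plugin loaded */
    return loaded_keyring->key_fetch(key_id, out, out_len);
}

/* Stand-in for keyring_file: one constructed key held in memory. */
static int file_key_fetch(const char *key_id, char *out, size_t out_len) {
    static const char stored[] = "constructed-sample-key";
    if (strcmp(key_id, "master-key-1") != 0 || out_len < sizeof stored) return 1;
    memcpy(out, stored, sizeof stored);
    return 0;
}
static const keyring_methods keyring_file_model = { file_key_fetch };

void load_keyring_plugin(void)   { loaded_keyring = &keyring_file_model; }
void unload_keyring_plugin(void) { loaded_keyring = NULL; }

/* Consumer (InnoDB in the post): needs the key at init to read encrypted data. */
int innodb_init_model(char *key_out, size_t len) {
    return server_key_fetch("master-key-1", key_out, len);
}

/* Returns 0 when startup succeeds; early_load models --early-plugin-load. */
int startup_model(int early_load, char *key_out, size_t len) {
    int rc;
    unload_keyring_plugin();
    if (early_load) load_keyring_plugin();
    rc = innodb_init_model(key_out, len);
    if (!early_load) load_keyring_plugin(); /* too late: init already failed */
    return rc;
}

int main(void) {
    char key[64];
    return startup_model(1, key, sizeof key);
}
```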