MySQL Forums
Forum List  »  Security

Re: mysql keyring_file plugin master key storage
Posted by: Georgi Kodinov
Date: March 09, 2018 11:27AM

Good question !
Basically it's like that:
The server exposes a keyring plugin service (https://dev.mysql.com/doc/dev/mysql-server/latest/structmysql__keyring__service__st.html) for other plugins (and the server of course) to use.
Innodb is one such user of the keyring service.

But the server doesn't really know how to implement the service. Thus it relies on a keyring plugin to be present to implement it.

This is where keyring_file comes in (or any other keyring plugin really).

It implements the methods of the keyring service.

So it goes like this:
* Innodb calls the keyring plugin service in the server when it needs a key
* The server finds e.g. the keyring_file plugin and calls the relevant method defined by it
* the keyring_file plugin's method does execute the method (e.g. retrieves the key) and sends it back to innodb via the server.

If there's no keyring plugin loaded the server's keyring service just returns an error to the consumer (innodb in this case).

This is exactly why you need to load the keyring plugin via --early-plugin-load *before* innodb searches for it at init time trying to read encrypted data.

See slide 21 of my presentation https://www.slideshare.net/GeorgiKodinov/pl17-mysql-80-security for a diagram of it all.

Georgi "Joro" Kodinov
MySQL SrvGen team lead
Plovdiv, Bulgaria

Options: ReplyQuote


Subject
Views
Written By
Posted
Re: mysql keyring_file plugin master key storage
679
March 09, 2018 11:27AM


Sorry, you can't reply to this topic. It has been closed.

Content reproduced on this site is the property of the respective copyright holders. It is not reviewed in advance by Oracle and does not necessarily represent the opinion of Oracle or any other party.