Wednesday, December 4, 2019

Storing keyring_encrypted_file_password settings in extra option file

The MySQL configuration file (my.ini or my.cnf) defines the variables used at server start-up.

In MySQL 8.0, we also have Persistent Variables, which are stored within the data directory as 'mysqld-auto.cnf'.

Starting mysqld (or mysqld_safe on Linux) with "--defaults-file" is common practice.

e.g.

# mysqld_safe --defaults-file=/data/my.ini &


The my.ini may contain all the settings that are required. For security reasons, a password stored within that same my.ini adds extra risk: we may accidentally send my.ini out for troubleshooting.

Scenario: MySQL Transparent Data Encryption (TDE) with the encrypted file keyring (MySQL Enterprise Edition).

For Windows: define a new file (e.g. my-tde.ini) that contains only the TDE settings:

[mysqld]
early-plugin-load=keyring_encrypted_file.dll
keyring_encrypted_file_data=C:/ProgramData/MySQL/3316/mysql-keyring/keyring-encrypted
keyring_encrypted_file_password=password

In my.ini, append a line to include my-tde.ini:

[mysqld]
<... all other settings...>
!include C:/ProgramData/MySQL/my-tde.ini


On Windows, if !include /path/to/extra.ini is the last line in the file, make sure a newline is appended at the end, or the line will be ignored.

Having a separate option file pulled in with the !include directive reduces the risk, because the sensitive settings are kept apart from the rest of the configuration.
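As an added example (not code from the original post), a small Python audit that follows !include directives the way mysqld reads them and reports two things worth checking after this change: which option file each setting actually came from, and whether a trailing !include is missing the newline that makes mysqld ignore it. The file names, sample values and the SECRET_KEYS list are constructed for the example.

```python
import os
import tempfile

# Option names that belong only in the extra file; '-' and '_' are treated alike, as MySQL does.
SECRET_KEYS = {"keyring_encrypted_file_password"}


def audit_option_file(path, _depth=0, _seen=None):
    """Parse a MySQL option file, follow '!include' lines; return (option -> file, warnings)."""
    _seen = set() if _seen is None else _seen
    settings, warnings = {}, []
    if _depth > 8 or path in _seen:
        return settings, [f"{path}: include loop or nesting too deep"]
    _seen.add(path)
    if not os.path.isfile(path):
        return settings, [f"{path}: included file does not exist"]
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().split("\n")
    for idx, line in enumerate(lines):
        text = line.strip()
        if not text or text[0] in "#;[":
            continue  # blank, comment or [group] header
        if text.startswith("!include "):
            if idx == len(lines) - 1:
                # Last line with no trailing newline: mysqld ignores it, so TDE settings go missing.
                warnings.append(f"{path}: trailing '!include' has no newline and is ignored")
                continue
            sub_s, sub_w = audit_option_file(text[9:].strip(), _depth + 1, _seen)
            settings.update(sub_s)
            warnings.extend(sub_w)
        elif "=" in text:
            key = text.partition("=")[0].strip().replace("-", "_")
            settings[key] = path
            if key in SECRET_KEYS and _depth == 0:
                warnings.append(f"{path}: '{key}' is set in the main option file")
    return settings, warnings


def demo(trailing_newline=True):
    """Write constructed my.ini / my-tde.ini files to a temp dir and audit them."""
    d = tempfile.mkdtemp()
    tde = os.path.join(d, "my-tde.ini")
    with open(tde, "w", encoding="utf-8") as fh:
        fh.write("[mysqld]\nearly-plugin-load=keyring_encrypted_file.dll\n"
                 "keyring_encrypted_file_data=/data/keyring-encrypted\n"
                 "keyring_encrypted_file_password=password\n")
    main = os.path.join(d, "my.ini")
    with open(main, "w", encoding="utf-8") as fh:
        fh.write(f"[mysqld]\nport=3316\n!include {tde}" + ("\n" if trailing_newline else ""))
    return audit_option_file(main)
```

Running demo(False) reproduces the Windows pitfall from the note above: the include line is silently dropped and the keyring password never reaches the server.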