Tuesday, February 27, 2024

MySQL Keyring Component Installation for TDE


MySQL has long relied on plugins to extend the server, and that mechanism is evolving into the component infrastructure.   This article walks through installing the keyring as a component rather than as a plugin.

MySQL Enterprise Edition includes component_keyring_encrypted_file, an encrypted-file keyring component.    It stores the TDE master key in a file that is encrypted with a password, rather than in an unencrypted local file, which is a more secure way to keep the master key on the server host.

Keyring components cannot be loaded at runtime with the SQL command "INSTALL COMPONENT".   They are declared statically in a manifest file that mysqld reads at startup, so the server has to be restarted for a change to take effect.   Manifest-based installation has 2 scopes.


Global vs Local

With Global component installation, the manifest and the component configuration live in the MySQL installation directories (next to the mysqld binary and in the plugin directory).

With Local component installation, the global files only redirect mysqld to the data directory (Datadir), where the actual manifest and component configuration are kept.


Global Configuration

Assume a package installation under /usr, with mysqld in /usr/sbin.   The plugin directory is reported by the SQL command:

mysql> show variables like 'plugin_dir';

for example :

mysqld folder : /usr/sbin

plugin_dir : /usr/lib64/mysql/plugin


There are 2 configuration files.

1. mysqld.my : The manifest listing the components mysqld loads at startup.  It is located in the same folder as the 'mysqld' binary.

    # cat /usr/sbin/mysqld.my

{
"components": "file://component_keyring_encrypted_file"
}

The file must be readable (R) by the OS user that starts mysqld (mysql on most package installations).  It contains no secret, so a world-readable 0644 file owned by root is fine.


2.  component_keyring_encrypted_file.cnf : The configuration file for the component named in mysqld.my.  It is located in the plugin folder.  The "password" value below is a placeholder; use a real secret.

  # cat /usr/lib64/mysql/plugin/component_keyring_encrypted_file.cnf

{
  "path": "/var/lib/mysql-keyring/component_keyring_encrypted_file",
  "password": "password",
  "read_only": false
}

The "path" value determines where the component keeps the encrypted key file.    The folder must exist and be readable and writable (RW) by the OS user that runs mysqld.    Note that the password is stored in clear text in this .cnf file, so file permissions are the real boundary: restrict it to that OS user (for example mode 0600 owned by the mysqld user, or 0640 with the mysqld user's group), because anyone who can read both this file and the key file can decrypt the master key.


Local Configuration

The same package layout as in the global case is assumed: mysqld in /usr/sbin and plugin_dir /usr/lib64/mysql/plugin (check with show variables like 'plugin_dir').


There are 2 configuration files.

1. mysqld.my : The manifest listing the components mysqld loads at startup.  It is located in the same folder as the 'mysqld' binary.    The content "read_local_manifest" : true tells mysqld to read the actual manifest from the DATADIR at server startup instead of from this file.

    # cat /usr/sbin/mysqld.my

{
  "read_local_manifest": true
}

  # cat $DATADIR/mysqld.my

{
"components": "file://component_keyring_encrypted_file"
}

Both files must be readable (R) by the OS user that starts mysqld.  Neither contains a secret.


2. component_keyring_encrypted_file.cnf : The configuration file for the component named in mysqld.my.  It is located in the plugin folder.  The content "read_local_config" : true tells the component to take its actual configuration from the file of the same name located in $DATADIR.

  # cat /usr/lib64/mysql/plugin/component_keyring_encrypted_file.cnf

{
  "read_local_config": true
}

  # cat $DATADIR/component_keyring_encrypted_file.cnf

{
  "path": "/var/lib/mysql-keyring/component_keyring_encrypted_file",
  "password": "password",
  "read_only": false
}

As in the global case, "path" determines where the encrypted key file is kept, and that folder must exist and be readable and writable (RW) by the OS user that runs mysqld.    The $DATADIR copy of the .cnf holds the password in clear text, so restrict it to that OS user (for example mode 0600); the redirect file in the plugin folder carries no secret.    Because the data directory is typically owned by the mysqld user, the local scope lets the DBA manage the keyring password without write access to /usr.
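The global and local layouts described above, as an added example that is not part of the original post: a POSIX shell script that writes the manifest and configuration files for either scope under a prefix, tightens the permissions on the password-bearing .cnf, and preflights the result before mysqld is started. The names and defaults are assumptions: ROOT is a staging prefix (use / on the real host), MYSQL_USER defaults to mysql, the password argument is a placeholder, and the paths follow the /usr/sbin and /usr/lib64/mysql/plugin layout used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): stage the manifest and component
# configuration files for component_keyring_encrypted_file in either the
# global or the local scope, then preflight them the way mysqld will see them.
#
# Assumptions (labelled): ROOT is a prefix under which the layout is written
# ("/" on a real host, a scratch directory when staging); PLUGIN_DIR and
# DATADIR are the values reported by 'show variables'; the mysqld binary
# lives at $ROOT/usr/sbin/mysqld; MYSQL_USER is the OS user that starts mysqld.
# PASSWORD is a placeholder and must not contain JSON-special characters
# (quotes, backslashes), because this script does not escape it.

MYSQL_USER=${MYSQL_USER:-mysql}

# Write stdin to $1 with mode 0600 and, when run as root, owned by MYSQL_USER.
# Used for the .cnf file because it carries the keyring password in clear text.
install_private() {
    mkdir -p "$(dirname "$1")"
    ( umask 077 && cat > "$1" ) && chmod 0600 "$1"
    if [ "$(id -u)" -eq 0 ]; then
        chown "$MYSQL_USER:$MYSQL_USER" "$1" 2>/dev/null ||
            echo "warning: could not chown $1 to $MYSQL_USER" >&2
    fi
}

# Write stdin to $1 with mode 0644: the mysqld.my manifests and the
# read_local_config redirect contain no secret; mysqld only needs to read them.
install_public() {
    mkdir -p "$(dirname "$1")"
    ( umask 022 && cat > "$1" ) && chmod 0644 "$1"
}

# write_keyring_layout SCOPE ROOT PLUGIN_DIR DATADIR KEYRING_DIR PASSWORD
write_keyring_layout() {
    scope=$1 root=$2 plugin_dir=$3 datadir=$4 keyring_dir=$5 password=$6
    components='{ "components": "file://component_keyring_encrypted_file" }'
    config=$(printf '{\n  "path": "%s/component_keyring_encrypted_file",\n  "password": "%s",\n  "read_only": false\n}' \
             "$keyring_dir" "$password")
    case $scope in
    global)
        printf '%s\n' "$components" | install_public  "$root/usr/sbin/mysqld.my"
        printf '%s\n' "$config"     | install_private "$root$plugin_dir/component_keyring_encrypted_file.cnf"
        ;;
    local)
        # The files at the global paths only redirect mysqld to $DATADIR.
        printf '{ "read_local_manifest": true }\n' | install_public "$root/usr/sbin/mysqld.my"
        printf '%s\n' "$components"                | install_public "$root$datadir/mysqld.my"
        printf '{ "read_local_config": true }\n'   | install_public "$root$plugin_dir/component_keyring_encrypted_file.cnf"
        printf '%s\n' "$config"                    | install_private "$root$datadir/component_keyring_encrypted_file.cnf"
        ;;
    *)
        echo "scope must be 'global' or 'local'" >&2; return 2 ;;
    esac
    # mysqld creates the encrypted key file itself on first start; it needs the
    # directory to exist and be writable, and nobody else needs to look inside.
    mkdir -p "$root$keyring_dir" && chmod 0700 "$root$keyring_dir"
    if [ "$(id -u)" -eq 0 ]; then
        chown "$MYSQL_USER:$MYSQL_USER" "$root$keyring_dir" 2>/dev/null ||
            echo "warning: could not chown $root$keyring_dir to $MYSQL_USER" >&2
    fi
}

# group_other_bits FILE -> the six permission characters for group and other
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# preflight_keyring_layout SCOPE ROOT PLUGIN_DIR DATADIR KEYRING_DIR
# Returns 0 when every file mysqld will open is present and readable by the
# calling user, the password-bearing .cnf is not group/world readable, and the
# keyring directory is writable. Run it as MYSQL_USER (e.g. under sudo -u) so
# the readability checks reflect what mysqld will actually get.
preflight_keyring_layout() {
    scope=$1 root=$2 plugin_dir=$3 datadir=$4 keyring_dir=$5 rc=0
    manifest=$root/usr/sbin/mysqld.my
    plugin_cnf=$root$plugin_dir/component_keyring_encrypted_file.cnf
    secret_cnf=$plugin_cnf
    if [ "$scope" = local ]; then
        secret_cnf=$root$datadir/component_keyring_encrypted_file.cnf
        grep -q '"read_local_manifest"[[:space:]]*:[[:space:]]*true' "$manifest" 2>/dev/null ||
            { echo "$manifest does not set read_local_manifest" >&2; rc=1; }
        grep -q '"read_local_config"[[:space:]]*:[[:space:]]*true' "$plugin_cnf" 2>/dev/null ||
            { echo "$plugin_cnf does not set read_local_config" >&2; rc=1; }
        [ -r "$root$datadir/mysqld.my" ] ||
            { echo "missing or unreadable: $root$datadir/mysqld.my" >&2; rc=1; }
    fi
    for f in "$manifest" "$plugin_cnf" "$secret_cnf"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; rc=1; }
    done
    case $(group_other_bits "$secret_cnf" 2>/dev/null) in
    *r*) echo "password-bearing config is group/world readable: $secret_cnf" >&2; rc=1 ;;
    esac
    [ -d "$root$keyring_dir" ] && [ -w "$root$keyring_dir" ] ||
        { echo "keyring directory missing or not writable: $root$keyring_dir" >&2; rc=1; }
    return $rc
}
```

Run the preflight as the mysqld OS user (for example under sudo -u mysql) so that the readability checks match what mysqld will see; a failure here is the same permission problem that would otherwise only surface in the error log after the server is started.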


Once the configuration is in place, starting MySQL Server creates the encrypted key file at the location given by "path".

To validate the installation, the following SQL command shows the keyring component status :

mysql> select * from performance_schema.keyring_component_status;
+---------------------+---------------------------------------------------------+
| STATUS_KEY          | STATUS_VALUE                                            |
+---------------------+---------------------------------------------------------+
| Component_name      | component_keyring_encrypted_file                        |
| Author              | Oracle Corporation                                      |
| License             | PROPRIETARY                                             |
| Implementation_name | component_keyring_encrypted_file                        |
| Version             | 1.0                                                     |
| Component_status    | Active                                                  |
| Data_file           | /var/lib/mysql-keyring/component_keyring_encrypted_file |
| Read_only           | No                                                      |
+---------------------+---------------------------------------------------------+
8 rows in set (0.00 sec)


If the query returns an empty set, the component did not load; check the MySQL error log for the reason.

The most common cause is file permissions.  If the manifest, the configuration file or the keyring folder is not accessible to the OS user that starts mysqld, the component fails to load and the error is reported in the error log.



On Ubuntu, mysqld runs confined by the AppArmor profile /etc/apparmor.d/usr.sbin.mysqld, and the default profile does not grant read access to /usr/sbin/mysqld.my, so the manifest is silently unreadable even when its file permissions are correct.  Append the line "/usr/sbin/mysqld.my r," next to the existing config rules as shown below, then reload the profile (sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld) and restart mysqld.  Also check that the profile permits the data directory and the keyring "path" you chose; /var/lib/mysql-keyring is not under the data directory and may need its own rule.

# Allow config access
  /etc/mysql/** r,
  /usr/sbin/mysqld.my r,
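The AppArmor change above, as an added example that is not part of the original post: a POSIX shell script that inserts the read rule into the profile idempotently (inside the profile's braces, before the closing "}"), so it is safe to rerun from configuration management, and reloads the profile with apparmor_parser -r when that tool is present. The profile path and the rule text are the ones the post uses; the sample profile in the test is constructed and is not the real Ubuntu profile.

```shell
#!/bin/sh
# Added example (not from the original post): idempotently add the mysqld.my
# read rule to the Ubuntu AppArmor profile for mysqld and reload it.
# Assumptions (labelled): PROFILE defaults to /etc/apparmor.d/usr.sbin.mysqld;
# the profile body is a "/usr/sbin/mysqld { ... }" block whose closing brace is
# the last line consisting only of "}".

PROFILE=${PROFILE:-/etc/apparmor.d/usr.sbin.mysqld}
RULE='/usr/sbin/mysqld.my r,'

# has_rule PROFILE RULE -> 0 when the rule is already present (indentation ignored)
has_rule() {
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$1" | grep -qxF -- "$2"
}

# add_rule PROFILE RULE -> inserts the rule, indented, immediately before the
# last "}" so it lands inside the profile block; appending after the brace
# would be a syntax error. Returns 0 without touching the file if the rule is
# already there, 1 if no closing brace is found.
add_rule() {
    profile=$1 rule=$2
    has_rule "$profile" "$rule" && return 0
    grep -q '^}[[:space:]]*$' "$profile" ||
        { echo "no closing brace found in $profile" >&2; return 1; }
    awk -v rule="  $rule" '
        { line[NR] = $0; if ($0 ~ /^}[[:space:]]*$/) last = NR }
        END { for (i = 1; i <= NR; i++) { if (i == last) print rule; print line[i] } }
    ' "$profile" > "$profile.tmp" && mv "$profile.tmp" "$profile"
}

# reload_profile PROFILE -> replace the loaded profile in the kernel (-r);
# skipped when apparmor_parser is absent, e.g. when staging on another host.
reload_profile() {
    if command -v apparmor_parser >/dev/null 2>&1; then
        apparmor_parser -r "$1"
    else
        echo "apparmor_parser not found; $1 was edited but not reloaded" >&2
    fi
}

# Typical use on the host (needs root):  add_rule "$PROFILE" "$RULE" && reload_profile "$PROFILE"
```

After reloading, restart mysqld and re-run the keyring_component_status query; an AppArmor denial shows up in the kernel log (dmesg or journalctl -k) as an "apparmor=\"DENIED\"" line naming the file, which distinguishes it from a plain permission problem.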


Reference

https://dev.mysql.com/doc/refman/8.0/en/keyring-component-installation.html

https://dev.mysql.com/doc/refman/8.0/en/keyring-encrypted-file-component.html


