PDF (A4) - 43.4Mb
Man Pages (TGZ) - 297.2Kb
Man Pages (Zip) - 402.4Kb
Info (Gzip) - 4.3Mb
Info (Zip) - 4.3Mb
MySQL Globalization
MySQL Information Schema
MySQL Installation Guide
Security in MySQL
Starting and Stopping MySQL
MySQL and Linux/Unix
MySQL and Windows
MySQL and macOS
MySQL and Solaris
Building MySQL from Source
MySQL Restrictions and Limitations
MySQL Partitioning
MySQL Tutorial
MySQL Performance Schema
MySQL Replication
Using the MySQL Yum Repository
MySQL NDB Cluster 8.0
MySQL Keyring plugins support the following system variables. Use them to configure keyring plugin operation. These variables are unavailable unless the appropriate keyring plugin is installed (seeSection 8.4.4.3, “Keyring Plugin Installation”).
Command-Line Format --keyring-aws-cmk-id=valueSystem Variable keyring_aws_cmk_idScope Global Dynamic Yes SET_VARHint AppliesNo Type String The KMS key ID obtained from the AWS KMS server and used by the
keyring_awsplugin. This variable is unavailable unless that plugin is installed.This variable is mandatory. If not specified,
keyring_awsinitialization fails.Command-Line Format --keyring-aws-conf-file=file_nameSystem Variable keyring_aws_conf_fileScope Global Dynamic No SET_VARHint AppliesNo Type File name Default Value platform specificThe location of the configuration file for the
keyring_awsplugin. This variable is unavailable unless that plugin is installed.At plugin startup,
keyring_awsreads the AWS secret access key ID and key from the configuration file. For thekeyring_awsplugin to start successfully, the configuration file must exist and contain valid secret access key information, initialized as described inSection 8.4.4.9, “Using the keyring_aws Amazon Web Services Keyring Plugin”.The default file name is
keyring_aws_conf, located in the default keyring file directory. The location of this default directory is the same as for thekeyring_file_datasystem variable. See the description of that variable for details, as well as for considerations to take into account if you create the directory manually.Command-Line Format --keyring-aws-data-fileSystem Variable keyring_aws_data_fileScope Global Dynamic No SET_VARHint AppliesNo Type File name Default Value platform specificThe location of the storage file for the
keyring_awsplugin. This variable is unavailable unless that plugin is installed.At plugin startup, if the value assigned to
keyring_aws_data_filespecifies a file that does not exist, thekeyring_awsplugin attempts to create it (as well as its parent directory, if necessary). If the file does exist,keyring_awsreads any encrypted keys contained in the file into its in-memory cache.keyring_awsdoes not cache unencrypted keys in memory.The default file name is
keyring_aws_data, located in the default keyring file directory. The location of this default directory is the same as for thekeyring_file_datasystem variable. See the description of that variable for details, as well as for considerations to take into account if you create the directory manually.Command-Line Format --keyring-aws-region=valueSystem Variable keyring_aws_regionScope Global Dynamic Yes SET_VARHint AppliesNo Type Enumeration Default Value us-east-1Valid Values (≥ 8.0.30) af-south-1ap-east-1ap-northeast-1ap-northeast-2ap-northeast-3ap-south-1ap-southeast-1ap-southeast-2ca-central-1cn-north-1cn-northwest-1eu-central-1eu-north-1eu-south-1eu-west-1eu-west-2eu-west-3me-south-1sa-east-1us-east-1us-east-2us-gov-east-1us-iso-east-1us-iso-west-1us-isob-east-1us-west-1us-west-2Valid Values (≥ 8.0.17, ≤ 8.0.29) ap-northeast-1ap-northeast-2ap-south-1ap-southeast-1ap-southeast-2ca-central-1cn-north-1cn-northwest-1eu-central-1eu-west-1eu-west-2eu-west-3sa-east-1us-east-1us-east-2us-west-1us-west-2Valid Values (≤ 8.0.16) ap-northeast-1ap-northeast-2ap-south-1ap-southeast-1ap-southeast-2eu-central-1eu-west-1sa-east-1us-east-1us-west-1us-west-2The AWS region for the
keyring_awsplugin. This variable is unavailable unless that plugin is installed.If not set, the AWS region defaults to
us-east-1. Thus, for any other region, this variable must be set explicitly.Command-Line Format --keyring-encrypted-file-data=file_nameDeprecated 8.0.34 System Variable keyring_encrypted_file_dataScope Global Dynamic Yes SET_VARHint AppliesNo Type File name Default Value platform specificNoteAs of MySQL 8.0.34, the
keyring_encrypted_fileplugin is deprecated and subject to removal in a future version of MySQL. Consider usingcomponent_keyring_encrypted_fileinstead; thecomponent_keyring_encrypted_filecomponent supersedes thekeyring_encrypted_fileplugin.The path name of the data file used for secure data storage by the
keyring_encrypted_fileplugin. This variable is unavailable unless that plugin is installed. The file location should be in a directory considered for use only by keyring plugins. For example, do not locate the file under the data directory.Keyring operations are transactional: The
keyring_encrypted_fileplugin uses a backup file during write operations to ensure that it can roll back to the original file if an operation fails. The backup file has the same name as the value of thekeyring_encrypted_file_datasystem variable with a suffix of.backup.Do not use the same
keyring_encrypted_filedata file for multiple MySQL instances. Each instance should have its own unique data file.The default file name is
keyring_encrypted, located in a directory that is platform specific and depends on the value of theINSTALL_LAYOUTCMake option, as shown in the following table. To specify the default directory for the file explicitly if you are building from source, use theINSTALL_MYSQLKEYRINGDIRCMake option.INSTALL_LAYOUTValueDefault keyring_encrypted_file_dataValueDEB,RPM,SVR4/var/lib/mysql-keyring/keyring_encryptedOtherwise keyring/keyring_encryptedunder theCMAKE_INSTALL_PREFIXvalueAt plugin startup, if the value assigned to
keyring_encrypted_file_dataspecifies a file that does not exist, thekeyring_encrypted_fileplugin attempts to create it (as well as its parent directory, if necessary).If you create the directory manually, it should have a restrictive mode and be accessible only to the account used to run the MySQL server. For example, on Unix and Unix-like systems, to use the
/usr/local/mysql/mysql-keyringdirectory, the following commands (executed asroot) create the directory and set its mode and ownership:cd /usr/local/mysqlmkdir mysql-keyringchmod 750 mysql-keyringchown mysql mysql-keyringchgrp mysql mysql-keyringIf the
keyring_encrypted_fileplugin cannot create or access its data file, it writes an error message to the error log. If an attempted runtime assignment tokeyring_encrypted_file_dataresults in an error, the variable value remains unchanged.ImportantOnce the
keyring_encrypted_fileplugin has created its data file and started to use it, it is important not to remove the file. Loss of the file causes data encrypted using its keys to become inaccessible. (It is permissible to rename or move the file, as long as you change the value ofkeyring_encrypted_file_datato match.)keyring_encrypted_file_passwordCommand-Line Format --keyring-encrypted-file-password=passwordDeprecated 8.0.34 System Variable keyring_encrypted_file_passwordScope Global Dynamic Yes SET_VARHint AppliesNo Type String NoteAs of MySQL 8.0.34, the
keyring_encrypted_fileplugin is deprecated and subject to removal in a future version of MySQL. Consider usingcomponent_keyring_encrypted_fileinstead; thecomponent_keyring_encrypted_filecomponent supersedes thekeyring_encrypted_fileplugin.The password used by the
keyring_encrypted_fileplugin. This variable is unavailable unless that plugin is installed.This variable is mandatory. If not specified,
keyring_encrypted_fileinitialization fails.If this variable is specified in an option file, the file should have a restrictive mode and be accessible only to the account used to run the MySQL server.
ImportantOnce the
keyring_encrypted_file_passwordvalue has been set, changing it does not rotate the keyring password and could make the server inaccessible. If an incorrect password is provided, thekeyring_encrypted_fileplugin cannot load keys from the encrypted keyring file.The password value cannot be displayed at runtime with
SHOW VARIABLESor the Performance Schemaglobal_variablestable because the display value is obfuscated.Command-Line Format --keyring-file-data=file_nameDeprecated 8.0.34 System Variable keyring_file_dataScope Global Dynamic Yes SET_VARHint AppliesNo Type File name Default Value platform specificNoteAs of MySQL 8.0.34, the
keyring_fileplugin is deprecated and subject to removal in a future version of MySQL. Consider usingcomponent_keyring_fileinstead; thecomponent_keyring_filecomponent supersedes thekeyring_fileplugin.The path name of the data file used for secure data storage by the
keyring_fileplugin. This variable is unavailable unless that plugin is installed. The file location should be in a directory considered for use only by keyring plugins. For example, do not locate the file under the data directory.Keyring operations are transactional: The
keyring_fileplugin uses a backup file during write operations to ensure that it can roll back to the original file if an operation fails. The backup file has the same name as the value of thekeyring_file_datasystem variable with a suffix of.backup.Do not use the same
keyring_filedata file for multiple MySQL instances. Each instance should have its own unique data file.The default file name is
keyring, located in a directory that is platform specific and depends on the value of theINSTALL_LAYOUTCMake option, as shown in the following table. To specify the default directory for the file explicitly if you are building from source, use theINSTALL_MYSQLKEYRINGDIRCMake option.INSTALL_LAYOUTValueDefault keyring_file_dataValueDEB,RPM,SVR4/var/lib/mysql-keyring/keyringOtherwise keyring/keyringunder theCMAKE_INSTALL_PREFIXvalueAt plugin startup, if the value assigned to
keyring_file_dataspecifies a file that does not exist, thekeyring_fileplugin attempts to create it (as well as its parent directory, if necessary).If you create the directory manually, it should have a restrictive mode and be accessible only to the account used to run the MySQL server. For example, on Unix and Unix-like systems, to use the
/usr/local/mysql/mysql-keyringdirectory, the following commands (executed asroot) create the directory and set its mode and ownership:cd /usr/local/mysqlmkdir mysql-keyringchmod 750 mysql-keyringchown mysql mysql-keyringchgrp mysql mysql-keyringIf the
keyring_fileplugin cannot create or access its data file, it writes an error message to the error log. If an attempted runtime assignment tokeyring_file_dataresults in an error, the variable value remains unchanged.ImportantOnce the
keyring_fileplugin has created its data file and started to use it, it is important not to remove the file. For example,InnoDBuses the file to store the master key used to decrypt the data in tables that useInnoDBtablespace encryption; seeSection 17.13, “InnoDB Data-at-Rest Encryption”. Loss of the file causes data in such tables to become inaccessible. (It is permissible to rename or move the file, as long as you change the value ofkeyring_file_datato match.) It is recommended that you create a separate backup of the keyring data file immediately after you create the first encrypted table and before and after master key rotation.Command-Line Format --keyring-hashicorp-auth-path=valueIntroduced 8.0.18 System Variable keyring_hashicorp_auth_pathScope Global Dynamic Yes SET_VARHint AppliesNo Type String Default Value /v1/auth/approle/loginThe authentication path where AppRole authentication is enabled within the HashiCorp Vault server, for use by the
keyring_hashicorpplugin. This variable is unavailable unless that plugin is installed.Command-Line Format --keyring-hashicorp-ca-path=file_nameIntroduced 8.0.18 System Variable keyring_hashicorp_ca_pathScope Global Dynamic Yes SET_VARHint AppliesNo Type File name Default Value empty stringThe absolute path name of a local file accessible to the MySQL server that contains a properly formatted TLS certificate authority for use by the
keyring_hashicorpplugin. This variable is unavailable unless that plugin is installed.If this variable is not set, the
keyring_hashicorpplugin opens an HTTPS connection without using server certificate verification, and trusts any certificate delivered by the HashiCorp Vault server. For this to be safe, it must be assumed that the Vault server is not malicious and that no man-in-the-middle attack is possible. If those assumptions are invalid, setkeyring_hashicorp_ca_pathto the path of a trusted CA certificate. (For example, for the instructions inCertificate and Key Preparation, this is thecompany.crtfile.)Command-Line Format --keyring-hashicorp-caching[={OFF|ON}]Introduced 8.0.18 System Variable keyring_hashicorp_cachingScope Global Dynamic Yes SET_VARHint AppliesNo Type Boolean Default Value OFFWhether to enable the optional in-memory key cache used by the
keyring_hashicorpplugin to cache keys from the HashiCorp Vault server. This variable is unavailable unless that plugin is installed. If the cache is enabled, the plugin populates it during initialization. Otherwise, the plugin populates only the key list during initialization.Enabling the cache is a compromise: It improves performance, but maintains a copy of sensitive key information in memory, which may be undesirable for security purposes.
keyring_hashicorp_commit_auth_pathIntroduced 8.0.18 System Variable keyring_hashicorp_commit_auth_pathScope Global Dynamic No SET_VARHint AppliesNo Type String This variable is associated with
keyring_hashicorp_auth_path, from which it takes its value duringkeyring_hashicorpplugin initialization. This variable is unavailable unless that plugin is installed. It reflects the“committed” value actually used for plugin operation if initialization succeeds. For additional information, seekeyring_hashicorp Configuration.keyring_hashicorp_commit_ca_pathIntroduced 8.0.18 System Variable keyring_hashicorp_commit_ca_pathScope Global Dynamic No SET_VARHint AppliesNo Type String This variable is associated with
keyring_hashicorp_ca_path, from which it takes its value duringkeyring_hashicorpplugin initialization. This variable is unavailable unless that plugin is installed. It reflects the“committed” value actually used for plugin operation if initialization succeeds. For additional information, seekeyring_hashicorp Configuration.keyring_hashicorp_commit_cachingIntroduced 8.0.18 System Variable keyring_hashicorp_commit_cachingScope Global Dynamic No SET_VARHint AppliesNo Type String This variable is associated with
keyring_hashicorp_caching, from which it takes its value duringkeyring_hashicorpplugin initialization. This variable is unavailable unless that plugin is installed. It reflects the“committed” value actually used for plugin operation if initialization succeeds. For additional information, seekeyring_hashicorp Configuration.keyring_hashicorp_commit_role_idIntroduced 8.0.18 System Variable keyring_hashicorp_commit_role_idScope Global Dynamic No SET_VARHint AppliesNo Type String This variable is associated with
keyring_hashicorp_role_id, from which it takes its value duringkeyring_hashicorpplugin initialization. This variable is unavailable unless that plugin is installed. It reflects the“committed” value actually used for plugin operation if initialization succeeds. For additional information, seekeyring_hashicorp Configuration.keyring_hashicorp_commit_server_urlIntroduced 8.0.18 System Variable keyring_hashicorp_commit_server_urlScope Global Dynamic No SET_VARHint AppliesNo Type String This variable is associated with
keyring_hashicorp_server_url, from which it takes its value duringkeyring_hashicorpplugin initialization. This variable is unavailable unless that plugin is installed. It reflects the“committed” value actually used for plugin operation if initialization succeeds. For additional information, seekeyring_hashicorp Configuration.keyring_hashicorp_commit_store_pathIntroduced 8.0.18 System Variable keyring_hashicorp_commit_store_pathScope Global Dynamic No SET_VARHint AppliesNo Type String This variable is associated with
keyring_hashicorp_store_path, from which it takes its value duringkeyring_hashicorpplugin initialization. This variable is unavailable unless that plugin is installed. It reflects the“committed” value actually used for plugin operation if initialization succeeds. For additional information, seekeyring_hashicorp Configuration.Command-Line Format --keyring-hashicorp-role-id=valueIntroduced 8.0.18 System Variable keyring_hashicorp_role_idScope Global Dynamic Yes SET_VARHint AppliesNo Type String Default Value empty stringThe HashiCorp Vault AppRole authentication role ID, for use by the
keyring_hashicorpplugin. This variable is unavailable unless that plugin is installed. The value must be in UUID format.This variable is mandatory. If not specified,
keyring_hashicorpinitialization fails.Command-Line Format --keyring-hashicorp-secret-id=valueIntroduced 8.0.18 System Variable keyring_hashicorp_secret_idScope Global Dynamic Yes SET_VARHint AppliesNo Type String Default Value empty stringThe HashiCorp Vault AppRole authentication secret ID, for use by the
keyring_hashicorpplugin. This variable is unavailable unless that plugin is installed. The value must be in UUID format.This variable is mandatory. If not specified,
keyring_hashicorpinitialization fails.The value of this variable is sensitive, so its value is masked by
*characters when displayed.Command-Line Format --keyring-hashicorp-server-url=valueIntroduced 8.0.18 System Variable keyring_hashicorp_server_urlScope Global Dynamic Yes SET_VARHint AppliesNo Type String Default Value https://127.0.0.1:8200The HashiCorp Vault server URL, for use by the
keyring_hashicorpplugin. This variable is unavailable unless that plugin is installed. The value must begin withhttps://.Command-Line Format --keyring-hashicorp-store-path=valueIntroduced 8.0.18 System Variable keyring_hashicorp_store_pathScope Global Dynamic Yes SET_VARHint AppliesNo Type String Default Value empty stringA store path within the HashiCorp Vault server that is writeable when appropriate AppRole credentials are provided by the
keyring_hashicorpplugin. This variable is unavailable unless that plugin is installed. To specify the credentials, set thekeyring_hashicorp_role_idandkeyring_hashicorp_secret_idsystem variables (for example, as shown inkeyring_hashicorp Configuration).This variable is mandatory. If not specified,
keyring_hashicorpinitialization fails.Command-Line Format --keyring-oci-ca-certificate=file_nameIntroduced 8.0.22 Deprecated 8.0.31 System Variable keyring_oci_ca_certificateScope Global Dynamic No SET_VARHint AppliesNo Type String Default Value empty stringThe path name of the CA certificate bundle file that the
keyring_ociplugin uses for Oracle Cloud Infrastructure certificate verification. This variable is unavailable unless that plugin is installed.The file contains one or more certificates for peer verification. If no file is specified, the default CA bundle installed on the system is used. If the value is
disabled(case-sensitive),keyring_ociperforms no certificate verification.Command-Line Format --keyring-oci-compartment=ocidIntroduced 8.0.22 Deprecated 8.0.31 System Variable keyring_oci_compartmentScope Global Dynamic No SET_VARHint AppliesNo Type String The OCID of the tenancy compartment that the
keyring_ociplugin uses as the location of the MySQL keys. This variable is unavailable unless that plugin is installed.Prior to using
keyring_oci, you must create a MySQL compartment or subcompartment if it does not exist. This compartment should contain no vault keys or vault secrets. It should not be used by systems other than MySQL Keyring.For information about managing compartments and obtaining the OCID, seeManaging Compartments.
This variable is mandatory. If not specified,
keyring_ociinitialization fails.keyring_oci_encryption_endpointCommand-Line Format --keyring-oci-encryption-endpoint=valueIntroduced 8.0.22 Deprecated 8.0.31 System Variable keyring_oci_encryption_endpointScope Global Dynamic No SET_VARHint AppliesNo Type String The endpoint of the Oracle Cloud Infrastructure encryption server that the
keyring_ociplugin uses for generating ciphertext for new keys. This variable is unavailable unless that plugin is installed.The encryption endpoint is vault specific and Oracle Cloud Infrastructure assigns it at vault-creation time. To obtain the endpoint OCID, view the configuration details for your
keyring_ocivault, using the instructions atManaging Vaults.This variable is mandatory. If not specified,
keyring_ociinitialization fails.Command-Line Format --keyring-oci-key-file=file_nameIntroduced 8.0.22 Deprecated 8.0.31 System Variable keyring_oci_key_fileScope Global Dynamic No SET_VARHint AppliesNo Type String The path name of the file containing the RSA private key that the
keyring_ociplugin uses for Oracle Cloud Infrastructure authentication. This variable is unavailable unless that plugin is installed.You must also upload the corresponding RSA public key using the Console. The Console displays the key fingerprint value, which you can use to set the
keyring_oci_key_fingerprintsystem variable.For information about generating and uploading API keys, seeRequired Keys and OCIDs.
This variable is mandatory. If not specified,
keyring_ociinitialization fails.Command-Line Format --keyring-oci-key-fingerprint=valueIntroduced 8.0.22 Deprecated 8.0.31 System Variable keyring_oci_key_fingerprintScope Global Dynamic No SET_VARHint AppliesNo Type String The fingerprint of the RSA private key that the
keyring_ociplugin uses for Oracle Cloud Infrastructure authentication. This variable is unavailable unless that plugin is installed.To obtain the key fingerprint while creating the API keys, execute this command:
openssl rsa -pubout -outform DER -in ~/.oci/oci_api_key.pem | openssl md5 -cAlternatively, obtain the fingerprint from the Console, which automatically displays the fingerprint when you upload the RSA public key.
For information about obtaining key fingerprints, seeRequired Keys and OCIDs.
This variable is mandatory. If not specified,
keyring_ociinitialization fails.keyring_oci_management_endpointCommand-Line Format --keyring-oci-management-endpoint=valueIntroduced 8.0.22 Deprecated 8.0.31 System Variable keyring_oci_management_endpointScope Global Dynamic No SET_VARHint AppliesNo Type String The endpoint of the Oracle Cloud Infrastructure key management server that the
keyring_ociplugin uses for listing existing keys. This variable is unavailable unless that plugin is installed.The key management endpoint is vault specific and Oracle Cloud Infrastructure assigns it at vault-creation time. To obtain the endpoint OCID, view the configuration details for your
keyring_ocivault, using the instructions atManaging Vaults.This variable is mandatory. If not specified,
keyring_ociinitialization fails.Command-Line Format --keyring-oci-master-key=ocidIntroduced 8.0.22 Deprecated 8.0.31 System Variable keyring_oci_master_keyScope Global Dynamic No SET_VARHint AppliesNo Type String The OCID of the Oracle Cloud Infrastructure master encryption key that the
keyring_ociplugin uses for encryption of secrets. This variable is unavailable unless that plugin is installed.Prior to using
keyring_oci, you must create a cryptographic key for the Oracle Cloud Infrastructure compartment if it does not exist. Provide a MySQL-specific name for the generated key, and do not use it for other purposes.For information about key creation, seeManaging Keys.
This variable is mandatory. If not specified,
keyring_ociinitialization fails.Command-Line Format --keyring-oci-secrets-endpoint=valueIntroduced 8.0.22 Deprecated 8.0.31 System Variable keyring_oci_secrets_endpointScope Global Dynamic No SET_VARHint AppliesNo Type String The endpoint of the Oracle Cloud Infrastructure secrets server that the
keyring_ociplugin uses for listing, creating, and retiring secrets. This variable is unavailable unless that plugin is installed.The secrets endpoint is vault specific and Oracle Cloud Infrastructure assigns it at vault-creation time. To obtain the endpoint OCID, view the configuration details for your
keyring_ocivault, using the instructions atManaging Vaults.This variable is mandatory. If not specified,
keyring_ociinitialization fails.Command-Line Format --keyring-oci-tenancy=ocidIntroduced 8.0.22 Deprecated 8.0.31 System Variable keyring_oci_tenancyScope Global Dynamic No SET_VARHint AppliesNo Type String The OCID of the Oracle Cloud Infrastructure tenancy that the
keyring_ociplugin uses as the location of the MySQL compartment. This variable is unavailable unless that plugin is installed.Prior to using
keyring_oci, you must create a tenancy if it does not exist. To obtain the tenancy OCID from the Console, use the instructions atRequired Keys and OCIDs.This variable is mandatory. If not specified,
keyring_ociinitialization fails.Command-Line Format --keyring-oci-user=ocidIntroduced 8.0.22 Deprecated 8.0.31 System Variable keyring_oci_userScope Global Dynamic No SET_VARHint AppliesNo Type String The OCID of the Oracle Cloud Infrastructure user that the
keyring_ociplugin uses for cloud connections. This variable is unavailable unless that plugin is installed.Prior to using
keyring_oci, this user must exist and be granted access to use the configured Oracle Cloud Infrastructure tenancy, compartment, and vault resources.To obtain the user OCID from the Console, use the instructions atRequired Keys and OCIDs.
This variable is mandatory. If not specified,
keyring_ociinitialization fails.Command-Line Format --keyring-oci-vaults-endpoint=valueIntroduced 8.0.22 Deprecated 8.0.31 System Variable keyring_oci_vaults_endpointScope Global Dynamic No SET_VARHint AppliesNo Type String The endpoint of the Oracle Cloud Infrastructure vaults server that the
keyring_ociplugin uses for obtaining the value of secrets. This variable is unavailable unless that plugin is installed.The vaults endpoint is vault specific and Oracle Cloud Infrastructure assigns it at vault-creation time. To obtain the endpoint OCID, view the configuration details for your
keyring_ocivault, using the instructions atManaging Vaults.This variable is mandatory. If not specified,
keyring_ociinitialization fails.Command-Line Format --keyring-oci-virtual-vault=ocidIntroduced 8.0.22 Deprecated 8.0.31 System Variable keyring_oci_virtual_vaultScope Global Dynamic No SET_VARHint AppliesNo Type String The OCID of the Oracle Cloud Infrastructure Vault that the
keyring_ociplugin uses for encryption operations. This variable is unavailable unless that plugin is installed.Prior to using
keyring_oci, you must create a new vault in the MySQL compartment if it does not exist. (Alternatively, you can reuse an existing vault that is in a parent compartment of the MySQL compartment.) Compartment users can see and use only the keys in their respective compartments.For information about creating a vault and obtaining the vault OCID, seeManaging Vaults.
This variable is mandatory. If not specified,
keyring_ociinitialization fails.Command-Line Format --keyring-okv-conf-dir=dir_nameSystem Variable keyring_okv_conf_dirScope Global Dynamic Yes SET_VARHint AppliesNo Type Directory name Default Value empty stringThe path name of the directory that stores configuration information used by the
keyring_okvplugin. This variable is unavailable unless that plugin is installed. The location should be a directory considered for use only by thekeyring_okvplugin. For example, do not locate the directory under the data directory.The default
keyring_okv_conf_dirvalue is empty. For thekeyring_okvplugin to be able to access Oracle Key Vault, the value must be set to a directory that contains Oracle Key Vault configuration and SSL materials. For instructions on setting up this directory, seeSection 8.4.4.8, “Using the keyring_okv KMIP Plugin”.The directory should have a restrictive mode and be accessible only to the account used to run the MySQL server. For example, on Unix and Unix-like systems, to use the
/usr/local/mysql/mysql-keyring-okvdirectory, the following commands (executed asroot) create the directory and set its mode and ownership:cd /usr/local/mysqlmkdir mysql-keyring-okvchmod 750 mysql-keyring-okvchown mysql mysql-keyring-okvchgrp mysql mysql-keyring-okvIf the value assigned to
keyring_okv_conf_dirspecifies a directory that does not exist, or that does not contain configuration information that enables a connection to Oracle Key Vault to be established,keyring_okvwrites an error message to the error log. If an attempted runtime assignment tokeyring_okv_conf_dirresults in an error, the variable value and keyring operation remain unchanged.System Variable keyring_operationsScope Global Dynamic Yes SET_VARHint AppliesNo Type Boolean Default Value ONWhether keyring operations are enabled. This variable is used during key migration operations. SeeSection 8.4.4.14, “Migrating Keys Between Keyring Keystores”. The privileges required to modify this variable are
ENCRYPTION_KEY_ADMINin addition to eitherSYSTEM_VARIABLES_ADMINor the deprecatedSUPERprivilege.
PDF (A4) - 43.4Mb
Man Pages (TGZ) - 297.2Kb
Man Pages (Zip) - 402.4Kb
Info (Gzip) - 4.3Mb
Info (Zip) - 4.3Mb
MySQL Globalization
MySQL Information Schema
MySQL Installation Guide
Security in MySQL
Starting and Stopping MySQL
MySQL and Linux/Unix
MySQL and Windows
MySQL and macOS
MySQL and Solaris
Building MySQL from Source
MySQL Restrictions and Limitations
MySQL Partitioning
MySQL Tutorial
MySQL Performance Schema
MySQL Replication
Using the MySQL Yum Repository
MySQL NDB Cluster 8.0