Documentation Home
MySQL 9.4 Reference Manual
Related Documentation Download this Manual
PDF (US Ltr) - 41.2Mb
PDF (A4) - 41.3Mb
Man Pages (TGZ) - 262.8Kb
Man Pages (Zip) - 368.8Kb
Info (Gzip) - 4.1Mb
Info (Zip) - 4.1Mb


MySQL 9.4 Reference Manual  / ...  / Security  / Security Components and Plugins  / The MySQL Keyring  /  Using the keyring_aws Amazon Web Services Keyring Plugin

8.4.5.7 Using the keyring_aws Amazon Web Services Keyring Plugin

Note

Thekeyring_aws plugin is an extension included in MySQL Enterprise Edition, a commercial product. To learn more about commercial products, seehttps://www.mysql.com/products/.

Important

Thekeyring_aws keyring plugin is deprecated, and is being replaced by the AWS Keyring component (component_aws_keyring). Deprecation of the plugin means that you should expect the plugin to be removed in a future version of MySQL. For more information, including information about migrating from thekeyring_aws plugin tocomponent_aws_keyring, seeSection 8.4.5.8, “Using the component_keyring_aws AWS Keyring Component”.

Thekeyring_aws keyring plugin communicates with the Amazon Web Services Key Management Service (AWS KMS) as a back end for key generation and uses a local file for key storage. All keyring material is generated exclusively by the AWS server, not bykeyring_aws.

MySQL Enterprise Edition can work withkeyring_aws on Red Hat Enterprise Linux, SUSE Linux Enterprise Server, Debian, Ubuntu, macOS, and Windows. MySQL Enterprise Edition does not support the use ofkeyring_aws on these platforms:

  • EL6

  • Generic Linux (glibc2.12)

  • SLES 12 (with versions after MySQL Server 5.7)

  • Solaris

The discussion here assumes that you are familiar with AWS in general and KMS in particular. Some pertinent information sources:

The following sections provide configuration and usage information for thekeyring_aws keyring plugin:

keyring_aws Configuration

To installkeyring_aws, use the general instructions found inSection 8.4.5.3, “Keyring Plugin Installation”, together with the plugin-specific configuration information found here.

The plugin library file contains thekeyring_aws plugin and two loadable functions,keyring_aws_rotate_cmk() andkeyring_aws_rotate_keys().

To configurekeyring_aws, you must obtain a secret access key that provides credentials for communicating with AWS KMS and write it to a configuration file:

  1. Create an AWS KMS account.

  2. Use AWS KMS to create a secret access key ID and secret access key. The access key serves to verify your identity and that of your applications.

  3. Use the AWS KMS account to create a KMS key ID. At MySQL startup, set thekeyring_aws_cmk_id system variable to the CMK ID value. This variable is mandatory and there is no default. (Its value can be changed at runtime if desired usingSET GLOBAL.)

  4. If necessary, create the directory in which the configuration file should be located. The directory should have a restrictive mode and be accessible only to the account used to run the MySQL server. For example, on many Unix and Unix-like systems, such as Oracle Enterprise Linux, to use/usr/local/mysql/mysql-keyring/keyring_aws_conf as the file name, the following commands (executed asroot) create its parent directory and set the directory mode and ownership:

    $> cd /usr/local/mysql$> mkdir mysql-keyring$> chmod 750 mysql-keyring$> chown mysql mysql-keyring$> chgrp mysql mysql-keyring

    At MySQL startup, set thekeyring_aws_conf_file system variable to/usr/local/mysql/mysql-keyring/keyring_aws_conf to indicate the configuration file location to the server.

    The location of the configuration file may vary according to Linux distribution; the directory for this file may also already be provided by a system module or other application such as AppArmor. For example, under AppArmor on recent editions of Ubuntu Linux, the keyring directory is specified as/var/lib/mysql-keyring. SeeUbuntu Server: AppArmor for more information about using AppArmor on Ubuntu systems; see alsothis example MySQL configuration file. For other operating platforms, see the system documentation for guidance.

  5. Prepare thekeyring_aws configuration file, which should contain two lines:

    • Line 1: The secret access key ID

    • Line 2: The secret access key

    For example, if the key ID iswwwwwwwwwwwwwEXAMPLE and the key isxxxxxxxxxxxxx/yyyyyyy/zzzzzzzzEXAMPLEKEY, the configuration file looks like this:

    wwwwwwwwwwwwwEXAMPLExxxxxxxxxxxxx/yyyyyyy/zzzzzzzzEXAMPLEKEY

To be usable during the server startup process,keyring_aws must be loaded using the--early-plugin-load option. Thekeyring_aws_cmk_id system variable is mandatory and configures the KMS key ID obtained from the AWS KMS server. Thekeyring_aws_conf_file andkeyring_aws_data_file system variables optionally configure the locations of the files used by thekeyring_aws plugin for configuration information and data storage. The file location variable default values are platform specific. To configure the locations explicitly, set the variable values at startup. For example, use these lines in the servermy.cnf file, adjusting the.so suffix and file locations for your platform as necessary:

[mysqld]early-plugin-load=keyring_aws.sokeyring_aws_cmk_id='arn:aws:kms:us-west-2:111122223333:key/abcd1234-ef56-ab12-cd34-ef56abcd1234'keyring_aws_conf_file=/usr/local/mysql/mysql-keyring/keyring_aws_confkeyring_aws_data_file=/usr/local/mysql/mysql-keyring/keyring_aws_data
Note

--early-plugin-load is deprecated as of MySQL 9.4.0, and produces a warning whenever it is used. See the description of this option for more information.

For thekeyring_aws plugin to start successfully, the configuration file must exist and contain valid secret access key information, initialized as described previously. The storage file need not exist. If it does not,keyring_aws attempts to create it (as well as its parent directory, if necessary).

Important

The default AWS region isus-east-1. For any other region, you must also setkeyring_aws_region explicitly inmy.cnf.

For additional information about the system variables used to configure thekeyring_aws plugin, seeSection 8.4.5.18, “Keyring System Variables”.

Start the MySQL server and install the functions associated with thekeyring_aws plugin. This is a one-time operation, performed by executing the following statements, adjusting the.so suffix for your platform as necessary:

CREATE FUNCTION keyring_aws_rotate_cmk RETURNS INTEGER  SONAME 'keyring_aws.so';CREATE FUNCTION keyring_aws_rotate_keys RETURNS INTEGER  SONAME 'keyring_aws.so';

For additional information about thekeyring_aws functions, seeSection 8.4.5.15, “Plugin-Specific Keyring Key-Management Functions”.

keyring_aws Operation

At plugin startup, thekeyring_aws plugin reads the AWS secret access key ID and key from its configuration file. It also reads any encrypted keys contained in its storage file into its in-memory cache.

During operation,keyring_aws maintains encrypted keys in the in-memory cache and uses the storage file as local persistent storage. Each keyring operation is transactional:keyring_aws either successfully changes both the in-memory key cache and the keyring storage file, or the operation fails and the keyring state remains unchanged.

To ensure that keys are flushed only when the correct keyring storage file exists,keyring_aws stores a SHA-256 checksum of the keyring in the file. Before updating the file, the plugin verifies that it contains the expected checksum.

Thekeyring_aws plugin supports the functions that comprise the standard MySQL Keyring service interface. Keyring operations performed by these functions are accessible at two levels:

Example (using the SQL interface):

SELECT keyring_key_generate('MyKey', 'AES', 32);SELECT keyring_key_remove('MyKey');

In addition, thekeyring_aws_rotate_cmk() andkeyring_aws_rotate_keys() functionsextend the keyring plugin interface to provide AWS-related capabilities not covered by the standard keyring service interface. These capabilities are accessible only by calling these functions using SQL. There are no corresponding C-language key service functions.

For information about the characteristics of key values permitted bykeyring_aws, seeSection 8.4.5.12, “Supported Keyring Key Types and Lengths”.

keyring_aws Credential Changes

Assuming that thekeyring_aws plugin has initialized properly at server startup, it is possible to change the credentials used for communicating with AWS KMS:

  1. Use AWS KMS to create a new secret access key ID and secret access key.

  2. Store the new credentials in the configuration file (the file named by thekeyring_aws_conf_file system variable). The file format is as described previously.

  3. Reinitialize thekeyring_aws plugin so that it re-reads the configuration file. Assuming that the new credentials are valid, the plugin should initialize successfully.

    There are two ways to reinitialize the plugin:

    • Restart the server. This is simpler and has no side effects, but is not suitable for installations that require minimal server downtime with as few restarts as possible.

    • Reinitialize the plugin without restarting the server by executing the following statements, adjusting the.so suffix for your platform as necessary:

      UNINSTALL PLUGIN keyring_aws;INSTALL PLUGIN keyring_aws SONAME 'keyring_aws.so';
      Note

      In addition to loading a plugin at runtime,INSTALL PLUGIN has the side effect of registering the plugin it in themysql.plugin system table. Because of this, if you decide to stop usingkeyring_aws, it is not sufficient to remove the--early-plugin-load option from the set of options used to start the server. That stops the plugin from loading early, but the server still attempts to load it when it gets to the point in the startup sequence where it loads the plugins registered inmysql.plugin.

      Consequently, if you execute theUNINSTALL PLUGIN plusINSTALL PLUGIN sequence just described to change the AWS KMS credentials, then to stop usingkeyring_aws, it is necessary to executeUNINSTALL PLUGIN again to unregister the plugin in addition to removing the--early-plugin-load option.