Install the keyring_okv KMIP plugin in MySQL Enterprise

6min
MySQL Enterprise TDE works through a system of plugins that accommodate many backends for key storage and management, known as keyrings. A keyring is essentially a storage area for cryptographic keys managed by keyring plugins. MySQL includes several keyring plugins by default, one of which is keyring_okv.
The keyring_okv plugin integrates MySQL with an Oracle Key Vault, but you can configure the Key Vault to operate with the KMIP standard, thus enabling integration with many KMIP-compatible backend solutions.
Refer to the MySQL documentation for more general information on Keyring Plugin Installation.
The following high-level overview describes how the keyring_okv plugin integrates MySQL Enterprise TDE with a KMIP backend:
Initialization: When the MySQL server starts, the keyring_okv plugin initiates a connection with the KMIP backend. This loads any necessary libraries and establishes secure communication with the backend server, identifying the KMIP backend server by its IP address and port.
Authentication: The plugin then authenticates with the backend by using the KMIP protocol. This usually involves presenting a certificate and private key, and sometimes also a username and password, all of which you configure when you set up the KMIP server.
Key fetching: After authentication occurs, the keyring_okv plugin can retrieve encryption keys from the backend as needed. The plugin maintains a cache of keys to improve performance and sends a request to the KMIP backend to retrieve requested keys that are not in the cache.
Key generation and storage: When you need a new encryption key (such as when you create a new table with encryption enabled), the plugin can request key generation from the KMIP server. The plugin then stores the key in the keyring in the KMIP backend.
Key rotation: KMIP also supports key rotation, which is a crucial aspect of maintaining secure data encryption. MySQL TDE can request a new version of a key, use it to re-encrypt the data, and then retire the old version of the key. This process is transparent to the applications using the MySQL server.
Termination: When you stop the MySQL server, the keyring_okv plugin ends its session with the KMIP server and securely discards any keys held in the cache. The keyring_okv plugin provides an important mechanism for securing data at rest, providing a transparent layer of security that integrates seamlessly with applications that use MySQL for data storage.
General keyring_okv configuration
Regardless of which KMIP backend the keyring_okv plugin uses for keyring storage, the keyring_okv_conf_dir system variable configures the location of the directory that keyring_okv uses for its support files. The default value is empty, so you must set the variable to name a properly configured directory before the plugin can communicate with the KMIP backend. Unless you do so, keyring_okv writes the following message to the error log during server startup that it cannot communicate:
Text
[Warning] Plugin keyring_okv reported: 'For keyring_okv to be
initialized, please point the keyring_okv_conf_dir variable to a directory
containing Oracle Key Vault configuration file and ssl materials'
[Warning] Plugin keyring_okv reported: 'For keyring_okv to be
initialized, please point the keyring_okv_conf_dir variable to a directory
containing Oracle Key Vault configuration file and ssl materials'
﻿
The keyring_okv_conf_dir variable must name a directory that contains the following items:
Item
Description
﻿
okvclient.ora
A file that contains details of the KMIP backend with which keyring_okv communicates. The following example shows how this file might look:
Text
SERVER=10.0.5.101:5696
SERVER=10.0.5.101:5696
﻿
﻿
ssl
A directory that contains the certificate and key files required to establish a secure connection with the KMIP backend: ca-chain.pem, client-cert.pem, and client-privatekey.pem. 
The ca-chain.pem file contains the root CA certificate and all other CA certificates in the chain. The client-cert.pem file is the signed MySQL Server TLS certificate. The client-privatekey.pem file is the client private key extracted from the endpoint PKCS #12 file using OpenSSL in the previous section.
﻿
You need both the okvclient.ora file and ssl directory with the certificate and key files for keyring_okv to work properly. The procedure that populates the configuration directory with these files depends on the KMIP backend used with keyring_okv.
The configuration directory used by keyring_okv as the location for its support files should have a restrictive mode and be accessible only to the account that runs the MySQL server. For example, on Unix and Unix-like systems, to use the /usr/local/mysql/mysql-keyring-okv directory, run the following commands (executed as root) to create the directory and set its mode and ownership:
Shell
cd /usr/local/mysql
mkdir mysql-keyring-okv
chmod 750 mysql-keyring-okv
chown mysql mysql-keyring-okv
chgrp mysql mysql-keyring-okv
cd /usr/local/mysql
mkdir mysql-keyring-okv
chmod 750 mysql-keyring-okv
chown mysql mysql-keyring-okv
chgrp mysql mysql-keyring-okv
﻿
To be usable during the server startup process, you must load keyring_okv by using the --early-plugin-load option. Also, set the keyring_okv_conf_dir system variable to tell keyring_okv where to find its configuration directory. For example, use the following lines in the server my.cnf file, adjusting the .so suffix and directory location for your platform:
Text
[mysqld]
early-plugin-load=keyring_okv.so
keyring_okv_conf_dir=/usr/local/mysql/mysql-keyring-okv
[mysqld]
early-plugin-load=keyring_okv.so
keyring_okv_conf_dir=/usr/local/mysql/mysql-keyring-okv
﻿
You need to restart the MySQL service for these changes to take effect
For additional information about keyring_okv_conf_dir, see https://dev.mysql.com/doc/refman/8.0/en/keyringsystem-variables.html.
﻿
Updated 03 Feb 2025
Did this page help you?
Extract the client private key from the endpoint PKCS #12 file
Enable and test TDE in MySQL Workbench