Install the keyring_okv KMIP plugin on MySQL Enterprise

MySQL Enterprise TDE works through a system of plugins that accommodate many backends for key storage and management, known as keyrings. A keyring is essentially a storage area for cryptographic keys, managed by keyring plugins. MySQL includes several keyring plugins by default, one of which is keyring_okv. The keyring_okv plugin integrates MySQL with an Oracle Key Vault, but you can configure the key vault to operate with the KMIP standard, thus enabling integration with many KMIP-compatible backend solutions. Refer to the MySQL documentation for more general information on keyring plugin installation.

The following high-level overview describes how the keyring_okv plugin integrates MySQL Enterprise TDE with a KMIP backend.

Initialization. When the MySQL server starts, the keyring_okv plugin initiates a connection with the KMIP backend. This loads any necessary libraries and establishes secure communication with the backend server. The KMIP backend server is identified by its IP address and port.

Authentication. The plugin then authenticates with the backend by using the KMIP protocol. This usually involves presenting a certificate and private key, and sometimes also a username and password, all of which you configure when you set up the KMIP server.

Key fetching. After authentication occurs, the keyring_okv plugin can retrieve encryption keys from the backend as needed. The plugin maintains a cache of keys to improve performance and sends a request to the KMIP backend to retrieve requested keys that are not in the cache.

Key generation and storage. When you need a new encryption key (such as when you create a new table with encryption enabled), the plugin can request key generation from the KMIP server. The plugin then stores the key in the keyring in the KMIP backend.

Key rotation. KMIP also supports key rotation, which is a crucial aspect of maintaining secure data encryption. MySQL TDE can request a new version of a key, use it to re-encrypt the data, and then retire the old version of the key. This process is transparent to the applications using the MySQL server.

Termination. When you stop the MySQL server, the keyring_okv plugin ends its session with the KMIP server and securely discards any keys held in the cache.

The keyring_okv plugin provides an important mechanism for securing data at rest, providing a transparent layer of security that integrates seamlessly with applications that use MySQL for data storage.

General keyring_okv configuration

Regardless of which KMIP backend the keyring_okv plugin uses for keyring storage, the keyring_okv_conf_dir system variable configures the location of the directory that keyring_okv uses for its support files. The default value is empty, so you must set the variable to name a properly configured directory before the plugin can communicate with the KMIP backend. Unless you do so, keyring_okv writes the following message to the error log during server startup to report that it cannot communicate:

    [Warning] Plugin keyring_okv reported: 'For keyring_okv to be initialized, please point the keyring_okv_conf_dir variable to a directory containing Oracle Key Vault configuration file and ssl materials'

The keyring_okv_conf_dir variable must name a directory that contains the following items:

okvclient.ora
    A file that contains details of the KMIP backend with which keyring_okv communicates. The following example shows how this file might look:

        SERVER=10.0.5.101:5696

ssl
    A directory that contains the certificate and key files required to establish a secure connection with the KMIP backend: CA.pem, cert.pem, and key.pem. The CA.pem file should contain the root CA certificate and all other CA certificates in the chain, if applicable. The cert.pem file should contain the signed MySQL server TLS certificate. The key.pem file should be the private key you generated for the MySQL server by using OpenSSL.

You need both the okvclient.ora file and the ssl directory with the certificate and key files for keyring_okv to work properly. The procedure that populates the configuration directory with these files depends on the KMIP backend used with keyring_okv.

The configuration directory used by keyring_okv as the location for its support files should have a restrictive mode and be accessible only to the account that runs the MySQL server. For example, on Unix and Unix-like systems, to use the /usr/local/mysql/mysql-keyring-okv directory, run the following commands (executed as root) to create the directory and set its mode and ownership:

    cd /usr/local/mysql
    mkdir mysql-keyring-okv
    chmod 750 mysql-keyring-okv
    chown mysql mysql-keyring-okv
    chgrp mysql mysql-keyring-okv

To be usable during the server startup process, you must load keyring_okv by using the early-plugin-load option. Also, set the keyring_okv_conf_dir system variable to tell keyring_okv where to find its configuration directory. For example, use the following lines in the server my.cnf file, adjusting the .so suffix and directory location for your platform:

    [mysqld]
    early-plugin-load=keyring_okv.so
    keyring_okv_conf_dir=/usr/local/mysql/mysql-keyring-okv

You need to restart the MySQL service for these changes to take effect. For additional information about keyring_okv_conf_dir, see https://dev.mysql.com/doc/refman/8.0/en/keyring-system-variables.html.
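A preflight check for the configuration directory described above, written as an added example (it is not MySQL's own tooling and not part of this page); it assumes POSIX sh with GNU or BSD stat, and takes the server account name as an optional second argument so it can be run as a non-root user:

```bash
#!/bin/sh
# Preflight check for a keyring_okv configuration directory (added example,
# not MySQL's own tooling). Assumes POSIX sh with GNU or BSD stat.
# Octal permission bits of a path, e.g. 750 (GNU stat first, BSD fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
# User name that owns a path.
owner_of() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }
# Report one problem and record that the check failed.
problem() { echo "keyring_okv: $1"; rc=1; }

# Usage: check_keyring_okv_dir DIR [OWNER]
# Verifies what keyring_okv needs at startup: a restrictive directory owned by
# the server account (default: mysql), an okvclient.ora naming the KMIP server
# as host:port, and ssl/CA.pem, ssl/cert.pem, ssl/key.pem in PEM form.
# Returns 0 when everything is in place, 1 otherwise.
check_keyring_okv_dir() {
  dir=$1; owner=${2:-mysql}; rc=0
  [ -d "$dir" ] || { problem "missing directory $dir"; return 1; }
  # Directory must grant nothing to "others" (750 or tighter) and belong to OWNER.
  case $(mode_of "$dir") in
    *0) ;;
    *) problem "$dir is accessible to other users (want mode 750)" ;;
  esac
  [ "$(owner_of "$dir")" = "$owner" ] || problem "$dir is not owned by $owner"
  # okvclient.ora must carry a SERVER=<host>:<port> line for the KMIP backend.
  if [ -f "$dir/okvclient.ora" ]; then
    grep -Eiq '^[[:space:]]*SERVER=[^:[:space:]]+:[0-9]+[[:space:]]*$' "$dir/okvclient.ora" \
      || problem "okvclient.ora has no SERVER=host:port line"
  else
    problem "okvclient.ora is missing"
  fi
  # The TLS material keyring_okv presents to the KMIP server.
  for f in CA.pem cert.pem key.pem; do
    if [ ! -s "$dir/ssl/$f" ]; then
      problem "ssl/$f is missing or empty"
    elif ! grep -q -- '-----BEGIN ' "$dir/ssl/$f"; then
      problem "ssl/$f does not look like a PEM file"
    fi
  done
  # The private key must not be readable by other users.
  if [ -f "$dir/ssl/key.pem" ]; then
    case $(mode_of "$dir/ssl/key.pem") in
      *0) ;;
      *) problem "ssl/key.pem is readable by other users (want mode 600)" ;;
    esac
  fi
  return $rc
}
```

Run it against the directory from the my.cnf example with `check_keyring_okv_dir /usr/local/mysql/mysql-keyring-okv`; every line it prints is something keyring_okv will stumble over at server startup.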