Install the keyring_okv KMIP plugin on MySQL Enterprise

6min
MySQL Enterprise TDE works through a system of plugins that accommodate many backends for key storage and management, known as keyrings. A keyring is essentially a storage area for cryptographic keys, managed by keyring plugins. MySQL includes several keyring plugins by default, one of which is keyring_okv.
The keyring_okv plugin integrates MySQL with an Oracle Key Vault, but you can configure the Key Vault to operate with the KMIP standard, thus enabling integration with many KMIP-compatible backend solutions.
Refer to the MySQL documentation for more general information on Keyring Plugin Installation.
The following high-level overview describes how the keyring_okv plugin integrates MySQL Enterprise TDE with a KMIP backend:
Initialization: When the MySQL server starts, the keyring_okv plugin initiates a connection with the KMIP backend. This loads any necessary libraries and establishes secure communication with the backend server, identifying the KMIP backend server is identified by its IP address and port.
Authentication: The plugin then authenticates with the backend by using the KMIP protocol. This usually involves presenting a certificate and private key, and sometimes also a username and password, all of which you configure when you set up the KMIP server.
Key fetching: After authentication occurs, the keyring_okv plugin can retrieve encryption keys from the backend as needed. The plugin maintains a cache of keys to improve performance and sends a request to the KMIP backend to retrieve requested keys that are not in the cache.
Key generation and storage: When you need a new encryption key (such as when you create a new table with encryption enabled), the plugin can request key generation from the KMIP server. The plugin then stores the key in the keyring in the KMIP backend.
Key rotation: KMIP also supports key rotation, which is a crucial aspect of maintaining secure data encryption. MySQL TDE can request a new version of a key, use it to re-encrypt the data, and then retire the old version of the key. This process is transparent to the applications using the MySQL server.
Termination: When you stop the MySQL server, the keyring_okv plugin ends its session with the KMIP server and securely discards any keys held in the cache. The keyring_okv plugin provides an important mechanism for securing data at rest, providing a transparent layer of security that integrates seamlessly with applications that use MySQL for data storage.
General keyring_okv configuration
Regardless of which KMIP backend the keyring_okv plugin uses for keyring storage, the keyring_okv_conf_dir system variable configures the location of the directory that keyring_okv uses for its support files. The default value is empty, so you must set the variable to name a properly configured directory before the plugin can communicate with the KMIP backend. Unless you do so, keyring_okv writes the following message to the error log during server startup that it cannot communicate:
Text
[Warning] Plugin keyring_okv reported: 'For keyring_okv to be
initialized, please point the keyring_okv_conf_dir variable to a directory
containing Oracle Key Vault configuration file and ssl materials'
[Warning] Plugin keyring_okv reported: 'For keyring_okv to be
initialized, please point the keyring_okv_conf_dir variable to a directory
containing Oracle Key Vault configuration file and ssl materials'
﻿
The keyring_okv_conf_dir variable must name a directory that contains the following items:
Item
Description
﻿
okvclient.ora
A file that contains details of the KMIP backend with which keyring_okv communicates. The following example shows how this file might look:
Text
SERVER=10.0.5.101:5696
SERVER=10.0.5.101:5696
﻿
﻿
ssl
A directory that contains the certificate and key files required to establish a secure connection with the KMIP backend: CA.pem, cert.pem, and key.pem. 
The CA.pem file should contain the root CA certificate and all other CA certificates in the chain, if applicable. The cert.pem file should contain the signed MySQL Server TLS certificate. The key.pem file should be the private key you generated for MySQL Server by using OpenSSL.
﻿
You need both the okvclient.ora file and ssl directory with the certificate and key files for keyring_okv to work properly. The procedure that populates the configuration directory with these files depends on the KMIP backend used with keyring_okv.
The configuration directory used by keyring_okv as the location for its support files should have a restrictive mode and be accessible only to the account that runs the MySQL server. For example, on Unix and Unix-like sy(callstems, to use the /usr/local/mysql/mysql-keyring-okv directory, run the following commands (executed as root) to create the directory and set its mode and ownership:
Shell
cd /usr/local/mysql
mkdir mysql-keyring-okv
chmod 750 mysql-keyring-okv
chown mysql mysql-keyring-okv
chgrp mysql mysql-keyring-okv
cd /usr/local/mysql
mkdir mysql-keyring-okv
chmod 750 mysql-keyring-okv
chown mysql mysql-keyring-okv
chgrp mysql mysql-keyring-okv
﻿
To be usable during the server startup process, you must load keyring_okv by using the --early-plugin-load option. Also, set the keyring_okv_conf_dir system variable to tell keyring_okv where to find its configuration directory. For example, use the following lines in the server my.cnf file, adjusting the .so suffix and directory location for your platform:
Text
[mysqld]
early-plugin-load=keyring_okv.so
keyring_okv_conf_dir=/usr/local/mysql/mysql-keyring-okv
[mysqld]
early-plugin-load=keyring_okv.so
keyring_okv_conf_dir=/usr/local/mysql/mysql-keyring-okv
﻿
You need to restart the MySQL service for these changes to take effect
For additional information about keyring_okv_conf_dir, see https://dev.mysql.com/doc/refman/8.0/en/keyringsystem-variables.html.
﻿
Updated 27 Feb 2024
Did this page help you?
Create a role and identity on the KMES Series 3 for MySQL Server
Enable and test TDE in MySQL Workbench