Keyring service consumers require that a keyring component or plugin be installed:

To use a keyring plugin, begin with the instructions here. (Also, for general information about installing plugins, see Section 5.6.1, “Installing and Uninstalling Plugins”.)

To use a keyring component instead, begin with Section 6.4.4.2, “Keyring Component Installation”.

If you intend to use keyring functions in conjunction with the chosen keyring component or plugin, install the functions after installing that component or plugin, using the instructions in Section 6.4.4.14, “General-Purpose Keyring Key-Management Functions”.

Only one keyring component or plugin should be enabled at a time. Enabling multiple keyring components or plugins is unsupported and results may not be as anticipated.
MySQL provides these keyring plugin choices:

keyring_file: Stores keyring data in a file local to the server host. Available in MySQL Community Edition and MySQL Enterprise Edition distributions.

keyring_encrypted_file: Stores keyring data in an encrypted, password-protected file local to the server host. Available in MySQL Enterprise Edition distributions.

keyring_okv: A KMIP 1.1 plugin for use with KMIP-compatible back end keyring storage products such as Oracle Key Vault and Gemalto SafeNet KeySecure Appliance. Available in MySQL Enterprise Edition distributions.

keyring_aws: Communicates with the Amazon Web Services Key Management Service as a back end for key generation and uses a local file for key storage. Available in MySQL Enterprise Edition distributions.

keyring_hashicorp: Communicates with HashiCorp Vault for back end storage. Available in MySQL Enterprise Edition distributions.

keyring_oci: Communicates with Oracle Cloud Infrastructure Vault for back end storage. See Section 6.4.4.11, “Using the Oracle Cloud Infrastructure Vault Keyring Plugin”.
To be usable by the server, the plugin library file must be located in the MySQL plugin directory (the directory named by the plugin_dir system variable). If necessary, configure the plugin directory location by setting the value of plugin_dir at server startup.
A keyring component or plugin must be loaded early during the server startup sequence so that other components can access it as necessary during their own initialization. For example, the InnoDB storage engine uses the keyring for tablespace encryption, so a keyring component or plugin must be loaded and available prior to InnoDB initialization.
Installation for each keyring plugin is similar. The following instructions describe how to install keyring_file. To use a different keyring plugin, substitute its name for keyring_file.
The keyring_file plugin library file base name is keyring_file. The file name suffix differs per platform (for example, .so for Unix and Unix-like systems, .dll for Windows).
To load the plugin, use the --early-plugin-load option to name the plugin library file that contains it. For example, on platforms where the plugin library file suffix is .so, use these lines in the server my.cnf file, adjusting the .so suffix for your platform as necessary:

[mysqld]
early-plugin-load=keyring_file.so
Before starting the server, check the notes for your chosen keyring plugin for configuration instructions specific to that plugin:

keyring_file: Section 6.4.4.6, “Using the keyring_file File-Based Keyring Plugin”.

keyring_encrypted_file: Section 6.4.4.7, “Using the keyring_encrypted_file Encrypted File-Based Keyring Plugin”.

keyring_okv: Section 6.4.4.8, “Using the keyring_okv KMIP Plugin”.

keyring_aws: Section 6.4.4.9, “Using the keyring_aws Amazon Web Services Keyring Plugin”.

keyring_hashicorp: Section 6.4.4.10, “Using the HashiCorp Vault Keyring Plugin”.

keyring_oci: Section 6.4.4.11, “Using the Oracle Cloud Infrastructure Vault Keyring Plugin”.
After performing any plugin-specific configuration, start the server. Verify plugin installation by examining the INFORMATION_SCHEMA.PLUGINS table or use the SHOW PLUGINS statement (see Section 5.6.2, “Obtaining Server Plugin Information”). For example:

mysql> SELECT PLUGIN_NAME, PLUGIN_STATUS
       FROM INFORMATION_SCHEMA.PLUGINS
       WHERE PLUGIN_NAME LIKE 'keyring%';
+--------------+---------------+
| PLUGIN_NAME  | PLUGIN_STATUS |
+--------------+---------------+
| keyring_file | ACTIVE        |
+--------------+---------------+

If the plugin fails to initialize, check the server error log for diagnostic messages.
Plugins can be loaded by methods other than --early-plugin-load, such as the --plugin-load or --plugin-load-add option or the INSTALL PLUGIN statement. However, keyring plugins loaded using those methods may be available too late in the server startup sequence for certain components that use the keyring, such as InnoDB:
Plugin loading using --plugin-load or --plugin-load-add occurs after InnoDB initialization.
Plugins installed using INSTALL PLUGIN are registered in the mysql.plugin system table and loaded automatically for subsequent server restarts. However, because mysql.plugin is an InnoDB table, any plugins named in it can be loaded during startup only after InnoDB initialization.
If no keyring component or plugin is available when a component tries to access the keyring service, the service cannot be used by that component. As a result, the component may fail to initialize or may initialize with limited functionality. For example, if InnoDB finds that there are encrypted tablespaces when it initializes, it attempts to access the keyring. If the keyring is unavailable, InnoDB can access only unencrypted tablespaces. To ensure that InnoDB can access encrypted tablespaces as well, use --early-plugin-load to load the keyring plugin.
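The two rules above (a single keyring plugin, loaded with --early-plugin-load rather than --plugin-load, --plugin-load-add or INSTALL PLUGIN) can be checked before a restart by reading the option file. The following is an added example, not MySQL's own tooling; it assumes the option-file syntax of ';'-separated library entries with an optional name= prefix, handles only '#' comments, and takes the plugin names from the list on this page.

```python
import re
# Keyring plugin library base names listed on this page.
KEYRING_PLUGINS = {"keyring_file", "keyring_encrypted_file", "keyring_okv",
                   "keyring_aws", "keyring_hashicorp", "keyring_oci"}
LATE_OPTIONS = ("plugin-load", "plugin-load-add")  # take effect after InnoDB init

def plugin_names(value):
    """Split 'name=lib.so;lib2.dll' into base names (assumed syntax; added example)."""
    names = []
    for entry in value.split(";"):
        lib = entry.strip().split("=", 1)[-1]         # drop optional 'name=' prefix
        if lib:
            names.append(re.sub(r"\.(so|dll)$", "", lib))
    return names

def check_keyring_config(cnf_text):
    """Return keyring plugins under [mysqld] by load method, plus rule violations."""
    early, late, section = [], [], None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop '#' comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lstrip("-").replace("_", "-")       # MySQL accepts '-' or '_'
        found = [n for n in plugin_names(value) if n in KEYRING_PLUGINS]
        if key == "early-plugin-load":
            early += found
        elif key in LATE_OPTIONS:
            late += found
    problems = []
    if not early and not late:
        problems.append("no keyring plugin configured")
    if late:
        problems.append("loaded after InnoDB initialization: " + ", ".join(late))
    if len(set(early + late)) > 1:
        problems.append("more than one keyring plugin enabled")
    return {"early": early, "late": late, "problems": problems}

# Constructed sample: a correct early load plus a second keyring loaded too late.
SAMPLE_CNF = """\
[mysqld]
early-plugin-load = keyring_file.so
plugin-load-add = keyring_okv.so   # too late for InnoDB, and a second keyring
"""
```

INSTALL PLUGIN registrations live in the mysql.plugin table rather than the option file, so they must be checked separately with the SELECT shown earlier.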