component_keyring_encrypted_file is an extension included in MySQL Enterprise Edition, a commercial product. component_keyring_encrypted_file是商业产品MySQL企业版中包含的扩展。To learn more about commercial products, see https://www.mysql.com/products/.要了解有关商业产品的更多信息,请参阅https://www.mysql.com/products/。
The component_keyring_encrypted_file keyring component stores keyring data in an encrypted, password-protected file local to the server host.component_keyring_encrypted_file密钥环组件将密钥环数据存储在服务器主机本地的加密、密码保护的文件中。
For encryption key management, the 对于加密密钥管理,component_keyring_file and component_keyring_encrypted_file components, and the keyring_file and keyring_encrypted_file plugins are not intended as a regulatory compliance solution. component_keyring_file和component_keysring_encrypted_file组件以及keyring_files和keyring_encrypted_file插件不打算作为监管合规解决方案。Security standards such as PCI, FIPS, and others require use of key management systems to secure, manage, and protect encryption keys in key vaults or hardware security modules (HSMs).PCI、FIPS等安全标准要求使用密钥管理系统来保护、管理和保护密钥库或硬件安全模块(HSM)中的加密密钥。
To use 要使用component_keyring_encrypted_file for keystore management, you must:component_keyring_encrypted_file进行密钥库管理,您必须:
Write a manifest that tells the server to load 编写一个清单,告诉服务器加载component_keyring_encrypted_file, as described in Section 6.4.4.2, “Keyring Component Installation”.component_keyring_encrypted_file,如第6.4.4.2节,“keyring组件安装”所述。
Write a configuration file for 为component_keyring_encrypted_file, as described here.component_keyring_encrypted_file编写一个配置文件,如下所述。
When it initializes, 初始化时,component_keyring_encrypted_file reads either a global configuration file, or a global configuration file paired with a local configuration file:component_keyring_encrypted_file读取全局配置文件或与本地配置文件配对的全局配置文件:
The component attempts to read its global configuration file from the directory where the component library file is installed (that is, the server plugin directory).组件尝试从安装组件库文件的目录(即服务器插件目录)读取其全局配置文件。
If the global configuration file indicates use of a local configuration file, the component attempts to read its local configuration file from the data directory.如果全局配置文件指示使用本地配置文件,则组件会尝试从数据目录读取其本地配置文件。
Although global and local configuration files are located in different directories, the file name is 尽管全局和本地配置文件位于不同的目录中,但这两个位置的文件名都是component_keyring_encrypted_file.cnf in both locations.component_keyring_encrypted_file.cnf。
It is an error for no confguration file to exist. 不存在配置文件是错误的。没有有效的配置,component_keyring_encrypted_file cannot initialize without a valid configuration.component_keyring_encrypted_file无法初始化。
Local configuration files permit setting up multiple server instances to use 本地配置文件允许设置多个服务器实例以使用component_keyring_encrypted_file, such that component configuration for each server instance is specific to a given data directory instance. component_keyring_encrypted_file,这样每个服务器实例的组件配置都特定于给定的数据目录实例。This enables the same keyring component to be used with a distinct data file for each instance.这使得同一个密钥环组件可以与每个实例的不同数据文件一起使用。
component_keyring_encrypted_file configuration files have these properties:component_keyring_encrypted_file配置文件具有以下属性:
A configuration file must be in valid JSON format.配置文件必须采用有效的JSON格式。
A configuration file permits these configuration items:配置文件允许这些配置项:
"read_local_config": This item is permitted only in the global configuration file. :此项仅允许在全局配置文件中使用。If the item is not present, the component uses only the global configuration file. 如果该项不存在,则组件仅使用全局配置文件。If the item is present, its value is 如果该项存在,则其值为true or false, indicating whether the component should read configuration information from the local configuration file.true或false,指示组件是否应从本地配置文件读取配置信息。
If the 如果"read_local_config" item is present in the global configuration file along with other items, the component checks the "read_local_config" item value first:"read_local_config"项与其他项一起存在于全局配置文件中,则组件会首先检查"read_local_config"的项值:
If the value is 如果该值为false, the component processes the other items in the global configuration file and ignores the local configuration file.false,则组件将处理全局配置文件中的其他项目,并忽略本地配置文件。
If the value is 如果该值为true, the component ignores the other items in the global configuration file and attempts to read the local configuration file.true,则组件将忽略全局配置文件中的其他项目,并尝试读取本地配置文件。
"path": The item value is a string that names the file to use for storing keyring data. The file should be named using an absolute path, not a relative path. This item is mandatory in the configuration. :项值是一个字符串,用于命名用于存储密钥环数据的文件。文件应使用绝对路径命名,而不是相对路径。此项在配置中是必需的。If not specified, 如果未指定,则component_keyring_encrypted_file initialization fails.component_keyring_encrypted_file初始化失败。
"password": The item value is a string that specifies the password for accessing the data file. :项值是一个字符串,指定访问数据文件的密码。This item is mandatory in the configuration. If not specified, 此项在配置中是必需的。如果未指定,则component_keyring_encrypted_file initialization fails.component_keyring_encrypted_file初始化失败。
"read_only": The item value indicates whether the keyring data file is read only. :项值指示密钥环数据文件是否为只读。The item value is 项目值为true (read only) or false (read/write). true(只读)或false(读/写)。This item is mandatory in the configuration. If not specified, 此项在配置中是必需的。如果未指定,则component_keyring_encrypted_file initialization fails.component_keyring_encrypted_file初始化失败。
The database administrator has the responsibility for creating any configuration files to be used, and for ensuring that their contents are correct. If an error occurs, server startup fails and the administrator must correct any issues indicated by diagnostics in the server error log.数据库管理员有责任创建要使用的任何配置文件,并确保其内容正确。如果发生错误,服务器启动失败,管理员必须纠正服务器错误日志中诊断指示的任何问题。
Any configuration file that stores a password should have a restrictive mode and be accessible only to the account used to run the MySQL server.任何存储密码的配置文件都应该具有限制模式,并且只能由用于运行MySQL服务器的帐户访问。
Given the preceding configuration file properties, to configure 给定前面的配置文件属性,要配置component_keyring_encrypted_file, create a global configuration file named component_keyring_encrypted_file.cnf in the directory where the component_keyring_encrypted_file library file is installed, and optionally create a local configuration file, also named component_keyring_encrypted_file.cnf, in the data directory. component_keyring_encrypted_file,请在安装component_keysring_encrypted_file库文件的目录中创建一个名为component_kelring_encrycted_file.cnf的全局配置文件,并在数据目录中可选地创建一个本地配置文件,也名为compound_keyring-encrypted_file.cnf。The following instructions assume that a keyring data file named 以下说明假设以读/写方式使用名为/usr/local/mysql/keyring/component_keyring_encrypted_file is to be used in read/write fashion. You must also choose a password./usr/local/mysql/keyring/component_keyring_encrypted_file的密钥环数据文件。您还必须选择密码。
To use a global configuration file only, the file contents look like this:要仅使用全局配置文件,文件内容如下:
{
"path": "/usr/local/mysql/keyring/component_keyring_encrypted_file",
"password": "password",
"read_only": false
}
Create this file in the directory where the 在安装component_keyring_encrypted_file library file is installed.component_keyring_encrypted_file库文件的目录中创建此文件。
Alternatively, to use a global and local configuration file pair, the global file looks like this:或者,要使用全局和本地配置文件对,全局文件看起来像这样:
{
"read_local_config": true
}
Create this file in the directory where the 在安装component_keyring_encrypted_file library file is installed.component_keyring_encrypted_file库文件的目录中创建此文件。
The local file looks like this:本地文件看起来像这样:
{
"path": "/usr/local/mysql/keyring/component_keyring_encrypted_file",
"password": "password",
"read_only": false
}
Create this file in the data directory.在数据目录中创建此文件。
Keyring operations are transactional: 密钥环操作是事务性的:component_keyring_encrypted_file uses a backup file during write operations to ensure that it can roll back to the original file if an operation fails. component_Keyring_encrypted_file在写入操作期间使用备份文件,以确保在操作失败时可以回滚到原始文件。The backup file has the same name as the data file with a suffix of 备份文件与数据文件同名,后缀为.backup..backup。
component_keyring_encrypted_file supports the functions that comprise the standard MySQL Keyring service interface. component_keyring_encrypted_file支持构成标准MySQL密钥环服务接口的函数。Keyring operations performed by those functions are accessible at two levels:这些功能执行的钥匙扣操作可在两个级别访问:
SQL interface: In SQL statements, call the functions described in Section 6.4.4.14, “General-Purpose Keyring Key-Management Functions”.SQL接口:在SQL语句中,调用第6.4.4.14节,“通用密钥管理函数”中描述的函数。
C interface: In C-language code, call the keyring service functions described in Section 5.6.9.2, “The Keyring Service”.C接口:在C语言代码中,调用第5.6.9.2节,“钥匙圈服务”中描述的钥匙圈服务函数。
Example (using the SQL interface):示例(使用SQL接口):
SELECT keyring_key_generate('MyKey', 'AES', 32);
SELECT keyring_key_remove('MyKey');
For information about the characteristics of key values permitted by 有关component_keyring_encrypted_file, see Section 6.4.4.12, “Supported Keyring Key Types and Lengths”.component_keyring_encrypted_file允许的键值特征的信息,请参阅第6.4.4.12节,“支持的密钥环密钥类型和长度”。