The keyring_file keyring plugin stores keyring data in a file local to the server host.

To install keyring_file, use the general instructions found in Section 6.4.4.3, “Keyring Plugin Installation”, together with the configuration information specific to keyring_file found here.

To be usable during the server startup process, keyring_file must be loaded using the --early-plugin-load option. The keyring_file_data system variable optionally configures the location of the file used by the keyring_file plugin for data storage. The default value is platform specific. To configure the file location explicitly, set the variable value at startup. For example, use these lines in the server my.cnf file, adjusting the .so suffix and file location for your platform as necessary:

[mysqld]
early-plugin-load=keyring_file.so
keyring_file_data=/usr/local/mysql/mysql-keyring/keyring

Keyring operations are transactional: The keyring_file plugin uses a backup file during write operations to ensure that it can roll back to the original file if an operation fails. The backup file has the same name as the value of the keyring_file_data system variable with a suffix of .backup.

For additional information about keyring_file_data, see Section 6.4.4.18, “Keyring System Variables”.

To ensure that keys are flushed only when the correct keyring storage file exists, keyring_file stores a SHA-256 checksum of the keyring in the file. Before updating the file, the plugin verifies that it contains the expected checksum.

The keyring_file plugin supports the functions that comprise the standard MySQL Keyring service interface. Keyring operations performed by those functions are accessible at two levels:

Example (using the SQL interface):

SELECT keyring_key_generate('MyKey', 'AES', 32);
SELECT keyring_key_remove('MyKey');

For information about the characteristics of key values permitted by keyring_file, see Section 6.4.4.12, “Supported Keyring Key Types and Lengths”.