The keyring_file keyring plugin stores keyring data in a file local to the server host.
For encryption key management, the keyring_file plugin is not intended as a regulatory compliance solution. Security standards such as PCI, FIPS, and others require use of key management systems to secure, manage, and protect encryption keys in key vaults or hardware security modules (HSMs).
To install keyring_file, use the general instructions found in Section 6.4.4.3, “Keyring Plugin Installation”, together with the configuration information specific to keyring_file found here.
To be usable during the server startup process, keyring_file must be loaded using the --early-plugin-load option. The keyring_file_data system variable optionally configures the location of the file used by the keyring_file plugin for data storage. The default value is platform specific. To configure the file location explicitly, set the variable value at startup. For example, use these lines in the server my.cnf file, adjusting the .so suffix and file location for your platform as necessary:
    [mysqld]
    early-plugin-load=keyring_file.so
    keyring_file_data=/usr/local/mysql/mysql-keyring/keyring
Keyring operations are transactional: The keyring_file plugin uses a backup file during write operations to ensure that it can roll back to the original file if an operation fails. The backup file has the same name as the value of the keyring_file_data system variable with a suffix of .backup.
For additional information about keyring_file_data, see Section 6.4.4.18, “Keyring System Variables”.
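The configuration and backup-file behavior described above can be checked from the server host. The following audit is an added example, not code from the MySQL project: it parses a my.cnf text, confirms keyring_file is listed under early-plugin-load, and inspects the keyring file and its .backup sibling. The function names, the owner-only permission policy, and treating an existing backup file as worth investigating are assumptions of this example.

```python
import configparser
import os
import stat

def read_mysqld_options(cnf_text):
    """Parse the [mysqld] group; '-' and '_' are interchangeable in option names."""
    parser = configparser.ConfigParser(allow_no_value=True, strict=False,
                                       interpolation=None)
    parser.optionxform = lambda name: name.strip().lower().replace("-", "_")
    # !include / !includedir directives are not followed here; drop them.
    body = "\n".join(l for l in cnf_text.splitlines() if not l.lstrip().startswith("!"))
    parser.read_string(body)
    return dict(parser["mysqld"]) if parser.has_section("mysqld") else {}

def audit_keyring_file(cnf_text):
    """Return a list of findings about the keyring_file setup in cnf_text."""
    opts = read_mysqld_options(cnf_text)
    findings = []
    # early-plugin-load takes ';'-separated entries, each "library" or "name=library".
    libs = [e.split("=")[-1].strip() for e in (opts.get("early_plugin_load") or "").split(";")]
    if not any(lib.startswith("keyring_file.") for lib in libs):
        findings.append("keyring_file is not loaded with early-plugin-load")
    path = opts.get("keyring_file_data")
    if not path:
        findings.append("keyring_file_data is not set; platform default location applies")
        return findings
    for label, candidate in (("keyring file", path), ("backup file", path + ".backup")):
        if not os.path.exists(candidate):
            continue
        if label == "backup file":
            findings.append(f"{candidate} exists: a keyring write is in progress or did not complete")
        mode = stat.S_IMODE(os.stat(candidate).st_mode)
        if mode & 0o077:  # assumed policy: owner-only access to key material
            findings.append(f"{label} {candidate} is accessible to group/other (mode {mode:04o})")
    return findings

# Constructed sample configuration, modelled on the example lines above.
SAMPLE_CNF = """
[mysqld]
early-plugin-load=keyring_file.so
keyring_file_data=/usr/local/mysql/mysql-keyring/keyring
"""

if __name__ == "__main__":
    for finding in audit_keyring_file(SAMPLE_CNF) or ["no findings"]:
        print(finding)
```

Run it as the account that owns the MySQL files so that os.stat can read the keyring directory.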
To ensure that keys are flushed only when the correct keyring storage file exists, keyring_file stores a SHA-256 checksum of the keyring in the file. Before updating the file, the plugin verifies that it contains the expected checksum.
The keyring_file plugin supports the functions that comprise the standard MySQL Keyring service interface. Keyring operations performed by those functions are accessible at two levels:
SQL interface: In SQL statements, call the functions described in Section 6.4.4.14, “General-Purpose Keyring Key-Management Functions”.
C interface: In C-language code, call the keyring service functions described in Section 5.6.9.2, “The Keyring Service”.
Example (using the SQL interface):
    SELECT keyring_key_generate('MyKey', 'AES', 32);
    SELECT keyring_key_remove('MyKey');
For information about the characteristics of key values permitted by keyring_file, see Section 6.4.4.12, “Supported Keyring Key Types and Lengths”.