MySQL Server supports a keyring that enables internal server components and plugins to securely store sensitive information for later retrieval. The implementation comprises these elements:
Keyring components and plugins that manage a backing store or communicate with a storage back end. Keyring use involves installing one from among the available components and plugins. Keyring components and plugins both manage keyring data but are configured differently and may have operational differences (see Section 6.4.4.1, “Keyring Components Versus Keyring Plugins”).
These keyring components are available:
component_keyring_file: Stores keyring data in a file local to the server host. Available in MySQL Community Edition and MySQL Enterprise Edition distributions as of MySQL 8.0.24. See Section 6.4.4.4, “Using the component_keyring_file File-Based Keyring Component”.
component_keyring_encrypted_file: Stores keyring data in an encrypted, password-protected file local to the server host. Available in MySQL Enterprise Edition distributions as of MySQL 8.0.24. See Section 6.4.4.5, “Using the component_keyring_encrypted_file Encrypted File-Based Keyring Component”.
These keyring plugins are available:
keyring_file: Stores keyring data in a file local to the server host. Available in MySQL Community Edition and MySQL Enterprise Edition distributions. See Section 6.4.4.6, “Using the keyring_file File-Based Keyring Plugin”.
keyring_encrypted_file: Stores keyring data in an encrypted, password-protected file local to the server host. Available in MySQL Enterprise Edition distributions. See Section 6.4.4.7, “Using the keyring_encrypted_file Encrypted File-Based Keyring Plugin”.
keyring_okv: A KMIP 1.1 plugin for use with KMIP-compatible back end keyring storage products such as Oracle Key Vault and Gemalto SafeNet KeySecure Appliance. Available in MySQL Enterprise Edition distributions. See Section 6.4.4.8, “Using the keyring_okv KMIP Plugin”.
keyring_aws: Communicates with the Amazon Web Services Key Management Service for key generation and uses a local file for key storage. Available in MySQL Enterprise Edition distributions. See Section 6.4.4.9, “Using the keyring_aws Amazon Web Services Keyring Plugin”.
keyring_hashicorp: Communicates with HashiCorp Vault for back end storage. Available in MySQL Enterprise Edition distributions as of MySQL 8.0.18. See Section 6.4.4.10, “Using the HashiCorp Vault Keyring Plugin”.
keyring_oci: Communicates with Oracle Cloud Infrastructure Vault for back end storage. Available in MySQL Enterprise Edition distributions as of MySQL 8.0.22. See Section 6.4.4.11, “Using the Oracle Cloud Infrastructure Vault Keyring Plugin”.
A keyring service interface for keyring key management. This service is accessible at two levels:
SQL interface: In SQL statements, call the functions described in Section 6.4.4.14, “General-Purpose Keyring Key-Management Functions”.
C interface: In C-language code, call the keyring service functions described in Section 5.6.9.2, “The Keyring Service”.
Key metadata access:
The Performance Schema keyring_keys table exposes metadata for keys in the keyring. Key metadata includes key IDs, key owners, and backend key IDs. The keyring_keys table does not expose any sensitive keyring data such as key contents. Available as of MySQL 8.0.16. See Section 27.12.18.2, “The keyring_keys Table”.
The Performance Schema keyring_component_status table provides status information about the keyring component in use, if one is installed. Available as of MySQL 8.0.24. See Section 27.12.18.1, “The keyring_component_status Table”.
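As an added example (not text from the MySQL manual), the following SQL session exercises the SQL-level keyring interface together with the two Performance Schema tables described above: it checks that a keyring component is active, generates a key, confirms that only metadata (never key material) is visible in keyring_keys, and removes the key. It assumes a keyring component is already installed, that the server runs on Unix (the plugin library is keyring_udf.so; on Windows it is keyring_udf.dll), and the key ID 'app_key_1' is a constructed sample value.

```sql
-- Confirm a keyring component is installed and active (MySQL 8.0.24 or later).
-- Component_status is expected to read 'Active'.
SELECT STATUS_KEY, STATUS_VALUE
  FROM performance_schema.keyring_component_status
 WHERE STATUS_KEY IN ('Component_name', 'Component_status');

-- One-time setup: load the keyring_udf plugin and register the
-- general-purpose keyring functions used below.
INSTALL PLUGIN keyring_udf SONAME 'keyring_udf.so';
CREATE FUNCTION keyring_key_generate     RETURNS INTEGER SONAME 'keyring_udf.so';
CREATE FUNCTION keyring_key_length_fetch RETURNS INTEGER SONAME 'keyring_udf.so';
CREATE FUNCTION keyring_key_type_fetch   RETURNS STRING  SONAME 'keyring_udf.so';
CREATE FUNCTION keyring_key_remove       RETURNS INTEGER SONAME 'keyring_udf.so';

-- Generate a 32-byte AES key under a constructed sample ID.
-- Returns 1 on success, NULL on failure (e.g. no keyring installed).
SELECT keyring_key_generate('app_key_1', 'AES', 32) AS generated;

-- Metadata only: the key is listed with its owner and backend ID,
-- but the table carries no key contents.
SELECT KEY_ID, KEY_OWNER, BACKEND_KEY_ID
  FROM performance_schema.keyring_keys
 WHERE KEY_ID = 'app_key_1';

-- Length and type can be inspected without fetching the key material.
SELECT keyring_key_length_fetch('app_key_1') AS key_len,   -- 32
       keyring_key_type_fetch('app_key_1')   AS key_type;  -- 'AES'

-- Remove the key when it is no longer needed; it then disappears
-- from keyring_keys and a second remove returns NULL.
SELECT keyring_key_remove('app_key_1') AS removed;
```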
A key migration capability. MySQL supports migration of keys between keystores, enabling DBAs to switch a MySQL installation from one keystore to another. See Section 6.4.4.13, “Migrating Keys Between Keyring Keystores”.
The implementation of keyring plugins is revised as of MySQL 8.0.24 to use the component infrastructure. This is facilitated using the built-in plugin named daemon_keyring_proxy_plugin that acts as a bridge between the plugin and component service APIs. See Section 5.6.8, “The Keyring Proxy Bridge Plugin”.
For encryption key management, the component_keyring_file and component_keyring_encrypted_file components, and the keyring_file and keyring_encrypted_file plugins, are not intended as a regulatory compliance solution. Security standards such as PCI, FIPS, and others require use of key management systems to secure, manage, and protect encryption keys in key vaults or hardware security modules (HSMs).
Within MySQL, keyring service consumers include:
The InnoDB storage engine uses the keyring to store its key for tablespace encryption. See Section 15.13, “InnoDB Data-at-Rest Encryption”.
MySQL Enterprise Audit uses the keyring to store the audit log file encryption password. See Encrypting Audit Log Files.
Binary log and relay log management supports keyring-based encryption of log files. With log file encryption activated, the keyring stores the keys used to encrypt passwords for the binary log files and relay log files. See Section 17.3.2, “Encrypting Binary Log Files and Relay Log Files”.
For general keyring installation instructions, see Section 6.4.4.2, “Keyring Component Installation”, and Section 6.4.4.3, “Keyring Plugin Installation”. For installation and configuration information specific to a given keyring component or plugin, see the section describing it.
For information about using the keyring functions, see Section 6.4.4.14, “General-Purpose Keyring Key-Management Functions”.
Keyring components, plugins, and functions access a keyring service that provides the interface to the keyring. For information about accessing this service and writing keyring plugins, see Section 5.6.9.2, “The Keyring Service”, and Writing Keyring Plugins.