Bug #111915 Fail to configurate Component keyring in windows 11 and 10
Submitted: 28 Jul 2023 16:57
Modified: 9 Aug 2023 16:21
Reporter: Lesly Campo
Status: Verified
Category: MySQL Server: Security: Encryption
Severity: S3 (Non-critical)
Version: 8.0
OS: Windows (10)
Assigned to:
CPU Architecture: Other (8th Gen Intel(R) Core(TM) i7-1165G7)

[28 Jul 2023 16:57] Lesly Campo
Description:
When trying to follow the installation documentation of the component_keyring_file to be able to encrypt data at rest, on Windows only a relative path activates the keyring. But the server can never initialize the component, making the tables inaccessible after a restart of the server.

Expected behaviour: be able to encrypt and decrypt the data on every restart of the service.

How to repeat:
Please do the following on Windows 11 Pro with server version 8.0.31.
STEP BY STEP TO ENCRYPTION OF DATA AT REST

1.	Activate Keyring component of mysql 
a.	In the bin directory of the MySQL Server installation, create a manifest file called mysqld.my with the following information in JSON format:
{
  "read_local_manifest": false,
  "components": "file://component_keyring_file"
}
b.	In the plugin directory (normally C:\Program Files\MySQL\MySQL Server 8.0\lib\plugin) create a configuration file called component_keyring_file.cnf with the following information 
{
  "read_local_config": false,
  "path": "component_keyring_file",
  "read_only": false
}
Note: Even though the instructions say to use an absolute path, only a relative path worked to activate the component in the server.

c.	Use ALTER INSTANCE RELOAD KEYRING in a mysql query to update the component configuration.

2.	To alter the encryption of an existing file-per-table tablespace, an ENCRYPTION clause must be specified.

mysql> ALTER TABLE t1 ENCRYPTION = 'Y';

3.	When we restart the service and even if we use the ALTER INSTANCE RELOAD KEYRING command, we are still not able to access the encrypted data. 

Suggested fix:
The documentation about the configuration path is not logical for the steps needed on Windows to be able to encrypt the data. Maybe it is creating a conflict in the initialization of the component at the start of the service.

Please update the steps to be able to use the functionality.
[31 Jul 2023 12:50] MySQL Verification Team
Hi Mr. Campo,

Thank you for your bug report.

We were able to repeat the steps that you describe on another operating system.

This is now a verified bug.

It is quite possible that this bug will be resolved by better documentation in our Reference Manual.
[9 Aug 2023 16:21] Lesly Campo
I was able to reproduce it on Windows 10 also, with the same result. Waiting for a way to use the feature on Windows.
[10 Aug 2023 12:11] MySQL Verification Team
Thank you, Mr. Campo.
[4 Nov 2024 5:31] MySQL Verification Team
When you tried an absolute path with:
 "path": "component_keyring_file",

did you make sure the absolute path wasn't under or in the datadir?
Did the directory exist first?

e.g. If I have:

{
  "path": "c:/keys/component_keyring_file.key",
  "read_only": false
}

the c:\keys directory must exist and the OS user the service runs as should have read/write access to it.
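
The checks raised in the last comment (absolute path, not in or under the datadir, directory exists, read/write access) can be run against a component_keyring_file.cnf body before restarting the service. This is an added example, not part of the original thread or MySQL's own code; the function name, the `d:/mysql/data` datadir and the sample bodies are assumptions made for illustration.

```python
import json
import os
from pathlib import PureWindowsPath


def check_keyring_config(cnf_text, datadir,
                         dir_exists=os.path.isdir,
                         dir_rw=lambda d: os.access(d, os.R_OK | os.W_OK)):
    """Return a list of problems with the "path" in a component_keyring_file.cnf.

    dir_exists / dir_rw are injectable so the logic can be exercised off-box;
    the defaults test the *current* user, so run this as the service account.
    """
    path = json.loads(cnf_text).get("path")
    if not path:
        return ['no "path" entry in the configuration']
    key_file = PureWindowsPath(path)          # Windows path rules on any host
    if not key_file.is_absolute():            # needs drive + root, e.g. c:/keys/...
        return [f'"{path}" is not an absolute path']

    problems = []
    data = PureWindowsPath(datadir)
    # PureWindowsPath compares case-insensitively and treats / and \ alike.
    if key_file == data or data in key_file.parents:
        problems.append(f'"{path}" is in or under the datadir {datadir}')
    key_dir = str(key_file.parent)
    if not dir_exists(key_dir):
        problems.append(f"directory {key_dir} does not exist")
    elif not dir_rw(key_dir):
        problems.append(f"no read/write access to {key_dir}")
    return problems


if __name__ == "__main__":
    # Constructed sample values: the datadir and both config bodies are examples.
    DATADIR = "d:/mysql/data"
    reported = ('{"read_local_config": false, '
                '"path": "component_keyring_file", "read_only": false}')
    suggested = '{"path": "c:/keys/component_keyring_file.key", "read_only": false}'
    for name, body in (("reported", reported), ("suggested", suggested)):
        print(name, check_keyring_config(body, DATADIR) or "ok")
```

The path comparison is purely lexical, so a path containing `..` segments or a junction pointing into the datadir is not detected.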