Bug #84668 Can't configure keyring_file_data on new install
Submitted: 25 Jan 2017 15:19 Modified: 31 Jan 2017 13:29
Reporter: Chris Fidao Email Updates:
Status: Closed Impact on me: None
Category:MySQL Server: Security: Encryption Severity:S2 (Serious)
Version:5.7.17 OS:Ubuntu (16.04)
Assigned to: Georgi Kodinov CPU Architecture:Any

[25 Jan 2017 15:19] Chris Fidao
Description:
On a fresh installation of MySQL 5.7.17, setting the `keyring_file_data` variable creates an error on startup:

```
[ERROR] Plugin keyring_file reported: 'File '/opt/mysql/keyring' not found (Errcode: 13 - Permission denied)'
[ERROR] Plugin keyring_file reported: 'keyring_file initialization failure. Please check if the keyring_file_data points 
```

This runs counter to the documentation on setting up table encryption on MySQL community edition, which states that the key file and the master key are generated when you create your first encrypted table.

How to repeat:
On Ubuntu 16.04:

Install

```
# Install mysql 5.7.17 on ubuntu 16.04
sudo apt-get update
sudo apt-key adv --keyserver ha.pool.sks-keyservers.net --recv A4A9406876FCBD3C456770C88C718D3B5072E1F5
echo "deb http://repo.mysql.com/apt/ubuntu/ trusty mysql-5.7" | sudo tee /etc/apt/sources.list.d/mysql.list
echo "deb http://repo.mysql.com/apt/ubuntu/ trusty mysql-apt-config" | sudo tee -a /etc/apt/sources.list.d/mysql.list
sudo apt-get update
sudo apt-get install -y mysql-server
```

Configure & Start:

```
sudo mkdir /opt/mysql
sudo chown mysql:mysql /opt/mysql

echo "early-plugin-load=keyring_file.so" | sudo tee -a /etc/mysql/mysql.conf.d/mysqld.cnf
echo "keyring_file_data=/opt/mysql/keyring" | sudo tee -a /etc/mysql/mysql.conf.d/mysqld.cnf

sudo service mysql start
```

Attempt to create a table

```
-- create a database, then an encrypted InnoDB table in it
create database testdb;
use testdb;
create table users (
    id int not null auto_increment,
    username varchar(255) not null,
    primary key (id)
) ENCRYPTION='Y';

-- ERROR 3185 (HY000): Can't find master key from keyring, please check keyring plugin is loaded.
```

Suggested fix:
Not setting the `keyring_file_data` variable defaults to `/var/lib/mysql/mysql-keyring/keyring`, which appears to work.

I'm not sure if this is a bug or a documentation issue; it depends on what the expected behavior is as of 5.7.17.

If it's just a documentation issue, I hope that information can get updated - hopefully along with a working way to change the location of the keyring, if that functionality is intended to exist.
[27 Jan 2017 13:17] Georgi Kodinov
What is the exact error you're getting?
Can you please check your SELinux configuration?
FYI, our regression tests include starting the server with a non-standard keyring_file_data; see the tests in the following file: suite\auth_sec\t\keyring_file_data.test
I've tried on my Windows and it worked too.

Please also check your plugin directory (SELECT @@plugin_dir) and whether it actually contains a keyring_file.so.

Also check if the plugin is actually loaded: select plugin_status from information_schema.plugins where plugin_name = 'keyring_file';
[31 Jan 2017 13:29] Chris Fidao
Thanks, the question on SELinux drove me to find the issue.

While Ubuntu does not have SELinux, it does have AppArmor.

The official mysql package for Ubuntu installs an AppArmor profile for Ubuntu 16.04.

This limits directory access; specifically, /var/lib/mysql-keyring is meant to be used for the keyring.
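The Errcode 13 in the report is what an AppArmor denial looks like from mysqld's side; the kernel log records the actual denied path. The following shell snippet, added here as an illustration and not part of the bug report or the MySQL package, scans constructed sample audit lines for denials against the mysqld profile and prints the AppArmor rule that would permit the custom keyring path. The local override file path /etc/apparmor.d/local/usr.sbin.mysqld is assumed from the usual Ubuntu layout.

```shell
#!/bin/sh
# Constructed sample of kernel audit lines as they appear in `dmesg` or
# /var/log/kern.log when AppArmor confines mysqld. Not taken from the report.
SAMPLE_LOG='audit: type=1400 audit(1485357000.101:41): apparmor="ALLOWED" operation="open" profile="/usr/sbin/mysqld" name="/var/lib/mysql/ibdata1" pid=1234 comm="mysqld" requested_mask="rw" denied_mask="rw" fsuid=112 ouid=112
audit: type=1400 audit(1485357000.102:42): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/opt/mysql/keyring" pid=1234 comm="mysqld" requested_mask="wc" denied_mask="wc" fsuid=112 ouid=112
audit: type=1400 audit(1485357000.103:43): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/opt/mysql/keyring" pid=1234 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=112 ouid=112
audit: type=1400 audit(1485357000.104:44): apparmor="DENIED" operation="open" profile="/usr/bin/nginx" name="/etc/shadow" pid=999 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=0'

# Print each distinct path the mysqld profile was denied, one per line.
# $1 is the log text; on a live host pass "$(dmesg)" or "$(cat /var/log/kern.log)".
# Denials for other profiles (the nginx line above) are ignored.
mysqld_denied_paths() {
    printf '%s\n' "$1" \
      | grep 'apparmor="DENIED"' \
      | grep 'profile="/usr/sbin/mysqld"' \
      | sed -n 's/.*name="\([^"]*\)".*/\1/p' \
      | sort -u
}

# Emit the AppArmor rule granting mysqld read, write and lock access to the
# given keyring file. It belongs in the local override file (assumed path
# /etc/apparmor.d/local/usr.sbin.mysqld); afterwards reload the profile with
# `sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld`.
keyring_allow_rule() {
    printf '%s rwk,\n' "$1"
}

# Stand-alone usage: report denials in the sample and the rule each one needs.
for p in $(mysqld_denied_paths "$SAMPLE_LOG"); do
    echo "mysqld denied access to: $p"
    echo "add to /etc/apparmor.d/local/usr.sbin.mysqld: $(keyring_allow_rule "$p")"
done
```

Granting only the single keyring file keeps the profile tight; avoid widening it to the whole /opt tree.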