Configuring the Component Keyring in Percona Server and PXC … | Percona Community

(Or: how to make MySQL encryption boring, which is the goal)

Encryption is one of those things everyone agrees is important, right up until MySQL refuses to start and you’re staring at a JSON file wondering which brace ruined your evening.


This is a companion discussion topic for the original entry at https://percona.community/blog/2026/01/13/configuring-the-component-keyring-in-percona-server-and-pxc-8.4

Hi @daniil.bazhenov

Thanks for the post. I’ve configured the keyring using “component_keyring_file”. It works as expected with the global manifest configuration. However, when I switch to the local manifest configuration (“read_local_manifest”: true), the master key isn’t accessible.

I was able to successfully do both global and local manifest configuration with Oracle MySQL 8.4.6.

Does Percona support local manifest configuration? I don’t see any restrictions in the technical doc.

Cheers

Mohan

Thank you for your question. I suggest calling @Wayne_Leutwyler for help.

Hi @pkm2112,

Can you share the steps you’ve taken and the error log you received?

Below are my steps to configure the keyring with a global manifest, then switching to a local one, and it works without issue:

# create the global manifest file
cat <<EOF > /usr/sbin/mysqld.my
{
  "components": "file://component_keyring_file"
}
EOF

# create component_keyring_file config
cat <<EOF > /usr/lib64/mysql/plugin/component_keyring_file.cnf
{
  "path": "/var/lib/mysql-keyring/component_keyring_file",
  "read_only": true
}
EOF

# create enc keys dir
cd /var/lib
sudo mkdir mysql-keyring
sudo chown mysql:mysql mysql-keyring
sudo chmod 750 mysql-keyring

# restart service 
systemctl restart mysqld

# verify the component is loaded
mysql -pxxxxx -e 'SELECT * FROM performance_schema.keyring_component_status;'
mysql: [Warning] Using a password on the command line interface can be insecure.
+---------------------+-----------------------------------------------+
| STATUS_KEY          | STATUS_VALUE                                  |
+---------------------+-----------------------------------------------+
| Component_name      | component_keyring_file                        |
| Author              | Oracle Corporation                            |
| License             | GPL                                           |
| Implementation_name | component_keyring_file                        |
| Version             | 1.0                                           |
| Component_status    | Active                                        |
| Data_file           | /var/lib/mysql-keyring/component_keyring_file |
| Read_only           | Yes                                           |
+---------------------+-----------------------------------------------+
 

# create local manifest file
cp /usr/sbin/mysqld.my /var/lib/mysql/mysqld.my

# update global manifest to read local file
cat <<EOF > /usr/sbin/mysqld.my
{
  "read_local_manifest": true
}
EOF

# restart and check component load 
systemctl restart mysqld
mysql -pxxxxx -e 'SELECT * FROM performance_schema.keyring_component_status;'
mysql: [Warning] Using a password on the command line interface can be insecure.
+---------------------+-----------------------------------------------+
| STATUS_KEY          | STATUS_VALUE                                  |
+---------------------+-----------------------------------------------+
| Component_name      | component_keyring_file                        |
| Author              | Oracle Corporation                            |
| License             | GPL                                           |
| Implementation_name | component_keyring_file                        |
| Version             | 1.0                                           |
| Component_status    | Active                                        |
| Data_file           | /var/lib/mysql-keyring/component_keyring_file |
| Read_only           | Yes                                           |
+---------------------+-----------------------------------------------+
 

It appears to me your configuration isn’t complete.

The component keyring file cnf located under lib/plugin shouldn’t contain the path of the keystore.

The cnf file containing the path of the keystore is supposed to be under datadir.

Objective: you could run multiple instances from the same home, each with a different keystore.

Stuff works for me as expected if I run “oracle” MySQL. Currently I’m supporting “oracle” MySQL instances in production.

Cheers

Hi @pkm2112,

Below is my deployment with the local keyring config file, and it still works:

cat <<EOF > /usr/sbin/mysqld.my
{
  "read_local_manifest": true
}
EOF
cat <<EOF > /usr/lib64/mysql/plugin/component_keyring_file.cnf
{
  "read_local_config": true 
}
EOF

for i in {1..2}
do 
cat <<EOF > "/usr/local/mysql${i}/data/mysqld.my"
{
  "components": "file://component_keyring_file"
}
EOF
cat <<EOF > "/usr/local/mysql${i}/data/component_keyring_file.cnf"
{
  "path": "/var/lib/mysql-keyring/component_keyring_file-${i}",
  "read_only": true
}
EOF
done 

Restarting and querying each instance shows them using a different keyring Data_file:

for i in {6..7}
do 
  mysql --host=127.0.0.1 --port=330${i} -pxxxxx -e 'SELECT * FROM performance_schema.keyring_component_status;'
done 
mysql: [Warning] Using a password on the command line interface can be insecure.
+---------------------+-------------------------------------------------+
| STATUS_KEY          | STATUS_VALUE                                    |
+---------------------+-------------------------------------------------+
| Component_name      | component_keyring_file                          |
| Author              | Oracle Corporation                              |
| License             | GPL                                             |
| Implementation_name | component_keyring_file                          |
| Version             | 1.0                                             |
| Component_status    | Active                                          |
| Data_file           | /var/lib/mysql-keyring/component_keyring_file-1 |
| Read_only           | Yes                                             |
+---------------------+-------------------------------------------------+
mysql: [Warning] Using a password on the command line interface can be insecure.
+---------------------+-------------------------------------------------+
| STATUS_KEY          | STATUS_VALUE                                    |
+---------------------+-------------------------------------------------+
| Component_name      | component_keyring_file                          |
| Author              | Oracle Corporation                              |
| License             | GPL                                             |
| Implementation_name | component_keyring_file                          |
| Version             | 1.0                                             |
| Component_status    | Active                                          |
| Data_file           | /var/lib/mysql-keyring/component_keyring_file-2 |
| Read_only           | Yes                                             |
+---------------------+-------------------------------------------------+

I’m testing with Percona’s MySQL Server 8.4.6 (percona-server-server-8.4.s6-6.1.el9.aarch64), and the instance’s config file is pretty bare-bones:

[mysqld]
basedir=/usr/local/mysql2
datadir=/usr/local/mysql2/data
socket=/usr/local/mysql2/mysql.sock
port=3307
log-error=/usr/local/mysql2/mysqld.log
pid-file=/usr/local/mysql2/mysqld.pid
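
The two posts above describe the same delegation chain twice by hand: global manifest next to the mysqld binary, optionally delegating to a local manifest in datadir via read_local_manifest; global component_keyring_file.cnf in plugin_dir, optionally delegating to a local copy in datadir via read_local_config. The script below is an added example, not code from the thread, from Percona or from MySQL: it walks that chain for a given binary, plugin_dir and datadir, validates each JSON file (reporting the exact line and column of a bad brace or trailing comma), and reports where the keyring data file would end up, together with two checks a practitioner wants before restarting: a read_only file that does not exist yet (the component will not write it, so no master key can be stored there) and a keyring directory that is world-accessible. The lookup order is the documented MySQL 8.x one; treating a missing local file as an error is this script's own policy, and the function names, temporary directory layout and sample files (the thread's two-instance layout plus a third datadir with deliberately broken JSON) are constructed for the example.

```python
"""Added example (not from the thread): resolve and validate the manifest /
config chain that mysqld follows for component_keyring_file.

Assumed lookup order (MySQL 8.x manifest docs):
  <mysqld binary>.my  -> <datadir>/mysqld.my              if read_local_manifest
  <plugin_dir>/component_keyring_file.cnf
                      -> <datadir>/component_keyring_file.cnf if read_local_config
Function names, demo layout and sample files are constructed for this example.
"""
import json
import stat
import tempfile
from pathlib import Path

COMPONENT = "component_keyring_file"


def load_json(path: Path) -> dict:
    """Parse one manifest/config file; on bad JSON, say exactly where."""
    if not path.is_file():
        raise ValueError(f"{path}: file not found")
    try:
        data = json.loads(path.read_text())
    except json.JSONDecodeError as e:
        raise ValueError(
            f"{path}: invalid JSON at line {e.lineno} column {e.colno}: {e.msg}"
        ) from None
    if not isinstance(data, dict):
        raise ValueError(f"{path}: top level must be a JSON object")
    return data


def resolve(binary: Path, plugin_dir: Path, datadir: Path) -> dict:
    """Follow global -> local delegation and report the effective files."""
    report: dict = {"warnings": []}

    manifest_path = binary.with_name(binary.name + ".my")  # e.g. /usr/sbin/mysqld.my
    manifest = load_json(manifest_path)
    if manifest.get("read_local_manifest") is True:
        manifest_path = datadir / manifest_path.name       # datadir/mysqld.my
        manifest = load_json(manifest_path)
    report["manifest"] = str(manifest_path)

    if f"file://{COMPONENT}" not in str(manifest.get("components", "")):
        report["warnings"].append(f"{manifest_path}: 'components' does not list file://{COMPONENT}")
        return report

    cnf_path = plugin_dir / f"{COMPONENT}.cnf"
    cnf = load_json(cnf_path)
    if cnf.get("read_local_config") is True:
        cnf_path = datadir / cnf_path.name                 # datadir/component_keyring_file.cnf
        cnf = load_json(cnf_path)
    report["config"] = str(cnf_path)

    if "path" not in cnf:
        raise ValueError(f"{cnf_path}: missing required 'path'")
    keyfile = Path(cnf["path"])
    report["keyring_file"] = str(keyfile)
    report["read_only"] = cnf.get("read_only") is True

    # read_only means the component never writes the data file, so a file
    # that does not exist yet can never receive a new master key.
    if report["read_only"] and not keyfile.exists():
        report["warnings"].append(f"{keyfile}: read_only is true and the file does not exist; no keys can be created")
    keydir = keyfile.parent
    if not keydir.is_dir():
        report["warnings"].append(f"{keydir}: keyring directory does not exist")
    elif stat.S_IMODE(keydir.stat().st_mode) & 0o007:
        report["warnings"].append(f"{keydir}: directory is world-accessible")
    return report


def _write(path: Path, text: str) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def build_demo_tree(root: Path) -> tuple:
    """Constructed sample: the thread's two-instance layout plus a third
    datadir whose local manifest has a trailing comma. Returns (binary, plugin_dir)."""
    binary, plugin_dir = root / "usr/sbin/mysqld", root / "usr/lib64/mysql/plugin"
    _write(binary.with_name("mysqld.my"), '{\n  "read_local_manifest": true\n}\n')
    _write(plugin_dir / f"{COMPONENT}.cnf", '{\n  "read_local_config": true\n}\n')
    keydir = root / "var/lib/mysql-keyring"
    keydir.mkdir(parents=True)
    keydir.chmod(0o750)
    for i in (1, 2):
        datadir = root / f"usr/local/mysql{i}/data"
        _write(datadir / "mysqld.my", f'{{\n  "components": "file://{COMPONENT}"\n}}\n')
        _write(datadir / f"{COMPONENT}.cnf",
               json.dumps({"path": str(keydir / f"{COMPONENT}-{i}"), "read_only": True}, indent=2))
    _write(root / "usr/local/mysql3/data/mysqld.my",
           f'{{\n  "components": "file://{COMPONENT}",\n}}\n')  # trailing comma: invalid JSON
    return binary, plugin_dir


def demo() -> dict:
    """Resolve all three constructed datadirs; errors are captured as strings."""
    out: dict = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        binary, plugin_dir = build_demo_tree(root)
        for i in (1, 2, 3):
            try:
                out[f"mysql{i}"] = resolve(binary, plugin_dir, root / f"usr/local/mysql{i}/data")
            except ValueError as e:
                out[f"mysql{i}"] = {"error": str(e)}
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it as-is to see the demo; on a real host call resolve(Path("/usr/sbin/mysqld"), Path("/usr/lib64/mysql/plugin"), Path(datadir)) as the mysql user before each restart, and treat any warning as something to fix first, since keyring_component_status only tells you the component is Active, not whether it can write a key.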

I’ve been able to switch back and forth between the global and local manifest files. I’ve not encountered any issues. I’m currently running Percona Server 8.4.8. Just as a sanity check I followed the steps that @hieu.nguyen shared.

Thanks for the information. My configuration is the same as yours. I’m running Percona 8.4.6 unpacked from the tarball. I’ll try 8.4.8.

Cheers