Hello!
I’m trying to configure the keyring as a component (not a plugin) in Percona XtraDB Cluster 8.4.4-4.1 on Debian, following the MySQL 8.4 documentation. The component does not activate, and there are no related errors in the logs.
Environment:
- Percona XtraDB Cluster 8.4.4-4.1
- OS: Debian 11
basedir = /usr/
datadir = /var/lib/mysql/
What I’ve done:
- Created a global manifest file at /usr/mysqld.my (this is the correct basedir, not /usr/sbin/!):
{
"components": "file://component_keyring_file"
}
- Added to /etc/mysql/my.cnf:
[mysqld]
early-plugin-load=""
component_keyring_file_data=/var/lib/mysql/keyring/component_keyring
- Confirmed that component_keyring_file.so exists in the plugin directory:
/usr/lib/mysql/plugin/component_keyring_file.so
- Created the keyring path:
mkdir -p /var/lib/mysql/keyring/
touch /var/lib/mysql/keyring/component_keyring
chown -R mysql:mysql /var/lib/mysql/keyring/
- Set permissions on the manifest:
chown root:root /usr/mysqld.my
chmod 644 /usr/mysqld.my
- MySQL starts successfully, no errors in the logs.
The problem:
SELECT * FROM performance_schema.keyring_component_status; returns empty — the component is not loaded.
SHOW PLUGINS does not show it (as expected for components).
Questions:
- Does Percona XtraDB Cluster 8.4.4 support loading keyring as a component (via manifest), or should I use the plugin (keyring_file.so) via early-plugin-load?
- Has anyone successfully used component_keyring_file specifically as a component in Percona?
- Is it possible Percona is ignoring the manifest at /usr/, even if the basedir is correct?
Any help or guidance is appreciated. I can provide configs and logs if needed. Thank you!
I have the same issue with the keyring component and cannot resolve it. Could the community help to fix the issue?
I was able to successfully activate the keyring file component for Percona Server 8.4.4. I followed the same steps for PS 8.0.X
- Create mysqld.my inside basedir
$ cat ~/dbdeployer/opt/mysql/ps8.4.4/bin/mysqld.my
{ "components": "file://component_keyring_file" }
- Create component config inside plugins dir
$ cat ~/dbdeployer/opt/mysql/ps8.4.4/lib/plugin/component_keyring_file.cnf
{ "path": "/home/user/dbdeployer/sandboxes/msb_ps8_4_4/keyring/component_keyring_file", "read_only": false }
- Ensure keyring dir
$ mkdir -p /home/user/dbdeployer/sandboxes/msb_ps8_4_4/keyring
- Start mysql. There is nothing you need to add to my.cnf, so remove those two lines you say you added.
- Evidence:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 8.4.4-4 Percona Server (GPL), Release 4, Revision 844fde07
Copyright (c) 2009-2025 Percona LLC and/or its affiliates
Copyright (c) 2000, 2025, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql [localhost:8404] {msandbox} ((none)) > SELECT * FROM performance_schema.keyring_component_status;
+---------------------+-----------------------------------------------------------------------------+
| STATUS_KEY | STATUS_VALUE |
+---------------------+-----------------------------------------------------------------------------+
| Component_name | component_keyring_file |
| Author | Oracle Corporation |
| License | GPL |
| Implementation_name | component_keyring_file |
| Version | 1.0 |
| Component_status | Active |
| Data_file | /home/user/dbdeployer/sandboxes/msb_ps8_4_4/keyring/component_keyring_file |
| Read_only | No |
+---------------------+-----------------------------------------------------------------------------+
8 rows in set (0.00 sec)
mysql [localhost:8404] {msandbox} ((none)) > INSTALL PLUGIN keyring_udf SONAME 'keyring_udf.so';
Query OK, 0 rows affected (0.01 sec)
mysql [localhost:8404] {msandbox} ((none)) > use test;
Database changed
mysql [localhost:8404] {msandbox} (test) > CREATE FUNCTION keyring_key_generate RETURNS INTEGER SONAME 'keyring_udf.so';
Query OK, 0 rows affected (0.01 sec)
mysql [localhost:8404] {msandbox} (test) > SELECT keyring_key_generate('MyKey', 'DSA', 256);
+-------------------------------------------+
| keyring_key_generate('MyKey', 'DSA', 256) |
+-------------------------------------------+
| 1 |
+-------------------------------------------+
1 row in set (0.00 sec)
mysql [localhost:8404] {msandbox} (test) > CREATE FUNCTION keyring_key_fetch RETURNS STRING SONAME 'keyring_udf.so';
Query OK, 0 rows affected (0.01 sec)
mysql [localhost:8404] {msandbox} (test) > SELECT LEFT(HEX(keyring_key_fetch('MyKey')), 100);
+------------------------------------------------------------------------------------------------------+
| LEFT(HEX(keyring_key_fetch('MyKey')), 100) |
+------------------------------------------------------------------------------------------------------+
| F2C5CE04AA32A00264ACF72D5262C31033F4FB242B36D034A4193CE0E96D0FD0A8887AC296BBF17CF39CDC851B4D530E388D |
+------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
mysql [localhost:8402] {msandbox} (test) > ALTER TABLE foo ENCRYPTION='Y';
Query OK, 3 rows affected (0.08 sec)
Records: 3 Duplicates: 0 Warnings: 0
mysqld.my should be in the same directory as the mysqld binary, which I doubt is located at /usr/mysqld
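A preflight check for the layout described in the answer above, as an added example that is not part of the thread and not Percona's or MySQL's code: given the path to the mysqld binary and the plugin directory, it reports a manifest that is not beside the binary, a missing or malformed component_keyring_file.cnf, and a keyring directory that does not exist. The function name and the group/world-writable check are assumptions added here.

```python
import json
import os
import stat

COMPONENT = "file://component_keyring_file"  # URN shown in the thread's manifest

def _load(path, findings):
    """Parse a JSON object from path; record a finding instead of raising."""
    try:
        with open(path) as fh:
            data = json.load(fh)
    except FileNotFoundError:
        findings.append(f"missing: {path}")
        return None
    except json.JSONDecodeError as exc:
        findings.append(f"invalid JSON in {path}: {exc.msg}")
        return None
    if not isinstance(data, dict):
        findings.append(f"not a JSON object: {path}")
        return None
    return data

def check_keyring_component(mysqld_binary, plugin_dir):
    """Return a list of findings; an empty list means the layout looks right."""
    findings = []
    # The manifest is read from the directory holding the mysqld binary.
    manifest = os.path.join(os.path.dirname(os.path.abspath(mysqld_binary)), "mysqld.my")
    config = os.path.join(plugin_dir, "component_keyring_file.cnf")
    doc = _load(manifest, findings)
    if doc is not None:
        urns = [u.strip() for u in str(doc.get("components", "")).split(",")]
        if COMPONENT not in urns:
            findings.append(f"{manifest}: {COMPONENT} not in 'components'")
    cfg = _load(config, findings)
    if cfg is not None:
        keydir = os.path.dirname(str(cfg.get("path", "")))
        if not keydir:
            findings.append(f"{config}: no usable 'path'")
        elif not os.path.isdir(keydir):
            findings.append(f"keyring directory does not exist: {keydir}")
        if "read_only" not in cfg:
            findings.append(f"{config}: no 'read_only' key")
    # Hardening check (an assumption added here): anyone who can edit these
    # files controls which component loads and where key material is written.
    for path in (manifest, config):
        if os.path.exists(path) and os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"group/world-writable: {path}")
    return findings
```

On the layout from the original question, `check_keyring_component("/usr/sbin/mysqld", "/usr/lib/mysql/plugin")` would report the manifest as missing from `/usr/sbin/`, assuming the binary lives there.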
Hi matthewb! Ty so much!!! Correct, that's my mistake…
mysql> SHOW VARIABLES LIKE 'basedir';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| basedir       | /usr/ |
+---------------+-------+
1 row in set (0.02 sec)
not actual info