Oracle MySQL and Entrust KeyControl Integration Guide

- Solutions
  - Strong Identities
    1. Identity Verification
      Enable high assurance identities that empower citizens.
    2. ID Issuance
      Issue safe, secure digital and physical IDs in high volumes or instantly.
    3. User Identity
      Elevate trust by protecting identities with a broad range of authenticators.
    4. Machine Identity
      Issue and manage strong machine identities to enable secure IoT and digital transformation.
    5. Digital Signature
      Use secure, verifiable signatures and seals for digital documents.
  - Secure Payments
    1. Financial Issuance
      Issue digital and physical financial identities and credentials instantly or at scale.
    2. Digital Card Solution
      Issue digital payment credentials directly to cardholders from your bank's mobile app.
  - Trusted Infrastructure
    1. Post-Quantum Cryptography
      Find, assess, and prepare your cryptographic assets for a post-quantum world.
    2. Database Security
      Secure databases with encryption, key management, and strong policy and access control.
    3. Multi-cloud Security
      Keys, data, and workload protection and compliance across hybrid and multi-cloud environments.
- Industry
- Compliance
  - 1. PSD2
    2. HIPAA
    3. GDPR
    4. Swift
  - 1. CMMC
    2. eIDAS
    3. NITES
- Featured Products
  - As a Service Products
    1. Identity Verification as a Service
      Citizen verification for immigration, border management, or eGov service delivery.
    2. Identity as a Service (IDaaS)
      Cloud-based Identity and Access Management solution.
    3. Digital Signing as a Service
      Cloud-based digital signing solutions.
    4. Instant ID as a Service
      Issue physical and mobile IDs with one secure platform.
  - 1. Digital Card Solution
      Instantly provision digital payment credentials directly to cardholder’s mobile wallet.
    2. PKI as a Service
      A highly secure PKI that’s quick to deploy, scales on-demand, and runs where you do business.
    3. nShield as a Service
      Subscription-based access to dedicated nShield HSMs for cloud-based cryptographic services.
    4. Seamless Travel as a Service
      Remote identity verification, digital travel credentials, and touchless border processes.
  - 1. Instant Financial Issuance
      In-branch and self-service kiosk issuance of debit and credit cards.
    2. Central Financial Issuance
      High volume financial card issuance with delivery and insertion options.
    3. Instant ID Issuance
      Secure issuance of employee badges, student IDs, membership cards and more.
    4. Central ID Issuance
      Passports, national IDs and driver licenses.
    5. nShield HSMs
      Securely generate encryption and signing keys, create digital signatures, encrypting data and more.
  - 1. Cloud Security, Encryption and Key Management
      Powerful encryption, policy, and access control for virtual and public, private, and hybrid cloud environments.
    2. Digital Certificates
      TLS/SSL, digital signing, and qualified certificates plus services and tools for certificate lifecycle management.
    3. Identity and Access Management (IAM)
      One Identity portfolio for all your users — workforce, consumers, and citizens.
    4. Machine Identity Management
      Centralized visibility, control, and management of machine identities.
    5. Post-Quantum
      Learn what steps to take to migrate to quantum-resistant cryptography.
- Enterprise ID & Issuance
  - Instant ID as a Service
    Issue physical and mobile IDs with one secure platform.
    Learn More
  - Instant Issuance
    1. Sigma Direct-to-Card System
    2. Artista Retransfer System
    3. System Software
      Personalization, encoding and activation.
    4. Supplies
    5. Services
- Financial ID & Issuance
  - Digital Card Solution
    Instantly provision digital payment credentials directly to cardholder’s mobile wallet.
    Learn More
  - Digital Banking
    1. Digital Account Opening
    2. Digital Card Solution
  - Instant Issuance
    1. Sigma Direct-to-Card System
    2. Artista Retransfer System
    3. System Software
      Personalization, encoding and activation.
    4. Supplies
    5. Services
  - Central Issuance
    1. Card Issuance Systems
    2. Inline Card Delivery Systems
    3. Inline Envelope Insertion Systems
    4. Standalone Card Affixing/Envelope Insertion Systems
    5. Standalone Envelope Insertion Systems
    6. System Software
      Personalization, encoding, delivery and analytics.
    7. Supplies
    8. Services
- Government ID & Issuance
  - Digital Citizen
    1. eGovernment service delivery
    2. Identity Verification as a Service
    3. Seamless Travel as a Service
    4. ePassport as a Service
  - Central Issuance
    1. Passports, national IDs and driver licenses.
    2. Passport Issuance Systems
    3. National ID and Driver License Systems
    4. Inline Delivery & Insertion
    5. Standalone Delivery & Insertion
    6. System Software
      ID Personalization, encoding and delivery.
    7. Supplies
    8. Services
  - Instant Issuance
    1. Other citizen IDs and licenses.
    2. Sigma Direct-to-Card System
    3. Artista Retransfer System
    4. System Software
      Personalization, encoding, delivery and analytics.
    5. Supplies
    6. Services
  - Identity Verification as a Service
    Our IDVaaS solution allows remote verification of an individual’s claimed identity for immigration, border management, or digital services delivery.
    Learn More
- Cloud Security Posture Management
  - 1. CloudControl Enterprise for AWS
      Secure and ensure compliance for AWS configurations across multiple accounts, regions and availability zones.
    2. CloudControl Enterprise for Containers
      Security compliance and environmental hardening solution for contains and Kubernetes using VMware Tanzu and RedHat OpenShift platforms.
    3. CloudControl Enterprise for Swift
      Meet the compliance requirements for Swift’s Customer Security Program while protecting virtual infrastructure and data.
    4. CloudControl Enterprise for vSphere and NSX
      Comprehensive compliance, multi-factor authentication, secondary approval, RBAC for VMware vSphere NSX-T and VCF.
    5. CloudControl Foundation for vSphere
      Comprehensive compliance for VMware vSphere, NSX-T and SDDC and associated workload and management domains
  - CloudControl 30-Day Free Trial
    Entrust CloudControl offers comprehensive security and automated compliance across virtualization, public cloud, and container platforms while increasing visibility and decreasing risks that can lead to unintended downtime or security exposure.
    Start Free Trial
- Key Management and Encryption
  - 1. KeyControl for KMIP and Secrets
      Manage all your secrets and encryption keys, including how often you rotate and share them, securely at scale.
    2. KeyControl BYOK
      Create and manage encryption keys on premises and in the cloud. Manage your key lifecycle while keeping control of your cryptographic keys.
    3. KeyControl for Database Encryption
      Integrates with your database for secure lifecycle management of your TDE encryption keys.
    4. KeyControl for Backup and Recovery
      Integrates with your backup and recovery solution for secure lifecycle management of your encryption keys.
  - 1. DataControl for Azure
      Data encryption, multi-cloud key management, and workload security for Azure.
    2. DataControl for AWS
      Data encryption, multi-cloud key management, and workload security for AWS.
    3. DataControl for IBM Cloud
      Data encryption, multi-cloud key management, and workload security for IBM Cloud.
  - KeyControl 30-Day Free Trial
    VMware vSphere and vSAN encryption require an external key manager, and KeyControl is VMware Ready certified and recommended. KeyControl enables enterprises to easily manage all their encryption keys at scale, including how often keys are rotated, and how they are shared securely.
    Start Free Trial
- Hardware Security Modules (HSM)
  - nShield as a Service
    1. Subscription-based access to dedicated nShield Cloud HSMs.
  - nShield HSMs
    1. nShield Connect
      Networked appliances that deliver cryptographic key services to distributed applications.
    2. nShield Solo
      PCI-Express card-based HSMs.
    3. nShield Edge
      Personal, USB-connected desktop HSMs.
  - Management and Monitoring
    1. nShield Monitor
    2. nShield Remote Administration
  - CodeSafe
    1. SDK for securing sensitive code within a FIPS 140-2 Level 3 certified nShield HSM.
    2. Post-Quantum SDK
  - Software Option Packs
  - Compliance and Certification
    1. FIPS 140-2/140-3
    2. Common Criteria
    3. eIDAS
    4. NIST 800-53
    5. GDPR
    6. PSD2
    7. HIPAA
    8. PCI-DSS
    9. NITES
  - Why you need an HSM
    1. Learn about all the details related to what hardware security modules offer you in security and cost savings...
    2. Learn More
  - Use Cases
- TLS/SSL Certificates
  - BUY NOW
    1. Buy Certificates
    2. Renew Certificates
  - TLS/SSL Certificates
  - Qualified Certificates
  - Sales and Services
- Identity and Access Management (IAM)
  - Products
    1. Identity as a Service
      Cloud-Based IAM
    2. Identity Enterprise
      On-prem IAM
    3. Identity Essentials
      On-prem MFA solution for Windows users
    4. APIs and SDKs
  - Integrations
  - Testimonials
  - Workforce
  - Consumer and Citizen
  - Get Entrust Identity as a Service Free for 60 Days
    Explore the Identity as a Service platform that gives you access to best-in-class MFA, SSO, adaptive risk-based authentication, and a multitude of advanced features that not only keep users secure, but also contribute to an optimal experience.
    Start Free Trial
- Electronic and Digital Signing
  - EU Qualified Trust Services
    In addition to our long-standing Adobe Approved Trust List (AATL) membership, we are a European Qualified Trust Service Provider for the issuance of eIDAS qualified certificates for qualified signatures and advanced seals, for PSD2 certificates and for QWACs
    Learn More
  - Digital Signing as a Service
  - Digital Signing Certificates
  - Digital Signing Infrastructure
- Public Trust Certificates
  - Verified Mark Certificates (VMCs) for BIMI
    Show your official logo on email communications. Download our white paper to learn all you need to know about VMCs and the BIMI standard.
    Learn More
  - Buy and Renew TLS/SSL Certificates
    1. Buy Certificates
    2. Renew Certificates
  - Signing Certificates
  - Qualified Certificates
    1. PSD2 Qualified Electronic Seal Certificates
  - Sales and Services
- Public Key Infrastructure (PKI)
  - PKI as a Service
    1. Use Cases
    2. Post-Quantum PKIaaS
  - PKI Products
  - Managed Services
  - Certificate Lifecycle Management
  - Cryptographic Center of Excellence
    1. PKI Health Check
    2. Cryptographic Health Check
  - Try Post-Quantum PKI as a Service Now
    Get PQ Ready. PKIaaS PQ provides customers with composite and pure quantum Certificate Authority hierarchies.
    Try Now
- Internet of Things (IoT) Security
  - Credentialing and Provisioning
  - Machine Identity Management
  - Global PKI IoT Trends Study
    Find out how organizations are using PKI and if they’re prepared for the possibilities of a more secure, connected world.
    Learn More
- Machine Identity Management
  - Lifecycle Management
  - Credentialing and Provisioning
  - The State of Machine Identity Management
    A recent survey by IDG uncovered the complexities around machine identities and the capabilities that IT leaders are seeking from a management solution.
    Get the White Paper
- Post-Quantum
  - Issuance and Provisioning
    1. PKI as a Service PQ
    2. PQ Standards and Research
  - Cryptographic Center of Excellence
    1. Crypto Health Check
    2. PKI Health Check
  - Are you ready for the threat of post-quantum computing?
    Know where your path to post-quantum readiness begins by taking our assessment.
    Begin Assessment
- Partners
  - Become an Entrust Partner
    Our partner programs can help you differentiate your business from the competition, increase revenues, and drive customer loyalty. Consider joining one or more of our Entrust partner programs and strategically position your company and brand in front of as many potential customers as possible.
    Learn More
  - Partner Directory
    Search for partners based on location, offerings, channel or technology.
    Search for a Partner
  - Programs
  - Partner Logins
- Support & Services
  - Contact Support
  - TrustedCare
    Product downloads, technical support, marketing development funds.
    Learn More
  - Digital Security Knowledge Base
    Guides, white papers, installation help, FAQs and certificate services tools.
    Learn More
  - Issuance Systems Knowledge Base
    Technotes, product bulletins, user guides, product registration, error codes and more.
    Learn More
  - PKI Professional Services
  - Cryptographic Center of Excellence
    Construct best practices and define strategies that work across your unique IT environment.
    Learn More
  - Custom Cryptographic Solutions
    1. Code Signing
    2. HSM Application Integration
  - Product Deployment Services
  - Packaged Services
  - Training
- Resources
  - Issuance Systems Knowledge Base
    Technotes, product bulletins, user guides, product registration, error codes and more.
    Learn More
  - Digital Security Knowledge Base
    Guides, white papers, installation help, FAQs and certificate services tools.
    Learn More
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- About Entrust
  - Securing a World in Motion Since 1969
    We’ve established secure connections across the planet and even into outer space. We’ve enabled reliable debit and credit card purchases with our card printing and issuance technologies. Protected international travel with our border control solutions. Created secure experiences on the internet with our SSL technologies. And safeguarded networks and devices with our suite of authentication products.
    Explore Our History
  - 1. Leadership
    2. Blog
    3. Careers
    4. Events
    5. Webinars
    6. Podcasts
    7. News Articles
    8. Press Releases
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Shop
  - Entrust Certificate Services Portal
    Existing Entrust Certificate Services customers can login to issue and manage certificates or buy additional services.
    Learn More
  - Entrust Certificate Services Retail
    Shop for new single certificate purchases.
    Learn More
  - Entrust Certificate Services Partner Portal
    Existing partners can provision new customers and manage inventory.
    Learn More
  - Instant Financial Card Issuance Supplies
    1. Registered Customer Login
    2. Request Access
- Search Entrust
  - Search:

Introduction
Procedures

Introduction

This document describes the integration of Oracle MySQL Enterprise Server with the Entrust KeyControl Key Management Solution (KMS). Entrust KeyControl can serve as a KMS in Oracle MySQL using the open standard Key Management Interoperability Protocol (KMIP).

Documents to read first

This guide describes how to configure the Entrust KeyControl server as a KMS in Oracle MySQL.

To install and configure the Entrust KeyControl server as a KMIP server, see the Entrust KeyControl nshield HSM Integration Guide . You can access this in the Entrust Document Library.

Also refer to the Oracle MySQL online documentation .

Requirements

Entrust KeyControl version 5.5 or later.

An Entrust KeyControl license is required for the installation. You can obtain this license from your Entrust KeyControl and Oracle MySQL account team or through Entrust KeyControl customer support.
MySQL Enterprise Server 8.0.29 or later.

High-availability considerations

The Entrust KeyControl solution uses an active-active deployment, which provides high-availability capability to manage encryption keys. Entrust recommends this deployment configuration. In an active-active cluster, changes made to any KeyControl node in the cluster are automatically reflected on all nodes in the cluster. For information about the Entrust KeyControl solution, see the Entrust KeyControl Product Overview .

Product configuration

The integration between the Oracle MySQL Enterprise Server, Entrust KeyControl, and nshield HSM has been successfully tested in the following configurations:

Product	Version
CentOS Linux 8	4.18.0-383.el8.x86_64
Oracle MySQL Enterprise Server	8.0.29
Entrust KeyControl	5.5
MySQL Keyring_okv library	1.10

Procedures

Installation overview

Follow these steps to integrate Oracle MySQL Enterprise Server with Entrust KeyControl.

Install and configure Entrust KeyControl .
Create the KMIP Tenant for Oracle MySQL in KeyControl .
Create the KMIP Certificates .
Install the Oracle MySQL server .
Install the keyring_okv plugin .
Import the KeyControl KMIP Certificates to the keyring_okv plugin .
Verify that the keyring_okv plugin is working .
Use keyring_okv plugin to create encrypted tables .
Test that encryption KeyControl is working .
Secure the MySQL database .

Install and configure Entrust KeyControl

Follow the installation and setup instructions in the Entrust KeyControl nshield HSM Integration Guide . You can access this in the Entrust Document Library.

Make sure the Entrust KeyControl tenant gets created and KMIP certificates are generated for OracleMySQL. These certificates are used in the configuration of the KMS described below.

Create the KMIP Tenant for Oracle MySQL in KeyControl

To use external key management, MySQL requires an external key management server such as the Entrust KeyControl server. Certificates are required to facilitate the KMIP communications from the KeyControl server to Oracle MySQL and conversely. To be able to create these certificates, you need to have the KMIP tenant for the application in KeyControl.

Now that Entrust KeyControl is installed, create a KMIP Tenant in KeyControl for Oracle MySQL:

Log in to the KeyControl instance.

Point your browser to the KeyControl administration URL: http://xx.xxx.xx.xxx
Log in as secroot and go to the KMIP page of the application:
Select Actions > Create a KMIP Tenant .

The Create a KMIP Tenant dialog appears.
In the About tab, enter the tenant name information:
1. For Name , enter OracleMySQL .
2. Optionally, enter a Description .
Select Next .
In the Admin tab, provide an Active Directory:
1. For Active Directory , select Other Active Directory .
2. In Active Directory Domain , select "+" .
  
  The KMIP Active Directory Domain dialog appears.
3. For Domain Name , enter the name of the domain. For example, : example.com .
4. In Domain Controllers , select "+" .
  
  The Add Domain Controller dialog appears.
  
  For Server URL , select LDAP and enter the FQDN/IP of the Active directory server: xx.xxx.xx.xx .
  
  Then select Save and Close .
5. Select Save and Close on the KMIP Active Directory Domain dialog.
6. For Admin , select User .
7. For Name , enter the name of the Active Directory user that will be the administrator of the tenant: [email protected] .
8. For Email , enter the email of the administrator user.
9. Select Create .
  
  The new KMIP tenant is created and appears in the list of tenants.
Select the tenant to see its details.
Copy the Tenant Login URL.

The tenant login URL will be used to log in to the Tenant Administration page in KeyControl.

Create the KMIP Certificates

To be able to establish trust between the KeyControl and Oracle MySQL, you must create certificates in KeyControl and upload/import them into the configuration of Oracle MySQL.

Important

Entrust tested using certificates without password protection. The MySQL online documentation describes the steps needed to use a password-protected keyring_okv key, see Password-Protecting the keyring_okv Key File .

Access the KeyControl web interface using the Tenant Administration URL you copied in the previous section.
Log in using the Tenant administrator user that you configured during the tenant creation process: [email protected] . Provide the user Active Directory password.
Select Security > Client Certificates .

The Manage Client Certificate dialog appears.
Select "+" on the right to create a new certificate.

The Create Client Certificate dialog appears.
In the Create Client Certificate dialog, enter the following information:
1. For Certificate Name , enter a name for the certificate: keyringokv .
2. For Certificate Expiration , set the date on which you want the certificate to expire.
3. Select Create .
The new certificate appears in the Manage Client Certificate dialog.
Select the certificate and select Download to download the certificate.

The certname_<datetimestamp>.zip downloads. This file contains a user certification/key file called certname.pem and a server certification file called cacert.pem .
Unzip the file so that you have these files available to upload to the MySQL server.

After you create and download these certificates, you need to upload or import them into the MySQL server. First, Install the Oracle MySQL server .

Install the Oracle MySQL server

The process for installing the Oracle MySQL Enterprise Edition depends on the operating system on which you are installing it. See the Oracle online documentation for details on how to install Oracle MySQL Enterprise Edition in your environment.

Install the keyring_okv plugin

The keyring_okv plugin is a KMIP 1.1 plugin for KMIP-compatible back-end keyring storage products, such as Entrust KeyControl. It is available in MySQL Enterprise Edition distributions.

The configuration directory used by keyring_okv as the location for its support files should have a restrictive mode and be accessible only to the account used to run the MySQL server. For example, on Unix and Unix-like systems, to use the /usr/local/mysql/mysql-keyring-okv directory, the following commands, executed as root , create the directory and set its mode and ownership:

cd /usr/local
sudo mkdir -p mysql/mysql-keyring-okv/ssl
sudo chmod -R 750 mysql
sudo chown -R mysql mysql
sudo chgrp -R mysql mysql

To be usable during the server startup process, the keyring_okv plugin must be loaded using the --early-plugin-load option. Also, set the keyring_okv_conf_dir system variable to tell keyring_okv where to find its configuration directory. Edit the /etc/my.cnf file and add the plugin into the mysqld section:

[mysqld]
early-plugin-load=keyring_okv.so
keyring_okv_conf_dir=/usr/local/mysql/mysql-keyring-okv

Import the KeyControl KMIP Certificates to the keyring_okv plugin

The certificates must be installed before running the keyring_okv plugin, so that the plugin can be initialized.

Import the certificates into the configuration directory for the keyring_okv plugin.

The following files need to be imported:
- A <cert_name>.pem file that includes both the client certificate and private key. The administrator needs to open this single file and paste the two sections of the file into the cert.pem and key.pem files in the /usr/local/mysql/mysql-keyring-okv/ssl directory.
  The client certificate section of the <cert_name>.pem file includes the lines "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" and all text between them.
  
  Open or create /usr/local/mysql/mysql-keyring-okv/ssl/cert.pem and paste "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" and all text between them into this file. Make sure it has a carriage return at the end of the file.
  
  The private key section of the <cert_name>.pem file includes the lines "-----BEGIN PRIVATE KEY-----" and "-----END PRIVATE KEY-----" and all text in between them.
  
  Open or create /usr/local/mysql/mysql-keyring-okv/ssl/key.pem and paste "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" and all text between them into this file. Make sure it has a carriage return at the end of the file.
- A cacert.pem file, which is the root certificate for the KMS cluster. It is always named cacert.pem .
  
  This file needs to be copied to /usr/local/mysql/mysql-keyring-okv/ssl/CA.pem .
In the configuration directory, create a file named okvclient.ora . It should have following format:
```
SERVER=xxx.xxx.xxx.xxx:5696
STANDBY_SERVER=xxx.xxx.xxx.xxx:5696
```
STANDBY_SERVER is optional.

For example:
```
SERVER=198.51.100.20:5696
STANDBY_SERVER=198.51.100.21:5696
```

Set the permissions on these files:

cd /usr/local/mysql/mysql-keyring-okv
sudo chmod -R 750 mysql .
sudo chown -R mysql .
sudo chgrp -R mysql .

If the firewall is running open up the firewall for port 5696.

As the root user on the mysql server:

% firewall-cmd --zone=public --add-port=5696/tcp --permanent
% firewall-cmd --zone=public --add-port=5696/udp --permanent
% firewall-cmd --reload

Disable selinux the next time the server reboots.

To do this, in the /etc/selinux/config file set SELINUX=disabled .

To disable on the current shell:
```
% sudo setenforce 0
```
After completing the preceding procedure, restart the MySQL server:
```
% sudo systemctl restart mysqld
% sudo systemctl status mysqld
```
It loads the keyring_okv plugin, which uses the files in its configuration directory to communicate with KeyControl.

Verify that the keyring_okv plugin is working

After configuration is complete and you restarted MySQL to load the keyring_okv plugin, look in the /varlog/mysqld.log logs to make sure there are no errors when connecting to KeyControl. To verify the plugin installation, with the MySQL server running, examine the INFORMATION_SCHEMA.PLUGINS table or use the SHOW PLUGINS statement. For example:

mysql> SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'keyring%';
+-------------+---------------+
| PLUGIN_NAME | PLUGIN_STATUS |
+-------------+---------------+
| keyring_okv | ACTIVE        |
+-------------+---------------+
1 row in set (0.00 sec)

Use keyring_okv plugin to create encrypted tables

When you create the first encrypted table, InnoDB will ask keyring_okv to generate the primary key (AES-256) in KeyControl. This primary key is used to encrypt tablespace keys. You can check the primary key in the Tenant KeyControl web interface using the Objects page.

InnoDB also asks KeyControl to generate a key (AES-256) for the encrypting table. The tablespace key is wrapped using the primary key and stored alongside the encrypted table. For subsequent encrypted tables, only the tablespace key is generated and the same primary key is used to wrap the tablespace key.

With KeyControl, you will see a complete audit trail if every time the primary key or tablespace key is retrieved. You will have complete control on these keys. You can revoke access to a key or disable it, to lock down your data at rest.

To create an encrypted table:

Log in into the MySQL database:
```
% mysql -u root -p<password>
```
Create the encrypted table with the following SQL:
```
CREATE DATABASE MySQL_TDE_Test;
USE MySQL_TDE_Test;
CREATE TABLE `test_encryption` (
   `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
   `name` varchar(15) NOT NULL,
   PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=latin1 ENCRYPTION = 'Y';
```
The Objects tab in Tenant KeyControl shows the that the key was created. For example:

You can also check the Audit Logs tab. You should see all the KMIP operations that happened during that key creation process and retrieval. For example:

Test that encryption KeyControl is working

Insert a record to the table that was created earlier:

mysql> USE MySQL_TDE_Test;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

mysql> INSERT INTO test_encryption VALUES (1, 'cleandro');
Query OK, 1 row affected (0.00 sec)

mysql> select * from test_encryption;
+----+----------+
| id | name     |
+----+----------+
|  1 | cleandro |
+----+----------+
1 row in set (0.00 sec)

Edit the MySQL configuration file and disable the keyring_okv plugin:

% sudo vi /etc/my.cnf
#early-plugin-load=keyring_okv.so
#keyring_okv_conf_dir=/usr/local/mysql/mysql-keyring-okv

Restart MySQL:
```
% sudo systemctl restart mysqld
```

Check if you can read the encrypted table:

% mysql -u root -p<password>

mysql> use MySQL_TDE_Test;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

mysql> select * from test_encryption;
ERROR 3185 (HY000): Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully.

The table is not accessible because MySQL cannot get to the master key from the keyring.

Re-enable the keyring in the MySQL configuration file and remove the comments you added previously:

% sudo vi /etc/my.cnf
early-plugin-load=keyring_okv.so
keyring_okv_conf_dir=/usr/local/mysql/mysql-keyring-okv

Restart MySQL:
```
% sudo systemctl restart mysqld
```

Check you can view the encrypted table:

% mysql -u root -p<password>

mysql> use MySQL_TDE_Test;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select * from test_encryption;
+----+----------+
| id | name     |
+----+----------+
|  1 | cleandro |
+----+----------+
1 row in set (0.00 sec)

This shows that the configuration of the keyring_okv plugin using Entrust KeyControl is working.

Secure the MySQL database

The information below was taken from the following Security Technical Implementation Guides (STIG) page and can be used as guideline to address confidentiality and integrity of all information at rest in a MySQL database.

Group Title: SRG-APP-000231-DB-000154
Rule Title: The MySQL Database Server 8.0 must protect the confidentiality and integrity of all information at rest.
Discussion: This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive) within an organizational information system. Applications and application users generate information throughout the course of their application use.

For more information, see InnoDB Data-at-Rest Encryption in the MySQL online documentation.

User-generated data, as well as application-specific configuration data, must be protected. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate.

If the confidentiality and integrity of application data is not protected, the data will be open to compromise and unauthorized modification.

Apply appropriate controls to protect the confidentiality and integrity of data at rest in the database.

Using SQL, determine if all data-at-rest is encrypted:

Check audit_log_encryption :

SELECT VARIABLE_NAME, VARIABLE_VALUE
FROM performance_schema.global_variables where variable_name = 'audit_log_encryption';

If audit_log_encryption is not set to AES , this is important.

Check binlog_encryption :

SELECT VARIABLE_NAME, VARIABLE_VALUE
FROM performance_schema.global_variables where variable_name = 'binlog_encryption';

If binlog_encrypt is not set to ON , this is important.

Check innodb_redo_log_encrypt :

SELECT VARIABLE_NAME, VARIABLE_VALUE
FROM performance_schema.global_variables where variable_name = 'innodb_redo_log_encrypt';

If innodb_redo_log_encrypt is not set to ON , this is important.

Check innodb_undo_log_encrypt :

SELECT VARIABLE_NAME, VARIABLE_VALUE
FROM performance_schema.global_variables where variable_name = 'innodb_undo_log_encrypt';

If innodb_undo_log_encrypt is not set to ON , this is important.

Check general_log :

SELECT VARIABLE_NAME, VARIABLE_VALUE
FROM performance_schema.global_variables
WHERE VARIABLE_NAME like 'general_log';

If general_log is not OFF , this is important.

Using SQL, find the encryption status for all MySQL table and tablespaces:

Check tablespaces:

SELECT
`INNODB_TABLESPACES`.`NAME`,
`INNODB_TABLESPACES`.`ENCRYPTION`
FROM `information_schema`.`INNODB_TABLESPACES`;

If any tablespace does not have ENCRYPTION set to Y (yes) , this is important.

Check innodb_redo_log_encrypt :

SELECT VARIABLE_NAME, VARIABLE_VALUE
FROM performance_schema.global_variables where variable_name = 'table_encryption_privilege_check';

If innodb_redo_log_encrypt is not set to ON , this is important.

Apply appropriate MySQL Database 8.0 controls to protect the confidentiality and integrity of data at rest in the database:

sudo vi /etc/my.cnf
[mysqld]
audit-log=FORCE_PLUS_PERMANENT
audit-log-format=JSON
audit-log-encryption=AES

#Turn on binlog encryption
set persist binlog_encryption=ON;

#Turn on undo and redo log encryption
set persist innodb_redo_log_encrypt=ON;
set persist innodb_undo_log_encrypt=ON;

Enable encryption for a new file-per-table tablespace, ENCRYPTION option in a CREATE TABLE statement. The following example assumes that innodb_file_per_table is enabled:

mysql> CREATE TABLE t1 (c1 INT) ENCRYPTION='Y';

To enable encryption for an existing file-per-table tablespace, specify the ENCRYPTION option in an ALTER TABLE statement:

mysql> ALTER TABLE t1 ENCRYPTION='Y';

To disable encryption for file-per-table tablespace, set ENCRYPTION='N' using ALTER TABLE :

mysql> ALTER TABLE t1 ENCRYPTION='N';

To disable general_log :

SET PERSIST general_log = 'OFF';

Table of Contents
Introduction
Procedures

RESOURCES

Integration Guide
Oracle MySQL and Entrust KeyControl Integration Guide

Table of Contents

Introduction

Documents to read first

Requirements

High-availability considerations

Product configuration

Procedures

Installation overview

Install and configure Entrust KeyControl

Create the KMIP Tenant for Oracle MySQL in KeyControl

Create the KMIP Certificates

Install the Oracle MySQL server

Install the keyring_okv plugin

Import the KeyControl KMIP Certificates to the keyring_okv plugin

Verify that the keyring_okv plugin is working

Use keyring_okv plugin to create encrypted tables

Test that encryption KeyControl is working

Secure the MySQL database