mysql 表空间加密,MySql(8.0)基于docker部署（加密存储表空间）

说明：

MySql社区版的加密方式只支持keyring_file的方式；

目前我找到的加密只能针对表来，不能针对整个库使用。

1. 宿主机创建映射目录

正常情况下，我个人喜欢创建两个目录，一个映射配置文件，一个映射存储文件。

映射配置文件

sudo mkdir -p /opt/mysql/config

映射存储文件

sudo mkdir -p /data/mysql/data

2. 创建映射配置文件

从其他地方拷贝两个映射文件my.cnf，mysql.cnf。这个建议从你自己的镜像里面拷贝。具体拷贝方法，请移步从镜像中拷贝my.cnf，mysql.cnf。

1)my.cnf文件

# Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.

#

# This program is free software; you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation; version 2 of the License.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program; if not, write to the Free Software

# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA

#

# The MySQL Server configuration file.

#

# For explanations see

# http://dev.mysql.com/doc/mysql/en/server-system-variables.html

[mysqld]

# 配置加密方式使用keyring_file

early-plugin-load=keyring_file.so

# 配置加密需要的keyring地址，如果没有会默认创建，但是需要有目录权限

keyring_file_data=/opt/mysql/mysql-keyring/keyring

# 设置表空间加密

innodb_file_per_table=1

pid-file = /var/run/mysqld/mysqld.pid

socket = /var/run/mysqld/mysqld.sock

datadir = /var/lib/mysql

secure-file-priv= ''

default-time_zone = '+8:00'

sql_mode=ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION

# Disabling symbolic-links is recommended to prevent assorted security risks

symbolic-links=0

# Custom config should go here

!includedir /etc/mysql/conf.d/

这个文件主要修改的地方如下：

early-plugin-load=keyring_file.so # 配置加密方式使用keyring_file

keyring_file_data=/opt/mysql/mysql-keyring/keyring # 配置加密需要的keyring地址，如果没有会默认创建，但是需要有目录权限

innodb_file_per_table=1 # 设置表空间加密

2)mysql.cnf文件

# Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.

#

# This program is free software; you can redistribute it and/or modify

# it under the terms of the GNU General Public License, version 2.0,

# as published by the Free Software Foundation.

#

# This program is also distributed with certain software (including

# but not limited to OpenSSL) that is licensed under separate terms,

# as designated in a particular file or component or in included license

# documentation. The authors of MySQL hereby grant you an additional

# permission to link the program and your derivative works with the

# separately licensed software that they have included with MySQL.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License, version 2.0, for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program; if not, write to the Free Software

# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA

#

# The MySQL Client configuration file.

#

# For explanations see

# http://dev.mysql.com/doc/mysql/en/server-system-variables.html

[mysql]

#sql_mode=STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION

这个文件，主要屏蔽了#sql_mode，mysql8以上版本，本机登录会有问题。具体原因没有查找。

3. 配置启动docker容器

sudo docker run --name mysql --restart=always --privileged=true -p 3306:3306 -v /opt/mysql/config/mysql.cnf:/etc/mysql/conf.d/mysql.cnf -v /opt/mysql/config/my.cnf:/etc/mysql/my.cnf -v /data/mysql/data:/var/lib/mysql -v /etc/localtime:/etc/localtime:ro -e MYSQL_ROOT_PASSWORD="root123" -d mysql --lower_case_table_names=1

参数解释：

容器名字：--name mysql

随docker服务启动：--restart=always

给容器授权：--privileged=true

端口映射：-p 3306:3306 #前面为宿主机端口，：后面为容器内部端口

配置文件映射：-v /opt/mysql/mysql3307/config/mysql.cnf:/etc/mysql/conf.d/mysql.cnf -v /opt/mysql/mysql3307/config/my.cnf:/etc/mysql/my.cnf

存储文件映射(目录)：-v /data/mysql/data3307:/var/lib/mysql

宿主机与容器内部时间同步：-v /etc/localtime:/etc/localtime:ro

设置MySql密码：-e MYSQL_ROOT_PASSWORD="root123"

设置MySql忽略大小写：--lower_case_table_names=1

其实这个时候，MySql虽然服务已经启动，但是加密的插件没有部署好。是因为“/opt/mysql/mysql-keyring”该目录不存在，而且MySql容器内部默认使用的用户是mysql，不是root，没有目录权限。所以初始化插件失败。

1)进入容器

#查看容器运行情况,找到容器ID

sudo docker ps

NAMES

c66a9075448c mysql "docker-entrypoint.s…" 37 minutes ago

#进入容器

docker exec -it c66a9075448c /bin/bash

2)创建目录，并且更改目录所属用户

mkdir -p /opt/mysql/mysql-keyring

cd /opt/mysql

chmod 750 mysql-keyring

chown mysql mysql-keyring

chgrp mysql mysql-keyring

重启MySQL服务

sudo docker restart c66a9075448c

#查询容器是否已运行

sudo docker ps

4. 查询和配置加密方式

1)首先查询加密插件是否已正确配置

#查看容器运行情况,找到容器ID

sudo docker ps

NAMES

c66a9075448c mysql "docker-entrypoint.s…" 37 minutes ago

#进入容器

docker exec -it c66a9075448c /bin/bash

########进入容器后######

mysql -u root -p

##输入密码，进入mysql

######进入mysql后#####

#配置使用mysql库

mysql> use mysql;

#查询插件

mysql> SELECT PLUGIN_NAME, PLUGIN_STATUS

FROM INFORMATION_SCHEMA.PLUGINS

WHERE PLUGIN_NAME LIKE 'keyring%';

+--------------+---------------+

| PLUGIN_NAME | PLUGIN_STATUS |

+--------------+---------------+

| keyring_file | ACTIVE |

+--------------+---------------+

看到上图，表示插件已经正确加载，如果没有加载成功，可以参考MySql的官网文件进行配置。

2)配置加密表

正确的使用方法为：在CREATE TABLE 后面加 ENCRYPTION='Y'，如下图所示：

/*

1. 为新表加密

2. 插入数据至新表

3. 取消表加密

4. 开启表加密

5. 查看加密表

*/

mysql> CREATE TABLE mydata.test_1 (id INT primary key,age int) ENCRYPTION='Y';

Query OK, 0 rows affected (0.02 sec)

mysql> insert into test_1 select 9,9;

Query OK, 1 row affected (0.00 sec)

Records: 1 Duplicates: 0 Warnings: 0

mysql> ALTER TABLE mydata.test_1 ENCRYPTION='N';

Query OK, 0 rows affected (0.03 sec)

Records: 0 Duplicates: 0 Warnings: 0

mysql> ALTER TABLE mydata.test_1 ENCRYPTION='Y';

Query OK, 0 rows affected (0.02 sec)

Records: 0 Duplicates: 0 Warnings: 0

mysql> show create table mydata.test_1;select * from mydata.test_1;

+--------+------------------------------------------------------------------------------------------------------------------------------------------------------------+

| Table | Create Table |

+--------+------------------------------------------------------------------------------------------------------------------------------------------------------------+

| test_1 | CREATE TABLE `test_1` (

`id` int(11) NOT NULL,

`age` int(11) DEFAULT NULL,

PRIMARY KEY (`id`)

) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ENCRYPTION='Y' |

+--------+------------------------------------------------------------------------------------------------------------------------------------------------------------+

1 row in set (0.11 sec)

+----+------+

| id | age |

+----+------+

| 9 | 9 |

+----+------+

1 row in set (0.00 sec)

/*

删除当前的 keyring，使用备份的 keyring 恢复到原路径并重启，此时再查看 mydata.test_1 会查看成功。因为 mydata.test_1 加密解密用的 keyring 一样

*/

[root@localhost ~]# rm -rf /opt/mysql/keyring/3306/keyring

[root@localhost ~]# mv /root/keyring /opt/mysql/keyring/3306/

[root@localhost ~]# systemctl restart mysqld_3306

[root@localhost ~]# mysql -h10.186.63.90 -uroot -p -P3306 -e"show create table mydata.test_1;select * from mydata.test_1;"

Enter password:

+--------+------------------------------------------------------------------------------------------------------------------------------------------------------------+

| Table | Create Table |

+--------+------------------------------------------------------------------------------------------------------------------------------------------------------------+

| test_1 | CREATE TABLE `test_1` (

`id` int(11) NOT NULL,

`age` int(11) DEFAULT NULL,

PRIMARY KEY (`id`)

) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ENCRYPTION='Y' |

+--------+------------------------------------------------------------------------------------------------------------------------------------------------------------+

+----+------+

| id | age |

+----+------+

| 9 | 9 |

+----+------+

3)查询加密表

-- 查看加密的表：

SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES WHERE CREATE_OPTIONS LIKE '%ENCRYPTION%';

-- 查看未加密的表：

select concat(TABLE_SCHEMA,".",TABLE_NAME) from INFORMATION_SCHEMA.TABLES where (TABLE_SCHEMA,TABLE_NAME) not in (SELECT TABLE_SCHEMA,TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE CREATE_OPTIONS LIKE '%ENCRYPTION%' and table_schema not in ('information_schema','performance_schema','sys','mysql','universe')) and TABLE_SCHEMA in ('mydata');

5. 采坑较多的问题

问题1：加密插件无论如何配置都不好用？

解答： 我的解决思路如下：

1) 通过 sudo docker logs mysql 查看启动日志，发现如下问题

2020-06-17T06:22:55.048648Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.20) starting as process 1

2020-06-17T06:22:55.055447Z 0 [ERROR] [MY-011370] [Server] Plugin keyring_file reported: 'File '/opt/mysql/mysql-keyring/keyring' not found (OS errno 2 - No such file or directory)'

2020-06-17T06:22:55.055506Z 0 [ERROR] [MY-011355] [Server] Plugin keyring_file reported: 'keyring_file initialization failure. Please check if the keyring_file_data points to readable keyring file or keyring file can be created in the specified location. The keyring_file will stay unusable until correct path to the keyring file gets provided'

2020-06-17T06:22:55.055543Z 0 [ERROR] [MY-010202] [Server] Plugin 'keyring_file' init function returned error.

2)很明显文件和文件夹都没有，按理说应该自动创建，为什么没有创建？是不是权限问题？可以手动创建并授权吗？

然后我手动创建目录/opt/mysql/mysql-keyring/，并授权，解决问题。

问题2：MySql的大小写忽略不好用

1)我已在my.cnf文件中配置 lower_case_table_names=1，但是大小写忽略，就是不能使用。而且服务启动经常失败。我也不知道具体原因。

2) 后面通过服务启动时设置 --lower_case_table_names=1 来解决问题。