We've recently been upgrading our MySQL servers from 8.0 to 8.4.
We use a keyring file to encrypt our table data.
This option has been removed in 8.4, and the migration docs to move from keyring files to component aren't particularly clear.
There's a few quirks that are worth knowing about, but below is our process from migration!
cat >> /etc/yum.repos.d/mysql-community.repo
[mysql84-community]
name=MySQL 8.4 Community Server
baseurl=http://repo.mysql.com/yum/mysql-8.4-community/el/8/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-mysql-2023
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-mysql-2022
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-mysql"path": "/var/lib/mysql-keyring/component_keyring_datafile",
"read_only": false
}
Now, don't create the /usr/sbin/mysqld.my file else the migration will fail
You may need to temporarily edit your /etc/my.cnf to remove unknown entries that the migration process doesn't understand (but you can keep the leave server running).
You won't get a success message, just no fatal error messages
mysqld --user=root --keyring-migration-to-component --keyring-migration-source=keyring_file.so --keyring-migration-destination=component_keyring_file.so --keyring-migration-socket=/var/lib/mysql/mysql.sock --keyring-migration-user=root --keyring-migration-password=PASSWORDThis will enable the new component
cat > /usr/sbin/mysqld.my
{
"read_local_manifest": false,
"components": "file://component_keyring_file"
}Now disable the keyring options in your my.cnf and reboot the server
You should be able to still read your data, and check that the component status is active:
SELECT * FROM performance_schema.keyring_component_status;yum updateIf you're still using the old MySQL native password, you now need to explicity turn it back on:
mysql_native_password=ONAnd you may want to check that you're on the version you expect to be:
SELECT VERSION()Anyway, hope that all helps :)
