What needs positioning
Percona Server for MySQL is adding the Keyring Encrypted File Component, an open source equivalent of a keyring component Oracle ships only in MySQL Enterprise Edition. It stores keyring data (encryption keys and secrets) in an encrypted, password-protected file local to the server host, a more secure local option than the plaintext component_keyring_file, with no external KMS dependency. Exact behavior, component name, and configuration to confirm with engineering.
What is shipping and when
- Percona Server for MySQL and Percona XtraDB Cluster 8.4.11 and 9.7.2, estimated Q3 2026 (per the MySQL Release Timeline).
- PXC: inherited from Percona Server at the same version (PXC engineering).
- Engineering owner: Catalin Beșleaga. Jira: PS-11106.
- Mechanism (to confirm): encrypted, password-protected local file (AES-256-CBC with a PBKDF2-derived key).
Why it matters (Security, Sovereignty, and Compliance)
- Enterprise parity in open source: a keyring option Oracle restricts to MySQL Enterprise Edition, available here in standard open source builds without Enterprise licensing.
- Stronger local key custody for transparent data-at-rest encryption (TDE) than the plaintext keyring file, without standing up an external KMS (HashiCorp Vault, KMIP, or AWS KMS). Useful for smaller, isolated, or air-gapped deployments.
Accuracy caveat (do not overclaim)
- This is not a standalone PCI or FIPS compliance solution. For those requirements, a dedicated KMS or HSM is still needed. Position it as improved local key custody and Enterprise parity, not as a compliance certification.
Target audience
- Teams using TDE that want encrypted local key storage without an external KMS.
- Existing Percona Server for MySQL and Percona XtraDB Cluster users who want the Enterprise keyring option in open source builds.
Pillar alignment
Primary: Security, Sovereignty, and Compliance. Supporting: in-place Enterprise replacement (capability parity). Intended to slot into the pillar work rather than stand alone.
Open items before publication
- Confirm the component name and behavior with engineering before publishing specifics.
- State the capability in present tense only after GA.
Existing references
use-cases-value-pillars/security-sovereignty-compliance.md