The audit log plugin needs a keyring plugin for encryption, but none is loaded, so MySQL raises error 3206.
ER_AUDIT_LOG_NO_KEYRING_PLUGIN_INSTALLED happens when MySQL's audit log encryption is turned on but no keyring plugin is active; load and configure a keyring plugin such as keyring_file and restart MySQL to resolve it.
ER_AUDIT_LOG_NO_KEYRING_PLUGIN_INSTALLED
The message No keyring plugin installed means MySQL started the audit log plugin with audit_log_encryption=AES but no keyring plugin is active to supply encryption keys. Since MySQL 5.7.22, the audit log refuses to run without a key provider and throws error 3206 at startup or when you load the plugin dynamically.
The failure stops the audit log from recording events, breaking security and compliance audits. Production teams often discover it after an upgrade or configuration change, so fixing it quickly prevents data-governance gaps.
Setting audit_log_encryption to AES without loading a keyring plugin during server startup is the leading cause. If the keyring shared library is missing, mis-named, or lacks read permissions, MySQL silently skips it and later raises error 3206.
The error can also appear in container images where the keyring path is read-only, or when --early-plugin-load omits any keyring plugin while audit logging is encrypted.
Install a supported keyring plugin and make sure it loads before the audit log plugin. The built-in keyring_file plugin is the quickest fix for on-prem setups.
After editing my.cnf, restart MySQL or execute INSTALL PLUGIN keyring_file to activate it, then re-enable the audit log. Verify with SHOW PLUGINS that KEYRING is ACTIVE and AUDIT is ACTIVE.
Upgrades from 5.7.21 to 5.7.22 often inherit audit_log_encryption=AES yet lack keyring configuration. Adding early-plugin-load=keyring_file.so and setting keyring_file_data resolves the error.
In cloud environments, switch to keyring_aws or keyring_okv to store keys in KMS or Oracle Key Vault instead of local disk.
Always pair audit_log_encryption=AES with an early-loaded keyring plugin in configuration management templates. Include startup checks using mysqld --validate-config to catch missing plugins before deployment.
Monitor the MySQL error log for plugin status and alert when AUDIT or KEYRING is DISABLED. Galaxy users can set up health checks that surface these alerts directly in the SQL editor workspace.
Error 3180 ER_KEYRING_UDF_KEYRING_SERVICE_ERROR appears when the keyring plugin fails internally; reinstall or correct permissions. Error 3185 ER_KEYRING_ACCESS_DENIED signals that MySQL cannot open the keyring data file; fix ownership and path settings.
audit_log_encryption is set to AES but no keyring plugin is listed in early-plugin-load or in the plugin directory.
The keyring shared library exists but mysqld cannot read it due to wrong path or OS permissions.
keyring_file_data points to a location mounted read-only, preventing the plugin from creating the key file.
Upgrading to 5.7.22+ deactivates an old keyring plugin that was compiled for a prior version, leaving none active.
Indicates the keyring plugin failed internally. Fix library path or reinstall plugin.
MySQL cannot open or write the keyring file. Adjust filesystem ownership and SELinux or AppArmor policies.
Raised when attempting to uninstall or configure a plugin that never loaded, often preceding error 3206.
No. If audit_log_encryption=NONE, MySQL will not look for a keyring plugin and error 3206 will not appear.
keyring_file is bundled with MySQL Community and only requires a writable path. It is the fastest way to resolve error 3206 in lab or on-prem servers.
Yes. Run INSTALL PLUGIN keyring_file SONAME 'keyring_file.so', then enable or restart the audit log. A server restart is still recommended for production.
Galaxy highlights critical MySQL errors in its log panel and can trigger alerts when the audit log plugin is disabled, helping teams address compliance issues quickly.
.avif)
.avif){kind=logo}
