MySQL cannot retrieve the audit log encryption password from the configured keyring plugin, so it keeps using the in-memory password and logs error 3209.
ER_AUDIT_LOG_ENCRYPTION_PASSWORD_CANNOT_BE_FETCHED appears when MySQL cannot read the audit log encryption key from its keyring plugin, leaving logs encrypted with the previous password. Load or reconfigure the keyring plugin and ensure the key file is accessible to resolve the issue.
ER_AUDIT_LOG_ENCRYPTION_PASSWORD_CANNOT_BE_FETCHED
MySQL raises error 3209 when the audit_log plugin asks the active keyring plugin for its encryption password and the keyring fails to return it. The server keeps the old in-memory password, encrypts new audit events with that key, and logs this error to warn administrators.
The condition ER_AUDIT_LOG_ENCRYPTION_PASSWORD_CANNOT_BE_FETCHED was introduced in MySQL 5.7.22 alongside encrypted audit logs. The error indicates a weakened security posture, because the server cannot rotate the audit log key, and it may stop the audit_log plugin if secure_file_priv restrictions are enabled.
The keyring plugin is not loaded at startup, so no provider exists when the audit_log plugin requests the key. This happens if --early-plugin-load omits keyring_file.so or keyring_encrypted_file.so.
The keyring data file specified by --keyring_file_data is missing, corrupted, or owned by a different user, preventing the plugin from opening it and supplying the key.
File-system permissions or SELinux/AppArmor rules may block mysqld from reading the keyring file, leading to error 3209 during plugin initialization.
Confirm a keyring plugin is loaded first. Use SHOW PLUGINS to verify keyring_file or keyring_encrypted_file status. If missing, add it to my.cnf under early-plugin-load and restart MySQL.
Check the keyring file path. Make sure the file exists, belongs to the mysql OS user, and has 600 permissions. Restore the file from backup if it is missing or corrupted.
If the key itself was deleted, generate a new password with mysql_keyring, store it, and rotate the audit log key with SET GLOBAL audit_log_encryption_password = 'new_key';
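The three checks above (keyring plugin ACTIVE in SHOW PLUGINS, key file present and owned by the mysql OS user, mode 600) as an added diagnostic script; this is example code, not part of the original page or of MySQL. It assumes the SHOW PLUGINS rows have already been fetched as (Name, Status) pairs and that the keyring path is the value of --keyring_file_data; demo() builds a constructed key file to exercise the healthy, loose-permission and plugin-not-loaded cases.

```python
import os
import stat
import tempfile

# Keyring plugins named on this page; audit_log needs one of them ACTIVE in SHOW PLUGINS.
KEYRING_PLUGINS = {"keyring_file", "keyring_encrypted_file"}

def check_keyring_plugin(plugin_rows):
    """plugin_rows: (Name, Status) pairs as shown by SHOW PLUGINS. Returns a finding or None."""
    if any(name in KEYRING_PLUGINS and status == "ACTIVE" for name, status in plugin_rows):
        return None
    return "no keyring plugin ACTIVE: add keyring_file.so or keyring_encrypted_file.so to early-plugin-load"

def check_keyring_file(path, mysql_uid):
    """Checks the --keyring_file_data file: present, owned by the mysql user, mode 600, non-empty."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["keyring file missing: %s" % path]
    findings = []
    if st.st_uid != mysql_uid:
        findings.append("keyring file owned by uid %d, expected %d" % (st.st_uid, mysql_uid))
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o600:
        findings.append("keyring file mode %04o, expected 0600" % mode)
    if st.st_size == 0:
        findings.append("keyring file is empty: likely truncated or corrupted")
    return findings

def diagnose(plugin_rows, keyring_path, mysql_uid):
    """Runs both checks; an empty list means none of the causes listed above applies."""
    findings = []
    plugin_finding = check_keyring_plugin(plugin_rows)
    if plugin_finding:
        findings.append(plugin_finding)
    findings.extend(check_keyring_file(keyring_path, mysql_uid))
    return findings

def demo():
    """Constructed sample: a healthy host, the same host after chmod 644, then no keyring plugin and no file."""
    rows = [("audit_log", "ACTIVE"), ("keyring_file", "ACTIVE")]
    with tempfile.NamedTemporaryFile(delete=False) as f:  # mkstemp creates the file with mode 0600
        f.write(b"constructed keyring bytes")
    healthy = diagnose(rows, f.name, os.getuid())
    os.chmod(f.name, 0o644)
    loose = diagnose(rows, f.name, os.getuid())
    os.unlink(f.name)
    unloaded = diagnose([("audit_log", "ACTIVE")], f.name, os.getuid())
    return {"healthy": healthy, "loose": loose, "unloaded": unloaded}

if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, findings or ["ok"])
```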
Upgrading from MySQL 5.7.21 to 5.7.22 without deploying a keyring plugin is the most frequent scenario. Installing and loading the keyring plugin resolves the error instantly.
Moving the data directory to new servers without copying the keyring data file triggers the error. Copy the keyring file and fix permissions to solve it.
Always deploy a keyring plugin in the early-plugin-load list and test it during CI/CD database provisioning.
Store the keyring data file on encrypted storage, back it up with the same cadence as data files, and verify restores quarterly.
Stream mysqld error logs to Galaxy and configure alerts for error codes 3208-3210 to catch audit_log encryption issues immediately.
ER_AUDIT_LOG_ENCRYPTION_PASSWORD_HAS_NOT_BEEN_SET (3208) arises when no password exists at all. Set audit_log_encryption_password in the keyring to fix it.
ER_AUDIT_LOG_TABLE_CANNOT_BE_OPENED (3206) indicates the audit log table is corrupt or missing. Repair or recreate the log table.
MySQL starts without keyring_file.so or keyring_encrypted_file.so in the early-plugin-load list, so the audit_log plugin cannot fetch its key.
The path defined by --keyring_file_data is wrong, the file was deleted, or permissions prevent mysqld from opening it.
SELinux or AppArmor profiles restrict mysqld from accessing the directory that stores the keyring file.
The keyring file became corrupted during a crash or disk issue, so the plugin fails to parse it and returns no password.
No password is configured in the keyring. Create one with mysql_keyring and set audit_log_encryption_password.
The audit log table is missing or corrupted. Repair or recreate the table to resume logging.
The keyring password changed while the audit_log plugin was active. Restart MySQL or reload the plugin to pick up the new key.
No, the server continues running but audit logs stay encrypted with the previous key, weakening compliance.
Yes, set audit_log_encryption = 'OFF' and restart, but this reduces security and is not recommended in regulated environments.
Galaxy's log streams let you create alerts on error code 3209, so teams can fix keyring issues quickly.
Run SHOW PLUGINS and ensure keyring_file or keyring_encrypted_file is ACTIVE before starting audit_log.