Using the keyring_vault Plugin with Percona Server for MySQL 5.7

Using the keyring_vault Plugin with Percona Server for MySQL 5.7

PREVIOUS POST
NEXT POST

keyring_vault store database encryption keysThis is the first of a two-part series on using the keyring_vault plugin with Percona Server for MySQL 5.7. The second part, Backing up Percona Server for MySQL with keyring_vault plugin enabledwalks through how to use Percona Xtrabackup to backup from this instance and restore to another server and set it up as a slave with keyring_vault plugin.

What is the keyring_vault plugin?

The keyring_vault is a plugin that allows the database to interface with a Hashicorp Vault server to store and secure encryption keys. The Vault server then acts as a centralized encryption key management solution which is critical for security and for compliance with various security standards.

Configuring Vault

Create SSL certificates to be used by Vault. You can use the sample ssl.conf template below to generate the necessary files.

Then run the two commands below to generated the cert and key files and the certificate chain:

Once the SSL certificates are created start Vault with the sample configuration below. Take note that you should follow the suggested best practices when deploying Vault in production, this example is to get us by with a simple working setup.

Assuming Vault started up fine and you are able to unseal Vault, the next step is to create the policy file. For more details on initializing and unsealing Vault please read the manual here.

Create a Vault policy named dc1-secrets using the dc1.hcl file like this:

Next, create a token associated with the newly created policy:

Setting up MySQL

The following instructions should work starting from Percona Server for MySQL 5.7.20-18 and through later versions.

Configure my.cnf with the following variables:

Create the keyring_vault.conf file in the path above with the following contents:

Here we are using the vault.pem file generated by combining the vault.crt and vault.key files. Observe that our secret_mount_point is secret/dc1/master. We want to make sure that this mount point is unique across all servers, this is in fact advised in the manual here.

Ensure that the CA certificate is owned by mysql user:

Initialize the MySQL data directory on the Master:

For production systems we do not recommend using --initialize-insecure option, this is just to skip additional steps in this tutorial.

Finally, start mysqld instance and then test the setup by creating an encrypted table.

At this point you should have Percona Server for MySQL instance with tablespace encryption using Vault.

Researching database security?

You might also enjoy this pre-recorded webinar securing your database servers from external attacks presented by my colleague Colin Charles.

PREVIOUS POST
NEXT POST

Share this post

Comments (2)

  • Toshiba Support Reply

    all the information you have shared are very much useful for all the computer user. I get to know proper ideas about the SQL. keep sharing this type of ideas.

    September 17, 2018 at 8:30 pm
  • Stud wall Reply

    We are providing best Steel wall & House stud framing services in Australia. A stud wall includes a frame of timber or metal studs secured to the floor, ceiling and walls, which is then covered with plasterboard. We are 24*7 available for the customer help. For more information just visit our site: http://www.newworldconstruction.com.au/steel-wall-and-house-stud-framing.html

    October 12, 2018 at 7:03 am

Leave a Reply