Using Vault to Store the Master Key for Data at Rest Encryption on Percona Server for MongoDB

Since the release of Percona Server for MongoDB 3.6.13 (PSMDB), you have been able to use Vault to store the encryption keys for data at rest encryption. Here's how to set it up.

First, you need to have a Vault server up and running. My colleague, Jericho, has an article on setting up Vault for Percona Server titled Using the keyring_vault Plugin with Percona Server for MySQL 5.7. In this post, I will repeat the same instructions for installing and setting up HashiCorp Vault for testing (Thank you Jericho!).

Vault Installation (run as root or use sudo):

1. Download, extract and install Vault:

Make sure to place the binary somewhere on your PATH.

2. Place the initial Vault configuration in /etc/vault.

You can use a port other than 8200. disable_mlock = true is needed if you want to start the Vault server as a non-root user.

3. Generate SSL certificates. To be able to create SSL certificates without going through prompts, we will place those entries in a configuration file:

4. Run the commands below to generate the certificates and store them in /etc/vault.

5. Ensure that the keys are accessible only by the owner.

6. Set the environment variables needed to access Vault.

7. Start Vault in the background.

8. Initialize Vault and store the unseal keys and the initial root token generated in this step:

9. Unseal the Vault by supplying the three unseal keys generated above. You need to unseal Vault every time the Vault server is started.

10. Now it's time to log in to Vault using the initial root token.
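The whole sequence from step 2 to step 10 as one script, added here as an example and not taken from the post or from Percona's own tooling. It assumes the files live under $VAULT_DIR (default /etc/vault), that Vault listens on 127.0.0.1 on $VAULT_PORT with a self-signed certificate for "localhost", that the subject fields in the openssl config are placeholders, and that the init uses three key shares with a threshold of three so that the three unseal keys mentioned in step 9 are exactly the ones produced. Only the last function calls the vault binary, and the full run is taken only when the script is invoked with the argument run.

```shell
#!/bin/sh
# Added example (not the post's own scripts): steps 2 to 10 as shell functions.
# Assumed layout: everything under $VAULT_DIR, server on 127.0.0.1:$VAULT_PORT.
VAULT_DIR="${VAULT_DIR:-/etc/vault}"
VAULT_PORT="${VAULT_PORT:-8200}"

# Step 2: server configuration. disable_mlock = true is what lets a non-root
# user start the server; the TLS paths are the files that step 4 generates.
write_vault_config() {
    dir=$1; port=$2
    cat > "$dir/vault.hcl" <<EOF
listener "tcp" {
  address       = "127.0.0.1:${port}"
  tls_cert_file = "${dir}/vault.crt"
  tls_key_file  = "${dir}/vault.key"
}
storage "file" {
  path = "${dir}/data"
}
disable_mlock = true
EOF
}

# Step 3: openssl request config with prompt = no, so the certificate can be
# produced without interactive questions. Subject values are placeholders.
write_openssl_config() {
    dir=$1
    cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = req_dn
x509_extensions    = v3_self
prompt             = no

[req_dn]
C  = US
O  = Example Org
CN = localhost

[v3_self]
subjectAltName = DNS:localhost,IP:127.0.0.1
EOF
}

# Step 4: self-signed certificate and private key written into $dir.
generate_certs() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/vault.key" -out "$dir/vault.crt"
}

# Step 5: the private key is readable and writable by its owner only.
lock_keys() {
    chmod 600 "$1/vault.key"
}

# Check for step 5: succeeds only when the mode string is exactly -rw------- (0600).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Steps 6 to 10: environment, background server, init, unseal, login.
# "vault operator init" prints "Unseal Key N: ..." and "Initial Root Token: ..."
# lines; they are parsed from a 0600 file. That file holds everything needed to
# open the Vault, so move its contents to proper key storage and delete it.
start_init_unseal_login() {
    export VAULT_ADDR="https://127.0.0.1:${VAULT_PORT}"
    export VAULT_CACERT="${VAULT_DIR}/vault.crt"
    vault server -config="${VAULT_DIR}/vault.hcl" >"${VAULT_DIR}/vault.log" 2>&1 &
    sleep 3
    (umask 077; vault operator init -key-shares=3 -key-threshold=3 >"${VAULT_DIR}/init.txt")
    for key in $(awk '/^Unseal Key/ {print $4}' "${VAULT_DIR}/init.txt"); do
        vault operator unseal "$key"
    done
    vault login "$(awk '/^Initial Root Token/ {print $4}' "${VAULT_DIR}/init.txt")"
}

# Full run only when invoked as: sh vault-setup.sh run
if [ "${1:-}" = "run" ]; then
    mkdir -p "${VAULT_DIR}/data"
    write_vault_config "$VAULT_DIR" "$VAULT_PORT"
    write_openssl_config "$VAULT_DIR"
    generate_certs "$VAULT_DIR"
    lock_keys "$VAULT_DIR"
    start_init_unseal_login
fi
```

The unseal keys are applied in a loop because a three-of-three threshold needs all of them before the server leaves the sealed state; with the default five-of-three init you would supply any three. Keep key_is_private around as a quick audit after step 5, since a key file left at 0644 is readable by every local account.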