
Keyring_vault Encryption

tironis (Current User, Role: Novice)

I've been putting together a proof of concept of an architecture to make sure everything works.

OS: Centos7.8
PXC: 8.0.19 - 3 node cluster setup
Hashicorp Vault: 1.4.2 - 3 node cluster setup

I'm trying to get encryption at rest working using the keyring_vault plugin. I have my configuration below:

early-plugin-load             = "keyring_vault=keyring_vault.so"
loose-keyring_value_config    = "/etc/xtradb/keyring_vault.conf"

However, the cluster fails to start up with the following error:

2020-10-19T04:22:44.478556Z 0 [ERROR] [MY-011370] [Server] Plugin keyring_vault reported: 'File '' not found (OS errno 2 - No such file or directory)'
2020-10-19T04:22:44.479119Z 0 [System] [MY-011197] [Server] Plugin keyring_vault reported: 'Could not open file with credentials.'
2020-10-19T04:22:44.479628Z 0 [System] [MY-011197] [Server] Plugin keyring_vault reported: 'keyring_vault initialization failure. Please check that the keyring_vault_config_file points to readable keyring_vault configuration file. Please also make sure Vault is running and accessible. The keyring_vault will stay unusable until correct configuration file gets provided.'
2020-10-19T04:22:44.480595Z 0 [ERROR] [MY-010202] [Server] Plugin 'keyring_vault' init function returned error.
2020-10-19T04:22:44.482688Z 0 [ERROR] [MY-010167] [Server] Failed to initialize early plugins.
2020-10-19T04:22:44.485491Z 0 [ERROR] [MY-010119] [Server] Aborting

I'm not sure what file is missing that the plugin can't locate.

My keyring_vault.conf file looks like this:

vault_url          = https://vault.uri:8200
secret_mount_point = secrets/pxc
token              = s.sdl;fjslfjsdfods
vault_ca           = /etc/pki/tls/certs/keyring_vault.crt

If I get rid of the plugin declaration, PXC loads back up just fine.

Answers

  • jrivera (Percona Support Engineer, Percona Staff)

    I wonder if the mysql system user can read or access the keyring_vault.conf file in the /etc/xtradb directory. Maybe change /etc/xtradb to be owned by the mysql user and group?

    chown -R mysql:mysql /etc/xtradb

  • tironis (Current User, Role: Novice)

    Thanks for the suggestion. I did check permissions; ownership is correct, and the files are owned by the xtradb user.
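An added pre-flight script (example code, not from the thread) for the two failure points discussed above. It reads the config path from the mysqld option keyring_vault_config, which is the option name the plugin actually consults (the fragment in the question spells it keyring_value_config, and because of the loose- prefix mysqld drops an unknown option without an error, leaving the plugin with the empty file name seen in "File '' not found"), and then confirms that the keyring_vault.conf it points to is readable and carries the keys the plugin needs. All paths are placeholders; run it as the mysql service user so the readability checks reflect what mysqld will see.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for the keyring_vault plugin.
# Paths passed in are placeholders; run as the mysql service user so the
# readability checks match what mysqld itself will see.

# Print the config-file path that mysqld will hand to the plugin. Only the real
# option name, keyring_vault_config (dashes or underscores), is matched: a
# misspelled "loose-" option is dropped by mysqld without error, so the plugin
# then gets an empty path and logs "File '' not found".
keyring_config_path() {
  sed -E -n 's/^[[:space:]]*(loose-)?keyring[_-]vault[_-]config[[:space:]]*=[[:space:]]*"?([^"[:space:]]*)"?.*$/\2/p' "$1" | head -n 1
}

# Confirm the keyring_vault.conf is readable and carries the keys the plugin needs.
check_keyring_conf() {
  conf="$1"
  [ -r "$conf" ] || { echo "keyring_vault.conf '$conf' is missing or not readable" >&2; return 1; }
  for key in vault_url secret_mount_point token; do
    grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$conf" \
      || { echo "keyring_vault.conf: missing '$key'" >&2; return 1; }
  done
  # vault_ca is optional, but when it is set the CA bundle must be readable too
  ca=$(sed -E -n 's/^[[:space:]]*vault_ca[[:space:]]*=[[:space:]]*//p' "$conf")
  if [ -n "$ca" ] && [ ! -r "$ca" ]; then
    echo "vault_ca '$ca' is not readable" >&2
    return 1
  fi
  return 0
}

# $1 = my.cnf (or fragment) that loads the plugin. Returns 0 when both checks pass.
preflight() {
  path=$(keyring_config_path "$1")
  if [ -z "$path" ]; then
    echo "$1: no keyring_vault_config option found (check the option name)" >&2
    return 1
  fi
  check_keyring_conf "$path"
}

# Usage: sh keyring_preflight.sh /etc/my.cnf  (no argument: only the functions are defined)
[ -z "${1:-}" ] || preflight "$1"
```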


Copyright ©2005 - 2020 Percona LLC. All rights reserved.