Automatic TDE Encryption Key Rotation Using HashiCorp Vault as the Key Management System

LukeYangJMA · May 25, 2022, 7:56pm

How can one do automatic key rotation in Percona for TDE using HashiCorp Vault as the Key Management System? We are intending to use a primary-secondary pair of Percona servers and a community edition HA cluster of HashiCorp Vault.

matthewb · May 25, 2022, 8:31pm

As far as I can tell, there is no such feature. You’d have to schedule a cron-job to run rotate the master key in MySQL, which will tell Vault to store the updated key.

https://www.percona.com/doc/percona-server/LATEST/security/rotating-master-key.html#rotating-master-key

LukeYangJMA · June 1, 2022, 11:51am

Thanks for your response,

I ended up using the event_scheduler built into the Percona MySQL server which seems to work:

mysql> SHOW PROCESSLIST;
mysql> SET GLOBAL event_scheduler = ON;
mysql> CREATE EVENT key_rotation ON SCHEDULE EVERY 3600 SECOND DO ALTER INSTANCE ROTATE INNODB MASTER KEY;

matthewb · June 1, 2022, 2:40pm

Awesome solution! I’m not a fan of the event scheduler but that’s a great way to do it!

Topic		Replies	Views
Rotating vault token and master key, and backing up the vault keys? Percona Server for MySQL 8.0 community , mysql , percona	3	1348	June 15, 2021
Best Practice for Automatic Vault Token Generation and Percona keyring_vault plugin Percona Server for MySQL 8.0	2	1737	November 14, 2022
Cron Job / Event Scheduler for Vault Token Rotation Percona Server for MySQL 8.0 closed-no-reply	0	834	June 28, 2022
Using Oracle key vault to store encryption keys for percona mysql tde encryption Percona Distribution for MySQL	1	456	September 19, 2023
Percona Server for MySQL / HashiCorp Vault plugin / replication setup Percona Server for MySQL 8.0 percona , closed-no-reply	0	515	October 2, 2023

Automatic TDE Encryption Key Rotation Using HashiCorp Vault as the Key Management System

Related Topics