Automatic TDE Encryption Key Rotation Using HashiCorp Vault as the Key Management System

How can one do automatic key rotation in Percona for TDE using HashiCorp Vault as the Key Management System? We are intending to use a primary-secondary pair of Percona servers and a community edition HA cluster of HashiCorp Vault.

1 Like

As far as I can tell, there is no such feature. You’d have to schedule a cron-job to run rotate the master key in MySQL, which will tell Vault to store the updated key.

2 Likes

Thanks for your response,

I ended up using the event_scheduler built into the Percona MySQL server which seems to work:

mysql> SHOW PROCESSLIST;
mysql> SET GLOBAL event_scheduler = ON;
mysql> CREATE EVENT key_rotation ON SCHEDULE EVERY 3600 SECOND DO ALTER INSTANCE ROTATE INNODB MASTER KEY;
1 Like

Awesome solution! I’m not a fan of the event scheduler but that’s a great way to do it!

1 Like