Automatic TDE Encryption Key Rotation Using HashiCorp Vault as the Key Management System

LukeYangJMA · May 25, 2022, 7:56pm

How can one do automatic key rotation in Percona for TDE using HashiCorp Vault as the Key Management System? We are intending to use a primary-secondary pair of Percona servers and a community edition HA cluster of HashiCorp Vault.

matthewb · May 25, 2022, 8:31pm

As far as I can tell, there is no such feature. You’d have to schedule a cron-job to run rotate the master key in MySQL, which will tell Vault to store the updated key.

https://www.percona.com/doc/percona-server/LATEST/security/rotating-master-key.html#rotating-master-key

LukeYangJMA · June 1, 2022, 11:51am

Thanks for your response,

I ended up using the event_scheduler built into the Percona MySQL server which seems to work:

mysql> SHOW PROCESSLIST;
mysql> SET GLOBAL event_scheduler = ON;
mysql> CREATE EVENT key_rotation ON SCHEDULE EVERY 3600 SECOND DO ALTER INSTANCE ROTATE INNODB MASTER KEY;

matthewb · June 1, 2022, 2:40pm

Awesome solution! I’m not a fan of the event scheduler but that’s a great way to do it!

Topic		Replies	Views
How to protect vault token for MySQL TDE MySQL & MariaDB mysql , percona , closed-no-reply	0	680	March 22, 2022
Rotating vault token and master key, and backing up the vault keys? Percona Server for MySQL 8.0 community , mysql , percona	3	1440	June 15, 2021
Cron Job / Event Scheduler for Vault Token Rotation Percona Server for MySQL 8.0 closed-no-reply	0	925	June 28, 2022
Best Practice for Automatic Vault Token Generation and Percona keyring_vault plugin Percona Server for MySQL 8.0	2	2014	November 14, 2022
Support for OpenBao for TDE Key Management Percona Server for MySQL 8.0	5	541	October 4, 2024

Automatic TDE Encryption Key Rotation Using HashiCorp Vault as the Key Management System

Related topics