Data at rest Encryption issue - MySQL 8.0.23

Hi,

I am trying to enable Data at Rest Encryption for a MySQL 8.0.23 Percona Server InnoDB cluster.

I used the HashiCorp Vault details below in keyring_vault.conf on all 3 nodes, with a different secret_mount_point on each.

vault_url = <vaulturl>
secret_mount_point = secret/mysql/poc
secret_mount_point_version = 2
token = *********************
vault_ca = /mysql/ca.pem

I get the errors below in the log file when I try to start:

2021-06-08T08:58:07.161680Z 0 [Warning] [MY-011197] [Server] Plugin keyring_vault reported: 'Probing secret for being a mount point unsuccessful - skipped.'
2021-06-08T08:58:07.177507Z 0 [Warning] [MY-011197] [Server] Plugin keyring_vault reported: 'Probing secret/mysql for being a mount point unsuccessful - skipped.'
2021-06-08T08:58:07.192492Z 0 [Warning] [MY-011197] [Server] Plugin keyring_vault reported: 'Probing secret/mysql/poc for being a mount point unsuccessful - skipped.'
2021-06-08T08:58:07.192547Z 0 [System] [MY-011197] [Server] Plugin keyring_vault reported: 'Auto-detected mount point version is not the same as specified in 'secret_mount_point_version'.'
2021-06-08T08:58:07.192603Z 0 [System] [MY-011197] [Server] Plugin keyring_vault reported: 'keyring_vault initialization failure. Please check that the keyring_vault_config_file points to readable keyring_vault configuration file. Please also make sure Vault is running and accessible. The keyring_vault will stay unusable until correct configuration file gets provided.'

Config options:

[mysqld]
early-plugin-load="keyring_vault=keyring_vault.so"
loose-keyring_vault_config=/mysql/keyring_vault.conf

Any input on how to configure Vault properly for secrets engine version 2?

Note: Namespace is enabled in Vault. When I try to get keys from the API, *<vault_url>/v1/secret/metadata/mysql/poc?list=True* works fine with the same details.

~Adithya


Adithya or anyone, I just started to use Vault. I am wondering if you have solved or know the correct format of secret_mount_point for kv version 2. I am having the same issue. I’ve tried secret, secret/kv, kv prefixes and nothing. Each resulted in the error message.

Also the token is much longer than the one in the tutorial provided by Percona, in the format of hvs.xxxxx–xxxxxxxxxxxxxxxxxx. I suppose I just put the whole thing for the token value.

Corresponding policy:

path "kv/" {
  capabilities = ["list"]
}

path "kv/data/pxc/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

I tested in the UI that the token can access pxc/keyring1, pxc/keyring2 and so on. The CLI, such as `vault kv get -mount=kv pxc/keyring2`, works too.

Thanks.


Hi! I think that with Key Value v2 the correct policy is this (considering secret_mount_point=kv/pxc/keyring1):

path "kv/config" {
  capabilities = ["read"]
}

path "kv/metadata/pxc/*" {
  capabilities = ["list"]
}

path "kv/data/pxc/*" {
  capabilities = ["create", "read", "delete", "update", "list"]
}
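As an added illustration (not code from the thread or from Percona), the script below derives the three KV v2 path families that the policy above grants for a given secret_mount_point and checks a policy for them. It assumes the mount is the first path segment of secret_mount_point (the plugin probes prefixes to auto-detect it, as the log lines earlier in the thread show) and uses a simplified Vault glob match that ignores `deny` and most-specific-rule precedence.

```python
import re
from typing import Dict, List, Set, Tuple

# Minimal parser for the policy shape used in this thread:
#   path "kv/data/pxc/*" { capabilities = ["create", "read"] }
_BLOCK = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)

def parse_policy(hcl: str) -> Dict[str, Set[str]]:
    """Return {path_pattern: set(capabilities)} for each path block."""
    policy: Dict[str, Set[str]] = {}
    for path, caps in _BLOCK.findall(hcl):
        policy.setdefault(path, set()).update(re.findall(r'"([^"]+)"', caps))
    return policy

def required_grants(secret_mount_point: str) -> List[Tuple[str, str]]:
    """(path, capability) pairs the accepted KV v2 policy grants for a
    secret_mount_point of the form <mount>/<key path>, e.g. kv/pxc/keyring1.
    ASSUMPTION: the mount is the first path segment."""
    mount, _, key = secret_mount_point.strip("/").partition("/")
    need = [(f"{mount}/config", "read"), (f"{mount}/metadata/{key}", "list")]
    need += [(f"{mount}/data/{key}", c) for c in ("create", "read", "update", "delete", "list")]
    return need

def path_matches(pattern: str, path: str) -> bool:
    """Simplified Vault policy match: exact path, or a trailing '*' glob."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return pattern == path

def missing_grants(hcl: str, secret_mount_point: str) -> List[Tuple[str, str]]:
    """List the (path, capability) pairs the policy does not grant."""
    policy = parse_policy(hcl)
    return [(path, cap) for path, cap in required_grants(secret_mount_point)
            if not any(path_matches(pat, caps_pat) if False else
                       path_matches(pat, path) and cap in caps
                       for pat, caps in policy.items())]

# Constructed copies of the two policies discussed above.
FIRST_POLICY = '''
path "kv/" { capabilities = ["list"] }
path "kv/data/pxc/*" { capabilities = ["create", "read", "update", "delete", "list"] }
'''
ACCEPTED_POLICY = '''
path "kv/config" { capabilities = ["read"] }
path "kv/metadata/pxc/*" { capabilities = ["list"] }
path "kv/data/pxc/*" { capabilities = ["create", "read", "delete", "update", "list"] }
'''

if __name__ == "__main__":
    print(missing_grants(FIRST_POLICY, "kv/pxc/keyring1"))     # config read + metadata list missing
    print(missing_grants(ACCEPTED_POLICY, "kv/pxc/keyring1"))  # []
```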

@DanyUP84, thanks a lot for the reply. It works now.
