Encryption questions regarding token and keys for hashicorp vault

ipcmlr · October 19, 2023, 5:47pm

Hi all,
I have a couple of questions.
I have setup the database to use hashicorp vault for the encryption keys and it appears that the encryption key is cached or stored somewhere in the database server.
The database wont start if vault is down but once it is up you can select from encrypted tables and create tables with encryption.
Does anyone know where those keys are cached or stored once the db is up?

Second, there is a config file you need to put in the mysql keyring directory that points to the vault.
In that file is a token in plain text.
Will someone who gets access to that token be able to connect to the vault directly if they know where the vault is located?
thanks,

matthewb · October 19, 2023, 8:55pm

In memory. You wouldn’t want to fetch the keys and then persist them somewhere on disk where an attacker could read them.

I’m not 100% sure on that, but it looks like they could. Thus is it important that this file be accessible only by the mysql OS user.

ipcmlr · October 19, 2023, 9:22pm

Thanks @matthewb
Was hoping it was just stored in memory. Thanks for the reply.

Topic		Replies	Views
Storing HashiCorp Vault token used by Percona keyring_vault Percona Server for MySQL 8.0	2	655	June 10, 2022
Percona Hashicorp Encryption Token Renewal MySQL & MariaDB mysql , percona	1	749	April 6, 2023
Possible to use data-at-rest encryption without Hashicorp Vault? Percona Operator for MySQL	9	955	April 12, 2023
How to provide a high available keyring remote server? MySQL & MariaDB mysql , percona	2	474	May 27, 2021
Percona Server for MySQL / HashiCorp Vault plugin / replication setup Percona Server for MySQL 8.0 percona , closed-no-reply	0	534	October 2, 2023

Encryption questions regarding token and keys for hashicorp vault

Related Topics