Encryption questions regarding token and keys for HashiCorp Vault

Hi all,
I have a couple of questions.
I have set up the database to use HashiCorp Vault for the encryption keys and it appears that the encryption key is cached or stored somewhere in the database server.
The database won't start if vault is down but once it is up you can select from encrypted tables and create tables with encryption.
Does anyone know where those keys are cached or stored once the db is up?

Second, there is a config file you need to put in the mysql keyring directory that points to the vault.
In that file is a token in plain text.
Will someone who gets access to that token be able to connect to the vault directly if they know where the vault is located?

In memory. You wouldn’t want to fetch the keys and then persist them somewhere on disk where an attacker could read them.

I’m not 100% sure on that, but it looks like they could. Thus, it is important that this file be accessible only by the mysql OS user.

Thanks @matthewb
Was hoping it was just stored in memory. Thanks for the reply.
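
The permission requirement from the answer above, turned into a check that can run on the database host. This is an added example, not part of the original thread or of any vendor tooling; the function name `audit_token_file` is hypothetical, and the check on the containing directory goes one step beyond what the answer states.

```python
import os
import pwd
import stat
import sys


def audit_token_file(path, owner):
    """Return a list of findings for a file holding a Vault token.

    An empty list means the file passed. `owner` is the account expected
    to own the file, given as a user name or a numeric uid.
    """
    uid = owner if isinstance(owner, int) else pwd.getpwnam(owner).pw_uid
    st = os.lstat(path)  # lstat: do not follow a symlink to another file
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file"]

    findings = []
    if st.st_uid != uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {uid}")

    # Any group/other bit lets another local account read or alter the token.
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append(f"{path}: mode {mode:04o} grants group/other access")

    # A group/other-writable directory lets someone replace the file itself.
    parent = os.path.dirname(os.path.abspath(path))
    if stat.S_IMODE(os.stat(parent).st_mode) & 0o022:
        findings.append(f"{parent}: writable by group/other")
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <keyring-config-file> <expected-owner>")
    problems = audit_token_file(sys.argv[1], sys.argv[2])
    for line in problems:
        print(line)
    sys.exit(1 if problems else 0)
```

Run it with the path of the keyring config file and the account the database runs as; a non-zero exit status means at least one finding was printed.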