How to protect vault token for MySQL TDE

Hi, we are planning to use MySQL Transparent Data Encryption with HashiCorp Vault server. From https://www.percona.com/doc/percona-server/8.0/security/using-keyring-plugin.html#using-keyring-plugin, it seems MySQL TDE only support vault authentication through token (not sure if this is true?). We are concerned that if the token is acquired by someone having access to the harddisk (and assuming in the same network as the vault server), the master key will be compromised in this case.
I can assume it would be better if the token can be rotated frequently (maybe using Vault Agent). But still there are security risk as long as the token resides on the hard disk.

Just wondering if anyone has experience on this, especially HashiCorp vault server. What is the best practice to configure this type of environment.

Thanks