How to provide a highly available keyring remote server?

Hi all,
We are in need of encrypting MySQL data at rest. We came across the community edition keyring plugin, where master key information is stored locally. Maintaining keyring and data files in the same location wouldn’t be an ideal solution. So we are forced to have it on some remote server, but won’t it cause a single point of failure?

It would be of great help if someone could share how they are ensuring high availability (HA) of remote servers where key details are maintained, especially in a production environment,
i.e. 100% availability, as the DB is the base for all applications working.

How does MySQL Enterprise Edition achieve this, as few vault server options are provided?

Thanks ahead!

Hi @preethi11,
Percona Server for MySQL comes with keyring_vault, which stores encryption keys in a HashiCorp Vault. You can connect several Vault servers together to make this HA. Check out the blog post where Jericho goes through the setup process: Using the keyring_vault Plugin with Percona Server for MySQL 5.7 - Percona Database Performance Blog


Read the blog post. For an ultimate HA/secure setup, first create a multi-node HA Vault topology. Then configure MySQL to use this HA Vault setup. With this setup, MySQL will not use a keyring file on disk. All encryption keys are stored in Vault and MySQL fetches them remotely.
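
An added example, not part of the replies above or of Percona's code: a monitoring check for the multi-node HA Vault topology the replies recommend, built on the default status codes of Vault's `/v1/sys/health` endpoint. The node URLs, the sample responses and the ok/degraded/critical verdicts are assumptions made for illustration.

```python
import urllib.error
import urllib.request

# Default HTTP status codes returned by Vault's /v1/sys/health endpoint.
HEALTH_STATES = {
    200: "active", 429: "standby", 472: "dr-secondary",
    473: "performance-standby", 501: "uninitialized", 503: "sealed",
}

# Constructed sample: three hypothetical nodes, one left sealed after a restart.
SAMPLE = {
    "https://vault-1.example.internal:8200": 200,
    "https://vault-2.example.internal:8200": 429,
    "https://vault-3.example.internal:8200": 503,
}

def probe(base_url, timeout=3.0):
    """Return the status of GET <base_url>/v1/sys/health, or None if unreachable."""
    url = base_url.rstrip("/") + "/v1/sys/health"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code  # non-2xx answers still describe the node's state
    except (urllib.error.URLError, OSError):
        return None      # DNS, TCP, TLS or timeout failure

def assess(statuses):
    """Summarise cluster health from {node_url: status_code_or_None}."""
    states = {}
    for node, code in statuses.items():
        if code is None:
            states[node] = "unreachable"
        else:
            states[node] = HEALTH_STATES.get(code, f"unknown({code})")
    active = [n for n, s in states.items() if s == "active"]
    standby = [n for n, s in states.items() if s == "standby"]
    if len(active) == 1 and standby:
        verdict = "ok"        # one active node plus a failover target
    elif len(active) == 1:
        verdict = "degraded"  # keys are served, but nothing can take over
    else:
        verdict = "critical"  # no active node, or several claim to be active
    return {"verdict": verdict, "active": active,
            "standby": standby, "states": states}

if __name__ == "__main__":
    print(assess(SAMPLE))  # live use: assess({u: probe(u) for u in SAMPLE})
```

A sealed or unreachable standby does not stop MySQL from fetching keys today, but it removes the failover capacity the HA topology exists to provide, so alert on `degraded` as well as `critical`.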