Possible to use data-at-rest encryption without Hashicorp Vault?

Is it possible to just provide the encryption key manually? We don’t want to use Hashicorp Vault.


Hello @Tatu_Pesonen,
Absolutely! There is no requirement whatsoever to use vault to manage encryption keys in MySQL. You can enable the keyring_file plugin. Use the keyring component or keyring plugin - Percona Server for MySQL

@matthewb Great! And this also works with the Kubernetes Operator?

Yes. The keyring_file plugin is a native plugin and works with all/any flavor of MySQL.

I couldn’t find any documentation regarding the configuration of data-at-rest without HashiCorp Vault - could you guide me towards some resources that show how you can configure keyring_file in an environment that uses XtraDB Cluster operator?

You just need to enable the plugin in my.cnf. I believe this is done in cr.yml?

early-plugin-load = keyring_file.so
keyring_file_data = /var/lib/mysql-keyring/keyring
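The two my.cnf lines above are all the server needs, but a small check script is handy before rolling them into a pod spec. This is an added example, not code from the thread or from Percona: it verifies that a my.cnf fragment carries both directives and that the keyring file the thread points at has a mode that keeps the key readable by the mysqld user alone. The directory and file names are constructed for the demo; the thread's own path is /var/lib/mysql-keyring/keyring.

```shell
#!/bin/sh
# Added example (not from the thread or Percona): sanity-check the keyring_file
# setup discussed above. Demo paths are constructed, not real deployment paths.

# Return 0 if the cnf loads keyring_file.so early and sets keyring_file_data to
# an absolute path. MySQL treats '-' and '_' in option names interchangeably.
check_keyring_cnf() {
    cnf="$1"
    grep -Eq '^[[:space:]]*early[-_]plugin[-_]load[[:space:]]*=[[:space:]]*keyring_file\.so' "$cnf" || return 1
    grep -Eq '^[[:space:]]*keyring_file_data[[:space:]]*=[[:space:]]*/' "$cnf" || return 2
    return 0
}

# Print the configured keyring path (empty if keyring_file_data is unset).
keyring_path_from_cnf() {
    sed -n 's/^[[:space:]]*keyring_file_data[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Return 0 only if the keyring file exists and is mode 0600: the master key
# lives in this file, so it must not be group- or world-readable.
check_keyring_file_mode() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ] || return 2
    return 0
}

# Build a constructed demo tree: a good cnf with a 0600 keyring file, and a bad
# cnf that forgot the early-plugin-load line. Prints the demo directory.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/keyring"
    printf 'early-plugin-load = keyring_file.so\nkeyring_file_data = %s/keyring/keyring\n' "$d" > "$d/good.cnf"
    printf 'keyring_file_data = %s/keyring/keyring\n' "$d" > "$d/bad.cnf"
    : > "$d/keyring/keyring"
    chmod 600 "$d/keyring/keyring"
    echo "$d"
}

# Run the demo only when asked: ./check_keyring.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(make_demo)
    check_keyring_cnf "$d/good.cnf" && echo "good.cnf: keyring_file configured"
    check_keyring_cnf "$d/bad.cnf" || echo "bad.cnf: missing early-plugin-load (rc=$?)"
    check_keyring_file_mode "$(keyring_path_from_cnf "$d/good.cnf")" && echo "keyring file mode ok"
    rm -rf "$d"
fi
```

Once the pod is up, confirm the plugin actually loaded from inside it with `SHOW PLUGINS;` (look for keyring_file with status ACTIVE) rather than trusting the config alone; if early-plugin-load is missing, InnoDB encrypted tablespaces fail to open even though the server starts.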

What if I have multiple nodes? Will they have to share the keyring_file_data secret, and if they do, how can I accomplish that?

Edit: Also, if I want to manually generate the keyring file, how can I do that?

Each MySQL pod can use its own keyring file, unless you are clustering using the PXC Operator.
You can’t generate the keyring file and populate it manually; it is a binary file.

I am using the PXC operator. Does this mean I’ll have to use Vault?

No. You can still use keyring file. Each PXC pod will have its own, unique keyring file initially. If a pod is recreated, the SST process will copy the keyring from the donor node and then those two PXCs will have the same keyring file. This has no impact at all on performance/security.
