Possible to use data-at-rest encryption without HashiCorp Vault?

Is it possible to just provide the encryption key manually? We don’t want to use HashiCorp Vault.


Hello @Tatu_Pesonen,
Absolutely! There is no requirement whatsoever to use Vault to manage encryption keys in MySQL. You can enable the keyring_file plugin.
Use the keyring component or keyring plugin - Percona Server for MySQL

@matthewb Great! And this also works with the Kubernetes Operator?

Yes. The keyring_file plugin is a native plugin and works with all/any flavor of MySQL.

I couldn’t find any documentation regarding the configuration of data-at-rest without HashiCorp Vault - could you guide me towards some resources that show how you can configure keyring_file in an environment that uses XtraDB Cluster operator?

You just need to enable the plugin in my.cnf. I believe this is done in cr.yml?

early-plugin-load = keyring_file.so
keyring_file_data = /var/lib/mysql-keyring/keyring
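Added example, not part of the thread and not Percona's tooling: a Python check that a my.cnf fragment carries the two settings from the last reply inside a [mysqld] group, and that the plugin is loaded with early-plugin-load so the keyring is available before InnoDB starts. The function names and the sample fragments are constructed for illustration; reading only the [mysqld] group is a simplifying assumption.

```python
import re


def parse_mysqld(cnf_text):
    """Return the options of the [mysqld] group; '-' and '_' in names are equivalent."""
    opts, section = {}, None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "mysqld":  # assumption: other server groups are ignored
            name, _, value = line.partition("=")
            opts[name.strip().replace("-", "_").lower()] = value.strip()
    return opts


def audit_keyring(cnf_text):
    """Return a list of findings; an empty list means both settings are in place."""
    opts = parse_mysqld(cnf_text)
    findings = []
    if "keyring_file" not in opts.get("early_plugin_load", ""):
        late = opts.get("plugin_load", "") + opts.get("plugin_load_add", "")
        if "keyring_file" in late:
            findings.append("keyring_file is loaded with plugin-load; "
                            "use early-plugin-load so it is ready before InnoDB starts")
        else:
            findings.append("early-plugin-load does not name keyring_file.so")
    if not opts.get("keyring_file_data"):
        findings.append("keyring_file_data is not set")
    return findings


# Constructed sample fragments.
GOOD = """[mysqld]
early-plugin-load = keyring_file.so
keyring_file_data = /var/lib/mysql-keyring/keyring
"""
BARE = GOOD.replace("[mysqld]\n", "")            # same lines, no group header
LATE = "[mysqld]\nplugin-load = keyring_file.so\n"

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bare", BARE), ("late", LATE)):
        print(label, audit_keyring(text))
```

The bare fragment is flagged because options outside a group header are not read as server settings by this check, so the two lines need a [mysqld] header wherever they are placed.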