Possible to use data-at-rest encryption without Hashicorp Vault?

Tatu_Pesonen · March 17, 2023, 1:33pm

Is it possible to just provide the encryption key manually? We don’t want to use Hashicorp Vault.

matthewb · March 17, 2023, 7:28pm

Hello @Tatu_Pesonen,
Absolutely! There is no requirement whatsoever to use vault to manage encryption keys in MySQL. You can enable the keyring_file plugin. Use the keyring component or keyring plugin - Percona Server for MySQL

Tatu_Pesonen · March 20, 2023, 7:31am

@matthewb Great! And this also works with the Kubernetes Operator?

matthewb · March 20, 2023, 2:32pm

Yes. The keyring_file plugin is a native plugin and works with all/any flavor of MySQL.

Tatu_Pesonen · March 22, 2023, 8:49am

I couldn’t find any documentation regarding the configuration of data-at-rest without HashiCorp Vault - could you guide me towards some resources that show how you can configure keyring_file in an environment that uses XtraDB Cluster operator?

matthewb · March 22, 2023, 4:47pm

You just need to enable the plugin in my.cnf. I believe this is done in cr.yml?

early-plugin-load = keyring_file.so
keyring_file_data = /var/lib/mysql-keyring/keyring