Rotating vault token and master key, and backing up the vault keys?

Hi there,

I’ve successfully managed to configure Percona Server for MySQL v8 with Vault and the keyring plugin.

I do have a few questions since I could not find them anywhere in the documentation pages:

Q1: Vault unseal/seal

Should Vault remain unsealed at all times while running with the Percona keyring plugin? Please give any context on this from your personal experience if you can.

Q2: Token renewal

The token that I generated in Vault to be used in the loose_keyring_vault_config file by default expires in 32 days or less.

Do I have to renew this token at some point, and if so, how do you suggest approaching this in an automated or manual fashion (maybe a cron job that runs vault renew?), or should I create this token with an infinite duration (this doesn’t sound right)?

Q3: Master key rotation

Also related to Q2.

What is the procedure for rotating the master key? Should Percona be restarted every time the ALTER INSTANCE query is run? (Rotating the Master Key — Percona Server 8.0 Documentation) If so, should we make sure that the token used to access Vault is valid?

Q4: Vault key backups

I’m concerned about having a backup of these generated keys in Vault. How would you go about backing up these keys (master key and other table-specific keys) in Vault? Any reference would be helpful.

Thank you very much in advance for your help!

3 Likes
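As an added example for Q2 (not code from this thread, from Percona or from HashiCorp): a cron-friendly check that reads the token out of the keyring_vault config file, asks Vault how much TTL it has left, and renews it when it drops below a threshold. It assumes the token was created renewable, that the cron user has the `vault` CLI and VAULT_ADDR available, and that the config path and the sample lookup output in the test are constructed; renewing extends the TTL of the same token string, so neither the config file nor the running server needs to change.

```python
"""Renew the keyring_vault token from cron before it expires (added example)."""
import json
import os
import re
import shutil
import subprocess
import sys

RENEW_BELOW_SECONDS = 7 * 24 * 3600  # renew once fewer than 7 days remain


def token_from_keyring_config(config_text: str) -> str:
    """Pull the `token = ...` value out of a keyring_vault config file."""
    match = re.search(r"^\s*token\s*=\s*(\S+)", config_text, re.MULTILINE)
    if not match:
        raise ValueError("no token line in keyring_vault config")
    return match.group(1)


def parse_lookup(lookup_json: str) -> dict:
    """Extract ttl (seconds) and renewable from `vault token lookup -format=json`."""
    data = json.loads(lookup_json)["data"]
    return {"ttl": int(data.get("ttl", 0)), "renewable": bool(data.get("renewable", False))}


def needs_renewal(info: dict, threshold: int = RENEW_BELOW_SECONDS) -> bool:
    """Due for renewal when the token is renewable and its TTL is below the threshold."""
    return info["renewable"] and info["ttl"] < threshold


def main(config_path: str) -> int:
    if shutil.which("vault") is None:
        print("vault CLI not found in PATH", file=sys.stderr)
        return 2
    with open(config_path) as fh:
        token = token_from_keyring_config(fh.read())
    # Act as the keyring token itself, so lookup/renew use lookup-self/renew-self.
    env = {**os.environ, "VAULT_TOKEN": token}
    out = subprocess.run(["vault", "token", "lookup", "-format=json"], env=env,
                         capture_output=True, text=True, check=True).stdout
    info = parse_lookup(out)
    if not info["renewable"]:
        print("token is not renewable; recreate it with a renewable TTL", file=sys.stderr)
        return 1
    if not needs_renewal(info):
        print(f"token has {info['ttl']}s left, nothing to do")
        return 0
    subprocess.run(["vault", "token", "renew"], env=env, check=True)
    return 0


if __name__ == "__main__":
    # Default path is an assumption; pass your loose_keyring_vault_config path instead.
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "/etc/mysql/keyring_vault.conf"))
```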

Great questions, Altin!

I am looking for some official guidance on this as well, so hoping the Percona team can point us to an article or some docs. I’m doing a few different kinds of backups of my PXC and Vault (RAFT backend) clusters, but I’m sure there’s a solution that makes better use of resources. Until there is official guidance, I’m defaulting to the “Backup all the things in all the possible ways.” philosophy :slight_smile:

1 Like

I must say that I have the same questions myself.
It would be great if someone could supply the official best practices.

1 Like

I found the following link. It relates more to K8S, but I guess it can be done in other environments.
I still would like to hear if this is the best way to go.
Basically, the idea is to install a Vault agent that will be responsible for the Vault token rotation.
As to the master key, I could not find how to do it with Vault automatically.

https://www.percona.com/doc/percona-server/8.0/security/rotating-master-key.html

1 Like