Rotating vault token and master key, and backing up the vault keys?

Hi there,

I’ve successfully managed to configure Percona Server for MySql v8 with Vault and the keyring plugin.

I do have a few questions since I could not find them anywhere in the documentation pages:

Q1: Vault unseal/seal

Should vault remain unsealed at all times while running with Percona keyring plugin? Please give any context on this from you personal experience if you can.

Q2: Token renewal

The token that I generated in vault to be used in the loose_keyring_vault_config file by default expires in 32days or less.

Do I have to renew this token at some point and if so how do you suggest to approach this in an automated or manual fashion (maybe a cron job that runs vault renew?), or should I create this token with an infinite duration (this doesn’t sound right)?

Q3: Master key rotation

Also related to Q2.

What is the procedure of rotating the master key, should percona be restarted every time the ALTER INSTANCE query is run? (https://percona.com/doc/percona-server/8.0/security/rotating-master-key.html#rotating-master-key) If so, should we make sure that the token used to access vault is valid?

Q4: Vault key backups

I’m concerned about having a backup of these generated keys in Vault. How would you go around backing up these keys (master key and other table specific keys) in Vault? Any reference would be helpful.

Thank you very much in advance for your help!

3 Likes

Great questions, Altin!

I am looking for some official guidance on this as well, so hoping the Percona team can point us to an article or some docs. I’m doing a few different kinds of backups of my PXC and Vault (RAFT backend) clusters, but I’m sure there’s a solution that makes better use of resources. Until there is official guidance, I’m defaulting to the “Backup all the things in all the possible ways.” philosophy :slight_smile:

1 Like

I must say that I have the same questions myself
It would be great if someone will supply and the official best practices

1 Like

I found the following links it relates more to K8S but I guess it can be done on other environments
I still would like to hear if this is the best way to go
Basically, the idea is to install a Vault agent that will be responsible for the vault token rotation
As to the master key, could not find how to do it with vault and automatically

https://www.percona.com/doc/percona-server/8.0/security/rotating-master-key.html

1 Like