I’ve successfully managed to configure Percona Server for MySQL v8 with Vault and the keyring plugin.
I do have a few questions since I could not find them anywhere in the documentation pages:
Q1: Vault unseal/seal
Should Vault remain unsealed at all times while running with the Percona keyring plugin? Please give any context on this from your personal experience if you can.
Q2: Token renewal
The token that I generated in Vault to be used in the loose_keyring_vault_config file by default expires in 32 days or less.
Do I have to renew this token at some point, and if so, how do you suggest approaching this in an automated or manual fashion (maybe a cron job that runs vault renew?), or should I create this token with an infinite duration (this doesn’t sound right)?
Q3: Master key rotation
Also related to Q2.
What is the procedure for rotating the master key? Should Percona be restarted every time the ALTER INSTANCE query is run? (https://percona.com/doc/percona-server/8.0/security/rotating-master-key.html#rotating-master-key) If so, should we make sure that the token used to access Vault is valid?
Q4: Vault key backups
I’m concerned about having a backup of these generated keys in Vault. How would you go about backing up these keys (master key and other table-specific keys) in Vault? Any reference would be helpful.
Thank you very much in advance for your help!
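As an added illustration of the automated token-renewal check that Q2 floats (a cron job that renews the keyring token before it expires), here is a small Python helper; it is not code from the poster, from Percona or from HashiCorp. It assumes the `vault` CLI is on PATH and that `vault token lookup -format=json` returns the `data.ttl`, `data.renewable` and `data.expire_time` fields; the renewal increment of 768h (32 days) and the 7-day threshold are assumed values, and the sample lookup output is constructed.

```python
import json
import subprocess
from datetime import timedelta

# Assumed renewal increment: 768h = 32 days, the default token TTL mentioned in the post.
RENEW_INCREMENT = "768h"

# Constructed sample of `vault token lookup -format=json` output (not captured from a real Vault).
SAMPLE_LOOKUP = json.dumps({
    "data": {
        "accessor": "PLACEHOLDER-ACCESSOR",
        "creation_ttl": 2764800,          # 32 days in seconds
        "expire_time": "2024-02-01T00:00:00Z",
        "renewable": True,
        "ttl": 172800,                    # 2 days left
        "policies": ["default", "percona-keyring"],
    }
})


def renewal_decision(lookup_output, min_remaining=timedelta(days=7)):
    """Decide what to do with the keyring token from its lookup JSON.

    Returns one of:
      "ok"      - enough TTL left (or the token never expires), nothing to do
      "renew"   - renewable and below the threshold, run `vault token renew`
      "replace" - not renewable and below the threshold; a new token must be
                  issued and loose_keyring_vault_config updated by an operator
    """
    data = json.loads(lookup_output)["data"]
    if data.get("expire_time") is None:
        return "ok"                       # no expiry set on this token
    remaining = timedelta(seconds=int(data.get("ttl", 0)))
    if remaining >= min_remaining:
        return "ok"
    return "renew" if data.get("renewable") else "replace"


def vault_command(decision):
    """Map a decision to the vault CLI invocation to run, or None when manual action is needed."""
    if decision == "renew":
        return ["vault", "token", "renew", f"-increment={RENEW_INCREMENT}"]
    return None


def lookup_current_token():
    """Query the token that the VAULT_TOKEN environment variable points at (live call)."""
    proc = subprocess.run(
        ["vault", "token", "lookup", "-format=json"],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


if __name__ == "__main__":
    # Run this from cron with VAULT_ADDR and VAULT_TOKEN set to the keyring token.
    decision = renewal_decision(lookup_current_token())
    cmd = vault_command(decision)
    if cmd:
        subprocess.run(cmd, check=True)
    elif decision == "replace":
        raise SystemExit("keyring token is not renewable; issue a new one and update the keyring config")
```

One caveat worth keeping in mind with this approach: `vault token renew` cannot push a token past its max TTL, so a plain cron renewal eventually stops working; a periodic token (created with `-period`) can be renewed indefinitely as long as each renewal happens within the period, which avoids the "infinite duration" token the post is uneasy about while keeping a bounded lifetime if renewals stop.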