Storing HashiCorp Vault token used by Percona keyring_vault

We are currently using Percona keyring_vault to enable TDE on the database while storing the encryption key in HashiCorp Vault. According to the keyring_vault documentation, one will need to generate a token in Vault set with specific policies and place it within the token parameter of keyring_vault.conf.

First question: Since the token is stored in a file directly on the server, is restricting the access of the configuration file to the mysql user (using chown) sufficient in terms of security? If someone were to take a copy of the hard disk, it is possible that they could have access to the token and, thus, decrypt the data stored in Percona.

Second question: What is the best practice when providing tokens generated from HashiCorp Vault to Percona? According to this blog post in 2018, a token is generated manually in HashiCorp Vault. However, HashiCorp seems to suggest using an authentication to verify a client which then allows a token to be generated.

They would have access to the token only, not the decryption key. The token simply allows the keyring_vault plugin to talk to Vault. The key is fetched from Vault using the token and is never stored on disk.

Provided the policies on Vault are up to standard, someone with the token from another machine would not be able to fetch the encryption key and read your data. If you discover a data breach, you can revoke the token as well on the Vault side.

Thanks for your quick response @matthewb,

I’m assuming that you might be referring to an authentication method such as AppRole, which can restrict IP addresses that are allowed to log in using the role_id (secret_id_bound_cidrs) and use tokens to access vault (token_bound_cidrs)?