Support for OpenBao for TDE Key Management

Percona has integrations for key management for several of its products (MySQL, MongoDB, Postgres) with the formerly open source HashiCorp Vault product (changed to the Business Source License 1.1 on 2023-08-10, with most coverage regarding Terraform); HashiCorp is no longer releasing security or other patches for the Mozilla Public License version after 2023-12-31.

IBM and a number of other companies have announced an OpenBao fork of Vault from its last open source MPL Community Edition release to be managed under the Linux Foundation. The incubating project is deciding what plugins will be supported and which will be community supported (Proposal: Supported Plugins - Internal & External · openbao · Discussion #64 · GitHub).

It seems that there may be two plugins associated with Percona’s MySQL TDE integration, one from Vault and one from Percona. There is a suggestion from an OpenBao member that an improved approach to the integration would avoid having the key reside in Percona as a text blob with no access control limitations, and instead be a reference to a key that it can retrieve (Proposal: Supported Plugins - Internal & External · openbao · Discussion #64 · GitHub). I don’t have an opinion on how it is actually implemented, or if the suggested change would allow for the needed performance for encryption during every write, or whether the key is safe in memory.

However, I’m wondering if Percona could provide a policy statement that it will continue to support an open source TDE solution for MySQL (and presumably other products) by providing support for OpenBao going forward. This doesn’t preclude offering continued HashiCorp Vault support, though there is an expectation that the projects may diverge and at most have drop-in replacement compatibility for the last MPL version from HashiCorp.

Hi @JoeMurray

Thank you for this suggestion.

We are currently working on an enhancement of the encryption plugin for Percona Server for MySQL. Once this work is finished (we are close to wrapping up the development phase) we will take a look at the OpenBao fork of Vault. If it is indeed a natural progression of HashiCorp Vault, we do not envision any problems supporting it.

That being said, let’s wait with the official policy statement until we have the research completed. I will update this thread then.

In the meantime, if you have any other comments on this topic, please let me know. I am also open to a quick video call if that works better for you.

Warm regards,
Group PM at Percona.

Thanks very much for the update, @Bartosz_Gatz.

Although I am not close to them, I would be happy to facilitate an introduction to leaders in the OpenBao community at a time of your choosing if that is ever of interest.

I don’t have more to add at this point beyond appreciation for your work and reply.

I look forward to an update.