Support for OpenBao for TDE Key Management

Percona has integrations for key management for several of its products (MySQL, MongoDB, Postgres) with the formerly open source HashiCorp Vault product (changed to a Business Source License 1.1 on 2023-08-10, with most coverage regarding Terraform), and HashiCorp is no longer releasing security or other patches for the Mozilla Public License version after 2023-12-31.

IBM and a number of other companies have announced an OpenBao fork of Vault from its last open source MPL Community Edition release to be managed under the Linux Foundation. The incubating project is deciding what plugins will be supported and which will be community supported. Proposal: Supported Plugins - Internal & External · openbao · Discussion #64 · GitHub

It seems that there may be two plugins associated with Percona's MySQL TDE integration, one from Vault and one from Percona. There is a suggestion from an OpenBao member that an improved approach to the integration would avoid having the key reside in Percona as a text blob with no access control limitations, and instead be a reference to a key that it can retrieve (Proposal: Supported Plugins - Internal & External · openbao · Discussion #64 · GitHub). I don't have an opinion on how it is actually implemented, whether the suggested change would allow for the needed performance for encryption during every write, or whether the key is safe in memory.

However, I'm wondering if Percona could provide a policy statement that it will continue to support an open source TDE solution for MySQL (and presumably other products) by providing support for OpenBao going forward. This doesn't preclude offering continued HashiCorp Vault support, though there is an expectation that the projects may diverge and at most have drop-in replacement compatibility with the last MPL version from HashiCorp.