XtraBackup fails when using keyring vault for encryption

xtrabackup version 2.4.24
MySQL 5.7.35

Hello - I’m trying to set up a keyring using vault and the server and vault work and I can encrypt tables. But xtrabackup isn’t working with a “keyring_vault initialization failure”. I’ve tried setting the plugin dir with --xtrabackup-plugin-dir=/usr/lib/xtrabackup/plugin but that gives me the same error. I’ve also made sure the keyring vault config is readable.
Any ideas on what to look at next?

220202 09:10:17 Added plugin ‘keyring_vault.so’ to load list.
Plugin keyring_vault reported: ‘keyring_vault initialization failure. Please check that the keyring_vault_config_file points to readable keyring_vault configuration file. Please also make sure Vault is running and accessible. The keyring_vault will stay unusable until correct configuration file gets provided.’

1 Like

I take it that you’ve gone through the examples on our documentation pages?

1 Like

Hi @limeaway.

Please ensure your Percona Server is using vault keyring V1 (it cannot be configured as auto nor v2).
Currently vault support for PXB is v1 only.
We have PXB-2608 (Upgrade Vault API to V2) in Percona JIRA to upgrade PXB 2.4 support to v2, but it is not released yet.

1 Like

Hi @matthewb - Yes I’ve gone through that documentation. I’m running into the issue just during the backup phase. It seems like the keyring plugin doesn’t get loaded running xtrabackup?

InnoDB: Encryption can’t find master key, please check the keyring plugin is loaded.
InnoDB: Encryption information in datafile: ./dev/wips.ibd can’t be decrypted, please check if a keyring plugin is loaded and initialized successfully.

Hi @Marcelo_Altmann - Yes, the server runs fine with the keyring vault and encryption.
I have “secret_mount_point_version = 1” in the keyring vault config.

1 Like
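
A preflight check for the two conditions raised in this thread, written as an added example (not code from any poster or from Percona): the keyring_vault config must be readable by the OS user that runs xtrabackup, and secret_mount_point_version must be 1. The function name, return codes, the choice to require the version to be set explicitly, and the extra warning about a world-readable file (the config holds the Vault token) are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight check of a keyring_vault config before a backup.
# Return codes (this script's own convention, not xtrabackup's):
#   0 = ok, 1 = not readable, 2 = version is not 1, 3 = file is world-readable

check_keyring_vault_conf() {
    kv_conf="$1"

    # mysqld reading the file proves nothing about the backup user:
    # test readability as the account that will actually run xtrabackup.
    if [ ! -r "$kv_conf" ]; then
        echo "FAIL: $kv_conf is not readable by user $(id -un)" >&2
        return 1
    fi

    # Pull the value of "secret_mount_point_version = <value>"; the last
    # occurrence wins and surrounding whitespace is ignored.
    kv_ver=$(sed -n 's/^[[:space:]]*secret_mount_point_version[[:space:]]*=[[:space:]]*//p' \
        "$kv_conf" | tail -n 1 | tr -d '[:space:]')

    # Per the reply above, PXB 2.4 supports v1 only, so AUTO and 2 are rejected.
    # Assumption of this example: an unset value is rejected too, so the
    # version never depends on a default.
    if [ "$kv_ver" != "1" ]; then
        echo "FAIL: secret_mount_point_version is '${kv_ver:-unset}', need 1" >&2
        return 2
    fi

    # The file carries the Vault token. Making it world-readable is the easy
    # way to "fix" a read error, so report it separately.
    if [ -n "$(find "$kv_conf" -prune -perm -004)" ]; then
        echo "WARN: $kv_conf is world-readable; use group access instead" >&2
        return 3
    fi

    return 0
}

# Stand-alone use: sh this_script.sh /path/to/keyring_vault.conf
if [ "$#" -gt 0 ]; then
    check_keyring_vault_conf "$1"
fi
```

Run it as the same user that launches xtrabackup, against the file named by keyring_vault_config_file.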