maria-discuss team mailing list archive

On-premise Encryption key-rotation solution for MDB? Works with Hashicorp Vault?


I'm working on Encryption at Rest in MDB 10.4, looking for an on-premise key rotation solution.

Back in 2016, there was a discussion on ML,


	Another possibility would be to add key rotation support to the file_key_management plugin.
	It is easier than it sounds - this plugin is quite simple.

	Chief Architect MariaDB

which referenced

	Vault as MariaDB encryption plugin -- alternative to AWS?

AFAICT, there's still no key rotation support of any kind in MariaDB's file_management plugin.

OTOH, it seems that Percona has a plugin


that works with Hashicorp Vault's KV (old) v1 engine,

	KV Secrets Engine - Version 1

There's also a v2,

	KV Secrets Engine - Version 2

and encryption with rotation can be deployed as a service

	Encryption as a Service: Transit Secrets Engine

but I haven't found examples of either of the latter two options working with Percona.

Is there a modern/current key-rotation solution for MDB other than AWS?
Similar in capability to Percona's, and preferably, self-hosted/on-premise?