
maria-discuss team mailing list archive

On-premise Encryption key-rotation solution for MDB? Works with Hashicorp Vault?


I'm working on Encryption at Rest in MDB 10.4, looking for an on-premise key rotation solution.

Back in 2016, there was a discussion on ML,

https://lists.launchpad.net/maria-discuss/msg05031.html

	Another possibility would be to add key rotation support to the
	file_key_management plugin.
	It is easier than it sounds - this plugin is quite simple.

	Regards,
	Sergei
	Chief Architect MariaDB

which referenced

	Vault as MariaDB encryption plugin -- alternative to AWS?
	https://github.com/hashicorp/vault/issues/4041

AFAICT, there's still no key rotation support of any kind in MariaDB's file_key_management plugin.

OTOH, it seems that Percona has a plugin

	https://www.percona.com/doc/percona-server/5.7/management/data_at_rest_encryption.html#keyring-vault-plugin

that works with Hashicorp Vault's KV (old) v1 engine,

	KV Secrets Engine - Version 1
	https://www.vaultproject.io/docs/secrets/kv/kv-v1.html

There's also a v2,

	KV Secrets Engine - Version 2
	https://www.vaultproject.io/docs/secrets/kv/kv-v2.html

and encryption with rotation can be deployed as a service

	Encryption as a Service: Transit Secrets Engine
	https://learn.hashicorp.com/vault/encryption-as-a-service/eaas-transit

but I haven't found examples of either of the latter two options working with Percona.

Is there a modern/current key-rotation solution for MDB other than AWS?
Similar in capability to Percona's, and preferably, self-hosted/on-premise?
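To make concrete why the file_key_management plugin cannot express a rotated key, here is an added checker (example code, not MariaDB's, Percona's or Vault's) for the plugin's key file, whose documented format is one `<key id>;<hex-encoded key>` per line. The sample key file is constructed; the assumptions that blank lines are ignored and that key ids fit in 32 bits are marked in the comments.

```python
"""Validate a MariaDB file_key_management key file.

The format carries a key id but no key version, so a second line with the
same id is a conflict rather than a rotation; the checker reports it as such.
"""
import re

# One key per line: "<decimal key id>;<hex-encoded key>".
LINE_RE = re.compile(r"^(\d+);([0-9A-Fa-f]+)$")
VALID_KEY_BYTES = {16, 24, 32}  # AES-128 / AES-192 / AES-256


def parse_key_file(text):
    """Return ({key_id: key_bytes}, [error strings]) for the file contents."""
    keys, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:  # assumption: whitespace-only lines are ignored
            continue
        m = LINE_RE.match(line)
        if not m:
            errors.append(f"line {lineno}: not of the form '<id>;<hex>'")
            continue
        key_id, hexkey = int(m.group(1)), m.group(2)
        if key_id > 0xFFFFFFFF:  # assumption: key ids are 32-bit unsigned
            errors.append(f"line {lineno}: key id {key_id} exceeds 32 bits")
            continue
        if len(hexkey) % 2 or len(hexkey) // 2 not in VALID_KEY_BYTES:
            errors.append(f"line {lineno}: key {key_id} is {len(hexkey) * 4} "
                          "bits, expected 128/192/256")
            continue
        if key_id in keys:
            errors.append(f"line {lineno}: duplicate key id {key_id} "
                          "(no version field, so this is not a rotation)")
            continue
        keys[key_id] = bytes.fromhex(hexkey)
    return keys, errors


# Constructed sample, not a real key file: key 1 (AES-128), key 2 (AES-256),
# a malformed line, and a second key 1 that a rotation-aware store would have
# to hold as a new version of the same key id.
SAMPLE = """1;00112233445566778899aabbccddeeff
2;0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
3;notahexkey
1;ffeeddccbbaa99887766554433221100
"""

if __name__ == "__main__":
    loaded, problems = parse_key_file(SAMPLE)
    print(f"loaded key ids: {sorted(loaded)}")
    for p in problems:
        print("error:", p)
```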