{"id":2687,"date":"2022-12-10T00:00:25","date_gmt":"2022-12-10T00:00:25","guid":{"rendered":"http:\/\/kedar.nitty-witty.com\/?p=2687"},"modified":"2024-01-27T17:27:23","modified_gmt":"2024-01-27T17:27:23","slug":"encryption-mysql-encryption-percona-vault-virtual-days-slides-video","status":"publish","type":"post","link":"https:\/\/kedar.nitty-witty.com\/blog\/encryption-mysql-encryption-percona-vault-virtual-days-slides-video","title":{"rendered":"Securing MySQL: Data Encryption with Percona Server and Vault"},"content":{"rendered":"\n<p><strong>Percona Tech Days<\/strong> are free, half-day events dedicated to the most popular open source database technologies: PostgreSQL, MongoDB and MySQL.<\/p>\n\n\n\n<p>The MySQL session, <strong>MySQL Encryption with Percona Server for MySQL Using Vault<\/strong>, was streamed on <strong>December 7th, 2022<\/strong>.<em> (I understand this post is delayed a lot but better late than never.)<\/em><\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe title=\"Encryption with Percona Server for MySQL - Percona Virtual Tech Days\" width=\"500\" height=\"281\" src=\"https:\/\/www.youtube.com\/embed\/Nut7jN0o7Rs?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p>Sensitive data has to be protected from unauthorized access, and attacks on stored data are routine. One control is data encryption: transforming the data so that only parties holding the right key can read it. 
<\/p>\n\n\n\n<p>Percona Server for MySQL is a widely used open source database, and this post looks at the Percona Tech Days talk on encrypting it with Vault.<\/p>\n\n\n\n<p>The talk covers encrypting data in transit and at rest, with the emphasis on the latter: the basics of transparent data encryption, the setup of the keyring_vault plugin in Percona Server, and the other places data ends up on disk, such as backups and logs. Watch the recording if you want the full walkthrough.<\/p>\n\n\n\n<p>Leave a comment if you need further information on this subject.<\/p>\n\n\n\n<p>Subscribe to the Percona blog to stay up to date.<\/p>\n\n\n\n<p>The work log for the demo shown in the talk follows.<\/p>\n\n\n\n<p>Link: <a href=\"https:\/\/www.percona.com\/events\" target=\"_blank\" rel=\"noopener nofollow\" title=\"\">https:\/\/www.percona.com\/events<\/a><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Install Vault (and jq) on the Vault host, 172.31.86.35, from the HashiCorp yum repository\n\n&#91;root@ip-172-31-86-35 ~]# sudo yum install -y yum-utils epel-release\nLoaded plugins: fastestmirror\nDetermining fastest mirrors\n * base: download.cf.centos.org\n * extras: download.cf.centos.org\n * updates: download.cf.centos.org\nbase                       | 3.6 kB  00:00:00\nextras                     | 2.9 kB  00:00:00\npercona-release-noarch     | 1.5 kB  00:00:00\npercona-release-x86_64     | 2.9 kB  00:00:00\nprel-release-noarch        | 1.5 kB  00:00:00\nupdates                    | 2.9 kB  00:00:00\n(1\/2): updates\/7\/x86_64\/primary_db            |  18 MB  00:00:00\n(2\/2): percona-release-x86_64\/7\/primary_db    | 1.3 MB  00:00:02\nPackage yum-utils-1.1.31-54.el7_8.noarch already installed and latest 
version\nResolving Dependencies\n--&gt; Running transaction check\n---&gt; Package epel-release.noarch 0:7-11 will be installed\n--&gt; Finished Dependency Resolution\n\nDependencies Resolved\n\n====================================================================================================================================================\n Package                                 Arch                              Version                          Repository                         Size\n====================================================================================================================================================\nInstalling:\n epel-release                            noarch                            7-11                             extras                             15 k\n\nTransaction Summary\n====================================================================================================================================================\nInstall  1 Package\n\nTotal download size: 15 k\nInstalled size: 24 k\nDownloading packages:\nepel-release-7-11.noarch.rpm                                                                                                 |  15 kB  00:00:00\nRunning transaction check\nRunning transaction test\nTransaction test succeeded\nRunning transaction\n  Installing : epel-release-7-11.noarch         1\/1\n  Verifying  : epel-release-7-11.noarch         1\/1\n\nInstalled:\n  epel-release.noarch 0:7-11\n\nComplete!\n&#91;root@ip-172-31-86-35 ~]# sudo yum-config-manager --add-repo https:\/\/rpm.releases.hashicorp.com\/RHEL\/hashicorp.repo\nLoaded plugins: fastestmirror\nadding repo from: https:\/\/rpm.releases.hashicorp.com\/RHEL\/hashicorp.repo\ngrabbing file https:\/\/rpm.releases.hashicorp.com\/RHEL\/hashicorp.repo to \/etc\/yum.repos.d\/hashicorp.repo\nrepo saved to \/etc\/yum.repos.d\/hashicorp.repo\n&#91;root@ip-172-31-86-35 ~]# sudo yum -y install vault jq\nLoaded plugins: fastestmirror\nLoading mirror speeds from 
cached hostfile\nepel\/x86_64\/metalink                                                                                                         |  22 kB  00:00:00\n * base: download.cf.centos.org\n * epel: dl.fedoraproject.org\n * extras: download.cf.centos.org\n * updates: download.cf.centos.org\nhttp:\/\/mirror.es.its.nyu.edu\/epel\/7\/x86_64\/repodata\/repomd.xml: &#91;Errno 12] Timeout on http:\/\/mirror.es.its.nyu.edu\/epel\/7\/x86_64\/repodata\/repomd.xml: (28, 'Connection timed out after 30001 milliseconds')\nTrying other mirror.\nepel                                                                                                                         | 4.7 kB  00:00:00\nhashicorp                                                                                                                    | 1.4 kB  00:00:00\n(1\/4): hashicorp\/7\/x86_64\/primary                                                                                            | 134 kB  00:00:00\n(2\/4): epel\/x86_64\/group_gz                                                                                                  |  98 kB  00:00:00\n(3\/4): epel\/x86_64\/updateinfo                                                                                                | 1.0 MB  00:00:00\n(4\/4): epel\/x86_64\/primary_db                                                                                                | 7.0 MB  00:00:00\nhashicorp                                                                                                                                   948\/948\nResolving Dependencies\n--&gt; Running transaction check\n---&gt; Package jq.x86_64 0:1.6-2.el7 will be installed\n--&gt; Processing Dependency: libonig.so.5()(64bit) for package: jq-1.6-2.el7.x86_64\n---&gt; Package vault.x86_64 0:1.12.1-1 will be installed\n--&gt; Running transaction check\n---&gt; Package oniguruma.x86_64 0:6.8.2-2.el7 will be installed\n--&gt; Finished Dependency Resolution\n\nDependencies 
Resolved\n\n====================================================================================================================================================\n Package                            Arch                            Version                                Repository                          Size\n====================================================================================================================================================\nInstalling:\n jq                                 x86_64                          1.6-2.el7                              epel                               167 k\n vault                              x86_64                          1.12.1-1                               hashicorp                           81 M\nInstalling for dependencies:\n oniguruma                          x86_64                          6.8.2-2.el7                            epel                               181 k\n\nTransaction Summary\n====================================================================================================================================================\nInstall  2 Packages (+1 Dependent package)\n\nTotal download size: 81 M\nInstalled size: 205 M\nDownloading packages:\nwarning: \/var\/cache\/yum\/x86_64\/7\/epel\/packages\/jq-1.6-2.el7.x86_64.rpm: Header V3 RSA\/SHA256 Signature, key ID 352c64e5: NOKEY\nPublic key for jq-1.6-2.el7.x86_64.rpm is not installed\n(1\/3): jq-1.6-2.el7.x86_64.rpm                                                                                               | 167 kB  00:00:00\n(2\/3): oniguruma-6.8.2-2.el7.x86_64.rpm                                                                                      | 181 kB  00:00:00\nwarning: \/var\/cache\/yum\/x86_64\/7\/hashicorp\/packages\/vault-1.12.1-1.x86_64.rpm: Header V4 RSA\/SHA512 Signature, key ID a3219f7b: NOKEY  00:00:00 ETA\nPublic key for vault-1.12.1-1.x86_64.rpm is not installed\n(3\/3): vault-1.12.1-1.x86_64.rpm                     
                                                                        |  81 MB  00:00:01\n----------------------------------------------------------------------------------------------------------------------------------------------------\nTotal                                                                                                                52 MB\/s |  81 MB  00:00:01\nRetrieving key from https:\/\/rpm.releases.hashicorp.com\/gpg\nImporting GPG key 0xA3219F7B:\n&#91;req]\n Userid     : \"HashiCorp Security (HashiCorp Package Signing) &lt;security+packaging@hashicorp.com&gt;\"\n Fingerprint: e8a0 32e0 94d8 eb4e a189 d270 da41 8c88 a321 9f7b\n From       : https:\/\/rpm.releases.hashicorp.com\/gpg\nRetrieving key from file:\/\/\/etc\/pki\/rpm-gpg\/RPM-GPG-KEY-EPEL-7\nImporting GPG key 0x352C64E5:\n Userid     : \"Fedora EPEL (7) &lt;epel@fedoraproject.org&gt;\"\n Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5\n Package    : epel-release-7-11.noarch (@extras)\n From       : \/etc\/pki\/rpm-gpg\/RPM-GPG-KEY-EPEL-7\nRunning transaction check\nRunning transaction test\nTransaction test succeeded\nRunning transaction\n  Installing : oniguruma-6.8.2-2.el7.x86_64                                                                                                     1\/3\n  Installing : jq-1.6-2.el7.x86_64                                                                                                              2\/3\n  Installing : vault-1.12.1-1.x86_64                                                                                                            3\/3Generating Vault TLS key and self-signed certificate...\nGenerating a 4096 bit RSA private key\n...............................................................................................................................................++\n.........................................................................++\nwriting new private key to 'tls.key'\n-----\nVault TLS key and 
self-signed certificate have been generated in '\/opt\/vault\/tls'.\n  Verifying  : vault-1.12.1-1.x86_64             1\/3\n  Verifying  : oniguruma-6.8.2-2.el7.x86_64      2\/3\n  Verifying  : jq-1.6-2.el7.x86_64                3\/3\n\nInstalled:\n  jq.x86_64 0:1.6-2.el7                                                   vault.x86_64 0:1.12.1-1\n\nDependency Installed:\n  oniguruma.x86_64 0:6.8.2-2.el7\n\nComplete!\n&#91;root@ip-172-31-86-35 ~]#<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code># Generate the TLS key and self-signed certificate for the Vault listener, then the Vault config\n# The certificate carries the listener IP as a subjectAltName so that clients can verify it\n\n&#91;root@ip-172-31-86-35 ~]# mkdir \/etc\/sslkeys\n&#91;root@ip-172-31-86-35 ~]# cd \/etc\/sslkeys\n&#91;root@ip-172-31-86-35 sslkeys]# cat ssl.conf\n&#91;req]\ndistinguished_name = req_distinguished_name\nx509_extensions = v3_req\nprompt = no\n\n&#91;req_distinguished_name]\nC = US\nST = NC\nL =  R\nO = Percona\nCN = *\n\n&#91;v3_req]\nsubjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid,issuer\nbasicConstraints = CA:TRUE\nsubjectAltName = @alt_names\n\n&#91;alt_names]\nIP = 172.31.86.35\n\n\n&#91;root@ip-172-31-86-35 sslkeys]# openssl req -config ssl.conf -x509 -days 365 -batch -nodes -newkey rsa:2048 -keyout vault.key -out vault.crt\nGenerating a 2048 bit RSA private key\n...................................+++\n...............................+++\nwriting new private key to 'vault.key'\n-----\n# vault.pem bundles the private key with the certificate; it stays on the Vault host. Clients only ever need vault.crt\n&#91;root@ip-172-31-86-35 sslkeys]# cat vault.key vault.crt &gt; vault.pem\n&#91;root@ip-172-31-86-35 sslkeys]# ls -lhtr\ntotal 16K\n-rw-r--r--. 1 root root  314 Nov 21 09:57 ssl.conf\n-rw-r--r--. 1 root root 1.7K Nov 21 09:58 vault.key\n-rw-r--r--. 1 root root 1.3K Nov 21 09:58 vault.crt\n-rw-r--r--. 
1 root root 2.9K Nov 21 09:58 vault.pem\n\n# vault.key and vault.pem contain the listener's private key and are world-readable (0644) above; restrict them to root and the vault service user before going beyond a demo\n\n&#91;root@ip-172-31-86-35 sslkeys]#  cat \/etc\/vault.d\/vault.hcl | grep -v \"#\"\n\nui = true\n\ndisable_mlock = true\n\nstorage \"file\" {\n  path = \"\/opt\/vault\/data\"\n}\n\n\n\nlistener \"tcp\" {\n  address       = \"172.31.86.35:8200\"\n  tls_cert_file = \"\/etc\/sslkeys\/vault.crt\"\n  tls_key_file  = \"\/etc\/sslkeys\/vault.key\"\n}\n\n# disable_mlock = true lets the OS swap Vault's memory, which holds unsealed key material, to disk; acceptable for a demo, not for production\n# I had wrong IP in ssl.conf while generating the certificates earlier. Stopped vault, regenerated certs, started vault\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code># Vault initialization\n# The first init attempt fails TLS verification because the certificate was issued for the wrong IP (see the note above): regenerate the certificate, restart Vault, then init again\n&#91;root@ip-172-31-86-35 sslkeys]# vault operator init\nGet \"https:\/\/172.31.86.35:8200\/v1\/sys\/seal-status\": x509: certificate is valid for 10.0.2.18, not 172.31.86.35\n&#91;root@ip-172-31-86-35 sslkeys]# vi \/etc\/vault.d\/vault.\nvault.env  vault.hcl\n&#91;root@ip-172-31-86-35 sslkeys]# vi \/etc\/vault.d\/vault.\nvault.env  vault.hcl\n&#91;root@ip-172-31-86-35 sslkeys]# vi \/etc\/vault.d\/vault.hcl\n&#91;root@ip-172-31-86-35 sslkeys]# vi \/etc\/vault.d\/vault.env\n&#91;root@ip-172-31-86-35 sslkeys]# systemctl stop vaulkt\nFailed to stop vaulkt.service: Unit vaulkt.service not loaded.\n&#91;root@ip-172-31-86-35 sslkeys]# systemctl stop vault\n&#91;root@ip-172-31-86-35 sslkeys]# systemctl status vault.service\n\u25cf vault.service - \"HashiCorp Vault - A tool for managing secrets\"\n   Loaded: loaded (\/usr\/lib\/systemd\/system\/vault.service; disabled; vendor preset: disabled)\n   Active: inactive (dead)\n     Docs: https:\/\/www.vaultproject.io\/docs\/\n\nNov 21 10:15:18 ip-172-31-86-35.ec2.internal vault&#91;28624]: 2022-11-21T10:15:18.769Z &#91;INFO]  http: TLS handshake error from 172.31.86.35:562...ficate\nNov 21 10:21:51 ip-172-31-86-35.ec2.internal vault&#91;28624]: 2022-11-21T10:21:51.385Z &#91;INFO]  http: TLS handshake error from 172.31.86.35:562...ficate\nNov 21 10:22:29 ip-172-31-86-35.ec2.internal systemd&#91;1]: Stopping \"HashiCorp Vault - A 
tool for managing secrets\"...\nNov 21 10:22:29 ip-172-31-86-35.ec2.internal systemd&#91;1]: Stopped \"HashiCorp Vault - A tool for managing secrets\".\nNov 21 10:22:29 ip-172-31-86-35.ec2.internal systemd&#91;1]: &#91;\/usr\/lib\/systemd\/system\/vault.service:7] Unknown lvalue 'StartLimitIntervalSec' ... 'Unit'\nNov 21 10:22:29 ip-172-31-86-35.ec2.internal systemd&#91;1]: &#91;\/usr\/lib\/systemd\/system\/vault.service:8] Unknown lvalue 'StartLimitBurst' in sec... 'Unit'\nNov 21 10:22:29 ip-172-31-86-35.ec2.internal systemd&#91;1]: &#91;\/usr\/lib\/systemd\/system\/vault.service:7] Unknown lvalue 'StartLimitIntervalSec' ... 'Unit'\nNov 21 10:22:29 ip-172-31-86-35.ec2.internal systemd&#91;1]: &#91;\/usr\/lib\/systemd\/system\/vault.service:8] Unknown lvalue 'StartLimitBurst' in sec... 'Unit'\nNov 21 10:22:34 ip-172-31-86-35.ec2.internal systemd&#91;1]: &#91;\/usr\/lib\/systemd\/system\/vault.service:7] Unknown lvalue 'StartLimitIntervalSec' ... 'Unit'\nNov 21 10:22:34 ip-172-31-86-35.ec2.internal systemd&#91;1]: &#91;\/usr\/lib\/systemd\/system\/vault.service:8] Unknown lvalue 'StartLimitBurst' in sec... 
'Unit'\nHint: Some lines were ellipsized, use -l to show in full.\n&#91;root@ip-172-31-86-35 sslkeys]# openssl req -config ssl.conf -x509 -days 365 -batch -nodes -newkey rsa:2048 -keyout vault.key -out vault.crt\nGenerating a 2048 bit RSA private key\n......................................................................................................+++\n....................................................................................................................+++\nwriting new private key to 'vault.key'\n-----\n&#91;root@ip-172-31-86-35 sslkeys]# cat vault.key vault.crt &gt; vault.pem\n&#91;root@ip-172-31-86-35 sslkeys]# systemctl start vault\n\n\n\n&#91;root@ip-172-31-86-35 sslkeys]# vault operator init\nUnseal Key 1: QUQSR\/uyijp+hkdsRDJRaR6FTltQeSU0OOSCKYxRGqo9\nUnseal Key 2: gh2b+wQ5DpGgwArXaGEVmtdZGJ5JxsRxItP+B+ADSoPT\nUnseal Key 3: KFYSvC5k\/c\/ZtBQ07F1mVvcJ94Gm0GHCzXBQvcs2i5Qu\nUnseal Key 4: wOV2yMa0hgh5pSz8LGxym3Hxw7+WExdWkRvOhgT0OsST\nUnseal Key 5: NYyn6iovdhdS1vDW8t\/aX2OtpHEOiqy0w1BLeTr4fspv\n\nInitial Root Token: hvs.OL17owxJNxq7cf84VCAhdcVF\n\nVault initialized with 5 key shares and a key threshold of 3. Please securely\ndistribute the key shares printed above. When the Vault is re-sealed,\nrestarted, or stopped, you must supply at least 3 of these keys to unseal it\nbefore it can start servicing requests.\n\nVault does not store the generated root key. Without at least 3 keys to\nreconstruct the root key, Vault will remain permanently sealed!\n\nIt is possible to generate new unseal keys, provided you have a quorum of\nexisting unseal keys shares. 
See \"vault operator rekey\" for more information.\n\n\n&#91;root@ip-172-31-86-35 sslkeys]# netstat -tupan | grep 820\ntcp        0      0 172.31.86.35:8200       0.0.0.0:*               LISTEN      28755\/vault\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code># Unseal Vault, log in, prepare the MySQL policy\n# Run 'vault operator unseal' once per key share until the threshold is reached (3 of the 5 shares printed by 'vault operator init'); the status below is from the unseal that met the threshold\n&#91;root@ip-172-31-86-35 sslkeys]# vault operator unseal\nUnseal Key (will be hidden):\nKey             Value\n---             -----\nSeal Type       shamir\nInitialized     true\nSealed          false\nTotal Shares    5\nThreshold       3\nVersion         1.12.1\nBuild Date      2022-10-27T12:32:05Z\nStorage Type    file\nCluster Name    vault-cluster-cbc9f102\nCluster ID      5f8422e4-14b9-8b52-819c-8cb72cb4f550\nHA Enabled      false\n\n\n# Log in with the initial root token; it is used only for this bootstrap, the MySQL servers get a token scoped by the policy below\n&#91;root@ip-172-31-86-35 sslkeys]# vault login\nToken (will be hidden):\nSuccess! You are now authenticated. The token information displayed below\nis already stored in the token helper. You do NOT need to run \"vault login\"\nagain. Future Vault requests will automatically use this token.\n\nKey                  Value\n---                  -----\ntoken                hvs.OL17owxJNxq7cf84VCAhdcVF\ntoken_accessor       ivTNmfi4Ehh20GsSADdk515h\ntoken_duration       \u221e\ntoken_renewable      false\ntoken_policies       &#91;\"root\"]\nidentity_policies    &#91;]\npolicies             &#91;\"root\"]\n&#91;root@ip-172-31-86-35 sslkeys]#\n\n\n# Policy for the MySQL servers: list anywhere under secret\/, full access only under secret\/mysql\/\n&#91;root@ip-172-31-86-35 sslkeys]# mkdir -p \/etc\/vault\/policy\n&#91;root@ip-172-31-86-35 sslkeys]# cat \/etc\/vault\/policy\/mysql.hcl\npath \"secret\/*\" {\n  capabilities = &#91;\"list\"]\n}\n\npath \"secret\/mysql\/*\" {\n  capabilities = &#91;\"create\", \"read\", \"delete\", \"update\", \"list\"]\n}\n\n&#91;root@ip-172-31-86-35 sslkeys]# vault policy write mysql-secrets \/etc\/vault\/policy\/mysql.hcl\nSuccess! 
Uploaded policy: mysql-secrets\n# Token for the MySQL servers, scoped by the policy. token_duration 768h means it expires after 32 days; for a long-running mysqld use a periodic token (vault token create -period=...) and renew it from outside mysqld\n&#91;root@ip-172-31-86-35 sslkeys]# vault token create -policy=mysql-secrets &gt; ~\/mysql-vault-token\n&#91;root@ip-172-31-86-35 sslkeys]# cat ~\/mysql-vault-token\nKey                  Value\n---                  -----\ntoken                hvs.CAESIA0simB1I_i8PB6li5OMui42YAMe4GLkS9G7OntdZDq3Gh4KHGh2cy5haWZtZGpoTlRzTkdETDFCZ2dXMmhYemo\ntoken_accessor       DvcJVAGOC1yhzhn1aNAr9pJk\ntoken_duration       768h\ntoken_renewable      true\ntoken_policies       &#91;\"default\" \"mysql-secrets\"]\nidentity_policies    &#91;]\npolicies             &#91;\"default\" \"mysql-secrets\"]\n&#91;root@ip-172-31-86-35 sslkeys]#\n\n# Enable a KV secrets engine at secret\/ for the keyring to store its keys under (the kv engine defaults to version 1)\n&#91;root@ip-172-31-86-35 sslkeys]# vault secrets enable -path=secret kv\nSuccess! Enabled the kv secrets engine at: secret\/\n&#91;root@ip-172-31-86-35 sslkeys]#\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code># MySQL side configuration\n# Ship the Vault server certificate to the MySQL servers so keyring_vault can verify the TLS connection.\n# Only vault.crt is needed; vault.pem also contains the listener's private key and must stay on the Vault host.\n\nOn Percona MySQL Servers:\nmkdir \/etc\/vault_ca\nscp 172.31.86.35:\/etc\/sslkeys\/vault.crt \/etc\/vault_ca\/vault.crt\nchown mysql:mysql \/etc\/vault_ca -R\n\n\n# Enable the plugin and point it at the keyring config in my.cnf\n\n&#91;mysqld]\nearly-plugin-load=\"keyring_vault=keyring_vault.so\"\nloose-keyring_vault_config=\"\/var\/lib\/mysql-keyring\/keyring_vault.conf\"\n\n\n# Create the keyring_vault configuration file. It holds the Vault token in clear text, so it should be owned by mysql with mode 0600\n\n&#91;root@ip-172-31-80-134 ~]# cat \/var\/lib\/mysql-keyring\/keyring_vault.conf\nvault_url = https:\/\/172.31.86.35:8200\nsecret_mount_point = secret\/mysql\/master\ntoken = hvs.CAESIA0simB1I_i8PB6li5OMui42YAMe4GLkS9G7OntdZDq3Gh4KHGh2cy5haWZtZGpoTlRzTkdETDFCZ2dXMmhYemo\nvault_ca = \/etc\/vault_ca\/vault.crt\n\n# After restarting mysqld, the keyring_vault plugin shows as ACTIVE\nmysql&gt; show plugins;\n+-------------------------------+----------+--------------------+------------------+---------+\n| Name                          | Status   | Type               | Library          | License 
|\n+-------------------------------+----------+--------------------+------------------+---------+\n| keyring_vault                 | ACTIVE   | KEYRING            | keyring_vault.so | GPL     |\n...\n\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code># Encrypt a table\nmysql&gt; alter table backup_test encryption='Y';\nQuery OK, 30 rows affected (0.07 sec)\nRecords: 30  Duplicates: 0  Warnings: 0\n\nmysql&gt; use test; show create table backup_test\\G\nReading table information for completion of table and column names\nYou can turn off this feature to get a quicker startup with -A\n\nDatabase changed\n*************************** 1. row ***************************\n       Table: backup_test\nCreate Table: CREATE TABLE `backup_test` (\n  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,\n  PRIMARY KEY (`id`)\n) ENGINE=InnoDB AUTO_INCREMENT=88 DEFAULT CHARSET=latin1 ENCRYPTION='Y'\n1 row in set (0.00 sec)\n\nmysql&gt; select * from backup_test;\n+----+\n| id |\n+----+\n|  1 |\n|  3 |\n|  6 |\n...\n| 77 |\n| 80 |\n| 83 |\n| 86 |\n+----+\n30 rows in set (0.00 sec)\n\nmysql&gt; SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES WHERE CREATE_OPTIONS LIKE '%ENCRYPTION%';\n+--------------+-------------+----------------+\n| TABLE_SCHEMA | TABLE_NAME  | CREATE_OPTIONS |\n+--------------+-------------+----------------+\n| test         | backup_test | ENCRYPTION=\"Y\" |\n+--------------+-------------+----------------+\n1 row in set (0.16 sec)\n<\/code><\/pre>\n\n\n\n<p>Errors during setup:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>2022-11-21T13:18:56.842070Z 0 &#91;ERROR] Plugin keyring_vault reported: 'keyring_vault initialization failure.\n\nPlease check that the keyring_vault_config_file points to readable keyring_vault configuration file.\nPlease also make sure Vault is running and accessible. 
The keyring_vault will stay unusable until correct configuration file gets provided.'\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>2022-11-21T13:37:52.844008Z 0 &#91;ERROR] Plugin keyring_vault reported: 'CURL returned this error code: 77 with error message : Problem with the SSL CA cert (path? access rights?)'\n2022-11-21T13:37:52.844066Z 0 &#91;Note] Plugin keyring_vault reported: 'Probing secret for being a mount point unsuccessful - skipped.'\n2022-11-21T13:37:52.844280Z 0 &#91;ERROR] Plugin keyring_vault reported: 'CURL returned this error code: 77 with error message : Problem with the SSL CA cert (path? access rights?)'\n...\n2022-11-21T13:37:52.844317Z 0 &#91;Note] Plugin keyring_vault reported: 'Probing secret\/mysql for being a mount point unsuccessful - skipped.'\n2022-11-21T13:37:52.844825Z 0 &#91;ERROR] Plugin keyring_vault reported: 'Error while loading keyring content. The keyring might be malformed'\n2022-11-21T13:37:52.844830Z 0 &#91;ERROR] Plugin keyring_vault reported: 'keyring_vault initialization failure. \n\nPlease check that the keyring_vault_config_file points to readable keyring_vault configuration file. Please also make sure Vault is running and accessible. 
The keyring_vault will stay unusable until correct configuration file gets provided.\n<\/code><\/pre>\n\n\n\n<p>References:<\/p>\n\n\n\n<p><a href=\"https:\/\/www.percona.com\/blog\/2018\/09\/17\/using-the-keyring_vault-plugin-with-percona-server-for-mysql-5-7\/\" target=\"_blank\" rel=\"noopener nofollow\" title=\"\">https:\/\/www.percona.com\/blog\/2018\/09\/17\/using-the-keyring_vault-plugin-with-percona-server-for-mysql-5-7\/<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.percona.com\/blog\/2020\/04\/21\/using-vault-to-store-the-master-key-for-data-at-rest-encryption-on-percona-server-for-mongodb\/\" target=\"_blank\" rel=\"noopener nofollow\" title=\"\">https:\/\/www.percona.com\/blog\/2020\/04\/21\/using-vault-to-store-the-master-key-for-data-at-rest-encryption-on-percona-server-for-mongodb\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Percona Tech Days are free, half-day events dedicated to the most popular open source database technologies: PostgreSQL, MongoDB and MySQL. 
This talk for MySQL was related to MySQL Encryption with&hellip;\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[8,870],"tags":[523,522,520,427,524,519,521],"class_list":{"0":"post-2687","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-mysql","7":"category-mysql-tools","8":"tag-data-encryption","9":"tag-data-security","10":"tag-encryption","11":"tag-mysql","12":"tag-mysql-encryption","13":"tag-percona-talk","14":"tag-vault"},"aioseo_notices":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/kedar.nitty-witty.com\/blog\/wp-json\/wp\/v2\/posts\/2687","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kedar.nitty-witty.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kedar.nitty-witty.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kedar.nitty-witty.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kedar.nitty-witty.com\/blog\/wp-json\/wp\/v2\/comments?post=2687"}],"version-history":[{"count":4,"href":"https:\/\/kedar.nitty-witty.com\/blog\/wp-json\/wp\/v2\/posts\/2687\/revisions"}],"predecessor-version":[{"id":2741,"href":"https:\/\/kedar.nitty-witty.com\/blog\/wp-json\/wp\/v2\/posts\/2687\/revisions\/2741"}],"wp:attachment":[{"href":"https:\/\/kedar.nitty-witty.com\/blog\/wp-json\/wp\/v2\/media?parent=2687"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kedar.nitty-witty.com\/blog\/wp-json\/wp\/v2\/categories?post=2687"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kedar.nitty-witty.com\/blog\/wp-json\/wp\/v2\/tags?post=2687"}],"curies":[{"name":"wp","href
":"https:\/\/api.w.org\/{rel}","templated":true}]}}
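Added example for the policy and token step of the work log above (not code from the post, from Percona or from HashiCorp): a small evaluator that applies Vault's documented ACL matching rules to the mysql-secrets policy, so the blast radius of the token written into keyring_vault.conf can be read off before the token is handed to a MySQL host. It models an exact-path rule taking precedence, otherwise the longest matching glob prefix (a path ending in `*`), union of capabilities across the policies attached to a token, and `deny` overriding everything else. The `+` segment wildcard, parameter constraints and the self-service paths granted by the `default` policy are assumed out of scope, and `secret/mysql/master/key-1` is an assumed example of where the keyring writes under its secret_mount_point.

```python
"""Evaluate what a token holding the mysql-secrets policy may do on a path.

Simplified model of Vault ACL matching: exact path first, otherwise the
longest glob prefix; capabilities are unioned across policies; deny wins.
"""
import re

# Constructed copy of /etc/vault/policy/mysql.hcl from the work log.
MYSQL_SECRETS_POLICY = """
path "secret/*" {
  capabilities = ["list"]
}

path "secret/mysql/*" {
  capabilities = ["create", "read", "delete", "update", "list"]
}
"""

# Matches the simple `path "..." { capabilities = [...] }` stanza form only.
_RULE_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}'
)


def parse_policy(hcl):
    """Return {path: set(capabilities)} for a policy in the stanza form above."""
    rules = {}
    for path, caps in _RULE_RE.findall(hcl):
        rules.setdefault(path, set()).update(re.findall(r'"([^"]+)"', caps))
    return rules


def merge_policies(*policies):
    """Union the rules of every policy attached to a token (new dict, inputs untouched)."""
    merged = {}
    for rules in policies:
        for path, caps in rules.items():
            merged.setdefault(path, set()).update(caps)
    return merged


def capabilities_for(rules, request_path):
    """Capabilities granted on request_path: exact rule, else longest glob prefix, else none."""
    if request_path in rules:
        caps = rules[request_path]
    else:
        caps, best_len = set(), -1
        for path, path_caps in rules.items():
            if path.endswith("*"):
                prefix = path[:-1]
                if request_path.startswith(prefix) and len(prefix) > best_len:
                    caps, best_len = path_caps, len(prefix)
    # A deny anywhere in the winning rule removes every other capability.
    return {"deny"} if "deny" in caps else set(caps)


def is_allowed(rules, request_path, capability):
    return capability in capabilities_for(rules, request_path)


def blast_radius(rules, paths):
    """Map each candidate path to the sorted capabilities the token has there."""
    return {p: sorted(capabilities_for(rules, p)) for p in paths}


if __name__ == "__main__":
    rules = merge_policies(parse_policy(MYSQL_SECRETS_POLICY))
    for path, caps in blast_radius(rules, [
        "secret/",                    # listing the whole mount is allowed
        "secret/mysql/master/key-1",  # assumed key path under secret_mount_point
        "secret/other/app-password",  # someone else's secret on the same mount
        "sys/mounts",                 # not covered by the policy at all
    ]).items():
        print(f"{path:30} {caps}")
```

The point to take from running it: a leaked keyring_vault.conf gives an attacker read and write on everything under secret/mysql/ plus the ability to enumerate every path under secret/, but nothing on other mounts. Moving the MySQL keys to their own mount and dropping the `secret/*` list rule shrinks that further.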
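Added example for the MySQL-side configuration and the "Errors during setup" log above (not code from the post or from Percona): a pre-flight check for keyring_vault.conf that reproduces offline the conditions behind the CURL error 77 lines (a vault_ca path that does not exist or that the mysql user cannot read) and adds two checks the log never makes: that the file holding the Vault token is not group- or world-readable, and that the CA file contains only certificates, since the vault.pem built in the log concatenates the listener's private key with its certificate. The `key = value` line format, the sample paths, the placeholder token and the PEM bodies in `demo()` are constructed for the example. Run it as the mysql user (`sudo -u mysql`) so the readability checks match what mysqld sees; certificate IP/SAN matching is left to the TLS client.

```python
"""Pre-flight checks for a keyring_vault.conf before (re)starting mysqld."""
import os
import re
import stat
import sys
import tempfile
from urllib.parse import urlparse

REQUIRED = ("vault_url", "secret_mount_point", "token", "vault_ca")


def parse_keyring_vault_conf(text):
    """Parse the 'key = value' lines of keyring_vault.conf into a dict."""
    conf = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def pem_block_types(path):
    """Return the PEM block types found in a file, e.g. ['CERTIFICATE']."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        return re.findall(r"-----BEGIN ([A-Z ]+)-----", fh.read())


def check_keyring_vault_conf(conf_path):
    """Return a list of findings; an empty list means the config looks usable."""
    findings = []
    try:
        with open(conf_path, "r", encoding="utf-8") as fh:
            conf = parse_keyring_vault_conf(fh.read())
    except OSError as exc:
        return [f"cannot read {conf_path}: {exc}"]

    for key in REQUIRED:
        if not conf.get(key):
            findings.append(f"missing required setting: {key}")

    url = urlparse(conf.get("vault_url", ""))
    if url.scheme != "https":
        findings.append("vault_url must use https, or the token crosses the network in clear text")
    elif not url.hostname:
        findings.append("vault_url has no host")

    # The file carries the Vault token: group and other must not be able to read it.
    mode = stat.S_IMODE(os.stat(conf_path).st_mode)
    if mode & 0o077:
        findings.append(f"{conf_path} is mode {mode:04o}; it holds the token and should be 0600, owned by mysql")

    ca = conf.get("vault_ca")
    if ca:
        if not os.path.isfile(ca):
            findings.append(f"vault_ca {ca} does not exist (the 'Problem with the SSL CA cert' CURL error 77)")
        elif not os.access(ca, os.R_OK):
            findings.append(f"vault_ca {ca} is not readable by this user (same CURL error 77)")
        else:
            blocks = pem_block_types(ca)
            if "CERTIFICATE" not in blocks:
                findings.append(f"vault_ca {ca} has no CERTIFICATE block")
            if any("PRIVATE KEY" in b for b in blocks):
                findings.append(f"vault_ca {ca} contains a private key; ship only the certificate")
    return findings


def demo():
    """Constructed scenario: a good config, then the mistakes visible in the work log."""
    workdir = tempfile.mkdtemp(prefix="keyring_vault_demo_")
    ca_path = os.path.join(workdir, "vault.crt")
    conf_path = os.path.join(workdir, "keyring_vault.conf")
    # Placeholder PEM body, not a real certificate; only the framing is inspected.
    with open(ca_path, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----\n")

    def write_conf(url, ca):
        with open(conf_path, "w") as fh:
            fh.write(f"vault_url = {url}\nsecret_mount_point = secret/mysql/master\n"
                     f"token = hvs.constructed-demo-token\nvault_ca = {ca}\n")
        os.chmod(conf_path, 0o600)

    results = {}
    write_conf("https://172.31.86.35:8200", ca_path)
    results["good"] = check_keyring_vault_conf(conf_path)

    write_conf("https://172.31.86.35:8200", os.path.join(workdir, "missing.pem"))
    results["missing_ca"] = check_keyring_vault_conf(conf_path)

    # Mimic 'cat vault.key vault.crt > vault.pem' being shipped as the CA, plus a plain-http URL.
    with open(ca_path, "a") as fh:
        fh.write("-----BEGIN RSA PRIVATE KEY-----\nY29uc3RydWN0ZWQ=\n-----END RSA PRIVATE KEY-----\n")
    write_conf("http://172.31.86.35:8200", ca_path)
    results["key_in_ca_and_http"] = check_keyring_vault_conf(conf_path)
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = {target: check_keyring_vault_conf(target)} if target else demo()
    for name, findings in results.items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Invoked with no argument it runs the constructed scenario; with a path (`python3 check_keyring_vault.py /var/lib/mysql-keyring/keyring_vault.conf`) it checks a real file. Note that `os.access` always succeeds for root, which is why the check has to run as the mysql user to mean anything.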