Using Percona Server for MySQL with Amazon KMS as Keyring



(Image: Percona Server for MySQL with Amazon KMS)

Percona Server for MySQL 8.0.28-20 introduces a new keyring component, component_keyring_kms, which allows using the AWS Key Management Service as a keyring. The component is also included in Percona XtraBackup 8.0.28, so databases encrypted with this component can be backed up.

The feature is similar to the AWS keyring plugin included in MySQL Enterprise, but it is implemented as a component instead, and because of that, it requires a different configuration.

Configuring AWS KMS

The component uses a single Master Key on KMS, which has to be created manually before configuring the component. This master key can be changed later; existing MySQL keys that were encrypted with the old master key remain usable, as long as the old master key still exists on KMS.

To configure KMS, log in to the AWS Management Console and set up a new CMK (customer master key). This key can later be referenced in the component configuration by its UUID, its ARN, or an alias. Using an alias is recommended, as that allows rotating the key without modifying the component configuration.

The component also needs a user, identified by an authentication key and a secret key (an IAM access key pair), to access the KMS service, and this user must have permission to use the CMK. It is recommended to use a dedicated user for this purpose.

Configuring Percona Server for MySQL

To use the KMS component with Percona Server for MySQL, create a global or local manifest file enabling the component:

```json
{
  "components": "file://component_keyring_kms"
}
```

Then also create a global or local configuration file for the KMS component itself:

```json
{
  "read_local_config": "false",
  "path": "/usr/local/mysql/keyring/keyring_kms_file",
  "read_only": "false",
  "region": "us-east-2",
  "kms_key": "<uuid_or_alias_of_kms_key>",
  "auth_key": "<user_authentication_key>",
  "secret_access_key": "<user_secret_key>"
}
```

The directory of the keyring file must exist, and the AWS credentials and key identifier must be valid and have the correct parameters; otherwise component initialization fails.

The configuration file must be named "component_keyring_kms.cnf". For a global configuration it resides in the server directory; for a local configuration, in the data directory.

Because this file contains authentication information for the specified AWS user, that user should have only the minimum permissions necessary, and the file should be readable only by the MySQL user.

When these files are present and set up correctly, the server will start with the KMS component loaded and ready to be used. Encryption features can be enabled separately one by one.
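The following preflight check is an added example and is not part of the original post or of Percona's code. It checks a component_keyring_kms.cnf file for the mistakes the post warns about before the server is restarted: the required keys from the post's example are present and are JSON strings, the placeholders have been replaced, the directory of "path" exists, and the file is not readable by group or others since it holds AWS credentials. The set of required keys is taken from the post; the expectation of owner-only (0600) file mode, the check for typographic quotes (a frequent copy/paste defect that makes the file invalid JSON) and the sample key values are assumptions made for this example.

```python
"""Preflight validation for a component_keyring_kms.cnf file (added example)."""
import json
import os
import stat
import tempfile

# Keys shown in the post's example configuration.
REQUIRED_KEYS = (
    "read_local_config", "path", "read_only", "region",
    "kms_key", "auth_key", "secret_access_key",
)

# Typographic double quotes; pasted from a web page they break JSON parsing.
SMART_QUOTES = "\u201c\u201d"

# Fields whose placeholder values from the post must be replaced.
SECRET_FIELDS = ("kms_key", "auth_key", "secret_access_key")


def check_kms_config(cnf_path):
    """Return a list of problems found; an empty list means the file looks usable."""
    problems = []
    try:
        with open(cnf_path, encoding="utf-8") as fh:
            raw = fh.read()
    except OSError as exc:
        return [f"cannot read {cnf_path}: {exc}"]

    if any(ch in raw for ch in SMART_QUOTES):
        problems.append("file contains typographic quotes; use plain ASCII double quotes")
        # Normalise so the remaining checks can still run on the content.
        raw = raw.translate({ord(c): '"' for c in SMART_QUOTES})

    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError as exc:
        problems.append(f"not valid JSON: {exc}")
        return problems

    for key in REQUIRED_KEYS:
        if key not in cfg:
            problems.append(f"missing key: {key}")
        elif not isinstance(cfg[key], str):
            problems.append(f"{key} must be a JSON string, as in the post's example")

    for key in SECRET_FIELDS:
        val = cfg.get(key)
        if isinstance(val, str) and val.startswith("<") and val.endswith(">"):
            problems.append(f"{key} still contains the placeholder {val}")

    path = cfg.get("path")
    if isinstance(path, str):
        keyring_dir = os.path.dirname(path) or "."
        if not os.path.isdir(keyring_dir):
            problems.append(f"directory of keyring file does not exist: {keyring_dir}")

    # The file holds AWS credentials: assumed requirement is owner-only access.
    mode = stat.S_IMODE(os.stat(cnf_path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"config file mode is {oct(mode)}; it holds credentials and should be 0600")

    return problems


def run_demo():
    """Write two constructed sample files into a temp dir and check both.

    Returns {"good": [...], "bad": [...]} with the problems found in each.
    """
    with tempfile.TemporaryDirectory() as tmp:
        keyring_dir = os.path.join(tmp, "keyring")
        os.mkdir(keyring_dir)

        # Constructed, well-formed configuration (values are not real credentials).
        good = {
            "read_local_config": "false",
            "path": os.path.join(keyring_dir, "keyring_kms_file"),
            "read_only": "false",
            "region": "us-east-2",
            "kms_key": "alias/example-mysql-keyring",
            "auth_key": "EXAMPLEACCESSKEY",
            "secret_access_key": "EXAMPLESECRET",
        }
        good_path = os.path.join(tmp, "component_keyring_kms.cnf")
        with open(good_path, "w", encoding="utf-8") as fh:
            json.dump(good, fh, indent=2)
        os.chmod(good_path, 0o600)

        # Constructed bad file: typographic quotes, a leftover placeholder,
        # a keyring directory that does not exist, and a world-readable mode.
        bad_text = (
            "{\n"
            "  \u201cread_local_config\u201d: \u201cfalse\u201d,\n"
            '  "path": "/nonexistent/keyring/keyring_kms_file",\n'
            '  "read_only": "false",\n'
            '  "region": "us-east-2",\n'
            '  "kms_key": "<uuid_or_alias_of_kms_key>",\n'
            '  "auth_key": "EXAMPLEACCESSKEY",\n'
            '  "secret_access_key": "EXAMPLESECRET"\n'
            "}\n"
        )
        bad_path = os.path.join(tmp, "bad_keyring_kms.cnf")
        with open(bad_path, "w", encoding="utf-8") as fh:
            fh.write(bad_text)
        os.chmod(bad_path, 0o644)

        return {"good": check_kms_config(good_path), "bad": check_kms_config(bad_path)}


if __name__ == "__main__":
    for name, found in run_demo().items():
        print(name, "->", found or "no problems")
```

Run it against the real file with `check_kms_config("/path/to/component_keyring_kms.cnf")` as the MySQL OS user before restarting the server; an empty list does not prove the AWS credentials or key identifier are valid (only the component's initialization does), but it catches the local mistakes that otherwise surface only as a failed startup.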

Data security

The KMS component works similarly to component_keyring_file: it stores the MySQL encryption keys in a file, specified by the path value in its configuration file. The difference between the two components is that instead of storing the keys in plain text in the file, the keys are encrypted using the KMS service. This means that the data directory and the keyring data file are not enough to decrypt the database; access to the KMS service is also required.
