Using Percona Server for MySQL 8.0 and Percona XtraBackup 8.0 with HashiCorp Vault Enterprise KMIP Secrets Engine

KMIP (Key Management Interoperability Protocol) is an open standard developed by OASIS (Organization for the Advancement of Structured Information Standards) for the encryption of stored data and cryptographic key management.

Percona Server for MySQL 8.0.27 and Percona XtraBackup 8.0.27 now include a KMIP keyring plugin that lets the database exchange cryptographic keys with a key management server for encryption purposes. The procedure for using them with HashiCorp Vault Enterprise is described below.

Install HashiCorp Vault Enterprise

We will first install HashiCorp Vault Enterprise on Ubuntu Linux “Bionic” and then enable the KMIP secrets engine. The KMIP secrets engine is only available in the Enterprise version of HashiCorp Vault, so a valid Enterprise license is required.

Add the HashiCorp repository and install the Vault Enterprise package:

Export the license as an environment variable:

Create the Vault configuration file, vault_config.hcl:

Note: The Vault root certificates and key must be created separately; they are not covered here.

Start the Vault server with the configuration file:

Note: To configure and start Vault using systemd, refer to the instructions here.

Initialize the vault:

This will generate five unseal keys and the initial root token.

Unseal the vault.

Use any three of the five unseal keys; three keys are required to unseal the vault.

The vault is unsealed.

To use Vault from any terminal, run:

Configure KMIP Secrets Engine in Vault

Enable the KMIP secrets engine:

View the secrets list:

Change the KMIP server listening address and port:

Note: Here kmip is the default mount path of the secrets engine, not the type of the engine.

By default, the KMIP secrets engine issues EC (Elliptic Curve) certificates. MySQL requires RSA, so set the CA key type (tls_ca_key_type) and key size (tls_ca_key_bits) when configuring the KMIP server.

The KMIP secrets engine uses scopes to partition object storage into multiple named buckets. Within a scope, roles are created, each with the set of KMIP operations that role is allowed to perform.

Create a scope:

Create a role within the scope, specifying the set of operations to allow or deny.

Generate client certificates for the scope and role created above.

Retrieve the generated CA certificate:

Copy and save the CA certificate as ca.pem.

Generate a client certificate in PEM format and save the output in a JSON file named credential.json.

Extract the certificate from credential.json using the jq tool and save it in a file named cert.pem.

Extract the private key from credential.json using the jq tool and save it in a file named key.pem.

The KMIP configuration is now complete.

Percona Server for MySQL 8.0.27 Configuration for KMIP

This section describes the KMIP configuration in Percona Server for MySQL, where KMIP support is provided as a component.

Create the global manifest file (mysqld.my) in the mysqld installation directory.

Create the global configuration file, component_keyring_kmip.cnf, in the directory where the component_keyring_kmip library resides.

Note: SELinux/AppArmor rules may need to be adjusted so that Percona Server for MySQL and Percona XtraBackup can access the certificates.
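A helper for the certificate-extraction step above and the component_keyring_kmip.cnf that points at the extracted files, added here as an example (not Percona's or HashiCorp's code): it replaces the two jq commands, forces owner-only permissions on the extracted private key, and preflights the config file before mysqld is started. It assumes the Vault response layout (data.certificate, data.private_key) and the key names Percona documents for component_keyring_kmip.cnf (server_addr, server_port, client_ca, client_key, server_ca).

```python
import json
import os
import tempfile
# Key names as documented for Percona's component_keyring_kmip.cnf (assumption from the docs).
REQUIRED_KEYS = ("server_addr", "server_port", "client_ca", "client_key", "server_ca")

def split_credential(credential_json, out_dir):
    """The two jq steps: data.certificate -> cert.pem, data.private_key -> key.pem (mode 0600)."""
    with open(credential_json) as f:
        data = json.load(f)["data"]
    cert_path, key_path = (os.path.join(out_dir, n) for n in ("cert.pem", "key.pem"))
    with open(cert_path, "w") as f:
        f.write(data["certificate"].rstrip("\n") + "\n")
    with open(key_path, "w") as f:
        f.write(data["private_key"].rstrip("\n") + "\n")
    os.chmod(key_path, 0o600)  # unencrypted client key: owner-only
    return cert_path, key_path

def preflight_kmip_config(cnf_path):
    """Return the problems found in a component_keyring_kmip.cnf; [] means it looks usable."""
    with open(cnf_path) as f:
        cfg = json.load(f)
    problems = [f"missing key: {k}" for k in REQUIRED_KEYS if k not in cfg]
    if not str(cfg.get("server_port", "")).isdigit():
        problems.append("server_port is not numeric")
    for k in ("client_ca", "client_key", "server_ca"):  # all three must exist for mysqld to start
        path = cfg.get(k)
        if not path or not os.path.isfile(path):
            problems.append(f"{k} does not point to an existing file: {path}")
        elif k == "client_key" and os.stat(path).st_mode & 0o077:
            problems.append(f"client_key {path} is readable by group/other")
    return problems

def demo():
    """Constructed sample (placeholder PEM text, not real keys): a clean run, then key.pem loosened to 0644."""
    d = tempfile.mkdtemp()
    pem = lambda label: f"-----BEGIN {label}-----\nPLACEHOLDER\n-----END {label}-----\n"
    cred, ca, cnf = (os.path.join(d, n) for n in ("credential.json", "ca.pem", "component_keyring_kmip.cnf"))
    with open(cred, "w") as f:
        json.dump({"data": {"certificate": pem("CERTIFICATE"), "private_key": pem("PRIVATE KEY")}}, f)
    with open(ca, "w") as f:
        f.write(pem("CERTIFICATE"))
    cert, key = split_credential(cred, d)
    with open(cnf, "w") as f:
        json.dump({"server_addr": "127.0.0.1", "server_port": "5696",
                   "client_ca": cert, "client_key": key, "server_ca": ca}, f)
    before = preflight_kmip_config(cnf)
    os.chmod(key, 0o644)  # simulate a key copied into place with default umask permissions
    return before, preflight_kmip_config(cnf)

if __name__ == "__main__": print(demo())
```

Run it against the real credential.json and config on the database host before starting mysqld; a non-empty problem list usually explains a keyring component that fails to load.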

Initialize and start mysqld with the encryption options (add them to my.cnf):

Check the KMIP component status:

Create some encrypted tables and insert data in Percona Server for MySQL.

Backup and Restore of Percona Server for MySQL 8.0.27 Using Percona XtraBackup 8.0.27

This section describes the procedure for backing up and restoring Percona Server for MySQL 8.0.27 while the KMIP component is enabled and the KMIP Vault server is running. Percona XtraBackup reads the KMIP configuration from Percona Server for MySQL automatically, so this information does not need to be passed separately.

Take a full backup:

Prepare the full backup:

Stop Percona Server for MySQL and move the data directory to another location. Disable SELinux/AppArmor before restoring the backup.

Restore the full backup:

Change the ownership of the copied files in the Percona Server for MySQL data directory to the MySQL user.

Start Percona Server for MySQL and check the data. Re-enable SELinux/AppArmor if it was disabled previously.
