The AWS KMS component is now available in Percona Server for MySQL starting from version 8.0.30. This addition enables data-at-rest encryption by utilizing the AWS KMS component, providing the functionality to create and manage cryptographic keys across AWS services.
How do we set up encryption using AWS KMS?
You should only load a keyring component with a manifest file. Do not use the INSTALL_COMPONENT statement, which loads the keyring components too late in the startup sequence of the server. For example, InnoDB requires the component, but because the components are registered in the ‘mysql.component’ table, this table is loaded after InnoDB initialization.
To install a KMS component:
- Write a manifest in a valid JSON format.
- Write a configuration file.
Let’s install the KMS component using global configuration.
A manifest file needs to be created where the mysqld is installed. You can check where the mysqld binary is:
1 2 | # whereis mysqld mysqld: /usr/sbin/mysqld /usr/share/man/man8/mysqld.8.gz |
In our case, we will create it in /usr/sbin.
1 2 3 4 5 | # cat /usr/sbin/mysqld.my { "read_local_manifest": false, "components": "file://component_keyring_kms" } |
This file has to be a read-only file, or else you might get warnings in your MySQL error logs.
1 2 | chown mysql:mysql /usr/sbin/mysqld.my chmod 400 /usr/sbin/mysqld.my |
You can create a key in the AWS key management service and use it for configuration.
The next step is to create the configuration file. The configuration file has to be named component_keyring_kms.cnf and should be under the plugins directory.
1 2 3 4 5 6 7 8 9 10 | # cat /usr/lib64/mysql/plugin/component_keyring_kms.cnf { "read_local_config": false, "path": "/var/lib/mysql/keyring-mysql/keyring", "read_only": false, "region": "us-east-1", "kms_key": "arn:aws:kms:us-east-1:572778926944:alias/mysqltest", "auth_key": "AKIAYKXCI2NQPGAPUFG4", "secret_access_key": "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" } |
Make sure you enter the:
Region – The proper region where you created the key
ARN – For the key created
Auth key – Access key ID
Secret_access_key – Secret access key for the user
MySQL will be able to access AWS Key Management Service using the ARN, auth_key and secret_access_key. The user for which the secret key is generated should have access to key management services. Make sure the access key you have provided has proper privileges.
You can test it from the command line AWS tool using your secret access key and secret key ID:
1 | aws kms list-keys |
This command should list the keys. You can ensure that the keyring_kms is activated by checking the following output from MySQL:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | mysql> select * from keyring_component_status; +---------------------+---------------------------------------------------- | STATUS_KEY | STATUS_VALUE | +---------------------+---------------------------------------------------+ | Component_name | component_keyring_kms | | Author | Percona Corporation | | License | GPL | | Implementation_name | component_keyring_kms | | Version | 1.0 | | Component_status | Active | | Data_file | /var/lib/mysql/keyring-mysql/keyring | | Read_only | No | | KeyId | arn:aws:kms:us-east-1:572778926944:alias/mysqltest| +---------------------+---------------------------------------------------+ |
You can check the component status, and it should be active.
For any errors, look at the mysqld error logs. If there is any problem with a configuration file, it will not initialize, and the component status will show as inactive.
Conclusion
AWS key management service can be used when you don’t have a vault and want to use the key for encryption purposes quickly. This works similarly to keyring_file, but it uses the encrypted key for encryption. The keys are encrypted using the AWS KMS service.
Percona Distribution for MySQL is the most complete, stable, scalable, and secure open source MySQL solution available, delivering enterprise-grade database environments for your most critical business applications… and it’s free to use!
Try Percona Distribution for MySQL today!
