hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Vault as MariaDB encryption plugin -- alternative to AWS? #4041

Open ob1201 opened 6 years ago

ob1201 commented 6 years ago

Feature Request:

MariaDB 10 supports Data at Rest Encryption

https://mariadb.com/kb/en/library/data-at-rest-encryption/

Encryption Plugins

https://mariadb.com/kb/en/library/encryption-plugins/

Encryption plugins "in MariaDB are used for the data at rest encryption feature. They are responsible for both key management and for the actual encryption and decryption of data."

Currently, there are two available plugins: MariaDB's own file_key_management plugin, which is bog-simple, provides no rotation/management, but is "easily(TM)" extensible, and a plugin for AWS' KMS, which does provide key auto-rotation, etc.

But, of course, it's 3rd-party, off-premises ... and Amazon.

I note that Vault proj provides a "MariaDB Secrets Engine"

https://www.vaultproject.io/docs/secrets/databases/mysql-maria.html

"The database secrets engine generates database credentials dynamically based on configured roles. It works with a number of different databases through a plugin interface. There are a number of builtin database types and an exposed framework for running custom database types for extendability. This means that services that need to access a database no longer need to hardcode credentials: they can request them from Vault, and use Vault's leasing mechanism to more easily roll keys."

Has there been any work on a Vault-based MariaDB plugin with key management/rotation capabilities similar to that provided by the AWS offsite solution?

I've also asked in a related discussion on the MariaDB ML:

https://lists.launchpad.net/maria-discuss/msg05033.html

in case anyone wants to chime in there.

hazhirh commented 6 years ago

+1

oraclejavanet commented 5 years ago

+1