To setup Vault with SSL enabled. Refer to this gist on how to easily create SSL certificates to be used by Vault: https://gist.github.com/riveraja/f9e3ed84b54fddb935baf4742a8febe9#file-create_ssl_using_terraform-md
Once the SSL certificates are created start Vault with this sample configuration
[root@vault1 ~]# cat /etc/vault.hcl
listener "tcp" {
address = "192.168.0.114:8200"
tls_cert_file="/etc/sslkeys/vault.crt.pem"
tls_key_file="/etc/sslkeys/vault.key.pem"
}
storage "file" {
path = "/var/lib/vault"
}
Assuming Vault started up fine and you are able to unseal Vault, the next step is to create the policy file.
[root@vault1 ~]# cat /etc/vault/policy/dc1.hcl
path "secret/*" {
capabilities = ["list"]
}
path "secret/dc1/*" {
capabilities = ["create", "read", "delete", "update", "list"]
}
Create a policy in Vault named dc1-secrets using the dc1.hcl file like this:
[root@vault1 ~]# vault policy write dc1-secrets /etc/vault/policy/dc1.hcl
Success! Uploaded policy: dc1-secrets
Next, create a token using the newly created policy:
[root@vault1 ~]# vault token create -policy=dc1-secrets > dc1-token
[root@vault1 ~]# cat dc1-token
Key Value
--- -----
token be515093-b1a8-c799-b237-8e04ea90ad7a
token_accessor 4c1ba5c5-3fed-e9bb-d230-5bf1392e2d7e
token_duration 8760h
token_renewable true
token_policies ["dc1-secrets" "default"]
identity_policies []
policies ["dc1-secrets" "default"]
Configure Master's my.cnf with the following variables:
early-plugin-load="keyring_vault=keyring_vault.so"
loose-keyring_vault_config="/var/lib/mysql-keyring/keyring_vault.conf"
encrypt_binlog=ON
innodb_encrypt_online_alter_logs=ON
innodb_encrypt_tables=ON
innodb_temp_tablespace_encrypt=ON
master_verify_checksum=ON
binlog_checksum=CRC32
log_bin=mysqld-bin
binlog_format=ROW
server-id=1
log-slave-updates
Create the keyring_vault.conf file in the path above with the following contents:
[root@mysql1 ~]# cat /var/lib/mysql-keyring/keyring_vault.conf
vault_url = https://192.168.0.114:8200
secret_mount_point = secret/dc1/master
token = be515093-b1a8-c799-b237-8e04ea90ad7a
vault_ca = /etc/vault_ca/ca.crt.pem
Here we are using the CA certificate generated in the Vault server using Terraform. Observe that our secret_mount_point
is secret/dc1/master
, we want to make sure that this mount point is unique across all servers. This is in fact advised in the manual.
Ensure that the CA certificate is owned by mysql user:
[root@mysql1 ~]# ls -la /etc/vault_ca/
total 24
drwxr-xr-x 2 mysql mysql 41 Jul 14 11:39 .
drwxr-xr-x 63 root root 4096 Jul 14 13:17 ..
-rw------- 1 mysql mysql 1139 Jul 14 11:39 ca.crt.pem
Initialize the MySQL data directory on the Master:
[root@mysql1 ~]# mysqld --initialize-insecure --datadir=/var/lib/mysql --user=mysql
For production systems we do not recommend using --initialize-insecure
option, this is just to avoid additional steps in this tutorial.
Finally on the master, start mysqld instance and then create an encrypted table.
[root@mysql1 ~]# systemctl status mysqld
● mysqld.service - MySQL Server
Loaded: loaded (/usr/lib/systemd/system/mysqld.service; disabled; vendor preset: disabled)
Active: active (running) since Sat 2018-07-14 23:53:16 UTC; 2s ago
Docs: man:mysqld(8)
http://dev.mysql.com/doc/refman/en/using-systemd.html
Process: 1401 ExecStart=/usr/sbin/mysqld --daemonize --pid-file=/var/run/mysqld/mysqld.pid $MYSQLD_OPTS (code=exited, status=0/SUCCESS)
Process: 1383 ExecStartPre=/usr/bin/mysqld_pre_systemd (code=exited, status=0/SUCCESS)
Main PID: 1403 (mysqld)
CGroup: /system.slice/mysqld.service
└─1403 /usr/sbin/mysqld --daemonize --pid-file=/var/run/mysqld/mysqld.pid
Jul 14 23:53:16 mysql1 systemd[1]: Starting MySQL Server...
Jul 14 23:53:16 mysql1 systemd[1]: Started MySQL Server.
At this point you should have a MySQL master server with tablespace encryption using Vault.