> There are some concerns about the use case, because with the file implementation encryption keys are stored in the same place as the database, which does not feel secure.
Yes, that is a problem. The keys are only needed on startup of the mysql instances and can be deleted afterwards. This however can be an operational problem, since you have to provide the keys on startup, which is then not automatic anymore.
Right now I think the best idea is to put the keys on the server with Ansible, start up the instance, then delete the keys. What do you think?
> So I guess implementing an option to select the encryption plugin and install it (like aws_key_management) would also be cool.
I have no possibility to test this with AWS or eperi; however, I can provide some initial code and, if some other person needs it, it can be further developed.
> Also there are some comments regarding the current patch, since in the case of a cluster you probably need to generate the keys on localhost and later distribute them to the galera containers/hosts.
Good idea! I'll add that.
> But yes, I'd say we have nothing against implementing this feature, and you may go ahead and push a patch for it.
Thanks for your answer, Dmitriy!
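The "stage the keys with Ansible, start the instance, delete the keys" flow discussed above, written out as an added example play (not code from this role or its patch). It assumes MariaDB's file_key_management plugin, a key file generated on the controller at the hypothetical path files/keyfile, the hypothetical target path /etc/mysql/encryption/keyfile, AES_CTR as the algorithm, and a host group named galera.

```yaml
- name: Start MariaDB with encryption keys present only during startup
  hosts: galera
  become: true
  vars:
    key_file: /etc/mysql/encryption/keyfile   # hypothetical path
  tasks:
    - name: Create a key directory readable only by the mysql user
      ansible.builtin.file:
        path: "{{ key_file | dirname }}"
        state: directory
        owner: mysql
        group: mysql
        mode: "0700"

    - name: Place the key file generated on the controller
      ansible.builtin.copy:
        src: files/keyfile              # generated locally, hypothetical path
        dest: "{{ key_file }}"
        owner: mysql
        group: mysql
        mode: "0600"
      no_log: true                      # keep key material out of Ansible output

    - name: Point the plugin at the staged key file
      ansible.builtin.copy:
        dest: /etc/mysql/conf.d/encryption.cnf
        content: |
          [mariadb]
          plugin_load_add = file_key_management
          file_key_management_filename = {{ key_file }}
          file_key_management_encryption_algorithm = AES_CTR
        owner: root
        group: root
        mode: "0644"

    - name: Restart the instance so the plugin reads the keys into memory
      ansible.builtin.service:
        name: mariadb
        state: restarted

    - name: Wait until the server accepts connections before removing the file
      ansible.builtin.wait_for:
        port: 3306
        timeout: 60

    - name: Remove the key file now that the keys live only in mysqld memory
      ansible.builtin.file:
        path: "{{ key_file }}"
        state: absent
```

After the last task the keys exist only in the running mysqld process, so an unattended restart or crash recovery cannot open the encrypted tablespaces until this play re-stages the file; that is the operational cost the comment above describes.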