Securely Rotate Database Credentials with MSE Nacos, KMS, and Apache Druid
This article explains how to protect and dynamically rotate database usernames and passwords in modern applications by integrating MSE Nacos, Alibaba Cloud KMS, and Apache Druid, reducing leakage risk, eliminating manual maintenance, and achieving near‑instant, zero‑downtime credential updates.
1. Security Risks of Sensitive Data
Database access is fundamental to most applications, and a breach caused by compromised credentials costs an average of $4.88 million (≈¥35.42 million), with each leaked record costing about $169 (≈¥1,226). Beyond the direct monetary loss, breaches damage corporate reputation.
Data source: IBM's 19th Annual Data Breach Cost Study.
The GB/T 22239‑2019 standard (“Level‑2 Information Security Protection”, published in 2019) mandates strict controls for enterprises handling personal data, especially in finance.
2. How to Reduce Credential Leakage Risks
Nacos, a widely used configuration center, can improve credential security through stronger passwords, unified management, access control, and encrypted transmission, but it still suffers from two major issues:
Manual credential maintenance: Operations staff must manually set credentials in encrypted Nacos configs, introducing human error.
High runtime rotation cost: Replacing leaked credentials requires creating new accounts and restarting applications, often taking several hours for large clusters.
3. Zero‑Downtime Credential Rotation Without Application Restart
Application‑side connection pools (e.g., HikariCP, Apache Druid, C3P0) manage DB connections. To address the above problems, MSE Nacos, Alibaba Cloud KMS, Apache Druid, and Spring Cloud Alibaba jointly provide a dynamic runtime rotation solution.
The workflow (illustrated in the diagram below) consists of four components:
1. MSE Nacos – Dynamic Configuration Center
Unified management of data‑source configurations.
Integration with KMS to encrypt/decrypt credentials.
Provides runtime push capabilities for configuration changes.
2. Spring Cloud Alibaba – Application‑Side Framework
Combines nacos‑client and Druid to hide integration complexity.
Configurable data source, with a refresh triggered automatically on configuration changes.
3. Apache Druid – Open‑Source Database Connection Pool
Unified management of connection pool size, timeout, and other parameters.
Supports runtime refresh, so credentials can be switched without interrupting traffic.
Provides runtime exception protection (e.g., wrong credentials).
4. KMS – Alibaba Cloud Key Management Service
Encrypts and decrypts data‑source configurations.
Offers fully managed credential storage and periodic rotation.
Enables one‑click rapid credential revocation after leakage.
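The following is an added example of the rotation loop the four components above produce on the application side; it is not code from the original article or from the Nacos, Druid or Spring Cloud Alibaba projects. It registers a nacos-client listener on a data-source config and, on each push, builds a fresh DruidDataSource, verifies that the new login actually works, and only then swaps it in and retires the old pool; a push carrying wrong credentials is rejected and the old pool keeps serving. The dataId `app-datasource.properties`, the group `DEFAULT_GROUP`, the property keys `url`, `username`, `password` and `maxActive`, the class name `RotatingDataSource`, and the assumption that nacos-client's KMS encryption plugin has already returned plaintext to the listener are all choices made for this example.

```java
import com.alibaba.druid.pool.DruidDataSource;
import com.alibaba.nacos.api.NacosFactory;
import com.alibaba.nacos.api.PropertyKeyConst;
import com.alibaba.nacos.api.config.ConfigService;
import com.alibaba.nacos.api.config.listener.Listener;
import com.alibaba.nacos.api.exception.NacosException;

import java.io.IOException;
import java.io.StringReader;
import java.sql.Connection;
import java.sql.SQLException;
import java.util.Properties;
import java.util.concurrent.Executor;
import java.util.concurrent.atomic.AtomicReference;

/**
 * Hypothetical wrapper that swaps a Druid pool in place when Nacos pushes new
 * data-source credentials. The JVM never restarts: a replacement pool is built
 * and its login verified first, then callers are switched and the old pool closed.
 */
public class RotatingDataSource {
    // Assumed dataId/group. With MSE Nacos + KMS the config is stored encrypted and
    // nacos-client's encryption plugin hands plaintext to the listener (assumption).
    private static final String DATA_ID = "app-datasource.properties";
    private static final String GROUP = "DEFAULT_GROUP";

    private final AtomicReference<DruidDataSource> current = new AtomicReference<>();

    public RotatingDataSource(String nacosServerAddr) throws NacosException, SQLException {
        Properties nacosProps = new Properties();
        nacosProps.put(PropertyKeyConst.SERVER_ADDR, nacosServerAddr);
        ConfigService configService = NacosFactory.createConfigService(nacosProps);

        // Initial load: fail fast at startup if the stored credentials do not work.
        current.set(buildAndValidate(parse(configService.getConfig(DATA_ID, GROUP, 5000L))));

        // Runtime push: every later change to the config triggers a rotation attempt.
        configService.addListener(DATA_ID, GROUP, new Listener() {
            @Override
            public Executor getExecutor() {
                return null; // null = run on nacos-client's own notification thread
            }

            @Override
            public void receiveConfigInfo(String configInfo) {
                try {
                    rotate(parse(configInfo));
                } catch (SQLException | IllegalArgumentException e) {
                    // Exception protection: a bad push (wrong password, unreachable host,
                    // missing key) is rejected and the old, still-valid pool keeps serving.
                    System.err.println("rotation rejected, keeping current pool: " + e.getMessage());
                }
            }
        });
    }

    /** Callers always borrow from whichever pool is current at that instant. */
    public Connection getConnection() throws SQLException {
        return current.get().getConnection();
    }

    /** Builds the new pool, proves the new login works, then retires the old pool. */
    void rotate(Properties dsProps) throws SQLException {
        DruidDataSource fresh = buildAndValidate(dsProps);
        DruidDataSource old = current.getAndSet(fresh);
        if (old != null) {
            // close() releases idle connections now; connections still checked out are
            // discarded when returned, so requests in flight finish normally.
            old.close();
        }
    }

    private static DruidDataSource buildAndValidate(Properties p) throws SQLException {
        DruidDataSource ds = new DruidDataSource();
        ds.setUrl(required(p, "url"));
        ds.setUsername(required(p, "username"));
        ds.setPassword(required(p, "password"));
        ds.setInitialSize(1); // forces a real login inside init()
        ds.setMaxActive(Integer.parseInt(p.getProperty("maxActive", "20")));
        try {
            ds.init(); // wrong credentials surface here as SQLException
            try (Connection c = ds.getConnection()) {
                if (!c.isValid(3)) {
                    throw new SQLException("validation failed for user " + ds.getUsername());
                }
            }
            return ds;
        } catch (SQLException e) {
            ds.close(); // never leave a half-built pool behind
            throw e;
        }
    }

    private static Properties parse(String configInfo) {
        Properties p = new Properties();
        try {
            p.load(new StringReader(configInfo == null ? "" : configInfo));
        } catch (IOException e) {
            throw new IllegalArgumentException("unparseable data-source config", e);
        }
        return p;
    }

    private static String required(Properties p, String key) {
        String v = p.getProperty(key);
        if (v == null || v.isEmpty()) {
            throw new IllegalArgumentException("data-source config is missing '" + key + "'");
        }
        return v;
    }
}
```

The ordering is the point: build, validate, swap, close. Validating before the swap is what turns a mistyped or already-revoked password in a config push into a logged rejection rather than an outage, and closing the old pool only after the swap is what keeps the switch lossless for requests that are mid-flight. Plaintext credentials exist only inside the running pool objects; nothing here writes them to disk or logs.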
4. Nacos + KMS + X – Generalized Data‑Source Solution
The same architecture can be extended to other data‑source components such as NoSQL (Redis/Tair), MQ (RocketMQ, Kafka), ScheduleX, OSS, etc., providing zero‑code migration, configuration‑driven integration, and reduced application complexity.
Benefits Achieved
Unified encrypted storage of DB credentials in Nacos.
Full credential management by KMS.
Dual‑layer permission control for configuration access.
Plaintext credentials exist only in application memory; all storage and transmission are encrypted.
Runtime, lossless rotation: credential changes are detected instantly and connections switch gracefully.
Credential switch time drops from several hours to a single second, dramatically improving security and operational efficiency.
For detailed integration steps, refer to the official documentation: MSE Nacos Data Source Management.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Alibaba Cloud Developer
Alibaba's official tech channel, featuring all of its technology innovations.