Skip to content
Percona Software for PostgreSQL Documentation

For help, click the link below to get free database assistance or contact our experts for personalized support.

Get help from Percona

Vault Configuration

You can configure pg_tde to use HashiCorp Vault as a global key provider for managing encryption keys securely.

Note

This guide assumes that your Vault server is already set up and accessible. Vault configuration is outside the scope of this document, see Vault’s official documentation for more information.

Example usage

SELECT pg_tde_add_global_key_provider_vault_v2(
    'provider-name',
    'url',
    'mount',
    'secret_token_path',
    'ca_path'
);

Parameter descriptions

  • provider-name is the name to identify this key provider
  • secret_token_path is a path to the file that contains an access token with read and write access to the above mount point
  • url is the URL of the Vault server
  • mount is the mount point where the keyring should store the keys
  • [optional] ca_path is the path of the CA file used for SSL verification

The following example is for testing purposes only. Use secure tokens and proper SSL validation in production environments:

SELECT pg_tde_add_global_key_provider_vault_v2(
    'my-vault',
    'https://vault.vault.svc.cluster.local:8200',
    'secret/data',
    '/path/to/token_file',
    '/path/to/ca_cert.pem'
);

For more information on related functions, see the link below:

Percona pg_tde Function Reference

Next steps

Global Principal Key Configuration