This commit implements support for storing keys on a vault server instead of locally. The current implementation only supports the KV v2 engine, which is the default secrets engine in recent vault versions.
To use vault for key storage, the following settings have to be used in the keyring configuration file:
- provider set to vault-v2
- url set to the URL of the vault server
- mountPath set to the mount point where the keyring should store the keys
- token is an access token with read and write access to the above mount point
- [optional] caPath is the path of the CA file used for SSL verification
Multiple servers can use the same vault server, with the following restrictions:
- Servers in the same replication group should use the same pg_tde.keyringKeyPrefix to ensure that they see the same keys
- Unrelated servers should use different pg_tde.keyringKeyPrefix values to ensure that they use different keys without conflicts
The source also contains a sample keyring configuration file, keyring-vault.json. This configuration matches the settings of the vault development server (vault server -dev); only the ROOT_TOKEN has to be replaced with the token of the actual server process.
Implements #38
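As an added example, not part of this commit or the pg_tde code base: a standard-library Python script that loads a keyring-vault.json with the settings listed above and exercises the Vault KV v2 engine it points at (`/v1/<mountPath>/data/<path>`, with the secret wrapped in a `data` envelope). The key-path layout (keyringKeyPrefix followed by the key name), the hex-encoded `key` field and the sample values are assumptions, not pg_tde's actual storage format.

```python
"""Added example (not pg_tde's own code): validate a keyring-vault.json and
build/parse the Vault KV v2 requests it implies, using only the stdlib."""
import json
import ssl
import urllib.request

# Constructed sample matching the settings in the commit message; the URL and
# "secret" mount are the defaults of `vault server -dev`, ROOT_TOKEN is a placeholder.
SAMPLE_CONFIG = json.dumps({
    "provider": "vault-v2",
    "url": "http://127.0.0.1:8200",
    "mountPath": "secret",
    "token": "ROOT_TOKEN",
})

REQUIRED = ("provider", "url", "mountPath", "token")  # caPath is optional


def load_config(text):
    """Parse the keyring config and reject it if a required setting is missing."""
    cfg = json.loads(text)
    missing = [k for k in REQUIRED if k not in cfg]
    if missing:
        raise ValueError(f"missing keyring settings: {missing}")
    if cfg["provider"] != "vault-v2":
        raise ValueError(f"unsupported provider {cfg['provider']!r}")
    return cfg


def kv2_url(cfg, key_prefix, key_name):
    """KV v2 reads and writes go through <mount>/data/<path> (KV v1 has no 'data').
    Prefixing the path with pg_tde.keyringKeyPrefix is an assumption of this example."""
    mount = cfg["mountPath"].strip("/")
    return f"{cfg['url'].rstrip('/')}/v1/{mount}/data/{key_prefix}{key_name}"


def kv2_write_body(key_bytes):
    """KV v2 expects the secret inside a {"data": {...}} envelope; hex encoding is assumed."""
    return json.dumps({"data": {"key": key_bytes.hex()}}).encode()


def kv2_parse_read(body):
    """Unwrap a KV v2 read: the secret is at data.data, version metadata beside it."""
    doc = json.loads(body)
    return bytes.fromhex(doc["data"]["data"]["key"]), doc["data"]["metadata"]["version"]


def vault_request(cfg, url, data=None):
    """Send the request with the token header; caPath, if set, pins the CA for TLS."""
    ctx = ssl.create_default_context(cafile=cfg.get("caPath"))
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET")
    req.add_header("X-Vault-Token", cfg["token"])
    if data:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read()
```

A write followed by a read of the same path (`vault_request(cfg, url, kv2_write_body(k))`, then `kv2_parse_read(vault_request(cfg, url))`) checks that the token really has read and write access to the mount point before the keyring is put in service.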