Closed Torkolis closed 8 months ago
Thanks for the bug report!

Trying to access master-key-2 is related to key rotation / versioning support (we want to find the latest version of the key), but the behavior you described is indeed a bug; I'll look into it.
So I have managed to set up pg_tde using Vault. Basically the 'mountPath' entry needs to match a mount of the kv secret engine (an explanation in the docs would be cool, it took me a while to figure it out). So when I created the first table it wrote a secret in that entry called "master-key-1" containing some data:

But now I have a problem: it tries to access master-key-2 in Vault, which does not exist and returns 404. The usual database encryption actually works as expected, but I just don't understand why it makes GET requests to master-key-2... I think it is probably a bug. I did some tests and here are the nginx logs (my Vault is reachable behind an nginx):

All the /v1/secret/data/master-key-1 calls are fine, and it is also nice that pg_tde only needs it once, but the /v1/secret/data/master-key-2 calls are unnecessary and just create a lot of traffic.

If I create this secret manually in the Vault UI, then GET requests are sent to /v1/secret/data/master-key-3; creating that one manually too results in GET requests sent to /v1/secret/data/master-key-4, and so on. I think there needs to be a configuration option in pg_tde.conf for how many of these secrets should be used.
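To make the traffic pattern in this thread concrete, here is an added example (not pg_tde's or Vault's code) that models the behaviour described above: read `master-key-N`, then probe `master-key-N+1` to see whether a newer key version exists, until the first 404. The probe-until-404 loop is my reading of the maintainer's "find the latest version" comment, not pg_tde's actual implementation; the in-memory KV v2 stand-in, the `secret` mount path, and the nginx log lines are all constructed for the example. It also includes a small tally over nginx access-log lines, which is the quickest way to see the repeated 404s in a real deployment.

```python
"""Model of sequential key-version discovery against a Vault KV v2 mount.

Added example, not pg_tde's or Vault's code. FakeKvV2 stands in for the
HTTP API: every GET is recorded as (path, status) so the request pattern
can be inspected the way the nginx logs in the issue show it.
"""
import re
from dataclasses import dataclass, field


@dataclass
class FakeKvV2:
    """Constructed stand-in for a Vault KV v2 mount (no network)."""
    mount_path: str = "secret"             # assumed; must match the kv mount
    data: dict = field(default_factory=dict)
    requests: list = field(default_factory=list)

    def get(self, name):
        """Return (status, payload) for GET /v1/<mount>/data/<name>."""
        path = f"/v1/{self.mount_path}/data/{name}"
        status = 200 if name in self.data else 404
        self.requests.append((path, status))
        return status, self.data.get(name)


def discover_latest(kv, base="master-key", start=1):
    """Hypothetical discovery loop: walk base-1, base-2, ... and stop at the
    first 404. Returns (name, payload) of the last key that existed, or None."""
    latest = None
    n = start
    while True:
        status, payload = kv.get(f"{base}-{n}")
        if status != 200:
            return latest
        latest = (f"{base}-{n}", payload)
        n += 1


def simulate_lookups(existing_versions, lookups):
    """Run `lookups` independent discoveries against a store that holds
    master-key-1 .. master-key-<existing_versions>.
    Returns (probed_path, total_requests, total_404s)."""
    store = {f"master-key-{i}": {"key": f"k{i}"} for i in range(1, existing_versions + 1)}
    kv = FakeKvV2(data=store)
    for _ in range(lookups):
        discover_latest(kv)
    probed = next(p for p, s in kv.requests if s == 404)
    return probed, len(kv.requests), sum(1 for _, s in kv.requests if s == 404)


# Constructed nginx combined-log lines, in the shape the reporter describes.
SAMPLE_NGINX_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /v1/secret/data/master-key-1 HTTP/1.1" 200 512 "-" "pg_tde"',
    '10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /v1/secret/data/master-key-2 HTTP/1.1" 404 89 "-" "pg_tde"',
    '10.0.0.5 - - [01/Jan/2024:12:00:31 +0000] "GET /v1/secret/data/master-key-2 HTTP/1.1" 404 89 "-" "pg_tde"',
    '10.0.0.5 - - [01/Jan/2024:12:01:01 +0000] "GET /v1/secret/data/master-key-2 HTTP/1.1" 404 89 "-" "pg_tde"',
]

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')


def tally_nginx(lines):
    """Count requests per (path, status) so repeated 404 probes stand out."""
    counts = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        key = (m["path"], int(m["status"]))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # One stored key, three lookups: every lookup costs one extra 404 probe.
    print(simulate_lookups(1, 3))
    # Adding master-key-2 and -3 by hand just moves the probe to master-key-4.
    print(simulate_lookups(3, 1))
    for (path, status), n in sorted(tally_nginx(SAMPLE_NGINX_LOG).items()):
        print(f"{n:4d}  {status}  {path}")
```

The second call shows why manually creating the missing secret does not help: the loop always needs one 404 to learn that it has reached the end, so the probe simply moves to the next number.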