Solution Summary
Hashicorp Vault is an identity-based secrets and encryption management system. Used together with EDB Postgres Advanced Server version 15.2 or later, or EDB Postgres Extended Server version 15.2 or later, it lets users control access to encryption keys and certificates and perform key management. Hashicorp Vault's Transit secrets engine lets Vault carry out cryptographic operations on data in transit; for that reason the Transit secrets engine is often described as "encryption as a service".
The primary use case for Hashicorp Vault's Transit secrets engine is to encrypt data coming from applications while the encrypted data is stored in some primary data store. The Transit secrets engine can also generate hashes, sign and verify data, and generate HMACs of data. It works with EDB Postgres Advanced Server and EDB Postgres Extended Server by securely storing the data key that initdb generates. Normally that key, which lives in pg_encryption/key.bin, is stored in plaintext; using the Transit secrets engine as an external key store puts the data encryption key under Vault's management and adds a further layer of protection to the key itself.
The image below shows how the Hashicorp Vault Transit secrets engine encrypts and decrypts data.
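The exchange described above, as an added example that is not part of the original page or EDB's own tooling: the data key is sent to Transit's encrypt endpoint (which only accepts base64 plaintext) and the returned `vault:v<N>:...` blob is what would be written to pg_encryption/key.bin; unwrapping reverses the exchange. The Vault address, token and key-ring name are constructed placeholders, and `post` is injectable so the round trip can be exercised without a live Vault.

```python
import base64
import json
import urllib.request

# Constructed placeholders for this example: a local Vault, a token and a Transit key ring.
VAULT_ADDR = "http://127.0.0.1:8200"
VAULT_TOKEN = "<vault-token-placeholder>"
TRANSIT_KEY = "pg-tde-key"  # assumed name of the Transit key ring


def vault_post(path, body, addr=VAULT_ADDR, token=VAULT_TOKEN):
    """POST a JSON body to Vault's HTTP API and return the 'data' object of the reply."""
    req = urllib.request.Request(
        f"{addr}/v1/{path}",
        data=json.dumps(body).encode(),
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["data"]


def wrap_key(data_key: bytes, key_name=TRANSIT_KEY, post=vault_post) -> str:
    """Wrap the data encryption key with Transit.

    Transit requires the plaintext to be base64-encoded and answers with a
    ciphertext of the form 'vault:v<N>:<base64>'. The wrapping key never leaves
    Vault; only this blob is persisted on the database host.
    """
    plaintext = base64.b64encode(data_key).decode()
    data = post(f"transit/encrypt/{key_name}", {"plaintext": plaintext})
    ciphertext = data["ciphertext"]
    if not ciphertext.startswith("vault:v"):
        raise ValueError("unexpected ciphertext format from Transit")
    return ciphertext


def unwrap_key(ciphertext: str, key_name=TRANSIT_KEY, post=vault_post) -> bytes:
    """Unwrap a blob produced by wrap_key and return the raw data key bytes."""
    if not ciphertext.startswith("vault:v"):
        # A plaintext key.bin or a corrupted file must never be sent to Transit as ciphertext.
        raise ValueError("refusing to decrypt a value that is not a Transit ciphertext")
    data = post(f"transit/decrypt/{key_name}", {"ciphertext": ciphertext})
    return base64.b64decode(data["plaintext"])
```

With a real Vault, `vault_post` needs the token to hold `update` capability on `transit/encrypt/<name>` and `transit/decrypt/<name>` only; nothing else on the database host needs to read the wrapping key.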