Configuration

Implementing Hashicorp Vault with EDB Postgres Advanced Server version 15.2 and above or EDB Postgres Extended Server version 15.2 and above, requires the following components:

• EDB Postgres distribution (15.2 or later)
• Hashicorp Vault v1.13.3

Prerequisites

• A running EDB Postgres distribution
• Hashicorp Vault installed and deployed per your VM environment

Enable Hashicorp Vault Transit Secrets Engine

1. After your Hashicorp Vault configuration is installed and deployed per the guidelines in the Hashicorp documentation, you will then need to enable the transit secrets engine.

2. Assume root user.

3. First set your two variables, your API address and token you receieved during installation and setup.

root@ip-172-31-50-151:/home/ubuntu# export VAULT_ADDR='http://127.0.0.1:8200'
root@ip-172-31-50-151:/home/ubuntu# export VAULT_TOKEN="hvs.D9lfoRBZYtdJY2t3lG3f6yUa"

4. Before you enable the Transit Secrets Engine you can check your Vault Server status with vault status.

root@ip-172-31-50-151:/home/ubuntu# vault status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.13.3
Build Date      2023-06-06T18:12:37Z
Storage Type    inmem
Cluster Name    vault-cluster-18a7ed39
Cluster ID      83012ee7-18f0-9480-e8b6-3ff02c285ba2
HA Enabled      false

5. Type vault secrets enable transit.

root@ip-172-31-50-151:/home/ubuntu# vault secrets enable transit
Success! Enabled the transit secrets engine at: transit/

6. Next you will create your encryption key with an identifiable name. For example: vault write -f transit/keys/pg-tde-master-1

root@ip-172-31-50-151:/usr/lib/edb-pge/15/bin# vault write -f transit/keys/pg-tde-master-1
Success! Data written to: transit/keys/pg-tde-master-1

7. You now have your encryption key set and are ready to export your WRAP and UNWRAP commands and initialize your database.

• On this page
• Prerequisites
• Enable Hashicorp Vault Transit Secrets Engine