Using OpenBao as a key provider¶
You can configure open_pg_tde to use OpenBao as a global key provider for managing encryption keys. OpenBao is an Apache 2.0 licensed fork of HashiCorp Vault and uses the Key/Value version 2 (KV v2) secrets engine.
Note
This guide assumes that your OpenBao server is already set up and accessible. OpenBao configuration is outside the scope of this document. See the OpenBao documentation for more information.
Example usage¶
To register an OpenBao server as a global key provider:
SELECT open_pg_tde_add_global_key_provider_openbao(
'provider-name',
'url',
'mount',
'secret_token_path',
'ca_path',
'namespace'
);
Parameter descriptions¶
provider-nameis the name that identifies this key provider.urlis the URL of the OpenBao server.mountis the mount point where the keyring stores the keys.secret_token_pathis the path to a file that contains an access token with read and write access to the mount point.ca_pathis the path of the CA file used for TLS verification. This parameter is optional.namespaceis the namespace on the OpenBao server. This parameter is optional. See namespace support in OpenBao. You can set a namespace without aca_pathby passingNULLas theca_pathvalue.
The following example is for testing only. Use secure tokens and TLS validation in production:
SELECT open_pg_tde_add_global_key_provider_openbao(
'my-openbao-provider',
'https://openbao.example.com:8200',
'secret/data',
'/path/to/token_file',
'/path/to/ca_cert.pem'
);
For the related functions, see the open_pg_tde function reference.