Configuring

Implementing Hashicorp Vault with EDB Postgres Advanced Server version 15.2 and later or EDB Postgres Extended Server version 15.2 and later requires the following components:

• EDB Postgres distribution (15.2 or later)
• Hashicorp Vault v1.13.3

Prerequisites

• A running EDB Postgres distribution
• Hashicorp Vault installed and deployed per your VM environment

Enable Hashicorp Vault transit secrets engine

After you install and deploy your Hashicorp Vault configuration per the guidelines in the Hashicorp documentation, you must then enable the transit secrets engine.

1. Assume root user.

2. Set your two variables, your API address, and the token you receieved during installation and setup:

root@ip-172-31-50-151:/home/ubuntu# export VAULT_ADDR='http://127.0.0.1:8200'
root@ip-172-31-50-151:/home/ubuntu# export VAULT_TOKEN="hvs.D9lfoRBZYtdJY2t3lG3f6yUa"

3. Before you enable the transit secrets engine, you can check your Vault server status using vault status:

root@ip-172-31-50-151:/home/ubuntu# vault status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.13.3
Build Date      2023-06-06T18:12:37Z
Storage Type    inmem
Cluster Name    vault-cluster-18a7ed39
Cluster ID      83012ee7-18f0-9480-e8b6-3ff02c285ba2
HA Enabled      false

4. Enter vault secrets enable transit:

root@ip-172-31-50-151:/home/ubuntu# vault secrets enable transit
Success! Enabled the transit secrets engine at: transit/

5. Create your encryption key with an identifiable name, for example: vault write -f transit/keys/pg-tde-master-1

root@ip-172-31-50-151:/usr/lib/edb-pge/15/bin# vault write -f transit/keys/pg-tde-master-1
Success! Data written to: transit/keys/pg-tde-master-1

Your encryption key is now set and you are ready to export your WRAP and UNWRAP commands and initialize your database.

• On this page
• Prerequisites
• Enable Hashicorp Vault transit secrets engine