Badr

Reputation: 733

How does the Vault PostgreSQL plugin of the database secret engine work with a PostgreSQL backend?

I was thinking that if I specified the backend and the secret engine plugin to be connected to the same PostgreSQL server, I could gain the dynamic secrets feature and store secrets in the same place, encrypted, at the same time. When I tried to apply it I got more confused, as you get a token to access the database directly, which implies no encryption is there, with one being able to store secrets directly. I thought of combining "Encryption as a Service" from Vault with the database secret engine to achieve this, but want to make sure that there is no other way.

Do you have any idea to achieve this?

Thanks in advance

Upvotes: 1

Views: 1618

Answers (1)

gic186

Reputation: 836

The PostgreSQL secret engine doesn't store data, but generates dynamic credentials to access the PostgreSQL server.

If you want to store encrypted data in the PostgreSQL server, use it as the storage backend, and use a K/V secret engine. All of Vault's data, including the secrets of the K/V engine, will be stored in the database (of course everything is encrypted).

Remember that the secrets engines do not specify where data is stored; they are just a secret service of Vault. The storage backend is the location where data is stored.

Upvotes: 1
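The split the answer describes, as an added example that is not part of the question or the answer: one PostgreSQL server is used both as Vault's storage backend (where the K/V engine's secrets land, already encrypted by Vault's barrier) and as the target of the database secrets engine (which stores nothing and only mints short-lived credentials). The hostnames, database names, role names and passwords are placeholders; `vault_storage` and `vault_admin` are assumed separate PostgreSQL roles, one owning the `vault_kv_store` table and the other holding `CREATEROLE` for the database engine.

```shell
#!/usr/bin/env bash
# Added example, not code from the question, the answer or the Vault project.
# One PostgreSQL server serves as Vault's storage backend AND as the database
# the secrets engine hands out credentials for. All names/passwords are placeholders.

# Vault server config: everything Vault persists (including kv-v2 secrets) is
# written to the vault_kv_store table as ciphertext produced by Vault's barrier.
write_vault_config() {
  local out="$1"
  cat > "$out" <<'EOF'
storage "postgresql" {
  # 'vault_storage' (placeholder role) owns only the vault_kv_store table.
  connection_url = "postgres://vault_storage:STORAGE_PASSWORD@db.example.internal:5432/vault?sslmode=require"
  table          = "vault_kv_store"
}

listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = "true"
}
EOF
}

# Table the postgresql storage backend expects (schema as documented by Vault).
storage_schema_sql() {
  cat <<'EOF'
CREATE TABLE vault_kv_store (
  parent_path TEXT COLLATE "C" NOT NULL,
  path        TEXT COLLATE "C",
  key         TEXT COLLATE "C",
  value       BYTEA,
  CONSTRAINT pkey PRIMARY KEY (path, key)
);
CREATE INDEX parent_path_idx ON vault_kv_store (parent_path);
EOF
}

# Enable the two engines the answer distinguishes. kv-v2 stores data (via the
# storage backend above); the database engine stores nothing and only creates
# temporary PostgreSQL users.
configure_engines() {
  vault secrets enable -path=secret kv-v2
  vault kv put secret/app/config api_key="example-only"

  vault secrets enable database
  # 'vault_admin' is a separate placeholder role used only by the database
  # engine; the dynamic users it creates get SELECT on the app schema, not on
  # the table Vault itself stores its (encrypted) data in.
  vault write database/config/app-db \
    plugin_name=postgresql-database-plugin \
    allowed_roles="app-readonly" \
    connection_url="postgresql://{{username}}:{{password}}@db.example.internal:5432/appdb?sslmode=require" \
    username="vault_admin" \
    password="ADMIN_PASSWORD"
  vault write database/roles/app-readonly \
    db_name=app-db \
    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
    default_ttl="1h" max_ttl="24h"

  # Returns a short-lived username/password pair, not a path to stored secrets.
  vault read database/creds/app-readonly
}

write_vault_config "${VAULT_CONFIG:-/tmp/vault-example.hcl}"
# Only talk to a real server when the CLI is installed and VAULT_ADDR is set.
if command -v vault >/dev/null 2>&1 && [ -n "${VAULT_ADDR:-}" ]; then
  configure_engines
fi
```

Keeping the storage-backend role and the database-engine role separate is what preserves the property the question is after: a client holding dynamic credentials from `database/creds/app-readonly` can query the application schema, while the rows in `vault_kv_store` are only ever written and read by Vault itself, and their `value` column is ciphertext that is useless without the unsealed barrier key.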
