Using HashiCorp KMS
Configuration example
Enable the transit secrets engine in HashiCorp Vault:
vault secrets enable transit
Create a key and give it a name:
vault write -f transit/keys/pg-tde-master-1
Use the vault write command with the pg-tde-master-1 key to wrap and unwrap the data encryption key:
PGDATAKEYWRAPCMD='base64 | vault write -field=ciphertext transit/encrypt/pg-tde-master-1 plaintext=- > "%p"'
PGDATAKEYUNWRAPCMD='vault write -field=plaintext transit/decrypt/pg-tde-master-1 ciphertext=- < "%p" | base64 -d'
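A pre-flight check, as an added example that is not part of the original page or the project's own tooling: it runs a throwaway key through a wrap/unwrap command pair and confirms that the original bytes come back. The helper name check_wrap_roundtrip is hypothetical, and it assumes the wrap command reads the key on stdin and writes the wrapped key to %p, while the unwrap command reads %p and prints the key on stdout, as the commands above do.

```shell
#!/bin/sh
# Added example (not from the original page): round-trip check for a
# wrap/unwrap command pair before it is trusted with a real key.
# Assumption: %p stands for the path of the wrapped-key file.

# check_wrap_roundtrip WRAP_CMD UNWRAP_CMD   (hypothetical helper name)
# The body runs in a subshell so its variables do not leak into the caller.
check_wrap_roundtrip() (
    dir=$(mktemp -d) || exit 2
    plain=$dir/plain.bin wrapped=$dir/wrapped.bin out=$dir/out.bin
    rc=0

    # Throwaway 32-byte test key; never feed a real data encryption key here.
    head -c 32 /dev/urandom > "$plain"

    # Replace every %p placeholder with the wrapped-key file path.
    wrap_cmd=$(printf '%s\n' "$1" | sed "s|%p|$wrapped|g")
    unwrap_cmd=$(printf '%s\n' "$2" | sed "s|%p|$wrapped|g")

    if ! sh -c "$wrap_cmd" < "$plain"; then
        echo "FAIL: wrap command exited non-zero" >&2; rc=1
    elif [ ! -s "$wrapped" ]; then
        echo "FAIL: wrap command wrote nothing to %p" >&2; rc=1
    elif cmp -s "$plain" "$wrapped"; then
        echo "FAIL: key was stored unwrapped" >&2; rc=1
    elif ! sh -c "$unwrap_cmd" < /dev/null > "$out"; then
        echo "FAIL: unwrap command exited non-zero" >&2; rc=1
    elif ! cmp -s "$plain" "$out"; then
        # Also reached when the first stage of an unwrap pipeline fails
        # and the last stage exits 0 with empty or partial output.
        echo "FAIL: unwrapped key differs from the original" >&2; rc=1
    fi

    rm -rf "$dir"
    exit "$rc"
)

# Usage against the configuration above (needs VAULT_ADDR and a Vault token
# with access to the transit key in the environment):
#   check_wrap_roundtrip "$PGDATAKEYWRAPCMD" "$PGDATAKEYUNWRAPCMD"
```

A passing result only shows that the pair is reversible and that the stored form differs from the plaintext; it does not prove that the wrap command encrypts.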