Configure your database connection to use TLS
Learn how to configure Piiano Vault to connect to the database using the Transport Layer Security (TLS) cryptographic protocol to protect data in motion.
If you're using the hosted version of Vault, TLS is implemented by default.
To configure Piiano Vault to require a secure database connection using TLS, follow these steps:

1. Set the environment variable PVAULT_DB_REQUIRE_TLS to true.
2. Set the environment variable PGSSLROOTCERT to the path of the TLS Certificate Authority (CA) certificate.

For example, if running Vault Server, add these flags to the docker run command:

-v $(pwd):/certs \
-e PVAULT_DB_REQUIRE_TLS=true \
-e PGSSLROOTCERT=/certs/us-east-2-bundle.pem

If using AWS, you can get the certificate from the following URL: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
If using GCP, you can get the certificate from the following URL: https://cloud.google.com/sql/docs/postgres/configure-ssl-instance
To disable certificate verification for a TLS connection (which is not secure), set PVAULT_DB_REQUIRE_TLS to false. With this setting, Piiano Vault accepts any TLS certificate for the DB connection and, if no TLS certificate is found, falls back to a non-TLS connection. This option may be useful when testing with self-signed certificates, for example.
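The following preflight helper is an added example, not part of Piiano Vault or its documentation: before launching Vault Server, it checks that the CA bundle you intend to mount is a readable PEM certificate bundle (and not a private key dropped in by mistake), then prints the docker run flags for the two settings above. The helper name, the /certs mount point and the read-only mount are assumptions for this example; it deliberately never emits PVAULT_DB_REQUIRE_TLS=false, so the insecure fallback described above cannot be enabled through it.

```bash
#!/usr/bin/env bash
# Preflight for the Vault Server database TLS settings.
# vault_db_tls_flags <host path to CA bundle> prints the docker run flags
# that mount the bundle and require a verified TLS connection to the DB.
# Assumed for this example: the helper name and the /certs mount point.

vault_db_tls_flags() {
    local ca_bundle="$1"          # host path to the CA bundle (e.g. the RDS or Cloud SQL bundle)
    local mount_dir="/certs"      # where the bundle is visible inside the container

    if [ ! -r "$ca_bundle" ]; then
        echo "CA bundle not readable: $ca_bundle" >&2
        return 1
    fi
    # A root-cert file must carry certificates only; refuse anything holding a key.
    if grep -q 'PRIVATE KEY-----' "$ca_bundle"; then
        echo "refusing: $ca_bundle contains a private key, not a CA bundle" >&2
        return 1
    fi
    # Require at least one PEM CERTIFICATE block (grep -c prints 0 on no match).
    local certs
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$ca_bundle" || true)
    if [ "$certs" -lt 1 ]; then
        echo "refusing: $ca_bundle has no PEM CERTIFICATE block" >&2
        return 1
    fi

    local dir base
    dir=$(cd "$(dirname "$ca_bundle")" && pwd)
    base=$(basename "$ca_bundle")
    # Flags to append to `docker run`: mount the bundle's directory read-only,
    # require TLS, and point libpq's PGSSLROOTCERT at the mounted file.
    printf -- '-v %s:%s:ro -e PVAULT_DB_REQUIRE_TLS=true -e PGSSLROOTCERT=%s/%s\n' \
        "$dir" "$mount_dir" "$mount_dir" "$base"
}
```

Usage: `docker run $(vault_db_tls_flags ./us-east-2-bundle.pem) <other flags> <image>`; the command aborts before starting the container if the bundle check fails.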