Configure your database connection to use TLS
Learn how to protect data in motion by configuring Piiano Vault to connect to the database using the Transport Layer Security (TLS) cryptographic protocol
note
The hosted version of Vault uses an encrypted connection to the database.
To configure Piiano Vault to require a secure database connection using TLS, set these environment variables:
- PVAULT_DB_REQUIRE_TLS to true.
- PGSSLROOTCERT to the path of the TLS Certificate Authority (CA) certificate (or bundle) that signed the database server's certificate. PGSSLROOTCERT is the standard PostgreSQL client (libpq) variable for the root CA file, and the path must be readable from inside the Vault process: for a container, that is the path inside the container, not on the host.
For example, if running Vault Server with Docker, mount the directory holding the CA bundle into the container and add these flags to the docker run command (the bundle here is named after the AWS us-east-2 regional bundle, saved in the current directory):

```bash
-v $(pwd):/certs \
-e PVAULT_DB_REQUIRE_TLS=true \
-e PGSSLROOTCERT=/certs/us-east-2-bundle.pem
```

PGSSLROOTCERT refers to the container-side path (/certs/...) created by the -v mount, not to the host path.
For information on obtaining certificates:
- for AWS, see Using SSL/TLS to encrypt a connection to a DB instance or cluster.
- for GCP, see Configure SSL/TLS certificates.
note
To disable certificate verification for a TLS connection, set the environment variable PVAULT_DB_REQUIRE_TLS to false. This setting is not secure: Piiano Vault then accepts any TLS certificate for the database connection, so an on-path attacker who presents their own certificate can intercept the traffic, and if the database does not offer TLS at all, Vault falls back to an unencrypted connection. This option may be useful when testing with self-signed certificates, for example, but do not use it for production data. The secure way to work with a self-signed certificate is to keep PVAULT_DB_REQUIRE_TLS set to true and point PGSSLROOTCERT at that self-signed certificate (or its issuing CA), so that verification stays on.
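The required settings above and the insecure variant in this note can be sanity-checked before the container starts. The preflight script below is an added example written for this page, not part of Piiano Vault; it assumes the two environment variables documented here and a docker -v HOST:CONTAINER[:OPTIONS] mount, and checks that PVAULT_DB_REQUIRE_TLS is true, that PGSSLROOTCERT is an absolute container-side path under the mount, that the file exists on the host side of that mount, and that it contains at least one well-formed PEM CERTIFICATE block. The demo writes a constructed placeholder PEM (a minimal DER SEQUENCE, not a real certificate) into a temporary directory so it runs offline; every function and variable name other than the two environment variables is the example's own.

```python
"""Preflight check for Piiano Vault's database TLS settings.

Added example for this page, not part of Piiano Vault. It validates the
environment passed to `docker run` and catches the usual mistake of pointing
PGSSLROOTCERT at a host path that does not exist inside the container.
"""
import base64
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# One PEM "CERTIFICATE" block; the body is base64 with arbitrary line breaks.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


@dataclass
class CheckResult:
    ok: bool
    errors: List[str] = field(default_factory=list)
    cert_count: int = 0


def parse_volume(volume: str) -> Tuple[str, str]:
    """Split a docker `-v HOST:CONTAINER[:OPTIONS]` value into (host, container)."""
    parts = volume.split(":")
    if len(parts) < 2:
        raise ValueError(f"volume {volume!r} is not HOST:CONTAINER")
    return parts[0], parts[1]


def container_to_host_path(path: str, volume: str) -> Optional[str]:
    """Map a container-side path to the host file backing it, or None if outside the mount."""
    host_dir, container_dir = parse_volume(volume)
    container_dir = container_dir.rstrip("/") or "/"
    if path == container_dir or path.startswith(container_dir + "/"):
        return os.path.join(host_dir, path[len(container_dir):].lstrip("/"))
    return None


def count_pem_certs(data: str) -> int:
    """Count CERTIFICATE blocks whose body is valid base64 and whose DER starts with SEQUENCE (0x30)."""
    count = 0
    for body in PEM_CERT_RE.findall(data):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if der[:1] == b"\x30":
            count += 1
    return count


def check_db_tls_env(env: Dict[str, str], volume: str) -> CheckResult:
    """Validate PVAULT_DB_REQUIRE_TLS and PGSSLROOTCERT against the host side of the mount."""
    errors: List[str] = []
    if env.get("PVAULT_DB_REQUIRE_TLS", "").strip().lower() != "true":
        errors.append("PVAULT_DB_REQUIRE_TLS is not 'true': any certificate is accepted "
                      "and the connection may fall back to plaintext")
    root = env.get("PGSSLROOTCERT", "")
    if not root:
        errors.append("PGSSLROOTCERT is unset: nothing to verify the database certificate against")
        return CheckResult(False, errors)
    if not os.path.isabs(root):
        errors.append(f"PGSSLROOTCERT={root!r} is not an absolute path")
        return CheckResult(False, errors)
    host_path = container_to_host_path(root, volume)
    if host_path is None:
        errors.append(f"PGSSLROOTCERT={root!r} is not under the container mount point "
                      f"{parse_volume(volume)[1]!r}; did you use the host path?")
        return CheckResult(False, errors)
    if not os.path.isfile(host_path):
        errors.append(f"no file at {host_path!r} (host side of {root!r})")
        return CheckResult(False, errors)
    with open(host_path, "r", encoding="ascii", errors="replace") as fh:
        cert_count = count_pem_certs(fh.read())
    if cert_count == 0:
        errors.append(f"{host_path!r} contains no well-formed PEM CERTIFICATE block")
    return CheckResult(not errors, errors, cert_count)


def demo() -> Dict[str, CheckResult]:
    """Run the check against a constructed bundle in a temporary host directory."""
    # Constructed placeholder: a 5-byte DER SEQUENCE in PEM armor, NOT a real certificate.
    fake_bundle = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
    with tempfile.TemporaryDirectory() as host_dir:
        bundle_host_path = os.path.join(host_dir, "us-east-2-bundle.pem")
        with open(bundle_host_path, "w", encoding="ascii") as fh:
            fh.write(fake_bundle)
        volume = f"{host_dir}:/certs:ro"  # same shape as the page's -v flag, read-only
        container_path = "/certs/us-east-2-bundle.pem"
        return {
            "good": check_db_tls_env(
                {"PVAULT_DB_REQUIRE_TLS": "true", "PGSSLROOTCERT": container_path}, volume),
            "host_path_leak": check_db_tls_env(  # host path where the container path belongs
                {"PVAULT_DB_REQUIRE_TLS": "true", "PGSSLROOTCERT": bundle_host_path}, volume),
            "insecure": check_db_tls_env(  # the note's setting: verification off
                {"PVAULT_DB_REQUIRE_TLS": "false", "PGSSLROOTCERT": container_path}, volume),
            "missing": check_db_tls_env(
                {"PVAULT_DB_REQUIRE_TLS": "true", "PGSSLROOTCERT": "/certs/missing.pem"}, volume),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'OK' if result.ok else 'FAIL'} {result.errors}")
```

The check inspects only PEM structure, so it will not catch an expired bundle or one from the wrong issuer; that is what PVAULT_DB_REQUIRE_TLS=true verifies at connection time. Since Vault only needs to read the bundle, the mount can be read-only (the :ro option is accepted by parse_volume), which is a cheap way to keep the container from altering its own trust anchor.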