Configure your database connection to use TLS

Learn how to configure Piiano Vault to connect to the databse using Transport Layer Security (TLS) cryptographic protocol to protect data in motion

note

If you're using the hosted version of Vault, TLS is implemented by default.

To configure Piiano Vault to require a secure database connection using TLS, follow the following steps:

1. Set the environment variable PVAULT_DB_REQUIRE_TLS to true.

2. Set the environment variable PGSSLROOTCERT to the path of the TLS Certificate Authority (CA) certificate. For example, if running Vault Server, add these flags to the docker run command:

   -v $(pwd):/certs -e \
   -e PVAULT_DB_REQUIRE_TLS=true \
   -e PGSSLROOTCERT=/certs/us-east-2-bundle.pem

   If using AWS, you can get the certificate from the following URL: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
   If using GCP, you can get the certificate from the following URL: https://cloud.google.com/sql/docs/postgres/configure-ssl-instance

note

To disable certificate verification for a TLS connection (which is not secure), set PVAULT_DB_REQUIRE_TLS to false. With this setting, Piiano Vault will accept any TLS certificate for the DB connection, and if a TLS certificate is not found, it will fall back to a non-TLS connection. This option may be useful when testing with self-signed certificates, for example.