Skip to main content

Configure your database connection to use TLS

Learn how to configure Piiano Vault to connect to the database using Transport Layer Security (TLS) cryptographic protocol to protect data in motion


If you're using the hosted version of Vault, TLS is implemented by default.

To configure Piiano Vault to require a secure database connection using TLS, follow the following steps:

  1. Set the environment variable PVAULT_DB_REQUIRE_TLS to true.

  2. Set the environment variable PGSSLROOTCERT to the path of the TLS Certificate Authority (CA) certificate. For example, if running Vault Server, add these flags to the docker run command:

    -v $(pwd):/certs -e \
    -e PGSSLROOTCERT=/certs/us-east-2-bundle.pem

    If using AWS, you can get the certificate from the following URL:
    If using GCP, you can get the certificate from the following URL:


To disable certificate verification for a TLS connection (which is not secure), set PVAULT_DB_REQUIRE_TLS to false. With this setting, Piiano Vault will accept any TLS certificate for the DB connection, and if a TLS certificate is not found, it will fall back to a non-TLS connection. This option may be useful when testing with self-signed certificates, for example.

On this page