Add OpenBao Topic ver 2 #459

Merged
merged 3 commits into from
Jun 27, 2025
@@ -0,0 +1,48 @@
# Using OpenBao as a Key Provider

You can configure `pg_tde` to use OpenBao as a global key provider for managing encryption keys securely.

!!! note
This guide assumes that your OpenBao server is already set up and accessible. OpenBao configuration is outside the scope of this document, see [OpenBao's official documentation](https://openbao.org/docs/) for more information.

## Example usage

To register an OpenBao server as a global key provider:

```sql
SELECT pg_tde_add_global_key_provider_vault_v2(
'provider-name',
'url',
'mount',
'secret_token_path',
'ca_path'
);
```

## Parameter descriptions

* `provider-name` is the name to identify this key provider
* `secret_token_path` is a path to the file that contains an access token with read and write access to the above mount point
* `url` is the URL of the Vault server
* `mount` is the mount point where the keyring should store the keys
* [optional] `ca_path` is the path of the CA file used for SSL verification

The following example is for testing purposes only. Use secure tokens and proper SSL validation in production environments:

```sql
SELECT pg_tde_add_global_key_provider_vault_v2(
'my-openbao-provider',
'https://openbao.example.com:8200',
'secret/data',
'/path/to/token_file',
'/path/to/ca_cert.pem'
);
```

For more information on related functions, see the link below:

[Percona pg_tde Function Reference](../functions.md){.md-button}

## Next steps

[Global Principal Key Configuration :material-arrow-right:](set-principal-key.md){.md-button}
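Review bot: The bullets under "Parameter descriptions" do not follow the argument order shown in "Example usage": `secret_token_path` is listed second and refers to "the above mount point" before `mount` has been described, while the call takes `url`, `mount`, `secret_token_path`, `ca_path` in that order. Reorder the bullets to match the signature so a reader filling in the call positionally does not swap the token path and the URL. In the same list, `url` is described as "the URL of the Vault server"; on this page it should say OpenBao. The sentence before the second example calls it "for testing purposes only", yet the example already uses an `https` URL and passes a `ca_path`, so either state what has to change for production or drop the qualifier.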
1 change: 1 addition & 0 deletions contrib/pg_tde/documentation/mkdocs.yml
Expand Up @@ -181,6 +181,7 @@ nav:
- "Fortanix Configuration": global-key-provider-configuration/kmip-fortanix.md
- "Vault Configuration": global-key-provider-configuration/vault.md
- "Thales Configuration": global-key-provider-configuration/kmip-thales.md
- "Using OpenBao as a Key Provider": global-key-provider-configuration/kmip-openbao.md
- "Keyring File Configuration": global-key-provider-configuration/keyring.md
- "2.2 Global Principal Key Configuration": global-key-provider-configuration/set-principal-key.md
- "3. Validate Encryption with pg_tde": test.md
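Review bot: The added nav entry points at `global-key-provider-configuration/kmip-openbao.md`, but the page added in this PR registers the provider with `pg_tde_add_global_key_provider_vault_v2`, not through KMIP, so the `kmip-` prefix is misleading next to `kmip-fortanix.md` and `kmip-thales.md`. Consider naming the file `openbao.md`, in line with `vault.md`, and updating this entry. The label "Using OpenBao as a Key Provider" also departs from the "... Configuration" pattern of the neighbouring entries; "OpenBao Configuration" would be consistent.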