HashiCorp Vault. PostgreSQL storage backend

Vault is a command line tool for managing secrets: logins, passwords, keys and certificates. "Management" covers both storing secrets and issuing them to specific applications, with an entry in the audit log recording who received what and when.

In previous articles, we covered installing HashiCorp Vault and installing PostgreSQL 13 on Centos 8.

PostgreSQL settings

We create a database and a user. To do this, switch to the postgres user

    $ sudo su - postgres

Create a database user

    $ createuser vltusr

Switch to the PostgreSQL shell

    $ psql

Set a password for the database user

    =# ALTER USER vltusr WITH ENCRYPTED password 'mypasswddd';

Create the database and set its owner

    =# CREATE DATABASE vaultdb WITH ENCODING='UTF8' OWNER=vltusr;

Switch to the vaultdb database

    =# \c vaultdb
    You are now connected to database "vaultdb" as user "postgres".

Create the table that Vault's postgresql storage backend writes to

    =# CREATE TABLE vault_kv_store (
         parent_path TEXT COLLATE "C" NOT NULL,
         path        TEXT COLLATE "C",
         key         TEXT COLLATE "C",
         value       BYTEA,
         CONSTRAINT pkey PRIMARY KEY (path, key)
       );

Create an index

    =# CREATE INDEX parent_path_idx ON vault_kv_store (parent_path);

Exit the shell and the postgres user session

    =# \q
    $ exit

Testing the connection as the new user (this also confirms that password authentication over TCP works, which is how Vault will connect)

    $ sudo su - postgres
    $ psql -U vltusr -h localhost -p 5432 vaultdb
    Password for user vltusr: 
    =# \q
    $ exit

Vault setup

Stop Vault

    $ sudo systemctl stop vault

Editing the Vault config: comment out the file backend and add the postgresql one

    $ sudo nano /etc/vault.d/vault.hcl
    #storage "file" {
    #  path  = "/var/lib/vault/data"
    #}
    storage "postgresql" {
      # PASSWORD is a placeholder for the vltusr password set above; it must be URL-encoded.
      # Host, port and database are the ones used in the psql connection test above.
      # sslmode=disable assumes PostgreSQL on the same host without TLS; use verify-full for a remote database.
      connection_url = "postgres://vltusr:PASSWORD@localhost:5432/vaultdb?sslmode=disable"
      table          = "vault_kv_store"
      max_parallel   = "128"
    }

We put SELinux into permissive mode, otherwise the Vault service will not start (setenforce changes the running mode; the config file makes it persistent across reboots)

    $ sudo setenforce 0
    $ sudo nano /etc/selinux/config

Launching Vault

    $ sudo systemctl start vault

Checking the status

    $ systemctl status vault
    $ journalctl -u vault

From here on, the steps are the same as in the article on installing HashiCorp Vault on Centos 8:

  • Adding variables
  • Initializing the service, which is where the tokens are issued
  • Unsealing Vault
  • Logging in (vault login)

PostgreSQL backup

Create a file with the connection parameters for the database, so that PostgreSQL dumps can be created later without entering a password (PASSWORD is a placeholder for the vltusr password)

    $ sudo nano /root/.pgpass
    # hostname:port:database:username:password
    localhost:5432:vaultdb:vltusr:PASSWORD

Restrict the permissions (libpq ignores a .pgpass file that is readable by group or others)

    $ sudo chmod 600 /root/.pgpass

Create a dump

    $ sudo pg_dump -d "vaultdb" -h localhost -Fc -U vltusr -w -f "/mnt/$(date +%Y%m%d_%H%M%S)_vaultdb.dump"
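Two of the values above are easy to get subtly wrong: the password inside connection_url (it must be percent-encoded, or characters like '@', ':' and '/' are read as URL delimiters) and the .pgpass file (libpq silently ignores it unless its mode is 0600 and each line has exactly five colon-separated fields). The following helpers are an added example, not code from the article or from Vault; the function names and the sslmode default are assumptions, and the sample values in the test are constructed.

```python
import re
from urllib.parse import quote, urlparse

RESERVED = "@:/?#"  # characters that break the userinfo part of a URL if left raw


def build_connection_url(user, password, host, port, database, sslmode="verify-full"):
    """Build a Vault/libpq connection_url with user and password percent-encoded,
    so that '@', ':' or '/' in the password cannot be read as URL delimiters."""
    return (f"postgres://{quote(user, safe='')}:{quote(password, safe='')}"
            f"@{host}:{port}/{database}?sslmode={sslmode}")


def storage_stanza(url, table="vault_kv_store", max_parallel=128):
    """Render the storage "postgresql" block for /etc/vault.d/vault.hcl."""
    return ('storage "postgresql" {\n'
            f'  connection_url = "{url}"\n'
            f'  table          = "{table}"\n'
            f'  max_parallel   = "{max_parallel}"\n'
            '}\n')


def check_connection_url(url):
    """Return the problems a reviewer would flag in an existing connection_url."""
    problems = []
    parts = urlparse(url)
    if parts.scheme not in ("postgres", "postgresql"):
        problems.append("scheme must be postgres://")
    userinfo = parts.netloc.rpartition("@")[0]  # everything before the last '@'
    raw_password = userinfo.split(":", 1)[1] if ":" in userinfo else None
    if raw_password is None:
        problems.append("no password in URL")
    elif any(c in RESERVED for c in raw_password):
        problems.append("password not percent-encoded ('@', ':', '/', '?' or '#' present)")
    if "sslmode=disable" in parts.query and parts.hostname not in ("localhost", "127.0.0.1"):
        problems.append("sslmode=disable on a non-local host: the connection is not encrypted")
    return problems


def check_pgpass(text, mode):
    """Validate .pgpass content and its file mode; libpq ignores the file unless it is 0600."""
    problems = []
    if mode & 0o077:
        problems.append("mode must be 0600 (group/other bits set)")
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        if len(re.split(r"(?<!\\):", line)) != 5:  # a ':' inside a field must be escaped as '\:'
            problems.append(f"line {number}: expected hostname:port:database:username:password")
    return problems
```

Pass the real file's mode as `os.stat(path).st_mode & 0o777` and its contents to `check_pgpass` before relying on the unattended dump above.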
