CockroachDB - HashiCorp Vault Integration

On this page Carat arrow pointing down

This pages reviews the supported integrations between CockroachDB and HashiCorp's Vault.

Vault offers tooling to extend CockroachDB's data security capabilities. Vault is an identity-based secrets and encryption management service, which can either be self-hosted or accessed as a software as a service (SaaS) product through HashiCorp Cloud Platform (HCP).

Cockroach Labs supports three integrations between Vault and CockroachDB:

Because of CockroachDB's PostgreSQL compatibility, customers can also use Vault's PostgreSQL Database Secrets Engine to manage CockroachDB SQL user credentials.

Use Vault's KMS secrets engine to manage a CockroachDB dedicated cluster's customer-managed encryption key

CockroachDB dedicated supports the use of customer-managed encrypted keys (CMEK) for the encryption of data at rest.

Vault's Key Management secrets engine allows customers to manage encryption keys on external key management services (KMS) such as those offered by Google Cloud Platform (GCP) or Amazon Web Services (AWS).

CockroachDB customers can integrate these services, using Vault's KMS secrets engine to handle the full lifecycle of the encryption keys that CockroachDB dedicated uses to protect their data.

Use Vault's Transit Secrets Engine to manage a CockroachDB self-hosted cluster's encryption-at-rest store key

When deploying Enterprise, customers can provide their own externally managed encryption keys for use as the store key for CockroachDB's Enterprise Encryption-at-rest.

Vault's Transit Secrets Engine can be used to generate suitable encryption keys for use as your cluster's store key.

Use Vault's PKI Secrets Engine to manage a CockroachDB self-hosted cluster's server and client certificates

CockroachDB self-hosted customers can use Vault's public key infrastructure (PKI) secrets engine to manage PKI certificates. Vault's PKI Secrets Engine greatly eases the security-critical work involved in securely maintaining a certificate authority (CA), generating, signing and distributing PKI certificates.

By using Vault to manage certificates, you can use only certificates with short validity durations, an important component of PKI security.

Use Vault's PostgreSQL Database Secrets Engine to manage CockroachDB SQL users and their credentials

CockroachDB users can use Vault's PostgreSQL Database Secrets Engine to handle the full lifecycle of SQL user credentials (creation, password rotation, deletion). Vault is capable of managing SQL user credentials in two ways:

  • As Static Roles, meaning that a single SQL user/role is mapped to a Vault role.

  • As Dynamic Secrets, meaning that credentials are generated and issued on demand from pre-configured templates, rather than created and persisted. Credentials are issued for specific clients and for short validity durations, further minimizing both the likelihood of a credential compromise, and the possible impact of any compromise that might occur.

Try the tutorial: Using HashiCorp Vault's Dynamic Secrets for Enhanced Database Credential Security in CockroachDB


Yes No
On this page

Yes No