This pages reviews the supported integrations between CockroachDB and HashiCorp's Vault.
Vault offers tooling to extend CockroachDB's data security capabilities. Vault is an identity-based secrets and encryption management service, which can either be self-hosted or accessed as a software as a service (SaaS) product through HashiCorp Cloud Platform (HCP).
Cockroach Labs supports three integrations between Vault and CockroachDB:
- Using Vault's Key Management Secrets (KMS) Engine to manage & distribute encryption keys to AWS or GCP KMS for CockroachDB Dedicated's customer-managed encryption key (CMEK) functionality.
- Using Vault's Transit Secrets Engine to generate the store key for Enterprise Encryption At Rest for a CockroachDB Self-Hosted cluster.
- Using Vault's PKI Secrets Engine to manage the server and client certificates for a CockroachDB Self-Hosted cluster.
Because of CockroachDB's PostgreSQL compatibility, customers can also use Vault's PostgreSQL Database Secrets Engine to manage CockroachDB SQL user credentials.
Use Vault's KMS secrets engine to manage a CockroachDB Dedicated cluster's customer-managed encryption key
CockroachDB Dedicated supports the use of customer-managed encrypted keys (CMEK) for the encryption of data at rest.
Vault's Key Management secrets engine allows customers to manage encryption keys on external key management services (KMS) such as those offered by Google Cloud Platform (GCP) or Amazon Web Services (AWS).
CockroachDB customers can integrate these services, using Vault's KMS secrets engine to handle the full lifecycle of the encryption keys that CockroachDB Dedicated uses to protect their data.
Use Vault's Transit Secrets Engine to manage a CockroachDB Self-Hosted cluster's encryption-at-rest store key
When deploying Enterprise, customers can provide their own externally managed encryption keys for use as the store key for CockroachDB's Enterprise Encryption-at-rest.
Vault's Transit Secrets Engine can be used to generate suitable encryption keys for use as your cluster's store key.
Use Vault's PKI Secrets Engine to manage a CockroachDB Self-Hosted cluster's server and client certificates
CockroachDB Self-Hosted customers can use Vault's public key infrastructure (PKI) secrets engine to manage PKI certificates. Vault's PKI Secrets Engine greatly eases the security-critical work involved in securely maintaining a certificate authority (CA), generating, signing and distributing PKI certificates.
By using Vault to manage certificates, you can use only certificates with short validity durations, an important component of PKI security.
Use Vault's PostgreSQL Database Secrets Engine to manage CockroachDB SQL users and their credentials
CockroachDB users can use Vault's PostgreSQL Database Secrets Engine to handle the full lifecycle of SQL user credentials (creation, password rotation, deletion). Vault is capable of managing SQL user credentials in two ways:
As Static Roles, meaning that a single SQL user/role is mapped to a Vault role.
As Dynamic Secrets, meaning that credentials are generated and issued on demand from pre-configured templates, rather than created and persisted. Credentials are issued for specific clients and for short validity durations, further minimizing both the likelihood of a credential compromise, and the possible impact of any compromise that might occur.
Try the tutorial: Using HashiCorp Vault's Dynamic Secrets for Enhanced Database Credential Security in CockroachDB