Hi,
we are using vault for pg_tde, we already add vault_v2 and set principle key, but now we want to change vault token, how to do that
SELECT pg_tde_add_key_provider_vault_v2('provider-name', :'secret_token', 'url', 'mount', 'ca_path');
Hi! Thanks for reaching out!
For now, the way to do it is to add a new provider and change the principal key to the new provider, as we have not yet added functions to modify/delete a provider. These are already planned; the priority right now is hardening and use cases that have no workarounds.
Can you share some more about the use case where you tested pg_tde? Is this workaround I presented something that can get you through your issue?
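The workaround described above, written out as an added example (this is not code from the thread or from the pg_tde project). It assumes the function names pg_tde_add_key_provider_vault_v2 and pg_tde_rotate_principal_key as documented for pg_tde at the time; confirm the exact names on your build with `\df pg_tde*` in psql. Provider name, key name, URL, mount, CA path and table name are placeholders. The important part is ordering: the new provider is registered and the principal key moved to it while the old token is still valid, because once the token has expired the server can no longer unlock the principal key to perform either step.

```sql
-- Added example (not from the thread): rotate a Vault token before it expires
-- by registering a second provider and moving the principal key to it.
-- Function names are assumed from the pg_tde docs of that era; check \df pg_tde*.

-- 1. Register a new Vault provider carrying the freshly issued token.
--    :'vault_token' is a psql variable, so the token is not embedded in the SQL
--    text. Set it inside psql from a root-only file rather than on the command
--    line, so it does not land in shell history or the process list:
--      \set vault_token `cat /run/secrets/vault_token`
SELECT pg_tde_add_key_provider_vault_v2(
    'vault-2024-12',                         -- new provider name (placeholder)
    :'vault_token',                          -- rotated token, from the psql variable
    'https://vault.example.internal:8200',   -- Vault URL (placeholder)
    'pg_tde_mount',                          -- KV mount used by pg_tde (placeholder)
    '/etc/ssl/certs/vault-ca.pem');          -- CA bundle for TLS (placeholder)

-- 2. Move the principal key to the new provider while the OLD token still works.
SELECT pg_tde_rotate_principal_key('principal-key-2024-12', 'vault-2024-12');

-- 3. Confirm encrypted data is still readable before the old token is revoked.
SELECT count(*) FROM encrypted_table;      -- placeholder: any table using tde_heap
```

Step 3 is the check worth keeping: if it fails, the old provider and token are still in place and nothing has been lost; revoke the old token in Vault only after it succeeds.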
Because our Vault token had expired, the DB cannot get the master key from Vault. On the Vault side they already recreated the token, but we cannot update it on the DB side; when the token is expired, I cannot do anything to add a new provider or change the principal key.
Is there any way to back up and restore the principal key, in case there is some issue with the provider?
Hello!
We have no interface for this at the moment, we’ll add it in the future. In the meantime, you can try editing the datafile for pg_tde manually (make sure that the server is stopped during this, and make a backup of the file before).
The data file is in the data directory, with a path /base/<database_oid>/pg_tde_keyrings
Hi, /base/<database_oid>/pg_tde_keyrings is a binary file; how can I edit it and replace the new token?
I tried to edit it with vi; when I restart the DB and select from an encrypted table, the error is:
ERROR: key provider info file is corrupted: No such file or directory
DETAIL: invalid key provider record size 1 expected 1160
Hello
Yes, it’s binary. You can use vim in hex/binary mode, for example:
vim -b <filename>
:%!xxd
:%!xxd -r (to save it)
but this also depends on your vimrc/configuration.
Or you can edit the file with a command line hex/binary editor, there are many available.
I already edited in the new token, but it still errors. Is there any DB checksum that checks to make sure there is no manual edit?
ERROR: key provider info file is corrupted: No such file or directory
DETAIL: invalid key provider record size 1 expected 1160
Copyright © 2006 - 2024 Percona LLC. All rights reserved.