supabase_vault
Overview
| Package | Version | Category | License | Language |
|---|---|---|---|---|
pg_vault | 0.3.1 | SEC | Apache-2.0 | C |
| ID | Extension | Bin | Lib | Load | Create | Trust | Reloc | Schema |
|---|---|---|---|---|---|---|---|---|
| 7030 | supabase_vault | No | Yes | No | Yes | No | No | vault |
| Related | pgsodium passwordcheck_cracklib supautils pg_session_jwt anon pg_tde pgsmcrypto pgaudit |
|---|
Version
| Type | Repo | Version | PG Ver | Package | Deps |
|---|---|---|---|---|---|
| EXT | PIGSTY | 0.3.1 | 1817161514 | pg_vault | pgsodium |
| RPM | PIGSTY | 0.3.1 | 1817161514 | vault_$v | - |
| DEB | PIGSTY | 0.3.1 | 1817161514 | postgresql-$v-vault | - |
Build
You can build the RPM / DEB packages for pg_vault using pig build:
pig build pkg pg_vault # build RPM / DEB packages
Install
You can install pg_vault directly. First, make sure the PGDG and PIGSTY repositories are added and enabled:
pig repo add pgsql -u # Add repo and update cache
Install the extension using pig or apt/yum/dnf:
pig install pg_vault; # Install for current active PG version
pig ext install -y pg_vault -v 18 # PG 18
pig ext install -y pg_vault -v 17 # PG 17
pig ext install -y pg_vault -v 16 # PG 16
pig ext install -y pg_vault -v 15 # PG 15
pig ext install -y pg_vault -v 14 # PG 14
dnf install -y vault_18 # PG 18
dnf install -y vault_17 # PG 17
dnf install -y vault_16 # PG 16
dnf install -y vault_15 # PG 15
dnf install -y vault_14 # PG 14
apt install -y postgresql-18-vault # PG 18
apt install -y postgresql-17-vault # PG 17
apt install -y postgresql-16-vault # PG 16
apt install -y postgresql-15-vault # PG 15
apt install -y postgresql-14-vault # PG 14
Create Extension:
CREATE EXTENSION supabase_vault CASCADE; -- requires: pgsodium
Usage
Supabase Vault provides a vault.secrets table to store sensitive information (API keys, tokens, etc.) encrypted at rest. Decryption happens on the fly through the vault.decrypted_secrets view.
CREATE EXTENSION supabase_vault CASCADE;
Storing Secrets
INSERT INTO vault.secrets (secret) VALUES ('s3kre3t_k3y') RETURNING *;
-- Or use the helper function:
SELECT vault.create_secret('another_s3kre3t');
-- With optional name and description:
SELECT vault.create_secret('my_secret', 'unique_name', 'This is the description');
Reading Secrets
The vault.secrets table stores data encrypted. Use the vault.decrypted_secrets view to read decrypted values:
SELECT * FROM vault.decrypted_secrets ORDER BY created_at DESC LIMIT 3;
-- Includes a `decrypted_secret` column with the plaintext value
Updating Secrets
SELECT vault.update_secret(
'7095d222-efe5-4cd5-b5c6-5755b451e223',
'n3w_upd@ted_s3kret',
'updated_unique_name',
'This is the updated description'
);
Security Note
Turn off statement logging to prevent secrets from appearing in logs:
ALTER SYSTEM SET statement_log = 'none';
Feedback
Was this page helpful?
Thanks for the feedback! Please let us know how we can improve.
Sorry to hear that. Please let us know how we can improve.