supabase_vault
pg_vault : Supabase Vault Extension
Overview
| ID | Extension | Package | Version | Category | License | Language |
|---|---|---|---|---|---|---|
| 7030 | supabase_vault | pg_vault | 0.3.1 | SEC | Apache-2.0 | C |
| Attribute | Has Binary | Has Library | Need Load | Has DDL | Relocatable | Trusted |
|---|---|---|---|---|---|---|
| --s-d-- | No | Yes | No | Yes | no | no |
| Relationships | |
|---|---|
| Schemas | vault |
| Requires | pgsodium |
| See Also | passwordcheck_cracklib supautils pg_session_jwt anon pg_tde pgsmcrypto pgaudit |
Packages
| Type | Repo | Version | PG Major Compatibility | Package Pattern | Dependencies |
|---|---|---|---|---|---|
| EXT | PIGSTY | 0.3.1 | 18 17 16 15 14 | pg_vault | pgsodium |
| RPM | PIGSTY | 0.3.1 | 18 17 16 15 14 | vault_$v | - |
| DEB | PIGSTY | 0.3.1 | 18 17 16 15 14 | postgresql-$v-vault | - |
| Linux / PG | PG18 | PG17 | PG16 | PG15 | PG14 |
|---|---|---|---|---|---|
| el8.x86_64 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 |
| el8.aarch64 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 |
| el9.x86_64 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 |
| el9.aarch64 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 |
| el10.x86_64 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 |
| el10.aarch64 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 |
| d12.x86_64 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 |
| d12.aarch64 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 |
| d13.x86_64 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 |
| d13.aarch64 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 |
| u22.x86_64 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 |
| u22.aarch64 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 |
| u24.x86_64 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 |
| u24.aarch64 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 | PIGSTY 0.3.1 |
Source
pig build pkg pg_vault; # build rpm/deb
Install
Make sure the PGDG and PIGSTY repos are available:
pig repo add pgsql -u # add both repos and update the cache
Install this extension with pig:
pig install pg_vault; # install via package name, for the active PG version
pig install supabase_vault; # install by extension name, for the current active PG version
pig install supabase_vault -v 18; # install for PG 18
pig install supabase_vault -v 17; # install for PG 17
pig install supabase_vault -v 16; # install for PG 16
pig install supabase_vault -v 15; # install for PG 15
pig install supabase_vault -v 14; # install for PG 14
Create this extension with:
CREATE EXTENSION supabase_vault CASCADE; -- requires pgsodium
Usage
Supabase Vault provides a vault.secrets table to store sensitive information (API keys, tokens, etc.) encrypted at rest. Decryption happens on the fly through the vault.decrypted_secrets view.
CREATE EXTENSION supabase_vault CASCADE;
Storing Secrets
INSERT INTO vault.secrets (secret) VALUES ('s3kre3t_k3y') RETURNING *;
-- Or use the helper function:
SELECT vault.create_secret('another_s3kre3t');
-- With optional name and description:
SELECT vault.create_secret('my_secret', 'unique_name', 'This is the description');
Reading Secrets
The vault.secrets table stores data encrypted. Use the vault.decrypted_secrets view to read decrypted values:
SELECT * FROM vault.decrypted_secrets ORDER BY created_at DESC LIMIT 3;
-- Includes a `decrypted_secret` column with the plaintext value
Updating Secrets
SELECT vault.update_secret(
'7095d222-efe5-4cd5-b5c6-5755b451e223',
'n3w_upd@ted_s3kret',
'updated_unique_name',
'This is the updated description'
);
Security Note
Turn off statement logging to prevent secrets from appearing in logs:
ALTER SYSTEM SET log_statement = 'none'; -- PostgreSQL's parameter name is log_statement; applied on the next configuration reload
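To check logs written before statement logging was turned off, the following added example (not code from this page or from the extension) scans PostgreSQL server log text for the vault write statements shown under Storing Secrets and Updating Secrets, and reports them with their literals redacted. The sample log lines are constructed and assume a default-style log prefix; the function and pattern names are illustrative.

```python
import re

# Statements from this page that carry a plaintext secret as a SQL literal.
VAULT_WRITE = re.compile(
    r"vault\.(?:create_secret|update_secret)\s*\(|insert\s+into\s+vault\.secrets\b",
    re.IGNORECASE,
)
# PostgreSQL writes logged SQL after "statement:" (log_statement,
# log_min_duration_statement) or "STATEMENT:" (log_min_error_statement).
LOGGED_SQL = re.compile(r"\b(?:statement|STATEMENT):\s+(?P<sql>.*)$")
# Single-quoted SQL literal, with '' as the escaped quote.
LITERAL = re.compile(r"'(?:[^']|'')*'")


def find_vault_leaks(lines):
    """Return (line_no, redacted_sql) for logged statements that wrote to the vault."""
    hits = []
    for no, line in enumerate(lines, start=1):
        m = LOGGED_SQL.search(line)
        if m and VAULT_WRITE.search(m.group("sql")):
            # Redact every literal so the report does not repeat the leak.
            hits.append((no, LITERAL.sub("'<redacted>'", m.group("sql"))))
    return hits


# Constructed sample log lines (default-style log_line_prefix), not real output.
SAMPLE_LOG = [
    "2025-01-01 10:00:00.000 UTC [101] LOG:  statement: SELECT vault.create_secret('another_s3kre3t');",
    "2025-01-01 10:00:01.000 UTC [101] LOG:  statement: SELECT 1;",
    "2025-01-01 10:00:02.000 UTC [102] LOG:  duration: 2.113 ms  statement: INSERT INTO vault.secrets (secret) VALUES ('s3kre3t_k3y') RETURNING *;",
    "2025-01-01 10:00:03.000 UTC [103] ERROR:  duplicate key value violates unique constraint",
    "2025-01-01 10:00:03.000 UTC [103] STATEMENT:  SELECT vault.create_secret('my_secret', 'unique_name', 'it''s a description');",
    "2025-01-01 10:00:04.000 UTC [104] LOG:  statement: SELECT * FROM vault.decrypted_secrets LIMIT 3;",
]

if __name__ == "__main__":
    for no, sql in find_vault_leaks(SAMPLE_LOG):
        print(f"line {no}: {sql}")
```

A statement logged across several lines is flagged by its first line only, so a hit on `vault.update_secret(` means the continuation lines that follow it in the log hold the literals. Any secret found this way should be rotated with `vault.update_secret`.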