{ "name": "hyperion_vault", "abstract": "Encrypted secrets vault for PostgreSQL (KMS envelope encryption, REST API, automatic rotation)", "description": "hyperion_vault stores secrets encrypted at rest in PostgreSQL using envelope encryption: a per-version data key is wrapped by AWS KMS and the secret is sealed with XChaCha20-Poly1305, so only ciphertext, the wrapped key, and a nonce are ever written to disk or WAL. A co-located REST API creates, reads, updates, deletes, verifies, and automatically rotates secrets, with old versions kept valid for a configurable grace period. Designed to run on every member of a pg_replica cluster: reads are served locally on any node, writes are routed to the current primary, and the schema replicates byte-for-byte. Read access to secrets is restricted to an IPv4 allowlist; management operations require admin tokens.", "version": "0.1.0", "maintainer": [ "Tadas Talaikis " ], "license": "gpl_3", "provides": { "hyperion_vault": { "abstract": "Encrypted secrets vault for PostgreSQL", "file": "extension/hyperion_vault.control", "version": "0.1.0" } }, "prereqs": { "runtime": { "requires": { "PostgreSQL": "18.0.0" }, "recommends": { "pg_replica": "0.6.0" } }, "build": { "requires": { "cargo-pgrx": "0.18.1" } } }, "resources": { "homepage": "https://hyperiondb.eu", "bugtracker": { "web": "https://github.com/hyperiondb/hyperion-vault/issues" }, "repository": { "url": "https://github.com/hyperiondb/hyperion-vault.git", "web": "https://github.com/hyperiondb/hyperion-vault", "type": "git" } }, "generated_by": "Tadas Talaikis", "meta-spec": { "version": "1.0.0", "url": "https://pgxn.org/meta/spec.txt" }, "tags": [ "vault", "secrets", "encryption", "kms", "rotation", "security" ], "release_status": "unstable" }