diff --git a/ansible/files/admin_api_scripts/pg_upgrade_scripts/complete.sh b/ansible/files/admin_api_scripts/pg_upgrade_scripts/complete.sh index c2367116d..515c490f6 100755 --- a/ansible/files/admin_api_scripts/pg_upgrade_scripts/complete.sh +++ b/ansible/files/admin_api_scripts/pg_upgrade_scripts/complete.sh @@ -150,43 +150,6 @@ EOF run_sql -c "$PATCH_PGMQ_QUERY" run_sql -c "update pg_extension set extowner = 'postgres'::regrole where extname = 'pgmq';" - - # Patch to handle upgrading to pgsodium-less Vault - REENCRYPT_VAULT_SECRETS_QUERY=$(cat < - sed -i.bak - -e 's/\(shared_preload_libraries = '\''.*\)pgsodium,\(.*'\''\)/\1\2/' - -e 's/\(shared_preload_libraries = '\''.*\)supabase_vault,\(.*'\''\)/\1\2/' - -e 's/\(shared_preload_libraries = '\''.*\), *supabase_vault'\''/\1'\''/' + sed -i.bak + -e 's/\(shared_preload_libraries = '\''.*\)pgsodium,\(.*'\''\)/\1\2/' -e 's/pgsodium.getkey_script=/#pgsodium.getkey_script=/' /etc/postgresql/postgresql.conf when: debpkg_mode or stage2_nix -- name: Verify pgsodium and vault removal from config - become: yes - become_user: postgres - shell: - cmd: | - FOUND=$(grep -E "shared_preload_libraries.*pgsodium|shared_preload_libraries.*supabase_vault|^pgsodium\.getkey_script" /etc/postgresql/postgresql.conf) - if [ ! -z "$FOUND" ]; then - echo "Found unremoved references:" - echo "$FOUND" - exit 1 - fi - register: verify_result - failed_when: verify_result.rc != 0 - when: debpkg_mode or stage2_nix - - name: Start Postgres Database to load all extensions. become: yes become_user: postgres diff --git a/ansible/vars.yml b/ansible/vars.yml index 206cb139f..6d3d096b1 100644 --- a/ansible/vars.yml +++ b/ansible/vars.yml @@ -8,8 +8,8 @@ postgres_major: # Full version strings for each major version postgres_release: - postgresorioledb-17: "17.0.1.035-orioledb" - postgres15: "15.8.1.039" + postgresorioledb-17: "17.0.1.036-orioledb" + postgres15: "15.8.1.040" # Non Postgres Extensions pgbouncer_release: "1.19.0" 
diff --git a/ebssurrogate/files/unit-tests/unit-test-01.sql b/ebssurrogate/files/unit-tests/unit-test-01.sql
index c466af12e..f3d47459f 100644
--- a/ebssurrogate/files/unit-tests/unit-test-01.sql
+++ b/ebssurrogate/files/unit-tests/unit-test-01.sql
@@ -17,6 +17,7 @@ BEGIN
 extension_array := ARRAY[
 'plpgsql',
 'pg_stat_statements',
+ 'pgsodium',
 'pgtap',
 'pg_graphql',
 'pgcrypto',
@@ -29,6 +30,7 @@ BEGIN
 extension_array := ARRAY[
 'plpgsql',
 'pg_stat_statements',
+ 'pgsodium',
 'pgtap',
 'pg_graphql',
 'pgcrypto',
@@ -42,7 +44,7 @@ BEGIN
 PERFORM set_config('myapp.extensions', array_to_string(extension_array, ','), false);
 END $$;
 
-SELECT no_plan();
+SELECT plan(8);
 
 SELECT extensions_are(
 string_to_array(current_setting('myapp.extensions'), ',')::text[]
@@ -54,5 +56,9 @@ SELECT has_schema('pg_catalog');
 SELECT has_schema('information_schema');
 SELECT has_schema('public');
 
+SELECT function_privs_are('pgsodium', 'crypto_aead_det_decrypt', array['bytea', 'bytea', 'uuid', 'bytea'], 'service_role', array['EXECUTE']);
+SELECT function_privs_are('pgsodium', 'crypto_aead_det_encrypt', array['bytea', 'bytea', 'uuid', 'bytea'], 'service_role', array['EXECUTE']);
+SELECT function_privs_are('pgsodium', 'crypto_aead_det_keygen', array[]::text[], 'service_role', array['EXECUTE']);
+
 SELECT * FROM finish();
-ROLLBACK;
+ROLLBACK;
\ No newline at end of file
diff --git a/flake.nix b/flake.nix
index 8bbd79525..c0ecc45f0 100644
--- a/flake.nix
+++ b/flake.nix
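Review bot: The three function_privs_are checks added at the end of the last hunk assert only that service_role holds EXECUTE on the pgsodium crypto_aead_det_* functions; nothing asserts that the less privileged roles do not, so an over-broad GRANT on the decrypt entry point would still pass this file. A matching negative assertion per role, e.g. `SELECT function_privs_are('pgsodium', 'crypto_aead_det_decrypt', array['bytea', 'bytea', 'uuid', 'bytea'], '<unprivileged_role>', array[]::text[]);`, pins the intended least-privilege surface and turns a regression into a failing test. Each added assertion must also be counted in the new `SELECT plan(8)`, which replaces no_plan() in the third hunk and makes pgTAP fail on any mismatch; the hunks show seven assertions, so the eighth presumably sits in the unshown lines 48–53 — worth confirming before the count is changed again.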
@@ -571,49 +571,42 @@ sqlTests = ./nix/tests/smoke; pg_prove = pkgs.perlPackages.TAPParserSourceHandlerpgTAP; pg_regress = basePackages.pg_regress; - getkey-script = pkgs.stdenv.mkDerivation { - name = "pgsodium-getkey"; - buildCommand = '' - mkdir -p $out/bin - cat > $out/bin/pgsodium-getkey << 'EOF' - #!${pkgs.bash}/bin/bash - set -euo pipefail - - TMPDIR_BASE=$(mktemp -d) - - if [[ "$(uname)" == "Darwin" ]]; then - KEY_DIR="/private/tmp/pgsodium" - else - KEY_DIR="''${PGSODIUM_KEY_DIR:-$TMPDIR_BASE/pgsodium}" - fi - KEY_FILE="$KEY_DIR/pgsodium.key" - - if ! mkdir -p "$KEY_DIR" 2>/dev/null; then - echo "Error: Could not create key directory $KEY_DIR" >&2 - exit 1 - fi - chmod 1777 "$KEY_DIR" - - if [[ ! -f "$KEY_FILE" ]]; then - if ! (dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -A n -t x1 | tr -d ' \n' > "$KEY_FILE"); then - if ! (openssl rand -hex 32 > "$KEY_FILE"); then - echo "00000000000000000000000000000000" > "$KEY_FILE" - echo "Warning: Using fallback key" >&2 - fi + getkey-script = pkgs.writeScriptBin "pgsodium-getkey" '' + #!${pkgs.bash}/bin/bash + set -euo pipefail + + TMPDIR_BASE=$(mktemp -d) + + if [[ "$(uname)" == "Darwin" ]]; then + KEY_DIR="/private/tmp/pgsodium" + else + KEY_DIR="''${PGSODIUM_KEY_DIR:-$TMPDIR_BASE/pgsodium}" + fi + KEY_FILE="$KEY_DIR/pgsodium.key" + + if ! mkdir -p "$KEY_DIR" 2>/dev/null; then + echo "Error: Could not create key directory $KEY_DIR" >&2 + exit 1 + fi + chmod 1777 "$KEY_DIR" + + if [[ ! -f "$KEY_FILE" ]]; then + if ! (dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -A n -t x1 | tr -d ' \n' > "$KEY_FILE"); then + if ! 
(openssl rand -hex 32 > "$KEY_FILE"); then + echo "00000000000000000000000000000000" > "$KEY_FILE" + echo "Warning: Using fallback key" >&2 fi - chmod 644 "$KEY_FILE" - fi - - if [[ -f "$KEY_FILE" && -r "$KEY_FILE" ]]; then - cat "$KEY_FILE" - else - echo "Error: Cannot read key file $KEY_FILE" >&2 - exit 1 fi - EOF - chmod +x $out/bin/pgsodium-getkey - ''; - }; + chmod 644 "$KEY_FILE" + fi + + if [[ -f "$KEY_FILE" && -r "$KEY_FILE" ]]; then + cat "$KEY_FILE" + else + echo "Error: Cannot read key file $KEY_FILE" >&2 + exit 1 + fi + ''; # Use the shared setup but with a test-specific name start-postgres-server-bin = makePostgresDevSetup { @@ -682,8 +675,6 @@ echo "listen_addresses = '*'" >> "$PGTAP_CLUSTER"/postgresql.conf echo "port = 5435" >> "$PGTAP_CLUSTER"/postgresql.conf echo "host all all 127.0.0.1/32 trust" >> $PGTAP_CLUSTER/pg_hba.conf - echo "Checking shared_preload_libraries setting:" - grep -rn "shared_preload_libraries" "$PGTAP_CLUSTER"/postgresql.conf # Remove timescaledb if running orioledb-17 check echo "I AM ${pgpkg.version}====================================================" if [[ "${pgpkg.version}" == *"17"* ]]; then diff --git a/migrations/db/migrations/20250218031949_pgsodium_mask_role.sql b/migrations/db/migrations/20250218031949_pgsodium_mask_role.sql new file mode 100644 index 000000000..c4a3eadf4 --- /dev/null +++ b/migrations/db/migrations/20250218031949_pgsodium_mask_role.sql @@ -0,0 +1,25 @@ +-- migrate:up +CREATE OR REPLACE FUNCTION pgsodium.mask_role(masked_role regrole, source_name text, view_name text) +RETURNS void +LANGUAGE plpgsql +SECURITY DEFINER +SET search_path TO '' +AS $function$ +BEGIN + EXECUTE format( + 'GRANT SELECT ON pgsodium.key TO %s', + masked_role); + + EXECUTE format( + 'GRANT pgsodium_keyiduser, pgsodium_keyholder TO %s', + masked_role); + + EXECUTE format( + 'GRANT ALL ON %I TO %s', + view_name, + masked_role); + RETURN; +END +$function$; + +-- migrate:down 
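Review bot: The rewritten getkey-script keeps `chmod 644 "$KEY_FILE"` and the constant-key fallback from the old heredoc, so the pgsodium root key is created world-readable and, when both dd and openssl fail, the script still exits 0 after writing a fixed key that is 32 hex characters against the 64 the two generators produce. The file is only read back by this same script (`cat "$KEY_FILE"`), so `chmod 600 "$KEY_FILE"` is sufficient for whichever user runs it, and the fallback branch should fail closed: replace the two echo lines with `echo "Error: could not generate a key" >&2` and `exit 1`. Both points predate this commit, which only moves the body from stdenv.mkDerivation to pkgs.writeScriptBin, but the move is the natural moment to fix them. The enclosing attribute set continues outside the hunk.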
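Review bot: pgsodium.mask_role in the new migration is SECURITY DEFINER and grants SELECT on pgsodium.key plus membership in pgsodium_keyiduser and pgsodium_keyholder to whatever role is passed, but the file never sets the function's own EXECUTE privilege. CREATE OR REPLACE keeps the ACL of an existing function, yet if the function has to be created fresh PostgreSQL grants EXECUTE to PUBLIC by default, so any role could call it on itself; adding `REVOKE EXECUTE ON FUNCTION pgsodium.mask_role(regrole, text, text) FROM PUBLIC;` after `$function$;` makes the migration safe in both cases. The `-- migrate:down` section is empty, so the change cannot be rolled back by the migration tool; restoring the previous definition, or a comment stating that the change is intentionally irreversible, belongs there. Also worth confirming against the callers: view_name is formatted with `%I`, which quotes the whole string as one identifier, and with search_path set to '' an unqualified name cannot resolve, so a schema-qualified value passed as plain text would be quoted into `"schema.view"`. source_name is accepted but never used.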
diff --git a/nix/ext/vault.nix b/nix/ext/vault.nix index 2cbd7e7a9..c822fcd51 100644 --- a/nix/ext/vault.nix +++ b/nix/ext/vault.nix @@ -1,24 +1,23 @@ -{ lib, stdenv, fetchFromGitHub, libsodium, postgresql }: +{ lib, stdenv, fetchFromGitHub, postgresql }: stdenv.mkDerivation rec { pname = "vault"; - version = "0.3.1"; + version = "0.2.9"; - buildInputs = [ libsodium postgresql ]; + buildInputs = [ postgresql ]; src = fetchFromGitHub { owner = "supabase"; repo = pname; rev = "refs/tags/v${version}"; - hash = "sha256-MC87bqgtynnDhmNZAu96jvfCpsGDCPB0g5TZfRQHd30="; + hash = "sha256-kXTngBW4K6FkZM8HvJG2Jha6OQqbejhnk7tchxy031I="; }; installPhase = '' mkdir -p $out/{lib,share/postgresql/extension} - install -D *${postgresql.dlSuffix} $out/lib - install -D -t $out/share/postgresql/extension sql/*.sql - install -D -t $out/share/postgresql/extension *.control + cp sql/*.sql $out/share/postgresql/extension + cp *.control $out/share/postgresql/extension ''; meta = with lib; { diff --git a/nix/tests/expected/z_15_ext_interface.out b/nix/tests/expected/z_15_ext_interface.out index 2fedc4366..9914fa3b9 100644 --- a/nix/tests/expected/z_15_ext_interface.out +++ b/nix/tests/expected/z_15_ext_interface.out 
@@ -4750,9 +4750,6 @@ order by sslinfo | public | ssl_issuer_dn | | text sslinfo | public | ssl_issuer_field | text | text sslinfo | public | ssl_version | | text - supabase_vault | vault | _crypto_aead_det_decrypt | message bytea, additional bytea, key_id bigint, context bytea, nonce bytea | bytea - supabase_vault | vault | _crypto_aead_det_encrypt | message bytea, additional bytea, key_id bigint, context bytea, nonce bytea | bytea - supabase_vault | vault | _crypto_aead_det_noncegen | | bytea supabase_vault | vault | create_secret | new_secret text, new_name text, new_description text, new_key_id uuid | uuid supabase_vault | vault | update_secret | secret_id uuid, new_secret text, new_name text, new_description text, new_key_id uuid | void tablefunc | public | connectby | text, text, text, text, integer, text | SETOF record @@ -5229,7 +5226,7 @@ order by xml2 | public | xpath_table | text, text, text, text, text | SETOF record xml2 | public | xslt_process | text, text | text xml2 | public | xslt_process | text, text, text | text -(5058 rows) +(5055 rows) /* @@ -6037,15 +6034,6 @@ order by postgis_topology | topology | topology | name postgis_topology | topology | topology | precision postgis_topology | topology | topology | srid - supabase_vault | vault | decrypted_secrets | created_at - supabase_vault | vault | decrypted_secrets | decrypted_secret - supabase_vault | vault | decrypted_secrets | description - supabase_vault | vault | decrypted_secrets | id - supabase_vault | vault | decrypted_secrets | key_id - supabase_vault | vault | decrypted_secrets | name - supabase_vault | vault | decrypted_secrets | nonce - supabase_vault | vault | decrypted_secrets | secret - supabase_vault | vault | decrypted_secrets | updated_at supabase_vault | vault | secrets | created_at supabase_vault | vault | secrets | description supabase_vault | vault | secrets | id 
@@ -6369,5 +6357,5 @@ order by wrappers | public | wrappers_fdw_stats | rows_in wrappers | public | wrappers_fdw_stats | rows_out wrappers | public | wrappers_fdw_stats | updated_at -(1106 rows) +(1097 rows) diff --git a/nix/tests/expected/z_17_ext_interface.out b/nix/tests/expected/z_17_ext_interface.out index a0177327a..37f417f81 100644 --- a/nix/tests/expected/z_17_ext_interface.out +++ b/nix/tests/expected/z_17_ext_interface.out @@ -4707,9 +4707,6 @@ order by sslinfo | public | ssl_issuer_dn | | text sslinfo | public | ssl_issuer_field | text | text sslinfo | public | ssl_version | | text - supabase_vault | vault | _crypto_aead_det_decrypt | message bytea, additional bytea, key_id bigint, context bytea, nonce bytea | bytea - supabase_vault | vault | _crypto_aead_det_encrypt | message bytea, additional bytea, key_id bigint, context bytea, nonce bytea | bytea - supabase_vault | vault | _crypto_aead_det_noncegen | | bytea supabase_vault | vault | create_secret | new_secret text, new_name text, new_description text, new_key_id uuid | uuid supabase_vault | vault | update_secret | secret_id uuid, new_secret text, new_name text, new_description text, new_key_id uuid | void tablefunc | public | connectby | text, text, text, text, integer | SETOF record @@ -4909,7 +4906,7 @@ order by xml2 | public | xpath_table | text, text, text, text, text | SETOF record xml2 | public | xslt_process | text, text | text xml2 | public | xslt_process | text, text, text | text -(4750 rows) +(4747 rows) /* 
@@ -5324,15 +5321,6 @@ order by postgis_topology | topology | topology | name postgis_topology | topology | topology | precision postgis_topology | topology | topology | srid - supabase_vault | vault | decrypted_secrets | created_at - supabase_vault | vault | decrypted_secrets | decrypted_secret - supabase_vault | vault | decrypted_secrets | description - supabase_vault | vault | decrypted_secrets | id - supabase_vault | vault | decrypted_secrets | key_id - supabase_vault | vault | decrypted_secrets | name - supabase_vault | vault | decrypted_secrets | nonce - supabase_vault | vault | decrypted_secrets | secret - supabase_vault | vault | decrypted_secrets | updated_at supabase_vault | vault | secrets | created_at supabase_vault | vault | secrets | description supabase_vault | vault | secrets | id @@ -5350,5 +5338,5 @@ order by wrappers | public | wrappers_fdw_stats | rows_in wrappers | public | wrappers_fdw_stats | rows_out wrappers | public | wrappers_fdw_stats | updated_at -(407 rows) +(398 rows) diff --git a/nix/tests/postgresql.conf.in b/nix/tests/postgresql.conf.in index 483a1a8e2..ef860afcb 100644 --- a/nix/tests/postgresql.conf.in +++ b/nix/tests/postgresql.conf.in @@ -718,7 +718,7 @@ default_text_search_config = 'pg_catalog.english' #local_preload_libraries = '' #session_preload_libraries = '' -shared_preload_libraries = 'pg_stat_statements, pgaudit, plpgsql, plpgsql_check, pg_cron, pg_net, pgsodium, timescaledb, auto_explain, pg_tle, plan_filter, pg_backtrace, supabase_vault' # (change requires restart) +shared_preload_libraries = 'pg_stat_statements, pgaudit, plpgsql, plpgsql_check, pg_cron, pg_net, pgsodium, timescaledb, auto_explain, pg_tle, plan_filter, pg_backtrace' # (change requires restart) jit_provider = 'llvmjit' # JIT library to use 
@@ -795,7 +795,6 @@ jit_provider = 'llvmjit' # JIT library to use # Add settings for extensions here pgsodium.getkey_script = '@PGSODIUM_GETKEY_SCRIPT@' -vault.getkey_script = '@PGSODIUM_GETKEY_SCRIPT@' auto_explain.log_min_duration = 10s cron.database_name = 'postgres'