diff --git a/ansible/files/postgresql_extension_custom_scripts/pgsodium/after-create.sql b/ansible/files/postgresql_extension_custom_scripts/pgsodium/after-create.sql
index 907c67ebf..38242ab20 100644
--- a/ansible/files/postgresql_extension_custom_scripts/pgsodium/after-create.sql
+++ b/ansible/files/postgresql_extension_custom_scripts/pgsodium/after-create.sql
@@ -1,3 +1,26 @@
 grant execute on function pgsodium.crypto_aead_det_decrypt(bytea, bytea, uuid, bytea) to service_role;
 grant execute on function pgsodium.crypto_aead_det_encrypt(bytea, bytea, uuid, bytea) to service_role;
 grant execute on function pgsodium.crypto_aead_det_keygen to service_role;
+
+CREATE OR REPLACE FUNCTION pgsodium.mask_role(masked_role regrole, source_name text, view_name text)
+RETURNS void
+LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path TO ''
+AS $function$
+BEGIN
+  EXECUTE format(
+    'GRANT SELECT ON pgsodium.key TO %s',
+    masked_role);
+
+  EXECUTE format(
+    'GRANT pgsodium_keyiduser, pgsodium_keyholder TO %s',
+    masked_role);
+
+  EXECUTE format(
+    'GRANT ALL ON %I TO %s',
+    view_name,
+    masked_role);
+  RETURN;
+END
+$function$;
diff --git a/ansible/files/postgresql_extension_custom_scripts/pgsodium/before-create.sql b/ansible/files/postgresql_extension_custom_scripts/pgsodium/before-create.sql
new file mode 100644
index 000000000..fb82a46a3
--- /dev/null
+++ b/ansible/files/postgresql_extension_custom_scripts/pgsodium/before-create.sql
@@ -0,0 +1,9 @@
+do $$
+declare
+  _extversion text := @extversion@;
+  _r record;
+begin
+  if _extversion is not null and _extversion != '3.1.8' then
+    raise exception 'only pgsodium 3.1.8 is supported';
+  end if;
+end $$;
diff --git a/ansible/vars.yml b/ansible/vars.yml
index dba3aff49..2a1cdb357 100644
--- a/ansible/vars.yml
+++ b/ansible/vars.yml
@@ -8,8 +8,8 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.0.1.019-orioledb"
-  postgres15: "15.8.1.029"
+  postgresorioledb-17: "17.0.1.020-orioledb"
+  postgres15: "15.8.1.030"
 
 # Non Postgres Extensions
 pgbouncer_release: "1.19.0"