doc-exports/docs/dws/dev/dws_04_0993.html
luhuayi 177cd61a57 DWS DEVG 910.211 version
Reviewed-by: Pruthi, Vineet <vineet.pruthi@t-systems.com>
Co-authored-by: luhuayi <luhuayi@huawei.com>
Co-committed-by: luhuayi <luhuayi@huawei.com>
2025-05-05 07:44:03 +00:00

<a name="EN-US_TOPIC_0000001764491956"></a><a name="EN-US_TOPIC_0000001764491956"></a>
<h1 class="topictitle1">Using pgcrypto to Encrypt GaussDB(DWS) Data</h1>
<div id="body0000001293206052"><p id="EN-US_TOPIC_0000001764491956__p18878596389">GaussDB(DWS) 8.2.0 and later provides the built-in cryptographic module pgcrypto. With pgcrypto, database users can store selected columns in encrypted form, which improves the protection of sensitive data: a user who does not hold the encryption key cannot read the encrypted data stored in GaussDB(DWS).</p>
<p id="EN-US_TOPIC_0000001764491956__p148781697385">The pgcrypto functions run inside the database server. This means that all data, keys, and passwords passed to them travel between the client application and the server in plaintext unless the connection itself is encrypted. For security purposes, use an SSL connection between the client and the GaussDB(DWS) server.</p>
<p id="EN-US_TOPIC_0000001764491956__p108787913817">The functions in the pgcrypto module are as follows.</p>
<div class="section" id="EN-US_TOPIC_0000001764491956__section4224155234819"><h4 class="sectiontitle">General Hash Functions</h4><ul id="EN-US_TOPIC_0000001764491956__ul15549163510497"><li id="EN-US_TOPIC_0000001764491956__li17550173564917">digest()<div class="p" id="EN-US_TOPIC_0000001764491956__p777319189551"><a name="EN-US_TOPIC_0000001764491956__li17550173564917"></a><a name="li17550173564917"></a>The digest() function can generate binary hash values by using a specified algorithm. The syntax is as follows:<pre class="screen" id="EN-US_TOPIC_0000001764491956__screen17185103881613">digest(data text, type text) returns bytea
digest(data bytea, type text) returns bytea</pre>
</div>
<p id="EN-US_TOPIC_0000001764491956__p12657191510177"><strong id="EN-US_TOPIC_0000001764491956__b1825335123616">data</strong> indicates the original data, and <strong id="EN-US_TOPIC_0000001764491956__b3190635203719">type</strong> indicates the hash algorithm (<strong id="EN-US_TOPIC_0000001764491956__b9739175143718">md5</strong>, <strong id="EN-US_TOPIC_0000001764491956__b159801352163711">sha1</strong>, <strong id="EN-US_TOPIC_0000001764491956__b71275673716">sha224</strong>, <strong id="EN-US_TOPIC_0000001764491956__b076585810374">sha256</strong>, <strong id="EN-US_TOPIC_0000001764491956__b05050123816">sha384</strong>, <strong id="EN-US_TOPIC_0000001764491956__b750114116381">sha512</strong>, or <strong id="EN-US_TOPIC_0000001764491956__b36171723384">sm3</strong>). The return value is a binary string (bytea) holding the raw hash.</p>
<p id="EN-US_TOPIC_0000001764491956__p7927852145717">Example:</p>
<p id="EN-US_TOPIC_0000001764491956__p1728171825813">Use the digest() function to compute the SHA256 hash of the string <strong>GaussDB(DWS)</strong> for storage.</p>
<pre class="screen" id="EN-US_TOPIC_0000001764491956__screen10927115212572">select digest('GaussDB(DWS)', 'sha256');
digest
--------------------------------------------------------------------
\xcc2d1b97c6adfba44bbce7386516f63f16fc6e6a10bd938861d3aba501ac8aab
(1 row)</pre>
</li></ul>
</div>
<ul id="EN-US_TOPIC_0000001764491956__ul14834571129"><li id="EN-US_TOPIC_0000001764491956__li8484457121214">hmac()<div class="p" id="EN-US_TOPIC_0000001764491956__p115737290497"><a name="EN-US_TOPIC_0000001764491956__li8484457121214"></a><a name="li8484457121214"></a>The hmac() function can calculate the MAC value for data with a key by using a specified algorithm. The syntax is as follows:<pre class="screen" id="EN-US_TOPIC_0000001764491956__screen14952428162010">hmac(data text, key text, type text) returns bytea
hmac(data bytea, key bytea, type text) returns bytea </pre>
</div>
<p id="EN-US_TOPIC_0000001764491956__p12964611458"><strong id="EN-US_TOPIC_0000001764491956__b103911058123918">data</strong> indicates the original data, <strong id="EN-US_TOPIC_0000001764491956__b596211634012">key</strong> indicates the secret key, and <strong id="EN-US_TOPIC_0000001764491956__b163911558193915">type</strong> indicates the hash algorithm (<strong id="EN-US_TOPIC_0000001764491956__b163921758193915">md5</strong>, <strong id="EN-US_TOPIC_0000001764491956__b739211584393">sha1</strong>, <strong id="EN-US_TOPIC_0000001764491956__b339216587393">sha224</strong>, <strong id="EN-US_TOPIC_0000001764491956__b1739285811393">sha256</strong>, <strong id="EN-US_TOPIC_0000001764491956__b839319589397">sha384</strong>, <strong id="EN-US_TOPIC_0000001764491956__b1039315843913">sha512</strong>, or <strong id="EN-US_TOPIC_0000001764491956__b939355812396">sm3</strong>). The return value is a binary string (bytea) holding the raw MAC.</p>
<p id="EN-US_TOPIC_0000001764491956__p1087513113012">Example:</p>
<p id="EN-US_TOPIC_0000001764491956__p36118910019">Use <strong id="EN-US_TOPIC_0000001764491956__b9473144518407">key123</strong> and the SHA256 algorithm to calculate the MAC value for the string <strong id="EN-US_TOPIC_0000001764491956__b4338135811409">GaussDB(DWS)</strong>.</p>
<pre class="screen" id="EN-US_TOPIC_0000001764491956__screen819220181003">select hmac('GaussDB(DWS)', 'key123', 'sha256');
hmac
--------------------------------------------------------------------
\x14e1d9e110e9b11ab8379dc02b49533d50a6f4deafe6d6cd451d06c106c97d83
(1 row) </pre>
<p id="EN-US_TOPIC_0000001764491956__p19952152812207">If someone modifies both the original data and its stored digest, the digest() function cannot detect the change, because anyone can recompute an unkeyed hash. The hmac() function does detect such a change as long as the key is not disclosed, because the stored MAC cannot be recomputed without the key.</p>
<p id="EN-US_TOPIC_0000001764491956__p095252862019">If the key is longer than the block size of the hash algorithm, it is hashed first, and the hash result is used as the key.</p>
</li></ul>
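<p>The difference between the two checks described above, shown as an added example that is not part of the original page. The table audit_event, its columns, the payload strings, and the key <strong>key123</strong> are constructed for this illustration; in practice the HMAC key is supplied by the application rather than stored next to the data.</p>

```sql
-- Added example (not from the page): an unkeyed digest and a keyed HMAC
-- stored beside a record, then both re-checked after the row is altered.
-- Table, columns, payloads and the key 'key123' are constructed values.
CREATE TABLE audit_event (
    id      int8,
    payload text,
    dgst    bytea,    -- digest(payload, 'sha256'): no secret involved
    tag     bytea     -- hmac(payload, 'key123', 'sha256'): needs the key
);

INSERT INTO audit_event VALUES (
    1,
    'amount=100;to=acct-42',
    digest('amount=100;to=acct-42', 'sha256'),
    hmac('amount=100;to=acct-42', 'key123', 'sha256')
);

-- Integrity check performed by readers: recompute both values from the
-- current payload and compare them with the stored columns.
SELECT id,
       digest(payload, 'sha256') = dgst         AS digest_ok,
       hmac(payload, 'key123', 'sha256') = tag  AS hmac_ok
FROM audit_event
WHERE id = 1;

-- A party with UPDATE rights on the table rewrites the payload and, since
-- digest() needs no secret, rewrites the stored digest to match it.
UPDATE audit_event
SET payload = 'amount=9000;to=acct-42',
    dgst    = digest('amount=9000;to=acct-42', 'sha256')
WHERE id = 1;

-- The same check again: the digest column can no longer tell that the
-- row changed, whereas the stored HMAC tag cannot be recomputed by anyone
-- who does not hold 'key123'.
SELECT id,
       digest(payload, 'sha256') = dgst         AS digest_ok,
       hmac(payload, 'key123', 'sha256') = tag  AS hmac_ok
FROM audit_event
WHERE id = 1;
```

<p>Both flags are true after the INSERT. After the UPDATE, digest_ok remains true while hmac_ok becomes false, which is exactly the property the paragraph above describes: only the keyed check detects tampering by a party that can write to the table. Note that the key appears in the SQL text, so it is visible to anyone who can read statement logs; an SSL connection protects it only on the wire.</p>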
<div class="section" id="EN-US_TOPIC_0000001764491956__section17992151961314"><h4 class="sectiontitle">Cryptographic Hash Functions</h4><p id="EN-US_TOPIC_0000001764491956__p15760185152419">The crypt() and gen_salt() functions are used for password hashing: crypt() computes the salted hash of a password, and gen_salt() generates the random salt that crypt() needs.</p>
<p id="EN-US_TOPIC_0000001764491956__p5833101513130">The algorithms in crypt() differ from the common MD5 and SHA1 hash algorithms in the following aspects:</p>
<ul id="EN-US_TOPIC_0000001764491956__ul255313563245"><li id="EN-US_TOPIC_0000001764491956__li25535567248">The algorithms used in crypt() are deliberately slow. Because a password contains only a small amount of data, slowing down every guess is the only way to make brute-force attacks costly.</li><li id="EN-US_TOPIC_0000001764491956__li5554956142415">A random value (called a salt) is mixed into the hash, so that two users with the same password get different hashes. This protects passwords against precomputed cracking tables.</li><li id="EN-US_TOPIC_0000001764491956__li6554656112419">The hash output records the algorithm that produced it, so passwords of different users can be hashed with different algorithms and still be verified.</li><li id="EN-US_TOPIC_0000001764491956__li1645213185254">Some of the algorithms are adaptive: their iteration count can be raised as hardware becomes faster, without invalidating the hashes of existing passwords.</li></ul>
<p id="EN-US_TOPIC_0000001764491956__p8695362261">The following table lists the algorithms supported by the crypt() function.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="EN-US_TOPIC_0000001764491956__table1827185462515" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Algorithms supported by crypt()</caption><thead align="left"><tr id="EN-US_TOPIC_0000001764491956__row62732542251"><th align="left" class="cellrowborder" valign="top" width="15%" id="mcps1.3.6.6.2.7.1.1"><p id="EN-US_TOPIC_0000001764491956__p1062891268">Algorithm</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="15%" id="mcps1.3.6.6.2.7.1.2"><p id="EN-US_TOPIC_0000001764491956__p262496260">Maximum Password Length</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="15%" id="mcps1.3.6.6.2.7.1.3"><p id="EN-US_TOPIC_0000001764491956__p18631095267">Adaptability</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="15%" id="mcps1.3.6.6.2.7.1.4"><p id="EN-US_TOPIC_0000001764491956__p1763169102612">Salt Bits</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="15%" id="mcps1.3.6.6.2.7.1.5"><p id="EN-US_TOPIC_0000001764491956__p36319912268">Standard Output Length</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="25%" id="mcps1.3.6.6.2.7.1.6"><p id="EN-US_TOPIC_0000001764491956__p11638910264">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="EN-US_TOPIC_0000001764491956__row2274175417257"><td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.6.6.2.7.1.1 "><p id="EN-US_TOPIC_0000001764491956__p1630972618">bf</p>
</td>
<td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.6.6.2.7.1.2 "><p id="EN-US_TOPIC_0000001764491956__p18631698261">72</p>
</td>
<td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.6.6.2.7.1.3 "><p id="EN-US_TOPIC_0000001764491956__p06310919264">√</p>
</td>
<td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.6.6.2.7.1.4 "><p id="EN-US_TOPIC_0000001764491956__p063189152619">128</p>
</td>
<td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.6.6.2.7.1.5 "><p id="EN-US_TOPIC_0000001764491956__p13638910261">60</p>
</td>
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.6.6.2.7.1.6 "><p id="EN-US_TOPIC_0000001764491956__p1065199142613">Blowfish-based 2a variation</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001764491956__row72756540259"><td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.6.6.2.7.1.1 "><p id="EN-US_TOPIC_0000001764491956__p136510910260">md5</p>
</td>
<td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.6.6.2.7.1.2 "><p id="EN-US_TOPIC_0000001764491956__p196529162618">unlimited</p>
</td>
<td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.6.6.2.7.1.3 "><p id="EN-US_TOPIC_0000001764491956__p91891726122216">×</p>
</td>
<td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.6.6.2.7.1.4 "><p id="EN-US_TOPIC_0000001764491956__p56610911261">48</p>
</td>
<td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.6.6.2.7.1.5 "><p id="EN-US_TOPIC_0000001764491956__p106610962614">34</p>
</td>
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.6.6.2.7.1.6 "><p id="EN-US_TOPIC_0000001764491956__p5669918267">MD5-based algorithm</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001764491956__row192761154112513"><td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.6.6.2.7.1.1 "><p id="EN-US_TOPIC_0000001764491956__p86689172614">xdes</p>
</td>
<td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.6.6.2.7.1.2 "><p id="EN-US_TOPIC_0000001764491956__p186611913266">8</p>
</td>
<td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.6.6.2.7.1.3 "><p id="EN-US_TOPIC_0000001764491956__p198318816229">√</p>
</td>
<td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.6.6.2.7.1.4 "><p id="EN-US_TOPIC_0000001764491956__p767209142619">24</p>
</td>
<td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.6.6.2.7.1.5 "><p id="EN-US_TOPIC_0000001764491956__p1367149162611">20</p>
</td>
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.6.6.2.7.1.6 "><p id="EN-US_TOPIC_0000001764491956__p1567119202611">Extended DES</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001764491956__row1276115417256"><td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.6.6.2.7.1.1 "><p id="EN-US_TOPIC_0000001764491956__p17674913265">des</p>
</td>
<td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.6.6.2.7.1.2 "><p id="EN-US_TOPIC_0000001764491956__p12681498264">8</p>
</td>
<td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.6.6.2.7.1.3 "><p id="EN-US_TOPIC_0000001764491956__p56817992618">×</p>
</td>
<td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.6.6.2.7.1.4 "><p id="EN-US_TOPIC_0000001764491956__p156815962620">12</p>
</td>
<td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.6.6.2.7.1.5 "><p id="EN-US_TOPIC_0000001764491956__p06815916267">13</p>
</td>
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.6.6.2.7.1.6 "><p id="EN-US_TOPIC_0000001764491956__p768129122616">Native UNIX algorithm</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<ul id="EN-US_TOPIC_0000001764491956__ul4602323192715"><li id="EN-US_TOPIC_0000001764491956__li1360232332719">crypt()<div class="p" id="EN-US_TOPIC_0000001764491956__p277153712115"><a name="EN-US_TOPIC_0000001764491956__li1360232332719"></a><a name="li1360232332719"></a>The syntax of crypt() is as follows:<pre class="screen" id="EN-US_TOPIC_0000001764491956__screen583951571319">crypt(password text, salt text) returns text </pre>
</div>
<p id="EN-US_TOPIC_0000001764491956__p11128183664718">This function returns a hash value of the password string in crypt(3) format. The salt parameter is generated by the gen_salt() function.</p>
<p id="EN-US_TOPIC_0000001764491956__p1643043816478">For the same password, the crypt() function returns a different result each time, because the gen_salt() function generates a different salt each time. During password verification, the previously generated hash result can be used as the salt.</p>
<p id="EN-US_TOPIC_0000001764491956__p783901511139">For example, to set a new password, run the following command:</p>
<pre class="screen" id="EN-US_TOPIC_0000001764491956__screen20839191513138">UPDATE ... SET pswhash = crypt('new password', gen_salt('bf',10)); </pre>
<p id="EN-US_TOPIC_0000001764491956__p284051571312">To verify a login, hash the entered password using the stored hash as the salt and compare the result with the stored hash:</p>
<pre class="screen" id="EN-US_TOPIC_0000001764491956__screen16840115191310">SELECT (pswhash = crypt('entered password', pswhash)) AS pswmatch FROM ... ; </pre>
<p id="EN-US_TOPIC_0000001764491956__p084021551310">If the entered password is correct, <strong id="EN-US_TOPIC_0000001764491956__b220514617617">true</strong> is returned.</p>
<p id="EN-US_TOPIC_0000001764491956__p1693012364550">Example:</p>
<pre class="screen" id="EN-US_TOPIC_0000001764491956__screen22361855125519">create table userpwd(userid int8, pwd text);
CREATE TABLE
insert into userpwd values (1, crypt('this is a pwd', gen_salt('bf',10)));
INSERT 0 1
select crypt('this is a pwd', pwd)=pwd as result from userpwd where userid =1;
result
--------
t
(1 row)
select crypt('this is a wrong pwd', pwd)=pwd as result from userpwd where userid =1;
result
--------
f
(1 row)</pre>
</li></ul>
<ul id="EN-US_TOPIC_0000001764491956__ul1437825652711"><li id="EN-US_TOPIC_0000001764491956__li1837985652710">gen_salt()<div class="p" id="EN-US_TOPIC_0000001764491956__p191266221239"><a name="EN-US_TOPIC_0000001764491956__li1837985652710"></a><a name="li1837985652710"></a>The gen_salt() function is used to generate random parameters for <strong id="EN-US_TOPIC_0000001764491956__b343852214719">crypt</strong>. The syntax is as follows:<pre class="screen" id="EN-US_TOPIC_0000001764491956__screen1484013156134">gen_salt(type text [, iter_count integer ]) returns text </pre>
</div>
<p id="EN-US_TOPIC_0000001764491956__p49181319204913">This function generates a new random salt string on every call. The string also determines the algorithm that crypt() will use. The <strong id="EN-US_TOPIC_0000001764491956__b137076449712">type</strong> parameter specifies the hash algorithm (<strong id="EN-US_TOPIC_0000001764491956__b3401101012812">des</strong>, <strong id="EN-US_TOPIC_0000001764491956__b16418910812">xdes</strong>, <strong id="EN-US_TOPIC_0000001764491956__b175852718819">md5</strong>, or <strong id="EN-US_TOPIC_0000001764491956__b88331356819">bf</strong>) for which the salt is generated. For the xdes and bf algorithms, <strong id="EN-US_TOPIC_0000001764491956__b115953171186">iter_count</strong> sets the number of iterations. A larger value makes both hashing and cracking slower.</p>
<pre class="screen" id="EN-US_TOPIC_0000001764491956__screen172661926172613">SELECT gen_salt('des'), gen_salt('xdes'), gen_salt('md5'), gen_salt('bf');
 gen_salt | gen_salt  |  gen_salt   |           gen_salt
----------+-----------+-------------+-------------------------------
 qh       | _J9..uEUi | $1$SNgqyKAi | $2a$06$B/Etc3J8zYBV49LrDU97MO
(1 row)</pre>
<p id="EN-US_TOPIC_0000001764491956__p877163713418">The salt generated by an algorithm has a fixed format. For example, in <strong id="EN-US_TOPIC_0000001764491956__b157770446915">$2a$06$</strong> in the bf algorithm result, <strong id="EN-US_TOPIC_0000001764491956__b417074919910">2a</strong> indicates the 2a variation of Blowfish, and <strong id="EN-US_TOPIC_0000001764491956__b4802171310105">06</strong> indicates the number of iterations.</p>
<p id="EN-US_TOPIC_0000001764491956__p3840715151311">If <strong id="EN-US_TOPIC_0000001764491956__b1315552011019">iter_count</strong> is omitted, the default number of iterations is used. The valid <strong id="EN-US_TOPIC_0000001764491956__b14715153414104">iter_count</strong> range depends on the algorithm, as shown in the table below. For the xdes algorithm, the number of iterations must be an odd number.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="EN-US_TOPIC_0000001764491956__table115925192818" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Iteration counts of crypt()</caption><thead align="left"><tr id="EN-US_TOPIC_0000001764491956__row1261135115281"><th align="left" class="cellrowborder" valign="top" width="25%" id="mcps1.3.8.1.6.2.5.1.1"><p id="EN-US_TOPIC_0000001764491956__p1668113692918">Algorithm</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="25%" id="mcps1.3.8.1.6.2.5.1.2"><p id="EN-US_TOPIC_0000001764491956__p9669636162918">Default Value</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="25%" id="mcps1.3.8.1.6.2.5.1.3"><p id="EN-US_TOPIC_0000001764491956__p966983618299">Min.</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="25%" id="mcps1.3.8.1.6.2.5.1.4"><p id="EN-US_TOPIC_0000001764491956__p66691436192915">Max.</p>
</th>
</tr>
</thead>
<tbody><tr id="EN-US_TOPIC_0000001764491956__row126119517289"><td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.8.1.6.2.5.1.1 "><p id="EN-US_TOPIC_0000001764491956__p46285111286">xdes</p>
</td>
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.8.1.6.2.5.1.2 "><p id="EN-US_TOPIC_0000001764491956__p3842131511313">725</p>
</td>
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.8.1.6.2.5.1.3 "><p id="EN-US_TOPIC_0000001764491956__p188431015161311">1</p>
</td>
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.8.1.6.2.5.1.4 "><p id="EN-US_TOPIC_0000001764491956__p19451832162918">16777215</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001764491956__row176212513288"><td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.8.1.6.2.5.1.1 "><p id="EN-US_TOPIC_0000001764491956__p56265172817">bf</p>
</td>
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.8.1.6.2.5.1.2 "><p id="EN-US_TOPIC_0000001764491956__p13621551182817">6</p>
</td>
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.8.1.6.2.5.1.3 "><p id="EN-US_TOPIC_0000001764491956__p86255152815">4</p>
</td>
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.8.1.6.2.5.1.4 "><p id="EN-US_TOPIC_0000001764491956__p0452123216292">31</p>
</td>
</tr>
</tbody>
</table>
</div>
</li></ul>
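<p>Because each crypt() hash records its own algorithm and, for bf, its iteration count, the stored hashes can be audited and upgraded without knowing the passwords in advance. The following is an added example, not part of the original page, that builds on the userpwd table from the crypt() example above. The prefix rules follow the gen_salt() output formats shown on this page (<strong>$2a$</strong> for bf, <strong>$1$</strong> for md5, a leading underscore for xdes, and a two-character salt for des); the sample passwords and the cost threshold of 10 are constructed for the illustration.</p>

```sql
-- Added example (not from the page): inventory stored crypt() hashes by
-- algorithm and upgrade weak ones to bf on the next successful login.
-- Sample rows and the policy threshold (bf cost >= 10) are constructed.
CREATE TABLE userpwd (userid int8, pwd text);

INSERT INTO userpwd VALUES
    (1, crypt('this is a pwd', gen_salt('bf', 10))),
    (2, crypt('legacy pwd',    gen_salt('md5'))),
    (3, crypt('old unix pwd',  gen_salt('des')));

-- 1. Which algorithm protects each stored hash? The algorithm is read
--    from the hash prefix, the same way crypt() itself reads it.
SELECT userid,
       CASE WHEN pwd LIKE '$2a$%'        THEN 'bf'
            WHEN pwd LIKE '$1$%'         THEN 'md5'
            WHEN substr(pwd, 1, 1) = '_' THEN 'xdes'
            ELSE 'des' END                                   AS algorithm,
       CASE WHEN pwd LIKE '$2a$%' THEN substr(pwd, 5, 2)::int END AS bf_cost
FROM userpwd
ORDER BY userid;

-- 2. Verify a login and, only when it succeeds, re-hash a non-bf
--    password with bf at cost 10. The password is available at this
--    moment and nowhere else, which is why the upgrade happens here.
--    Old hashes keep working until then: crypt() takes the algorithm
--    from the stored hash passed as the salt.
UPDATE userpwd
SET pwd = crypt('legacy pwd', gen_salt('bf', 10))
WHERE userid = 2
  AND crypt('legacy pwd', pwd) = pwd
  AND pwd NOT LIKE '$2a$%';

-- 3. bf hashes whose cost is below policy cannot be strengthened in
--    place either; list them so they take the same upgrade-on-login path.
SELECT userid
FROM userpwd
WHERE pwd LIKE '$2a$%'
  AND substr(pwd, 5, 2)::int < 10;
```

<p>Step 1 reports user 1 as bf with cost 10, user 2 as md5, and user 3 as des. The UPDATE in step 2 touches the row only if the entered password verifies, so a wrong guess neither changes the hash nor reveals which algorithm was in use. The same pattern applies to raising the bf cost over time: change the value passed to gen_salt('bf', n) and let existing users migrate as they log in.</p>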
<div class="section" id="EN-US_TOPIC_0000001764491956__section131505216178"><h4 class="sectiontitle">PGP Encryption Functions</h4><p id="EN-US_TOPIC_0000001764491956__p5101058151611">The PGP encryption function of GaussDB(DWS) complies with the OpenPGP (RFC 4880) standard, which includes requirements for symmetric key (private key) encryption and asymmetric key (public key) encryption.</p>
<p id="EN-US_TOPIC_0000001764491956__p74591216101713">An encrypted PGP message consists of the following parts:</p>
<ul id="EN-US_TOPIC_0000001764491956__ul11819532111710"><li id="EN-US_TOPIC_0000001764491956__li7819232121713">The session key of the message, encrypted either with a symmetric key derived from a password or with a public key</li><li id="EN-US_TOPIC_0000001764491956__li1881923218175">The data, encrypted using the session key</li></ul>
</div>
<p id="EN-US_TOPIC_0000001764491956__p18460141661714">For symmetric key (password) encryption:</p>
<ol id="EN-US_TOPIC_0000001764491956__ol13398101193312"><li id="EN-US_TOPIC_0000001764491956__li43981011163317">The password is processed by the String2Key (S2K) algorithm, which resembles a slowed-down crypt() with a random salt, to produce a full-length binary key.</li><li id="EN-US_TOPIC_0000001764491956__li1398131193318">If a separate session key is required, a random key is generated. Otherwise, the S2K key itself is used as the session key.</li><li id="EN-US_TOPIC_0000001764491956__li17398161120335">If the S2K key is used directly as the session key, it is put in the session key packet as is. Otherwise, the S2K key is used to encrypt the random session key, and the encryption result is put in the session key packet.</li></ol>
<p id="EN-US_TOPIC_0000001764491956__p16460116161711">For public key encryption:</p>
<ol id="EN-US_TOPIC_0000001764491956__ol125781877334"><li id="EN-US_TOPIC_0000001764491956__li125786773316">A random session key is generated.</li><li id="EN-US_TOPIC_0000001764491956__li1757917183310">This random key is encrypted using the public key and then put in the session key packet.</li></ol>
<p id="EN-US_TOPIC_0000001764491956__p17461616171713">In either case, the data encryption process is as follows:</p>
<ol id="EN-US_TOPIC_0000001764491956__ol165121218332"><li id="EN-US_TOPIC_0000001764491956__li651292103318">(Optional) The data is compressed, converted to UTF-8, or has its newline characters converted.</li><li id="EN-US_TOPIC_0000001764491956__li65121212335">A block of random bytes is prepended to the data, serving as a random initialization vector (IV).</li><li id="EN-US_TOPIC_0000001764491956__li7512521333">A random prefix is added before the data and an SHA1 hash of the data is appended as a suffix, so that tampering or a wrong key is detected on decryption.</li><li id="EN-US_TOPIC_0000001764491956__li1151202143319">The entire content is encrypted using the session key and placed in the data packet.</li></ol>
<p id="EN-US_TOPIC_0000001764491956__p38585114205"><strong id="EN-US_TOPIC_0000001764491956__b19476145716363">Supported PGP encryption functions</strong></p>
<ul id="EN-US_TOPIC_0000001764491956__ul14485526336"><li id="EN-US_TOPIC_0000001764491956__li1082415219239">pgp_sym_encrypt()<p id="EN-US_TOPIC_0000001764491956__p1877319229231"><a name="EN-US_TOPIC_0000001764491956__li1082415219239"></a><a name="li1082415219239"></a>Description: Encrypts data using a PGP symmetric key (password).</p>
<div class="p" id="EN-US_TOPIC_0000001764491956__p9464141432419">Syntax:<pre class="screen" id="EN-US_TOPIC_0000001764491956__screen847411273317">pgp_sym_encrypt(data text, psw text [, options text ]) returns bytea
pgp_sym_encrypt_bytea(data bytea, psw text [, options text ]) returns bytea </pre>
</div>
<p id="EN-US_TOPIC_0000001764491956__p747472143311"><strong id="EN-US_TOPIC_0000001764491956__b868361411395">data</strong> indicates the data to be encrypted, <strong id="EN-US_TOPIC_0000001764491956__b7162191723912">psw</strong> indicates the PGP symmetric key, and <strong id="EN-US_TOPIC_0000001764491956__b7155621123918">options</strong> is used to set options. For details, see <a href="#EN-US_TOPIC_0000001764491956__table571713162917">Table 3</a>.</p>
</li><li id="EN-US_TOPIC_0000001764491956__li93627319256">pgp_sym_decrypt()<p id="EN-US_TOPIC_0000001764491956__p153742719253"><a name="EN-US_TOPIC_0000001764491956__li93627319256"></a><a name="li93627319256"></a>Description: Decrypts a message encrypted using a PGP symmetric key.</p>
<div class="p" id="EN-US_TOPIC_0000001764491956__p162103522255">Syntax:<pre class="screen" id="EN-US_TOPIC_0000001764491956__screen49631514173410">pgp_sym_decrypt(msg bytea, psw text [, options text ]) returns text
pgp_sym_decrypt_bytea(msg bytea, psw text [, options text ]) returns bytea </pre>
</div>
<p id="EN-US_TOPIC_0000001764491956__p6616115326"><strong id="EN-US_TOPIC_0000001764491956__b1370916616317">msg</strong> indicates the data to be decrypted, <strong id="EN-US_TOPIC_0000001764491956__b771012610319">psw</strong> indicates the PGP symmetric key, and <strong id="EN-US_TOPIC_0000001764491956__b271019613310">options</strong> is used to set options. For details, see <a href="#EN-US_TOPIC_0000001764491956__table571713162917">Table 3</a>. To avoid generating invalid characters, you are not allowed to use the pgp_sym_decrypt function to decrypt bytea data. You can use the pgp_sym_decrypt_bytea function instead.</p>
</li></ul>
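<p>The two symmetric functions above, used to protect a column end to end, as an added example that is not part of the original page. The table customer, its columns, the sample values, and the password <strong>pgp-pass-example</strong> are constructed; the option string <strong>cipher-algo=aes256</strong> is a pgcrypto option assumed to be among those listed in Table 3.</p>

```sql
-- Added example (not from the page): encrypting a column with a PGP
-- symmetric key. Table, columns, values and the password are constructed;
-- 'cipher-algo=aes256' is assumed to be a supported option (see Table 3).
CREATE TABLE customer (
    id      int8,
    email   text,
    ssn_enc bytea     -- pgp_sym_encrypt() output; the plaintext is never stored
);

INSERT INTO customer VALUES (
    1,
    'a@example.com',
    pgp_sym_encrypt('123-45-6789', 'pgp-pass-example', 'cipher-algo=aes256')
);

-- Encrypting the same plaintext twice with the same password gives two
-- different ciphertexts, because OpenPGP adds a random S2K salt and a
-- random IV. An encrypted column therefore cannot be compared or indexed
-- by ciphertext; keep an hmac() tag beside it if equality lookups are needed.
SELECT pgp_sym_encrypt('123-45-6789', 'pgp-pass-example')
     = pgp_sym_encrypt('123-45-6789', 'pgp-pass-example') AS same_ciphertext;

-- Decryption for an authorised reader.
SELECT id, email, pgp_sym_decrypt(ssn_enc, 'pgp-pass-example') AS ssn
FROM customer
WHERE id = 1;

-- With a wrong password the SHA1 suffix check described above fails and
-- the call raises an error instead of returning garbage:
--   SELECT pgp_sym_decrypt(ssn_enc, 'not-the-password') FROM customer;

-- Binary payloads use the _bytea variants on both sides, so no character
-- set conversion is attempted on the plaintext.
SELECT pgp_sym_decrypt_bytea(
           pgp_sym_encrypt_bytea('\x00ff10'::bytea, 'pgp-pass-example'),
           'pgp-pass-example'
       ) = '\x00ff10'::bytea AS roundtrip_ok;
```

<p>same_ciphertext is false and roundtrip_ok is true. The password is part of every statement, so it is exposed to anyone who can read the server's statement logs or the client's query history; limit who can run these statements and keep the password out of stored procedures and views.</p>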
<ul id="EN-US_TOPIC_0000001764491956__ul55331313333"><li id="EN-US_TOPIC_0000001764491956__li1965741216260">pgp_pub_encrypt()<p id="EN-US_TOPIC_0000001764491956__p543517134266"><a name="EN-US_TOPIC_0000001764491956__li1965741216260"></a><a name="li1965741216260"></a>Description: Encrypts data using a PGP public key.</p>
<div class="p" id="EN-US_TOPIC_0000001764491956__p17424132432620">Syntax:<pre class="screen" id="EN-US_TOPIC_0000001764491956__screen145207143316">pgp_pub_encrypt(data text, key bytea [, options text ]) returns bytea
pgp_pub_encrypt_bytea(data bytea, key bytea [, options text ]) returns bytea </pre>
</div>
<p id="EN-US_TOPIC_0000001764491956__p731713243313"><strong id="EN-US_TOPIC_0000001764491956__b174901213154414">data</strong> indicates the data to be encrypted. <strong id="EN-US_TOPIC_0000001764491956__b9283121644414">key</strong> indicates the PGP public key. If a private key is used as input, an error will be returned. <strong id="EN-US_TOPIC_0000001764491956__b988014261441">options</strong> is used to set options. For details, see <a href="#EN-US_TOPIC_0000001764491956__table571713162917">Table 3</a>.</p>
</li><li id="EN-US_TOPIC_0000001764491956__li679233662615">pgp_pub_decrypt()<p id="EN-US_TOPIC_0000001764491956__p1367274642617"><a name="EN-US_TOPIC_0000001764491956__li679233662615"></a><a name="li679233662615"></a>Description: Decrypts a message encrypted using a PGP public key.</p>
<div class="p" id="EN-US_TOPIC_0000001764491956__p1276113103287">Syntax:<pre class="screen" id="EN-US_TOPIC_0000001764491956__screen9521101193316">pgp_pub_decrypt(msg bytea, key bytea [, psw text [, options text ]]) returns text
pgp_pub_decrypt_bytea(msg bytea, key bytea [, psw text [, options text ]]) returns bytea </pre>
</div>
<p id="EN-US_TOPIC_0000001764491956__p7522916334">Decrypts a message that was encrypted using a public key. The <strong id="EN-US_TOPIC_0000001764491956__b159596634516">key</strong> must be the private key corresponding to the public key used for encryption. If the private key is password protected, specify the password in <strong id="EN-US_TOPIC_0000001764491956__b1375201654511">psw</strong>. If the private key has no password but you want to pass <strong>options</strong>, provide an empty string as the password.</p>
<p id="EN-US_TOPIC_0000001764491956__p12522121113314">To avoid generating invalid characters, you are not allowed to use the pgp_pub_decrypt function to decrypt bytea data. Use the pgp_pub_decrypt_bytea function instead.</p>
<p id="EN-US_TOPIC_0000001764491956__p1952219133318">The <strong id="EN-US_TOPIC_0000001764491956__b87148347318">options</strong> parameter is used to set options. For details, see <a href="#EN-US_TOPIC_0000001764491956__table571713162917">Table 3</a>.</p>
</li><li id="EN-US_TOPIC_0000001764491956__li445195515262">pgp_key_id()<p id="EN-US_TOPIC_0000001764491956__p5766256182614"><a name="EN-US_TOPIC_0000001764491956__li445195515262"></a><a name="li445195515262"></a>Description: Extracts the key ID of the PGP public or private key. If an encrypted message is used as the input, the ID of the key used to encrypt the message will be returned. </p>
<div class="p" id="EN-US_TOPIC_0000001764491956__p1866010228284">Syntax:<pre class="screen" id="EN-US_TOPIC_0000001764491956__screen1522417337">pgp_key_id(bytea) returns text </pre>
</div>
<p id="EN-US_TOPIC_0000001764491956__p952291103311">This function can return two special key IDs:</p>
<ul id="EN-US_TOPIC_0000001764491956__ul952321183312"><li id="EN-US_TOPIC_0000001764491956__li25221173319"><strong id="EN-US_TOPIC_0000001764491956__b499719337567">SYMKEY</strong>, indicating that a message is encrypted using a symmetric key.</li><li id="EN-US_TOPIC_0000001764491956__li1452381133318"><strong id="EN-US_TOPIC_0000001764491956__b8579447175618">ANYKEY</strong>, indicating that a message is encrypted using the public key, but the key ID has been deleted. To decrypt the message in this case, you need to try all the keys until you find the correct private key. pgcrypto does not produce such encrypted messages.</li></ul>
<div class="note" id="EN-US_TOPIC_0000001764491956__note14688144515"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="EN-US_TOPIC_0000001764491956__p146801184518">Different keys may have the same ID. This situation rarely occurs. In this case, the client application needs to try different keys for decryption, in the same way it deals with <strong id="EN-US_TOPIC_0000001764491956__b102342356592">ANYKEY</strong>.</p>
</div></div>
</li><li id="EN-US_TOPIC_0000001764491956__li159199139271">armor()<p id="EN-US_TOPIC_0000001764491956__p1073165278"><a name="EN-US_TOPIC_0000001764491956__li159199139271"></a><a name="li159199139271"></a>Description: Converts binary data into the PGP ASCII-armor format by Base64-encoding it, computing a CRC, and formatting the result as armored text.</p>
<p id="EN-US_TOPIC_0000001764491956__p181382295283">Syntax:</p>
<pre class="screen" id="EN-US_TOPIC_0000001764491956__screen12722144372719">armor(data bytea [ , keys text[], values text[] ]) returns text </pre>
</li><li id="EN-US_TOPIC_0000001764491956__li8799122613279">dearmor()<p id="EN-US_TOPIC_0000001764491956__p2025212819274"><a name="EN-US_TOPIC_0000001764491956__li8799122613279"></a><a name="li8799122613279"></a>Description: Performs the reverse conversion.</p>
<div class="p" id="EN-US_TOPIC_0000001764491956__p15267103522811">Syntax:<pre class="screen" id="EN-US_TOPIC_0000001764491956__screen7523121173312">dearmor(data text) returns bytea </pre>
</div>
<p id="EN-US_TOPIC_0000001764491956__p82351326358">Converts the encrypted data bytea to the PGP ASCII-armor format, or the other way around.</p>
<p id="EN-US_TOPIC_0000001764491956__p23371717184716"><strong id="EN-US_TOPIC_0000001764491956__b861913281046">data</strong> indicates the data to be converted. If multiple pairs of keys and values are specified, an armor header will be generated for each key-value pair and added to the output. The two arrays are both one-dimensional arrays with the same length, and cannot contain non-ASCII characters.</p>
</li><li id="EN-US_TOPIC_0000001764491956__li9274650192719">pgp_armor_headers()<div class="p" id="EN-US_TOPIC_0000001764491956__p045185182712"><a name="EN-US_TOPIC_0000001764491956__li9274650192719"></a><a name="li9274650192719"></a>Description: Returns the armor header in the data.<pre class="screen" id="EN-US_TOPIC_0000001764491956__screen452471193319">pgp_armor_headers(data text, key out text, value out text) returns setof record </pre>
</div>
<p id="EN-US_TOPIC_0000001764491956__p926053817618">The return result is a data row set consisting of key and value columns. Any non-ASCII characters contained in the set are regarded as UTF-8 characters.</p>
<p id="EN-US_TOPIC_0000001764491956__p124001922102918"><strong id="EN-US_TOPIC_0000001764491956__b2142141816815">Using GnuPG to generate PGP keys</strong></p>
<p id="EN-US_TOPIC_0000001764491956__p1170514119296">To generate a key, run the following command:</p>
<pre class="screen" id="EN-US_TOPIC_0000001764491956__screen770521152915">gpg --gen-key </pre>
<p id="EN-US_TOPIC_0000001764491956__p12705413291">DSA and Elgamal keys are recommended.</p>
<p id="EN-US_TOPIC_0000001764491956__p11705171142919">To use an RSA key, you must create a DSA or RSA key as the master key used only for signing, and then use <strong id="EN-US_TOPIC_0000001764491956__b118245493447">gpg --edit-key</strong> to add an RSA encryption subkey.</p>
<p id="EN-US_TOPIC_0000001764491956__p107051211294">To list keys, run the following command:</p>
<pre class="screen" id="EN-US_TOPIC_0000001764491956__screen270513182913">gpg --list-secret-keys </pre>
<p id="EN-US_TOPIC_0000001764491956__p670511111299">To export a public key in ASCII-armored format, run the following command:</p>
<pre class="screen" id="EN-US_TOPIC_0000001764491956__screen1870601162910">gpg -a --export KEYID &gt; public.key </pre>
<p id="EN-US_TOPIC_0000001764491956__p197061716294">To export a private key in ASCII-armored format, run the following command:</p>
<pre class="screen" id="EN-US_TOPIC_0000001764491956__screen1070618112296">gpg -a --export-secret-keys KEYID &gt; secret.key </pre>
<p id="EN-US_TOPIC_0000001764491956__p8706416294">Before using these keys as the input to the PGP function, run dearmor() on them. Alternatively, if you can process binary data, remove <strong id="EN-US_TOPIC_0000001764491956__b19453181971414">-a</strong> from the command.</p>
<div class="notice" id="EN-US_TOPIC_0000001764491956__note1170720182914"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><p id="EN-US_TOPIC_0000001764491956__p157069119299">The PGP encryption function has the following restrictions:</p>
<ul id="EN-US_TOPIC_0000001764491956__ul370712162914"><li id="EN-US_TOPIC_0000001764491956__li87068152914">Signatures are not supported. The function does not check whether the encryption subkey belongs to the master key.</li><li id="EN-US_TOPIC_0000001764491956__li87061212295">The encryption key cannot be used as the master key. This constraint has little practical impact, because it is rarely violated.</li><li id="EN-US_TOPIC_0000001764491956__li14706161152913">Only one subkey is allowed. This may be a problem, because keys with multiple subkeys are common. General-purpose GPG and PGP keys cannot be used as pgcrypto encryption keys; their usage scenarios are completely different.</li></ul>
</div></div>
<p id="EN-US_TOPIC_0000001764491956__p2070712122914"><strong id="EN-US_TOPIC_0000001764491956__b98204481815">PGP function parameters</strong></p>
<p id="EN-US_TOPIC_0000001764491956__p1707151132914">The option names used by the pgcrypto functions are similar to those used by GnuPG. Each option value is set with an equal sign (=), and options are separated by commas (,). Example:</p>
<pre class="screen" id="EN-US_TOPIC_0000001764491956__screen1570721152916">pgp_sym_encrypt(data, psw, 'compress-algo=1, cipher-algo=aes256') </pre>
<p id="EN-US_TOPIC_0000001764491956__p2707111112913">Options other than <strong id="EN-US_TOPIC_0000001764491956__b319767142116">convert-crlf</strong> can be used only for encryption functions. The decryption function obtains parameters from PGP data.</p>
<p id="EN-US_TOPIC_0000001764491956__p107071717299">The most common options are <strong id="EN-US_TOPIC_0000001764491956__b1534252902318">compress-algo</strong> and <strong id="EN-US_TOPIC_0000001764491956__b337853012239">unicode-mode</strong>. You can retain the default values for other options.</p>
<div class="tablenoborder"><a name="EN-US_TOPIC_0000001764491956__table571713162917"></a><a name="table571713162917"></a><table cellpadding="4" cellspacing="0" summary="" id="EN-US_TOPIC_0000001764491956__table571713162917" frame="border" border="1" rules="all"><caption><b>Table 3 </b>pgcrypto encryption options</caption><thead align="left"><tr id="EN-US_TOPIC_0000001764491956__row27081115292"><th align="left" class="cellrowborder" valign="top" width="13.11%" id="mcps1.3.18.6.22.2.6.1.1"><p id="EN-US_TOPIC_0000001764491956__p370714192919">Option</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="26.889999999999997%" id="mcps1.3.18.6.22.2.6.1.2"><p id="EN-US_TOPIC_0000001764491956__p7708141142915">Description</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="10.2%" id="mcps1.3.18.6.22.2.6.1.3"><p id="EN-US_TOPIC_0000001764491956__p670816120294">Default Value</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="29.799999999999997%" id="mcps1.3.18.6.22.2.6.1.4"><p id="EN-US_TOPIC_0000001764491956__p2708121202910">Value</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="20%" id="mcps1.3.18.6.22.2.6.1.5"><p id="EN-US_TOPIC_0000001764491956__p8708181132918">Function</p>
</th>
</tr>
</thead>
<tbody><tr id="EN-US_TOPIC_0000001764491956__row177093115298"><td class="cellrowborder" valign="top" width="13.11%" headers="mcps1.3.18.6.22.2.6.1.1 "><p id="EN-US_TOPIC_0000001764491956__p2708171122917">cipher-algo</p>
</td>
<td class="cellrowborder" valign="top" width="26.889999999999997%" headers="mcps1.3.18.6.22.2.6.1.2 "><p id="EN-US_TOPIC_0000001764491956__p07083114291">Cryptographic algorithm</p>
</td>
<td class="cellrowborder" valign="top" width="10.2%" headers="mcps1.3.18.6.22.2.6.1.3 "><p id="EN-US_TOPIC_0000001764491956__p870821192917">aes128</p>
</td>
<td class="cellrowborder" valign="top" width="29.799999999999997%" headers="mcps1.3.18.6.22.2.6.1.4 "><p id="EN-US_TOPIC_0000001764491956__p770818172918">bf, aes128, aes192, aes256, 3des, cast5</p>
</td>
<td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.18.6.22.2.6.1.5 "><p id="EN-US_TOPIC_0000001764491956__p1970910115291">pgp_sym_encrypt, pgp_pub_encrypt</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001764491956__row177101613294"><td class="cellrowborder" valign="top" width="13.11%" headers="mcps1.3.18.6.22.2.6.1.1 "><p id="EN-US_TOPIC_0000001764491956__p1770921112917">compress-algo</p>
</td>
<td class="cellrowborder" valign="top" width="26.889999999999997%" headers="mcps1.3.18.6.22.2.6.1.2 "><p id="EN-US_TOPIC_0000001764491956__p970912112914">Compression algorithm</p>
</td>
<td class="cellrowborder" valign="top" width="10.2%" headers="mcps1.3.18.6.22.2.6.1.3 "><p id="EN-US_TOPIC_0000001764491956__p57096114292">0</p>
</td>
<td class="cellrowborder" valign="top" width="29.799999999999997%" headers="mcps1.3.18.6.22.2.6.1.4 "><ul id="EN-US_TOPIC_0000001764491956__ul8709418297"><li id="EN-US_TOPIC_0000001764491956__li4709131142920"><strong id="EN-US_TOPIC_0000001764491956__b207649534842925">0</strong>: not compressed</li><li id="EN-US_TOPIC_0000001764491956__li77098112918"><strong id="EN-US_TOPIC_0000001764491956__b1936722862515">1</strong>: ZIP compression</li><li id="EN-US_TOPIC_0000001764491956__li207091011296"><strong id="EN-US_TOPIC_0000001764491956__b81627310257">2</strong>: ZLIB compression (ZIP + Metadata + CRC)</li></ul>
</td>
<td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.18.6.22.2.6.1.5 "><p id="EN-US_TOPIC_0000001764491956__p97101211298">pgp_sym_encrypt, pgp_pub_encrypt</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001764491956__row17106117296"><td class="cellrowborder" valign="top" width="13.11%" headers="mcps1.3.18.6.22.2.6.1.1 "><p id="EN-US_TOPIC_0000001764491956__p87101192916">compress-level</p>
</td>
<td class="cellrowborder" valign="top" width="26.889999999999997%" headers="mcps1.3.18.6.22.2.6.1.2 "><p id="EN-US_TOPIC_0000001764491956__p6710151192911">Compression level. Higher levels compress more slowly but produce smaller output. <strong id="EN-US_TOPIC_0000001764491956__b1197042217275">0</strong> disables compression.</p>
</td>
<td class="cellrowborder" valign="top" width="10.2%" headers="mcps1.3.18.6.22.2.6.1.3 "><p id="EN-US_TOPIC_0000001764491956__p8710181162912">6</p>
</td>
<td class="cellrowborder" valign="top" width="29.799999999999997%" headers="mcps1.3.18.6.22.2.6.1.4 "><p id="EN-US_TOPIC_0000001764491956__p27107119291">0, 1-9</p>
</td>
<td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.18.6.22.2.6.1.5 "><p id="EN-US_TOPIC_0000001764491956__p1471020142914">pgp_sym_encrypt, pgp_pub_encrypt</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001764491956__row1471116114295"><td class="cellrowborder" valign="top" width="13.11%" headers="mcps1.3.18.6.22.2.6.1.1 "><p id="EN-US_TOPIC_0000001764491956__p187100112910">convert-crlf</p>
</td>
<td class="cellrowborder" valign="top" width="26.889999999999997%" headers="mcps1.3.18.6.22.2.6.1.2 "><p id="EN-US_TOPIC_0000001764491956__p77101814296">Indicates whether to convert <strong id="EN-US_TOPIC_0000001764491956__b1998818171298">\n</strong> to <strong id="EN-US_TOPIC_0000001764491956__b18949202122912">\r\n</strong> during encryption, and whether to convert <strong id="EN-US_TOPIC_0000001764491956__b1031192972916">\r\n</strong> to <strong id="EN-US_TOPIC_0000001764491956__b1771953012916">\n</strong> during decryption. RFC4880 requires that <strong id="EN-US_TOPIC_0000001764491956__b8949144315298">\r\n</strong> must be used as the newline character in text data storage.</p>
</td>
<td class="cellrowborder" valign="top" width="10.2%" headers="mcps1.3.18.6.22.2.6.1.3 "><p id="EN-US_TOPIC_0000001764491956__p47117119297">0</p>
</td>
<td class="cellrowborder" valign="top" width="29.799999999999997%" headers="mcps1.3.18.6.22.2.6.1.4 "><p id="EN-US_TOPIC_0000001764491956__p10711151112914">0, 1</p>
</td>
<td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.18.6.22.2.6.1.5 "><p id="EN-US_TOPIC_0000001764491956__p37115132914">pgp_sym_encrypt, pgp_pub_encrypt, pgp_sym_decrypt, pgp_pub_decrypt</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001764491956__row1371231172917"><td class="cellrowborder" valign="top" width="13.11%" headers="mcps1.3.18.6.22.2.6.1.1 "><p id="EN-US_TOPIC_0000001764491956__p1471116111299">disable-mdc</p>
</td>
<td class="cellrowborder" valign="top" width="26.889999999999997%" headers="mcps1.3.18.6.22.2.6.1.2 "><p id="EN-US_TOPIC_0000001764491956__p1471112122918">Do not protect the data with the SHA-1 modification detection code (MDC). Use this only for compatibility with old PGP products.</p>
</td>
<td class="cellrowborder" valign="top" width="10.2%" headers="mcps1.3.18.6.22.2.6.1.3 "><p id="EN-US_TOPIC_0000001764491956__p571112122917">0</p>
</td>
<td class="cellrowborder" valign="top" width="29.799999999999997%" headers="mcps1.3.18.6.22.2.6.1.4 "><p id="EN-US_TOPIC_0000001764491956__p471191192916">0, 1</p>
</td>
<td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.18.6.22.2.6.1.5 "><p id="EN-US_TOPIC_0000001764491956__p1971111142919">pgp_sym_encrypt, pgp_pub_encrypt</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001764491956__row371215192912"><td class="cellrowborder" valign="top" width="13.11%" headers="mcps1.3.18.6.22.2.6.1.1 "><p id="EN-US_TOPIC_0000001764491956__p157121015292">sess-key</p>
</td>
<td class="cellrowborder" valign="top" width="26.889999999999997%" headers="mcps1.3.18.6.22.2.6.1.2 "><p id="EN-US_TOPIC_0000001764491956__p67121917299">A separate session key is used. Public key encryption always uses a separate session key. This option is used for symmetric key encryption, which directly uses the S2K key by default.</p>
</td>
<td class="cellrowborder" valign="top" width="10.2%" headers="mcps1.3.18.6.22.2.6.1.3 "><p id="EN-US_TOPIC_0000001764491956__p571215152914">0</p>
</td>
<td class="cellrowborder" valign="top" width="29.799999999999997%" headers="mcps1.3.18.6.22.2.6.1.4 "><p id="EN-US_TOPIC_0000001764491956__p1671220118292">0, 1</p>
</td>
<td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.18.6.22.2.6.1.5 "><p id="EN-US_TOPIC_0000001764491956__p17121417295">pgp_sym_encrypt</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001764491956__row167141111297"><td class="cellrowborder" valign="top" width="13.11%" headers="mcps1.3.18.6.22.2.6.1.1 "><p id="EN-US_TOPIC_0000001764491956__p1771312119297">s2k-mode</p>
</td>
<td class="cellrowborder" valign="top" width="26.889999999999997%" headers="mcps1.3.18.6.22.2.6.1.2 "><p id="EN-US_TOPIC_0000001764491956__p67137110295">S2K algorithm</p>
</td>
<td class="cellrowborder" valign="top" width="10.2%" headers="mcps1.3.18.6.22.2.6.1.3 "><p id="EN-US_TOPIC_0000001764491956__p171317116298">3</p>
</td>
<td class="cellrowborder" valign="top" width="29.799999999999997%" headers="mcps1.3.18.6.22.2.6.1.4 "><ul id="EN-US_TOPIC_0000001764491956__ul671415111290"><li id="EN-US_TOPIC_0000001764491956__li57133110299"><strong id="EN-US_TOPIC_0000001764491956__b12732131175018">0</strong>: Salt is not used. This setting is not recommended.</li><li id="EN-US_TOPIC_0000001764491956__li187148115293"><strong id="EN-US_TOPIC_0000001764491956__b76765725017">1</strong>: Salt is used, but the number of iterations is fixed.</li><li id="EN-US_TOPIC_0000001764491956__li1471411142915"><strong id="EN-US_TOPIC_0000001764491956__b74281347518">3</strong>: Salt is used, and the number of iterations can be changed.</li></ul>
</td>
<td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.18.6.22.2.6.1.5 "><p id="EN-US_TOPIC_0000001764491956__p1871416120291">pgp_sym_encrypt</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001764491956__row3715131182910"><td class="cellrowborder" valign="top" width="13.11%" headers="mcps1.3.18.6.22.2.6.1.1 "><p id="EN-US_TOPIC_0000001764491956__p1771416118299">s2k-count</p>
</td>
<td class="cellrowborder" valign="top" width="26.889999999999997%" headers="mcps1.3.18.6.22.2.6.1.2 "><p id="EN-US_TOPIC_0000001764491956__p47148120291">Number of iterations of the S2K algorithm</p>
</td>
<td class="cellrowborder" valign="top" width="10.2%" headers="mcps1.3.18.6.22.2.6.1.3 "><p id="EN-US_TOPIC_0000001764491956__p5714218298">A random value between 65,536 and 253,952.</p>
</td>
<td class="cellrowborder" valign="top" width="29.799999999999997%" headers="mcps1.3.18.6.22.2.6.1.4 "><p id="EN-US_TOPIC_0000001764491956__p1471418192911">1024 ≤ Value ≤ 65,011,712</p>
</td>
<td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.18.6.22.2.6.1.5 "><p id="EN-US_TOPIC_0000001764491956__p67151112915"><strong id="EN-US_TOPIC_0000001764491956__b1188052775317">pgp_sym_encrypt</strong> and <strong id="EN-US_TOPIC_0000001764491956__b7787113125314">s2k-mode=3</strong></p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001764491956__row1171520132917"><td class="cellrowborder" valign="top" width="13.11%" headers="mcps1.3.18.6.22.2.6.1.1 "><p id="EN-US_TOPIC_0000001764491956__p147155119299">s2k-digest-algo</p>
</td>
<td class="cellrowborder" valign="top" width="26.889999999999997%" headers="mcps1.3.18.6.22.2.6.1.2 "><p id="EN-US_TOPIC_0000001764491956__p871519142911">Digest algorithm used during S2K calculation</p>
</td>
<td class="cellrowborder" valign="top" width="10.2%" headers="mcps1.3.18.6.22.2.6.1.3 "><p id="EN-US_TOPIC_0000001764491956__p671561112918">sha1</p>
</td>
<td class="cellrowborder" valign="top" width="29.799999999999997%" headers="mcps1.3.18.6.22.2.6.1.4 "><p id="EN-US_TOPIC_0000001764491956__p8715819295">md5, sha1</p>
</td>
<td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.18.6.22.2.6.1.5 "><p id="EN-US_TOPIC_0000001764491956__p37152115292">pgp_sym_encrypt</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001764491956__row17162112910"><td class="cellrowborder" valign="top" width="13.11%" headers="mcps1.3.18.6.22.2.6.1.1 "><p id="EN-US_TOPIC_0000001764491956__p27157102919">s2k-cipher-algo</p>
</td>
<td class="cellrowborder" valign="top" width="26.889999999999997%" headers="mcps1.3.18.6.22.2.6.1.2 "><p id="EN-US_TOPIC_0000001764491956__p107169162919">Cipher used to encrypt the separate session key</p>
</td>
<td class="cellrowborder" valign="top" width="10.2%" headers="mcps1.3.18.6.22.2.6.1.3 "><p id="EN-US_TOPIC_0000001764491956__p8716101122919">The algorithm set by cipher-algo</p>
</td>
<td class="cellrowborder" valign="top" width="29.799999999999997%" headers="mcps1.3.18.6.22.2.6.1.4 "><p id="EN-US_TOPIC_0000001764491956__p571691112910">bf, aes, aes128, aes192, aes256</p>
</td>
<td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.18.6.22.2.6.1.5 "><p id="EN-US_TOPIC_0000001764491956__p107161162917">pgp_sym_encrypt</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001764491956__row571731152914"><td class="cellrowborder" valign="top" width="13.11%" headers="mcps1.3.18.6.22.2.6.1.1 "><p id="EN-US_TOPIC_0000001764491956__p971615152911">unicode-mode</p>
</td>
<td class="cellrowborder" valign="top" width="26.889999999999997%" headers="mcps1.3.18.6.22.2.6.1.2 "><p id="EN-US_TOPIC_0000001764491956__p197163132917">Whether to convert text data between database internal encoding and UTF-8. If the database already uses UTF-8 encoding, no conversion will be performed, but the message will be marked as UTF-8. If this parameter is not specified, the message will not be marked.</p>
</td>
<td class="cellrowborder" valign="top" width="10.2%" headers="mcps1.3.18.6.22.2.6.1.3 "><p id="EN-US_TOPIC_0000001764491956__p4716131152916">0</p>
</td>
<td class="cellrowborder" valign="top" width="29.799999999999997%" headers="mcps1.3.18.6.22.2.6.1.4 "><p id="EN-US_TOPIC_0000001764491956__p1471715152918">0, 1</p>
</td>
<td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.18.6.22.2.6.1.5 "><p id="EN-US_TOPIC_0000001764491956__p13717613291">pgp_sym_encrypt, pgp_pub_encrypt</p>
</td>
</tr>
</tbody>
</table>
</div>
</li></ul>
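<p>The following script, added here as a worked example and not taken from the GaussDB(DWS) documentation or from the pgcrypto module itself, chains the PGP functions above: a symmetric message encrypted with explicit Table 3 options and decrypted without them, its key ID, armoring with headers and the reverse conversion, and the public-key path with keys exported by the gpg commands above. The table names demo_pgp and demo_keys, the plaintext, the passphrases and the armor header values are constructed for the demo; the key blocks are placeholders to be replaced with the contents of public.key and secret.key.</p>

```sql
-- Added example for the GaussDB(DWS) pgcrypto page; not taken from the documentation
-- or from the pgcrypto module. Table names (demo_pgp, demo_keys), the plaintext, the
-- passphrases and the armor header values are constructed for the demo.

CREATE TEMP TABLE demo_pgp  (label text, ciphertext bytea);
CREATE TEMP TABLE demo_keys (name  text, armored    text);

-- 1. Symmetric encryption with explicit Table 3 options: AES-256, ZIP compression,
--    salted and iterated S2K with the maximum iteration count, and the text marked
--    as UTF-8 so a database with a different server encoding decrypts it correctly.
INSERT INTO demo_pgp
SELECT 'sym',
       pgp_sym_encrypt('card holder Jane Doe, PAN ending 4242',   -- constructed plaintext
                       'correct horse battery staple',            -- constructed passphrase
                       'cipher-algo=aes256, compress-algo=1, s2k-mode=3, s2k-count=65011712, unicode-mode=1');

-- Decryption reads the cipher, compression and S2K parameters back from the PGP
-- packets, so only the passphrase is needed.
SELECT pgp_sym_decrypt(ciphertext, 'correct horse battery staple') AS plaintext
FROM   demo_pgp WHERE label = 'sym';

-- A symmetrically encrypted message carries no key ID; pgp_key_id() reports SYMKEY.
SELECT pgp_key_id(ciphertext) AS key_id FROM demo_pgp WHERE label = 'sym';

-- 2. ASCII armor for transport. Each key/value pair becomes one armor header line;
--    pgp_armor_headers() reads them back and dearmor() restores the original bytes.
SELECT armor(ciphertext, ARRAY['Comment', 'Version'], ARRAY['demo export', 'pgcrypto demo']) AS armored
FROM   demo_pgp WHERE label = 'sym';

SELECT h.key, h.value
FROM   pgp_armor_headers((SELECT armor(ciphertext, ARRAY['Comment', 'Version'],
                                       ARRAY['demo export', 'pgcrypto demo'])
                          FROM demo_pgp WHERE label = 'sym')) AS h;

SELECT dearmor(armor(ciphertext)) = ciphertext AS round_trip_ok     -- true
FROM   demo_pgp WHERE label = 'sym';

-- 3. Public-key path. Replace the placeholders with the contents of public.key and
--    secret.key produced by the gpg export commands above; dearmor() turns the armored
--    text into the bytea that the pgp_pub_* functions expect.
INSERT INTO demo_keys VALUES
  ('pub', '[PLACEHOLDER: paste the contents of public.key here]'),
  ('sec', '[PLACEHOLDER: paste the contents of secret.key here]');

INSERT INTO demo_pgp
SELECT 'pub',
       pgp_pub_encrypt('card holder Jane Doe, PAN ending 4242',
                       dearmor((SELECT armored FROM demo_keys WHERE name = 'pub')),
                       'cipher-algo=aes256, compress-algo=2');

-- The key ID stored in the message identifies which private key can open it; for a
-- matching key pair the two IDs are the same.
SELECT pgp_key_id(d.ciphertext)       AS message_key_id,
       pgp_key_id(dearmor(k.armored)) AS private_key_id
FROM   demo_pgp d, demo_keys k
WHERE  d.label = 'pub' AND k.name = 'sec';

-- psw is the passphrase protecting the private key (use '' if it has none).
SELECT pgp_pub_decrypt(d.ciphertext, dearmor(k.armored),
                       '[PLACEHOLDER: private key passphrase]') AS plaintext
FROM   demo_pgp d, demo_keys k
WHERE  d.label = 'pub' AND k.name = 'sec';
```

<p>Keeping the private key and its passphrase in a table, as the demo does for brevity, defeats the purpose of column encryption; in practice the decrypting client supplies them per session, and only the public key is stored server-side. The options on the decrypt calls are deliberately absent: apart from convert-crlf, pgcrypto takes them from the PGP packets.</p>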
<div class="section" id="EN-US_TOPIC_0000001764491956__section923711516354"><h4 class="sectiontitle">Raw Encryption Functions</h4><p id="EN-US_TOPIC_0000001764491956__p104761716191712">Raw encryption functions only run a cipher over data. They do not support any advanced functions of PGP encryption. Therefore, the following problems exist:</p>
<ul id="EN-US_TOPIC_0000001764491956__ul197802039111012"><li id="EN-US_TOPIC_0000001764491956__li1878033910103">They use the user-supplied key directly as the cipher key.</li><li id="EN-US_TOPIC_0000001764491956__li4780939111018">No integrity check is performed, so modification of the encrypted data is not detected.</li><li id="EN-US_TOPIC_0000001764491956__li14781939181011">You must manage all encryption parameters yourself, including the IV.</li><li id="EN-US_TOPIC_0000001764491956__li278123915104">Text data cannot be processed.</li></ul>
<p id="EN-US_TOPIC_0000001764491956__p247717161176">With the introduction of PGP encryption, these raw encryption functions are not recommended.</p>
<pre class="screen" id="EN-US_TOPIC_0000001764491956__screen247712166178">encrypt(data bytea, key bytea, type text) returns bytea
decrypt(data bytea, key bytea, type text) returns bytea
encrypt_iv(data bytea, key bytea, iv bytea, type text) returns bytea
decrypt_iv(data bytea, key bytea, iv bytea, type text) returns bytea </pre>
<p id="EN-US_TOPIC_0000001764491956__p8477191631714"><strong id="EN-US_TOPIC_0000001764491956__b109848371233">data</strong> indicates the data to be encrypted, and <strong id="EN-US_TOPIC_0000001764491956__b077834002315">type</strong> indicates the encryption/decryption method. The syntax of the <strong id="EN-US_TOPIC_0000001764491956__b88095528234">type</strong> parameter is as follows:</p>
<pre class="screen" id="EN-US_TOPIC_0000001764491956__screen11478161612175">algorithm [ - mode ] [ /pad: padding ] </pre>
</div>
<p id="EN-US_TOPIC_0000001764491956__p13478201601710">The options of <strong id="EN-US_TOPIC_0000001764491956__b1489215515248">algorithm</strong> are as follows:</p>
<ul id="EN-US_TOPIC_0000001764491956__ul16741747101411"><li id="EN-US_TOPIC_0000001764491956__li1574224761410"><strong id="EN-US_TOPIC_0000001764491956__b8941612172419">bf</strong>: Blowfish algorithm. Synonyms (alias = canonical name): <strong id="EN-US_TOPIC_0000001764491956__b14407163511243">BF</strong> = <strong id="EN-US_TOPIC_0000001764491956__b597883611242">BF-CBC</strong>; <strong id="EN-US_TOPIC_0000001764491956__b1787313715241">BLOWFISH</strong> = <strong id="EN-US_TOPIC_0000001764491956__b899363820245">BF-CBC</strong>; <strong id="EN-US_TOPIC_0000001764491956__b13345124017245">BLOWFISH-CBC</strong> = <strong id="EN-US_TOPIC_0000001764491956__b12441184119244">BF-CBC</strong>; <strong id="EN-US_TOPIC_0000001764491956__b756114427247">BLOWFISH-ECB</strong> = <strong id="EN-US_TOPIC_0000001764491956__b1082014431249">BF-ECB</strong>; <strong id="EN-US_TOPIC_0000001764491956__b2338184582419">BLOWFISH-CFB</strong> = <strong id="EN-US_TOPIC_0000001764491956__b1474545511249">BF-CFB</strong></li><li id="EN-US_TOPIC_0000001764491956__li7742164781416"><strong id="EN-US_TOPIC_0000001764491956__b28367362520">aes</strong>: AES algorithm (Rijndael-128, -192, or -256). <strong id="EN-US_TOPIC_0000001764491956__b4561324172516">Synonyms</strong> (alias = canonical name): <strong id="EN-US_TOPIC_0000001764491956__b1150682682514">AES</strong> = <strong id="EN-US_TOPIC_0000001764491956__b10122122912254">AES-CBC</strong>; <strong id="EN-US_TOPIC_0000001764491956__b138351932192519">RIJNDAEL</strong> = <strong id="EN-US_TOPIC_0000001764491956__b499563414253">AES-CBC</strong>; <strong id="EN-US_TOPIC_0000001764491956__b1994715407258">RIJNDAEL-CBC</strong> = <strong id="EN-US_TOPIC_0000001764491956__b8226174292515">AES-CBC</strong>; <strong id="EN-US_TOPIC_0000001764491956__b14232944152512">RIJNDAEL-ECB</strong> = <strong id="EN-US_TOPIC_0000001764491956__b1130814562514">AES-ECB</strong></li><li id="EN-US_TOPIC_0000001764491956__li1742847181415"><strong>des</strong>: DES algorithm. Synonyms (alias = canonical name): <strong id="EN-US_TOPIC_0000001764491956__b366513483275">DES</strong> = <strong id="EN-US_TOPIC_0000001764491956__b1089810498275">DES-CBC</strong>; <strong id="EN-US_TOPIC_0000001764491956__b52470511274">3DES</strong> = <strong id="EN-US_TOPIC_0000001764491956__b2271145212712">DES3-CBC</strong>; <strong id="EN-US_TOPIC_0000001764491956__b1630685522713">3DES-ECB</strong> = <strong id="EN-US_TOPIC_0000001764491956__b164811356202718">DES3-ECB</strong>; <strong id="EN-US_TOPIC_0000001764491956__b1663825714272">3DES-CBC</strong> = <strong id="EN-US_TOPIC_0000001764491956__b2027910591270">DES3-CBC</strong></li><li id="EN-US_TOPIC_0000001764491956__li574244791414"><strong>cast5</strong>: CAST5 algorithm. Synonym (alias = canonical name): <strong>CAST5</strong> = <strong id="EN-US_TOPIC_0000001764491956__b12151857172818">CAST5-CBC</strong></li></ul>
<p id="EN-US_TOPIC_0000001764491956__p194781916201720">The options of <strong id="EN-US_TOPIC_0000001764491956__b153871322918">mode</strong> are as follows:</p>
<ul id="EN-US_TOPIC_0000001764491956__ul5478116131718"><li id="EN-US_TOPIC_0000001764491956__li04789163176"><strong id="EN-US_TOPIC_0000001764491956__b1549842515292">cbc</strong>: The next block depends on the previous block. (This is the default value.)</li><li id="EN-US_TOPIC_0000001764491956__li34781716141719"><strong id="EN-US_TOPIC_0000001764491956__b116327176314">ecb</strong>: Each block is encrypted separately. (This value is used only for tests.)</li></ul>
<p id="EN-US_TOPIC_0000001764491956__p947931613175">The options of <strong id="EN-US_TOPIC_0000001764491956__b242913458312">padding</strong> are as follows:</p>
<ul id="EN-US_TOPIC_0000001764491956__ul84790165170"><li id="EN-US_TOPIC_0000001764491956__li144791316161712"><strong id="EN-US_TOPIC_0000001764491956__b1989355613317">pkcs</strong>: The data can be of any length. (This is the default value.)</li><li id="EN-US_TOPIC_0000001764491956__li347991611179"><strong id="EN-US_TOPIC_0000001764491956__b937110174327">none</strong>: The data length must be a multiple of the cipher block size.</li></ul>
<p id="EN-US_TOPIC_0000001764491956__p124794168179">For example, the encryption results of the following functions are the same:</p>
<pre class="screen" id="EN-US_TOPIC_0000001764491956__screen17479201671710">encrypt(data, 'fooz', 'bf')
encrypt(data, 'fooz', 'bf-cbc/pad:pkcs') </pre>
<p id="EN-US_TOPIC_0000001764491956__p1947911164170">For the <strong id="EN-US_TOPIC_0000001764491956__b671819117332">encrypt_iv</strong> and <strong id="EN-US_TOPIC_0000001764491956__b418220323312">decrypt_iv</strong> functions, the <strong id="EN-US_TOPIC_0000001764491956__b14798184103314">iv</strong> parameter is the initial value (IV) for CBC mode; it is ignored in ECB mode. If the IV is not exactly one block long, it is truncated or padded with zeroes. The functions without this parameter use an all-zero IV.</p>
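<p>The following script is an added example and not part of the GaussDB(DWS) documentation or of pgcrypto. It exercises the raw cipher functions and makes the problems listed above visible in query results: the type string equivalence from the text, the all-zero default IV, a random IV from gen_random_bytes() stored next to the ciphertext, and a one-bit change to the ciphertext that decrypt_iv() does not detect but pgp_sym_decrypt() does. The table names demo_key and demo_raw, the plaintext and the passphrase are constructed for the demo.</p>

```sql
-- Added example for the raw cipher functions; not taken from the GaussDB(DWS)
-- documentation or from pgcrypto. Table names (demo_key, demo_raw), the plaintext
-- and the passphrase are constructed for the demo.

-- 1. The type string is algorithm[-mode][/pad:padding]; cbc and pkcs are the
--    defaults, so these two calls produce identical ciphertext.
SELECT encrypt(convert_to('attack at dawn', 'UTF8'), convert_to('fooz', 'UTF8'), 'bf')
     = encrypt(convert_to('attack at dawn', 'UTF8'), convert_to('fooz', 'UTF8'), 'bf-cbc/pad:pkcs')
       AS same_type_string;                                    -- true

-- 2. The key bytes are used directly as the cipher key (no S2K), so the key must
--    already be full-length random material. 32 bytes selects AES-256. It is kept in
--    a temp table only so later statements can read it; in production it lives
--    outside the database.
CREATE TEMP TABLE demo_key (k bytea);
INSERT INTO demo_key SELECT gen_random_bytes(32);
CREATE TEMP TABLE demo_raw (label text, iv bytea, ciphertext bytea);

-- 3. encrypt() without an IV uses all zeroes, so equal plaintexts give equal
--    ciphertexts and anyone reading the table can tell which rows hold the same value.
SELECT encrypt(convert_to('PAN ending 4242', 'UTF8'), k, 'aes')
     = encrypt(convert_to('PAN ending 4242', 'UTF8'), k, 'aes') AS deterministic   -- true
FROM   demo_key;

-- 4. encrypt_iv() with a fresh random 16-byte IV (the AES block size) per row. The IV
--    is not secret; it is stored beside the ciphertext so decrypt_iv() can use it.
INSERT INTO demo_raw
SELECT 'row1', s.iv,
       encrypt_iv(convert_to('card holder Jane Doe, PAN ending 4242', 'UTF8'),
                  k.k, s.iv, 'aes-cbc/pad:pkcs')
FROM   demo_key k, (SELECT gen_random_bytes(16) AS iv) s;

SELECT convert_from(decrypt_iv(r.ciphertext, k.k, r.iv, 'aes-cbc/pad:pkcs'), 'UTF8') AS plaintext
FROM   demo_raw r, demo_key k
WHERE  r.label = 'row1';                      -- card holder Jane Doe, PAN ending 4242

-- 5. No integrity check: flip one bit of the first ciphertext byte and decrypt again.
--    decrypt_iv() raises no error; it returns silently corrupted bytes (in CBC the
--    first block becomes garbage and one bit of the second block flips, the rest
--    decrypts normally, so the PKCS padding still validates).
SELECT decrypt_iv(set_byte(r.ciphertext, 0, get_byte(r.ciphertext, 0) # 1),
                  k.k, r.iv, 'aes-cbc/pad:pkcs')
     = convert_to('card holder Jane Doe, PAN ending 4242', 'UTF8')
       AS plaintext_intact                                     -- false, and no error raised
FROM   demo_raw r, demo_key k
WHERE  r.label = 'row1';

-- 6. The PGP functions handle all of this for you: the passphrase goes through S2K,
--    the message gets its own random prefix, and the MDC packet detects tampering.
--    The same kind of one-bit change inside the encrypted body makes
--    pgp_sym_decrypt() report an error instead of returning wrong data.
SELECT pgp_sym_decrypt(set_byte(m.c, length(m.c) - 10, get_byte(m.c, length(m.c) - 10) # 1),
                       'correct horse battery staple')
FROM   (SELECT pgp_sym_encrypt('card holder Jane Doe, PAN ending 4242',
                               'correct horse battery staple') AS c) m;
-- ERROR (expected): the message fails its integrity check instead of decrypting.
```

<p>Step 5 is the practical reason the text steers you to the PGP functions: a stored raw ciphertext can be altered in place and the application will accept the result as genuine data. If raw functions must be used, the column needs its own authentication (for example, an hmac() over IV and ciphertext with a separate key, checked before decrypt_iv()), and every row needs its own random IV.</p>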
<div class="section" id="EN-US_TOPIC_0000001764491956__section1299184210365"><h4 class="sectiontitle">Random Data Functions</h4><ul id="EN-US_TOPIC_0000001764491956__ul19169122514448"><li id="EN-US_TOPIC_0000001764491956__li1616922514446">The gen_random_bytes() function is used to generate cryptographically strong random bytes.<pre class="screen" id="EN-US_TOPIC_0000001764491956__screen548051618173">gen_random_bytes(count integer) returns bytea </pre>
<p id="EN-US_TOPIC_0000001764491956__p154593141033"><strong id="EN-US_TOPIC_0000001764491956__b181814173375">count</strong> indicates the number of returned bytes. The value range is 1 to 1024.</p>
<p id="EN-US_TOPIC_0000001764491956__p3480191619176">Example:</p>
<pre class="screen" id="EN-US_TOPIC_0000001764491956__screen16611151216449">SELECT gen_random_bytes(16);
gen_random_bytes
------------------------------------
\x1f1eddc11153afdde0f9e1229f8f4caf
(1 row)</pre>
</li></ul>
<ul id="EN-US_TOPIC_0000001764491956__ul20698828124413"><li id="EN-US_TOPIC_0000001764491956__li869972820445">The gen_random_uuid() function is used to return a random UUID of version 4.<pre class="screen" id="EN-US_TOPIC_0000001764491956__screen17273124214311">SELECT gen_random_uuid();
gen_random_uuid
--------------------------------------
2bd664a2-b760-4859-8af6-8d09ccc5b830</pre>
</li></ul>
</div>
</div>