Hologres V4.0 and later support a subset of functions from the PostgreSQL pgcrypto extension for data encryption, decryption, and encoding to protect sensitive data. This topic describes the supported functions, their syntax, parameters, examples, and usage notes.
Overview
The pgcrypto extension provides functions for data encryption, decryption, and encoding to protect sensitive data. Before using these functions, you must create the extension by running the following command: CREATE EXTENSION IF NOT EXISTS pgcrypto;
Limitations
-
The pgcrypto functions described in this topic are supported only in Hologres V4.0 and later versions.
-
The pgcrypto functions run only in the PQE engine. Do not use them in the same SQL statement with functions that run exclusively in the HQE engine, such as Remote UDFs. Mixing these functions causes an execution engine conflict and returns the following error:
ERROR: ORCA failed to produce a plan : No plan has been computed for required propertiesTo use pgcrypto functions and Remote UDFs together, split the operations into separate SQL statements.
Supported functions
Hologres supports the following pgcrypto functions:
|
Function |
Description |
|
Encodes binary data into a text representation based on a specified format. |
|
|
Decodes a string from a specified format into binary data. |
|
|
Encrypts data using a specified algorithm and key. |
|
|
Decrypts data using a specified algorithm and key. |
|
|
Converts binary data from a specified character encoding to the database's internal representation, such as UTF-8. |
Function details
encode(data, format)
-
Description: Encodes binary data (type
bytea) into a text string based on the specified format. -
Syntax
encode(data bytea, format text) -
Parameters
-
data: The binary data to be encoded. -
format: The encoding format, which can behex,base64, orescape.
-
-
Return value: The encoded text string.
-
Example
-- Encode binary data as hex SELECT encode('\xDEADBEEF'::bytea, 'hex'); -- Result: deadbeef -- Encode binary data as Base64 SELECT encode('\x12345678'::bytea, 'base64'); -- Result: EjRWeA==
decode(str, format)
-
Description: Decodes a text string from a specified format into binary data (
bytea). -
Syntax
decode(str text, format text) -
Parameters
-
str: The string to be decoded. -
format: The decoding format. It supportshex,base64, andescape.
-
-
Return value: The decoded binary data (
bytea). -
Example
-- Decode a hex string into binary data SELECT decode('deadbeef', 'hex'); -- Result: \xdeadbeef -- Decode a Base64 string into binary data SELECT decode('EjRWeA==', 'base64'); -- Result: \x12345678
encrypt(data, key, algorithm)
-
Description: Encrypts data using a specified key and algorithm.
-
Syntax
encrypt(data bytea, key bytea, algorithm text) -
Parameters
-
data: The raw data to be encrypted. -
key: The encryption key. -
algorithm: The encryption algorithm, such asaesoraes-ecb/pad:pkcs.
-
-
Return value: The encrypted binary data (
bytea). -
Example
-- Encrypt data using the AES algorithm and output the result as a Base64 string SELECT encode(encrypt('hello world'::bytea, 'mysecretpassword'::bytea, 'aes-ecb/pad:pkcs'), 'base64'); -- Result: The encrypted Base64 string. The output varies with each execution due to cryptographic randomness.
decrypt(data, key, algorithm)
-
Description: Decrypts data with a specified key and algorithm. The key and algorithm must match those used for encryption.
-
Syntax
decrypt(data bytea, key bytea, algorithm text) -
Parameters
-
data: The data to decrypt. -
key: The decryption key (the same key used for encryption). -
algorithm: The decryption algorithm (the same as the one used for encryption).
-
-
Return value: The decrypted binary data (bytea), which is often used with
convert_fromto obtain plaintext. -
Example
-- Decrypt the Base64 ciphertext and convert it to UTF-8 text. -- Replace <encrypted_base64_string> with the actual ciphertext. SELECT convert_from( decrypt( decode('<encrypted_base64_string>', 'base64'), 'mysecretpassword'::bytea, 'aes-ecb/pad:pkcs' ), 'utf8' ); -- Result: The decrypted plaintext
convert_from(data, encoding)
-
Description: Converts binary data from a specified character encoding to the database's internal representation, such as UTF-8.
-
Syntax
convert_from(data bytea, encoding name) -
Parameters
-
data: The binary data with a specific encoding. -
encoding: The character encoding of the source data, such asutf8,latin1, andgbk.
-
-
Return value: The converted text string.
-
Example
-- Convert GBK-encoded binary data to text SELECT convert_from('\xb0\xc5\xba\xcd'::bytea, 'gbk'); -- Result: Chinese characters
Practical example
This example shows how to use pgcrypto functions to encrypt sensitive fields (such as ID card numbers) for storage and decrypt them for queries.
-- Enable the pgcrypto extension.
CREATE EXTENSION IF NOT EXISTS pgcrypto;
-- Create a user information table that contains sensitive data.
CREATE TABLE mf_user_info (
id bigint,
name text,
gender text,
id_card_no text,
tel text
);
INSERT INTO mf_user_info VALUES
(1, 'bob', 'male', '0001', '13900001234'),
(2, 'allen', 'male', '0011', '13900001111'),
(3, 'kate', 'female', '0111', '13900002222'),
(4, 'annie', 'female', '1111', '13900003333');
-- Create a table for encrypted storage.
CREATE TABLE mf_user_info_encrypt (
id bigint,
name text,
gender text,
id_card_no_encrypt text,
tel text
);
-- Encrypt the sensitive data and write it to the new table.
INSERT INTO mf_user_info_encrypt
SELECT
id, name, gender,
encode(encrypt(id_card_no::text::bytea, 'myencryptionkey'::bytea, 'aes-ecb/pad:pkcs'), 'base64') AS id_card_no_encrypt,
tel
FROM mf_user_info;
-- Decrypt and query the ID card numbers.
SELECT id, name, gender,
convert_from(decrypt(decode(id_card_no_encrypt, 'base64'), 'myencryptionkey'::bytea, 'aes-ecb/pad:pkcs'), 'utf8') AS id_card_no,
tel
FROM mf_user_info_encrypt;
Usage notes
-
Security: Choose an encryption algorithm and key length that meet your security requirements.
-
Performance: Encryption and decryption consume additional computing resources. Consider the trade-off between performance and security.
-
Key management: Manage your encryption keys securely. Avoid hard-coding keys in your application code.
-
Encoding: When working with multi-byte characters, ensure consistent character encoding. For example, convert data to
byteabefore encryption and specify the correct encoding withconvert_fromafter decryption.
References
For more information about pgcrypto, see the official PostgreSQL pgcrypto Documentation.
Compatibility
Hologres's implementation of pgcrypto is compatible with PostgreSQL. However, Hologres supports only the functions listed in this topic, not the complete set of functions from the PostgreSQL pgcrypto extension.