Syntax
Encrypting columns in a new table
CREATE TABLE <table name> (
<column_name> <data_type> ENCRYPT,
<column_name> <data_type> NULL ENCRYPT,
<column_name> <data_type> NOT NULL ENCRYPT
);
Adding an encrypted column to an existing table
ALTER TABLE <table_name> ADD COLUMN <column_name> <data_type> ENCRYPT;
Encryption methods
ENCRYPT ( <column name to encrypt> , <Secret Key of exactly 256-bit (32-byte) length> )
Decryption method
DECRYPT ( <column name to decrypt> , <Secret Key of exactly 256-bit (32-byte) length> )
Examples
Encrypting a new table
CREATE TABLE client_name (
id BIGINT NOT NULL ENCRYPT,
first_name TEXT ENCRYPT,
last_name TEXT,
salary INT ENCRYPT);
Inserting encrypt player salary (INT data type)
INSERT INTO NBA (player_name, team_name, jersey_number, position, age, height, weight, college, salary)
VALUES ('Jayson Christopher Tatum', 'Boston Celtics', 0, 'SF', 25, '6-8', 210 , 'Duke', ENCRYPT ( 32600060 , '6a8431f6e9c2777ee356c0b8aa3c12c0c63bdf366ac3342c4c9184b51697b47f');
Similar example using COPY FROM
COPY NBA
(
player_name, team_name, jersey_number, position, age, height, weight, college,
ENCRYPT (salary, '6a8431f6e9c2777ee356c0b8aa3c12c0c63bdf366ac3342c4c9184b51697b47f')
)
FROM WRAPPER csv_fdw
OPTIONS
(location = '/tmp/source_file.csv', quote='@');
Query the encrypted data
SELECT player_name, DECRYPT( salary, '6a8431f6e9c2777ee356c0b8aa3c12c0c63bdf366ac3342c4c9184b51697b47f') FROM NBA
WHERE player_name ='Jayson Christopher Tatum';
player_name |salary |
------------------------+----------+
Jayson Christopher Tatum|1500000 |
Query the encrypted data using WHERE clause on an encrypted column
SELECT player_name, DECRYPT( salary, '6a8431f6e9c2777ee356c0b8aa3c12c0c63bdf366ac3342c4c9184b51697b47f')
FROM NBA
WHERE DECRYPT( salary, '6a8431f6e9c2777ee356c0b8aa3c12c0c63bdf366ac3342c4c9184b51697b47f') > 1000000;
player_name |salary |
------------------------+----------+
Jayson Christopher Tatum|1500000 |
------------------------+----------+
Marcus Smart |1350000 |
Example of COPY TO using DECRYPT
COPY
(SELECT player_name, DECRYPT( salary, '6a8431f6e9c2777ee356c0b8aa3c12c0c63bdf366ac3342c4c9184b51697b47f')
FROM NBA
WHERE player_name ='Jayson Christopher Tatum')
TO WRAPPER parquet_fdw
OPTIONS (LOCATION = '/tmp/file.parquet');
Limitations
The following functionality is not supported by the encryption feature:
Catalog queries,Utility commands,Foreign Tables,Create AS SELECT.A single encryption key must be used per column - using a different key would result in an error.
Compression of encrypted columns is limited to the following types:
Flat,LZ4,PD4,DICT,RLE.This feature is not backward compatible with previous versions of SQreamDB.
The encryption feature affect performance and compression.
Permissions
The Data Encryption feature does not require a specific permission, users with relevant TABLE and COLUMN permissions may utilize it.