
KingbaseES supports column encryption

KingbaseES column encryption supports the SM4 and RC4 algorithms. The algorithm is chosen at initdb time; the default is SM4. To use column encryption, you must set shared_preload_libraries = 'sysencrypt'.

1. Column encryption

Create two tables, one with an encrypted column and one without:

test=# create table t1_encrypt(name text encrypted);
CREATE TABLE
test=# create table t1_noencrypt(name text);
CREATE TABLE
test=# insert into t1_encrypt values('kingbase');
INSERT 0 1
test=# insert into t1_noencrypt values('kingbase');
INSERT 0 1

Check the on-disk data files of the two tables with hexdump to confirm that the column is actually encrypted:

Encrypted table:

[kingbase@dbhost03 61904]$ hexdump -c 71512
0000000  \0  \0  \0  \0   P 344   E 224  \0  \0  \0  \0      \0 240 037
0000010  \0     004      \0  \0  \0  \0 320 237   R  \0 240 237   R  \0
0000020  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0
*
0001fa0 001 334 003  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0
0001fe0 001  \0 001 020 002  \b 030  \0   # 314   N 223 345   f 272   N
0001ff0 211 246 225 375 026 372   f 206 365  \0  \0  \0  \0  \0  \0  \0
0002000

Unencrypted table: the inserted value 'kingbase' is stored as plaintext and can be read directly from the dump.

[kingbase@dbhost03 61904]$ hexdump -c 71518
0000000  \0  \0  \0  \0 270 344   E 224  \0  \0  \0  \0 034  \0 330 037
0000010  \0     004      \0  \0  \0  \0 330 237   B  \0  \0  \0  \0  \0
0000020  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0
*
0001fd0  \0  \0  \0  \0  \0  \0  \0  \0 002 334 003  \0  \0  \0  \0  \0
0001fe0  \0  \0  \0  \0  \0  \0  \0  \0 001  \0 001  \0 002  \b 030  \0
0001ff0 023   k   i   n   g   b   a   s   e  \0  \0  \0  \0  \0  \0  \0
0002000
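The same check can be scripted instead of reading octal by eye. The following is an added example, not code from KingbaseES or the original post: it parses a heap page, walks the line pointers and reports whether a known plaintext value is readable. It assumes KingbaseES keeps the PostgreSQL heap page layout, which the offsets in the two dumps (pd_lower 0x1c/0x20, pd_upper 0x1fd8/0x1fa0, the 1-byte varlena headers 0x13 and 0x23) are consistent with; the page bytes are constructed from those dumps rather than read from a real data file.

```python
import struct

PAGE_SIZE = 8192   # pd_pagesize_version 0x2004 in the dumps above: 8 KB page, layout version 4
PAGE_HDR = 24      # PageHeaderData size; the tuple header for a one-column row is also 24 bytes
LP_NORMAL = 1
# Column bytes copied from the two hexdumps above: the plaintext vs. the 16 ciphertext bytes.
PLAIN_ROW = (0x3dc02, 0x0001, b"kingbase")
CIPHER_ROW = (0x3dc01, 0x1001, bytes.fromhex("cc4e93e566ba4e89a695fd16fa6686f5"))

def build_page(rows):
    """Constructed page in PostgreSQL heap layout (which the dumps above follow); each row is
    (t_xmin, t_infomask2, first-attribute bytes) of a single text-column tuple."""
    page = bytearray(PAGE_SIZE)
    upper, line_ptrs = PAGE_SIZE, []
    for i, (xmin, infomask2, value) in enumerate(rows, 1):
        varlena = bytes([((len(value) + 1) << 1) | 1]) + value   # 1-byte header: bit0=1, len<<1
        # HeapTupleHeaderData: xmin, xmax, cid, ctid(block, offset), infomask2, infomask, t_hoff, pad
        header = struct.pack("<IIIIHHHBx", xmin, 0, 0, 0, i, infomask2, 0x0802, PAGE_HDR)
        tup = header + varlena
        upper = (upper - len(tup)) & ~7                          # MAXALIGN; matches pd_upper above
        page[upper:upper + len(tup)] = tup
        line_ptrs.append(upper | (LP_NORMAL << 15) | (len(tup) << 17))  # ItemIdData bit fields
    lower = PAGE_HDR + 4 * len(line_ptrs)
    struct.pack_into("<QHHHHHHI", page, 0, 0, 0, 0, lower, upper, PAGE_SIZE, PAGE_SIZE | 4, 0)
    struct.pack_into("<%dI" % len(line_ptrs), page, PAGE_HDR, *line_ptrs)
    return bytes(page)

def column_values(page):
    """Walk the line pointers and return the first attribute of every LP_NORMAL tuple."""
    lower, = struct.unpack_from("<H", page, 12)
    values = []
    for off in range(PAGE_HDR, lower, 4):
        lp, = struct.unpack_from("<I", page, off)
        lp_off, lp_flags, lp_len = lp & 0x7FFF, (lp >> 15) & 3, lp >> 17
        if lp_flags != LP_NORMAL:
            continue
        tup = page[lp_off:lp_off + lp_len]
        data = tup[tup[22]:]                                     # t_hoff marks the start of user data
        if data[0] & 1:                                          # short varlena, 1-byte header
            vlen = data[0] >> 1
            values.append(bytes(data[1:vlen]))
        else:                                                    # 4-byte header, length includes header
            vlen = struct.unpack_from("<I", data)[0] >> 2
            values.append(bytes(data[4:vlen]))
    return values

def plaintext_leaks(page, marker):
    """Audit check: True when a value that should be encrypted is readable in the page."""
    return any(marker in v for v in column_values(page))
```

Run against a real data file, `plaintext_leaks(open(path, "rb").read(PAGE_SIZE), b"kingbase")` answers the question the two hexdumps answer by inspection, and `False` for the encrypted table only says the marker is absent, not which algorithm was used.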

2. Column encryption usage restrictions

1. Tablespace encryption and column encryption cannot be used at the same time

Once encryption is enabled for a tablespace, tables with encrypted columns can no longer be created in that tablespace. The error is as follows:

test=# CREATE TABLE t1(id INT, name VARCHAR(100) encrypted) TABLESPACE tsp1;
ERROR:  Column encryption and tablepspace encryption cannot be userd at the same time.

2. While the wallet is closed, encrypted tables cannot be created or dropped

test=# closeup wallet with password "Kingbase";
WARNING:  wallet alread closed
CLOSE WALLET
test=# drop table t1_encrypt;
ERROR:  wallet status is closed, open wallet and try again
test=# create table t2_encrypt(name text encrypted);
ERROR:  wallet status is closed, open wallet and try again

3. Existing columns cannot be altered to encrypted or unencrypted

test=# alter table t1_encrypt alter column name type text;
ERROR:  cannot modify encrypted column type.
test=# alter table t1_noencrypt alter column name set encrypted;
ERROR:  syntax error at or near "encrypted"
LINE 1: alter table t1_noencrypt alter column name set encrypted;

4. Encrypted columns do not support BLOB or CLOB types

test=# create table t1_encrypt(name clob encrypted);
ERROR:  BLOB, CLOB or composite type columns can't be encrypted