1. Introduction to the Fully-encrypted Database Features
A fully-encrypted database aims to protect privacy throughout the data lifecycle. Data is always encrypted during transmission, computing, and storage regardless of the service scenario or environment. After the data owner encrypts data on the client and sends the encrypted data to the server, even if an attacker manages to exploit some system vulnerability and steal user data, they cannot obtain valuable information. Data privacy is protected.
2. Customer Benefits of the Fully-encrypted Database
The entire service data flow is encrypted during processing. A fully-encrypted database:
Protects data privacy and security throughout the lifecycle on the cloud. Attackers cannot obtain information from the database server regardless of the data status.
Helps cloud service providers earn the trust of third-party users. Users, including service administrators and O&M administrators in enterprise service scenarios and application developers in consumer cloud services, can keep the encryption keys themselves so that even users with high permissions cannot access unencrypted data.
Enables cloud databases to better comply with personal privacy protection laws and regulations.
3. Use of the Fully-encrypted Database
Currently, the fully-encrypted database supports two connection modes: gsql and JDBC. This chapter describes how to use the database in the two connection modes.
3.1 Connecting to a Fully-encrypted Database
Run the gsql -p PORT –d postgres -r –C command to enable the encryption function.
Parameter description:
-p indicates the port number. -d indicates the database name. -C indicates that the encryption function is enabled.
To support JDBC operations on a fully-encrypted database, set enable_ce to 1.
3.2 Creating a User Key
A fully-encrypted database has two types of keys: client master key (CMK) and data encryption key (CEK).
The CMK is used to encrypt the CEK. The CEK is used to encrypt user data.
Before creating a key, use gs_ktool to create a key ID for creating a CMK.
openGauss=# \! gs_ktool -g
The sequence and dependency of creating a key are as follows: creating a key ID > creating a CMK > creating a CEK.
3.2.1 Creating a CMK and a CEK in the GSQL Environment
[Creating a CMK]
CREATE CLIENT MASTER KEY client_master_k ey_name WITH (KEY_STORE = key_store_name, KEY_PATH = “key_path_value ”, ALGORITHM = algorithm_type) ;
Parameter description:
client_master_k ey_name
This parameter is used as the name of a key object. In the same namespace, the value of this parameter must be unique.
Value range: a string. It must comply with the naming convention.
KEY_STORE
Tool or service that independently manages keys. Currently, only the key management tool gs_ktool provided by GaussDB Kenel and the online key management service huawei_kms provided by Huawei Cloud are supported. Value range: gs_ktool and huawei_kms
KEY_PATH
A key in the key management tool or service. The KEY_STORE and KEY_PATH parameters can be used to uniquely identify a key entity. When KEY_STORE is set to gs_ktool, the value is gs_ktool or KEY_ID. When KEY_STORE is set to huawei_kms, the value is a 36-byte key ID.
ALGORITHM
This parameter specifies the encryption algorithm used by the key entity. When KEY_STORE is set to gs_ktool, the value can be AES_256_CBC or SM4. When KEY_STORE is set to huawei_kms, the value is AES_256.
[Creating a CEK]
CREATE COLUMN ENCRYPTION KEY column_encrypti on_key_name WITH(CLIENT_MAS TER_KEY = client_master_k ey_name, ALGORITHM = algorithm_type, ENCRYPTED_VALUE = encrypted_value );
Parameter description:
column_encrypti on_key_name
This parameter is used as the name of a key object. In the same namespace, the value of this parameter must be unique.
Value range: String, which must comply with the naming convention.
CLIENT_MASTER_K EY
Specifies the CMK used to encrypt the CEK. The value is the CMK object name, which is created using the CREATE CLIENT MASTER KEY syntax.
ALGORITHM
Encryption algorithm to be used by the CEK. The value can be AEAD_AES_256_CB C_HMAC_SHA256, AEAD_AES_128_CB C_HMAC_SHA256, or SM4_SM3.
ENCRYPTED_VALUE (optional)
A key password specified by a user. The key password length ranges from 28 to 256 bits. The derived 28-bit key meets the AES128 security requirements. If the user needs to use AES256, the key password length must be 39 bits. If the user does not specify the key password length, a 256-bit key is automatically generated.
[Example in the GSQL environment]
– (1) Use the key management tool gs_ktool to create a key. The tool returns the ID of the newly generated key.
[cmd] gs_ktool -g
– (2) Use a privileged account to create a common user named alice.
openGauss=# CREATE USER alice PASSWORD ‘********’;
– (3) Use the account of common user alice to connect to the encrypted database and execute the syntax.
gsql -p 57101 postgres -U alice -r -C
– Create a CMK object.
openGauss=> CREATE CLIENT MASTER KEY alice_cmk WITH ( KEY_STORE = gs_ktool , KEY_PATH = “gs_ktool/1” , ALGORITHM = AES_256_CBC);
– Create a CEK object.
openGauss=> CREATE COLUMN ENCRYPTION KEY a_cek WITH VALUES (CLIENT_MASTER_ KEY = a_cmk, ALGORITHM = AEAD_AES_256_CB C_HMAC_SHA256);
openGauss=> CREATE COLUMN ENCRYPTION KEY another_cek WITH VALUES (CLIENT_MASTER_ KEY = a_cmk, ALGORITHM = SM4_SM3);
3.2..2 Creating a CMK and a CEK in the JDBC Environment
// Create a CMK.
Connection conn = DriverManager.g etConnection(“u rl”,“user”,“pas sword”);
Statement stmt = conn.createStat ement();
int rc = stmt.executeUpd ate(“CREATE CLIENT MASTER KEY ImgCMK1 WITH ( KEY_STORE = gs_ktool , KEY_PATH = \“gs_ktool/1\” , ALGORITHM = AES_256_CBC);”) ;
// Create a CEK.
int rc2 = stmt.executeUpd ate(“CREATE COLUMN ENCRYPTION KEY ImgCEK1 WITH VALUES (CLIENT_MASTER_ KEY = ImgCMK1, ALGORITHM = AEAD_AES_256_CB C_HMAC_SHA256); ”);
3.3 Creating an Encrypted Table
After creating the CMK and CEK, you can use the CEK to create an encrypted table.
An encrypted table can be created in two modes: randomized encryption and deterministic encryption.
Creating an Encrypted Table in the GSQL Environment
[Example]
openGauss=# CREATE TABLE creditcard_info (id_number int,
name text encrypted with (column_encrypt ion_key = ImgCEK, encryption_type = DETERMINISTIC),
credit_card varchar(19) encrypted with (column_encrypt ion_key = ImgCEK1, encryption_type = DETERMINISTIC)) ;
Parameter description:
ENCRYPTION_TYPE indicates the encryption type in the ENCRYPTED WITH constraint. The value of encryption_type _value can be DETERMINISTIC or RANDOMIZED.
Creating an Encrypted Table in the JDBC Environment
int rc3 = stmt.executeUpd ate(“CREATE TABLE creditcard_info (id_number int, name varchar(50) encrypted with (column_encrypt ion_key = ImgCEK1, encryption_type = DETERMINISTIC), credit_card varchar(19) encrypted with (column_encrypt ion_key = ImgCEK1, encryption_type = DETERMINISTIC)) ;”);
3.4 Inserting Data into the Encrypted Table and Querying the Data
After an encrypted table is created, you can insert and view data in the encrypted table in encrypted database mode (enabling the connection parameter -C). When the common environment (disabling the connection parameter -C) is used, operations cannot be performed on the encrypted table, and only ciphertext data can be viewed in the encrypted table.
Inserting Data into the Encrypted Table and Viewing the Data in the GSQL Environment
openGauss=# INSERT INTO creditcard_info VALUES (1,‘joe’,‘62179 86500001288393’ );
INSERT 0 1
openGauss=# INSERT INTO creditcard_info VALUES (2, ‘joy’,‘62199856 78349800033’);
INSERT 0 1
openGauss=# select * from creditcard_info where name = ‘joe’;
id_number | name | credit_card
———–+——+———————
1 | joe | 621798650000128 8393
(1 row)
Note: The data in the encrypted table is displayed in ciphertext when you use a non-encrypted client to view the data.
openGauss=# select id_number,name from creditcard_info ;
id_number | name
———–+—————————— ————-
1 | \x011aefabd754d ed0a536a9666479 0622487c4d36
2 | \x011aefabd7685 3108eb406c0f90e 7c773b71648f
(2 rows)
Inserting Data into the Encrypted Table and Viewing the Data in the JDBC Environment
// Insert data.
int rc4 = stmt.executeUpd ate(“INSERT INTO creditcard_info VALUES (1,‘joe’,‘62179 86500001288393’ );”);
// Query the encrypted table.
ResultSet rs = null;
rs = stmt.executeQue ry(“select * from creditcard_info where name = ‘joe’;”);
// Close the statement object.
stmt.close();
The preceding describes how to use the fully-encrypted database features. For details, see the corresponding sections in the official document. However, for a common user, the functions described above are sufficient to ensure smooth implementation of daily work. In the future, fully-encrypted databases will evolve to be easier to use and provide higher performance. Stay tuned!
A fully-encrypted database aims to protect privacy throughout the data lifecycle. Data is always encrypted during transmission, computing, and storage regardless of the service scenario or environment. After the data owner encrypts data on the client and sends the encrypted data to the server, even if an attacker manages to exploit some system vulnerability and steal user data, they cannot obtain valuable information. Data privacy is protected.
2. Customer Benefits of the Fully-encrypted Database
The entire service data flow is encrypted during processing. A fully-encrypted database:
Protects data privacy and security throughout the lifecycle on the cloud. Attackers cannot obtain information from the database server regardless of the data status.
Helps cloud service providers earn the trust of third-party users. Users, including service administrators and O&M administrators in enterprise service scenarios and application developers in consumer cloud services, can keep the encryption keys themselves so that even users with high permissions cannot access unencrypted data.
Enables cloud databases to better comply with personal privacy protection laws and regulations.
3. Use of the Fully-encrypted Database
Currently, the fully-encrypted database supports two connection modes: gsql and JDBC. This chapter describes how to use the database in the two connection modes.
3.1 Connecting to a Fully-encrypted Database
Run the gsql -p PORT –d postgres -r –C command to enable the encryption function.
Parameter description:
-p indicates the port number. -d indicates the database name. -C indicates that the encryption function is enabled.
To support JDBC operations on a fully-encrypted database, set enable_ce to 1.
3.2 Creating a User Key
A fully-encrypted database has two types of keys: client master key (CMK) and data encryption key (CEK).
The CMK is used to encrypt the CEK. The CEK is used to encrypt user data.
Before creating a key, use gs_ktool to create a key ID for creating a CMK.
openGauss=# \! gs_ktool -g
The sequence and dependency of creating a key are as follows: creating a key ID > creating a CMK > creating a CEK.
3.2.1 Creating a CMK and a CEK in the GSQL Environment
[Creating a CMK]
CREATE CLIENT MASTER KEY client_master_k ey_name WITH (KEY_STORE = key_store_name, KEY_PATH = “key_path_value ”, ALGORITHM = algorithm_type) ;
Parameter description:
client_master_k ey_name
This parameter is used as the name of a key object. In the same namespace, the value of this parameter must be unique.
Value range: a string. It must comply with the naming convention.
KEY_STORE
Tool or service that independently manages keys. Currently, only the key management tool gs_ktool provided by GaussDB Kenel and the online key management service huawei_kms provided by Huawei Cloud are supported. Value range: gs_ktool and huawei_kms
KEY_PATH
A key in the key management tool or service. The KEY_STORE and KEY_PATH parameters can be used to uniquely identify a key entity. When KEY_STORE is set to gs_ktool, the value is gs_ktool or KEY_ID. When KEY_STORE is set to huawei_kms, the value is a 36-byte key ID.
ALGORITHM
This parameter specifies the encryption algorithm used by the key entity. When KEY_STORE is set to gs_ktool, the value can be AES_256_CBC or SM4. When KEY_STORE is set to huawei_kms, the value is AES_256.
[Creating a CEK]
CREATE COLUMN ENCRYPTION KEY column_encrypti on_key_name WITH(CLIENT_MAS TER_KEY = client_master_k ey_name, ALGORITHM = algorithm_type, ENCRYPTED_VALUE = encrypted_value );
Parameter description:
column_encrypti on_key_name
This parameter is used as the name of a key object. In the same namespace, the value of this parameter must be unique.
Value range: String, which must comply with the naming convention.
CLIENT_MASTER_K EY
Specifies the CMK used to encrypt the CEK. The value is the CMK object name, which is created using the CREATE CLIENT MASTER KEY syntax.
ALGORITHM
Encryption algorithm to be used by the CEK. The value can be AEAD_AES_256_CB C_HMAC_SHA256, AEAD_AES_128_CB C_HMAC_SHA256, or SM4_SM3.
ENCRYPTED_VALUE (optional)
A key password specified by a user. The key password length ranges from 28 to 256 bits. The derived 28-bit key meets the AES128 security requirements. If the user needs to use AES256, the key password length must be 39 bits. If the user does not specify the key password length, a 256-bit key is automatically generated.
[Example in the GSQL environment]
– (1) Use the key management tool gs_ktool to create a key. The tool returns the ID of the newly generated key.
[cmd] gs_ktool -g
– (2) Use a privileged account to create a common user named alice.
openGauss=# CREATE USER alice PASSWORD ‘********’;
– (3) Use the account of common user alice to connect to the encrypted database and execute the syntax.
gsql -p 57101 postgres -U alice -r -C
– Create a CMK object.
openGauss=> CREATE CLIENT MASTER KEY alice_cmk WITH ( KEY_STORE = gs_ktool , KEY_PATH = “gs_ktool/1” , ALGORITHM = AES_256_CBC);
– Create a CEK object.
openGauss=> CREATE COLUMN ENCRYPTION KEY a_cek WITH VALUES (CLIENT_MASTER_ KEY = a_cmk, ALGORITHM = AEAD_AES_256_CB C_HMAC_SHA256);
openGauss=> CREATE COLUMN ENCRYPTION KEY another_cek WITH VALUES (CLIENT_MASTER_ KEY = a_cmk, ALGORITHM = SM4_SM3);
3.2..2 Creating a CMK and a CEK in the JDBC Environment
// Create a CMK.
Connection conn = DriverManager.g etConnection(“u rl”,“user”,“pas sword”);
Statement stmt = conn.createStat ement();
int rc = stmt.executeUpd ate(“CREATE CLIENT MASTER KEY ImgCMK1 WITH ( KEY_STORE = gs_ktool , KEY_PATH = \“gs_ktool/1\” , ALGORITHM = AES_256_CBC);”) ;
// Create a CEK.
int rc2 = stmt.executeUpd ate(“CREATE COLUMN ENCRYPTION KEY ImgCEK1 WITH VALUES (CLIENT_MASTER_ KEY = ImgCMK1, ALGORITHM = AEAD_AES_256_CB C_HMAC_SHA256); ”);
3.3 Creating an Encrypted Table
After creating the CMK and CEK, you can use the CEK to create an encrypted table.
An encrypted table can be created in two modes: randomized encryption and deterministic encryption.
Creating an Encrypted Table in the GSQL Environment
[Example]
openGauss=# CREATE TABLE creditcard_info (id_number int,
name text encrypted with (column_encrypt ion_key = ImgCEK, encryption_type = DETERMINISTIC),
credit_card varchar(19) encrypted with (column_encrypt ion_key = ImgCEK1, encryption_type = DETERMINISTIC)) ;
Parameter description:
ENCRYPTION_TYPE indicates the encryption type in the ENCRYPTED WITH constraint. The value of encryption_type _value can be DETERMINISTIC or RANDOMIZED.
Creating an Encrypted Table in the JDBC Environment
int rc3 = stmt.executeUpd ate(“CREATE TABLE creditcard_info (id_number int, name varchar(50) encrypted with (column_encrypt ion_key = ImgCEK1, encryption_type = DETERMINISTIC), credit_card varchar(19) encrypted with (column_encrypt ion_key = ImgCEK1, encryption_type = DETERMINISTIC)) ;”);
3.4 Inserting Data into the Encrypted Table and Querying the Data
After an encrypted table is created, you can insert and view data in the encrypted table in encrypted database mode (enabling the connection parameter -C). When the common environment (disabling the connection parameter -C) is used, operations cannot be performed on the encrypted table, and only ciphertext data can be viewed in the encrypted table.
Inserting Data into the Encrypted Table and Viewing the Data in the GSQL Environment
openGauss=# INSERT INTO creditcard_info VALUES (1,‘joe’,‘62179 86500001288393’ );
INSERT 0 1
openGauss=# INSERT INTO creditcard_info VALUES (2, ‘joy’,‘62199856 78349800033’);
INSERT 0 1
openGauss=# select * from creditcard_info where name = ‘joe’;
id_number | name | credit_card
———–+——+———————
1 | joe | 621798650000128 8393
(1 row)
Note: The data in the encrypted table is displayed in ciphertext when you use a non-encrypted client to view the data.
openGauss=# select id_number,name from creditcard_info ;
id_number | name
———–+—————————— ————-
1 | \x011aefabd754d ed0a536a9666479 0622487c4d36
2 | \x011aefabd7685 3108eb406c0f90e 7c773b71648f
(2 rows)
Inserting Data into the Encrypted Table and Viewing the Data in the JDBC Environment
// Insert data.
int rc4 = stmt.executeUpd ate(“INSERT INTO creditcard_info VALUES (1,‘joe’,‘62179 86500001288393’ );”);
// Query the encrypted table.
ResultSet rs = null;
rs = stmt.executeQue ry(“select * from creditcard_info where name = ‘joe’;”);
// Close the statement object.
stmt.close();
The preceding describes how to use the fully-encrypted database features. For details, see the corresponding sections in the official document. However, for a common user, the functions described above are sufficient to ensure smooth implementation of daily work. In the future, fully-encrypted databases will evolve to be easier to use and provide higher performance. Stay tuned!