KingbaseES supports column encryption

kingbase 2021-09-30 16:06

KingbaseES column encryption supports the sm4 and rc4 algorithms. The algorithm is chosen at initdb time; the default is sm4. To use column encryption, the server must be started with shared_preload_libraries = 'sysencrypt'.

I. Column encryption

Create two tables, one with an encrypted column and one without:

test=# create table t1_encrypt(name text encrypted);
CREATE TABLE
test=# create table t1_noencrypt(name text);
CREATE TABLE
test=# insert into t1_encrypt values('kingbase');
INSERT 0 1
test=# insert into t1_noencrypt values('kingbase');
INSERT 0 1

Use hexdump on the relation data files to see whether the value is encrypted on disk.

Encrypted table:

[kingbase@dbhost03 61904]$ hexdump -c 71512
0000000  \0  \0  \0  \0   P 344   E 224  \0  \0  \0  \0      \0 240 037
0000010  \0     004      \0  \0  \0  \0 320 237   R  \0 240 237   R  \0
0000020  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0
*
0001fa0 001 334 003  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0
0001fe0 001  \0 001 020 002  \b 030  \0   # 314   N 223 345   f 272   N
0001ff0 211 246 225 375 026 372   f 206 365  \0  \0  \0  \0  \0  \0  \0
0002000

Non-encrypted table: the value kingbase is visible in plain text

[kingbase@dbhost03 61904]$ hexdump -c 71518
0000000  \0  \0  \0  \0 270 344   E 224  \0  \0  \0  \0 034  \0 330 037
0000010  \0     004      \0  \0  \0  \0 330 237   B  \0  \0  \0  \0  \0
0000020  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0
*
0001fd0  \0  \0  \0  \0  \0  \0  \0  \0 002 334 003  \0  \0  \0  \0  \0
0001fe0  \0  \0  \0  \0  \0  \0  \0  \0 001  \0 001  \0 002  \b 030  \0
0001ff0 023   k   i   n   g   b   a   s   e  \0  \0  \0  \0  \0  \0  \0
0002000
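The byte-level check that the two listings above make by eye, written as an added shell example that is not part of the original post. It assumes GNU grep and heap files laid out as base/<database OID>/<relfilenode>, as in the post (base/61904/71512 for t1_encrypt, base/61904/71518 for t1_noencrypt); the sample pages in demo() are constructed, not real KingbaseES pages.

```shell
#!/bin/sh
# Added example: confirm at file level that a value written to an encrypted column
# does not appear as plaintext in the relation's heap file.
# Assumption: FILE is a path such as $DATA/base/61904/71512 (the post's t1_encrypt file).

# plaintext_found FILE VALUE -> prints "leak" if the literal bytes of VALUE occur in FILE,
# "clean" otherwise; returns 2 if FILE cannot be read.
plaintext_found() {
  file=$1
  value=$2
  [ -r "$file" ] || { echo "unreadable: $file" >&2; return 2; }
  # -a: treat the binary heap file as text; -F: match literal bytes; -q: status only.
  # LC_ALL=C so non-UTF-8 bytes in the page never confuse the matcher.
  if LC_ALL=C grep -a -q -F -- "$value" "$file"; then
    echo leak
  else
    echo clean
  fi
}

# scan_relations DIR VALUE -> prints the path of every regular file in DIR
# (e.g. base/<database OID>) whose bytes contain VALUE, one per line.
scan_relations() {
  dir=$1
  value=$2
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    if LC_ALL=C grep -a -q -F -- "$value" "$f"; then
      printf '%s\n' "$f"
    fi
  done
}

# Demonstration on constructed files that mimic the tail of the two listings above.
demo() {
  tmp=$(mktemp -d)
  # Plaintext tuple, as in the t1_noencrypt listing: length byte 023 then "kingbase".
  printf '\000\000\023kingbase\000\000' > "$tmp/71518"
  # Opaque bytes in place of the value, as in the t1_encrypt listing.
  printf '\000\000\023\314N\223\345f\272N\000' > "$tmp/71512"
  scan_relations "$tmp" kingbase   # prints only the 71518 path
  rm -rf "$tmp"
}
```

A "clean" result only shows that the literal byte string is absent; a value that was TOASTed or compressed would not match either, so treat this as a sanity check rather than proof that the column is encrypted.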

II. Restrictions on using column encryption

1. Tablespace encryption and column encryption cannot be used at the same time

If encryption is already enabled on a tablespace, a table containing encrypted columns cannot be created in that tablespace. The error is:

test=# CREATE TABLE t1(id INT, name VARCHAR(100) encrypted) TABLESPACE tsp1;
ERROR:  Column encryption and tablepspace encryption cannot be userd at the same time.

2. After the wallet is closed, encrypted tables cannot be created or dropped

test=# closeup wallet with password "Kingbase";
WARNING:  wallet alread closed
CLOSE WALLET
test=# drop table t1_encrypt;
ERROR:  wallet status is closed, open wallet and try again
test=# create table t2_encrypt(name text encrypted);
ERROR:  wallet status is closed, open wallet and try again

3. A column cannot be altered to become encrypted or non-encrypted

test=# alter table t1_encrypt alter column name type text;
ERROR:  cannot modify encrypted column type.
test=# alter table t1_noencrypt alter column name set encrypted;
ERROR:  syntax error at or near "encrypted"
LINE 1: alter table t1_noencrypt alter column name set encrypted;

4. Encrypted columns do not support blob or clob

test=# create table t1_encrypt(name clob encrypted);
ERROR:  BLOB, CLOB or composite type columns can't be encrypted
