Updated on 2024-05-07 GMT+08:00

CREATE CLIENT MASTER KEY

Description

The encrypted equality query feature uses a two-level key hierarchy: the client master key encrypts the column encryption key, and the column encryption key encrypts the column data. This statement creates the master key object, that is, the database-side reference to a master key that is held by an external key manager.

Precautions

  • This syntax is specific to a fully-encrypted database.
  • Before running this statement, enable the connection parameters of the encrypted equality query feature on the database driver side when connecting to the database.
  • The master key itself is provided by an external key manager. This statement records only reference information such as the key source and key ID (the KEY_STORE, KEY_PATH and ALGORITHM values described below), not the key material. The following external key managers are supported:
    1. Huawei Cloud KMS (KEY_STORE value: huawei_kms)
  • Before using this syntax, set the environment variables for the external key manager on the database driver side. For details, see section "Setting Encrypted Equality Query" in the Feature Guide.

Syntax

CREATE CLIENT MASTER KEY client_master_key_name WITH (KEY_STORE = key_store_name, KEY_PATH = "key_path_value", ALGORITHM = algorithm_type)

Parameters

  • client_master_key_name

    Name of the key object. It must be unique within its namespace.

    Value range: a string that complies with the identifier naming convention.

  • KEY_STORE

    External key manager. For details about the value, see Table 1.

  • KEY_PATH

    Path of the key in the external key manager. Each key manager has its own key path format; see Table 1. The value is a character string enclosed in single or double quotation marks. A string longer than 64 characters must be enclosed in single quotation marks. Note that the huawei_kms key path in Table 1 is always longer than 64 characters, so it must use single quotation marks.

  • ALGORITHM

    Encryption algorithm used by the key. For details about the value, see Table 1.

    Table 1 Parameter values for different key managers

    KEY_STORE    huawei_kms
    KEY_PATH     Format: '{KmsApiUrl}/{Key ID}'
                 Reference: 'https://kms.{Project}.myhuaweicloud.com/v1.0/{Project ID}/kms/{Key ID}'
                 Example: 'https://kms.cn-north-4.myhuaweicloud.com/v1.0/00000000000000000000000000000000/kms/00000000-0000-0000-0000-000000000000'
    ALGORITHM    AES_256
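The following is an added example, not part of the original page, showing the statement with the huawei_kms values from Table 1 and the quoting rule for KEY_PATH. The key object names (orders_cmk, orders_cek, orders) are assumed, and the project ID and key ID are the all-zero placeholders from the table. It goes one step beyond this page by also showing the companion statements that use the master key (creating a column encryption key wrapped by it and a table with an encrypted column); their syntax is the one used by GaussDB/openGauss fully-encrypted databases and is not documented on this page.

```sql
-- Added example; not from the original page. Names, project ID and key ID are
-- placeholders. Run over a driver connection with the encrypted equality query
-- (fully-encrypted database) parameters enabled and the huawei_kms environment
-- variables set on the client side.

-- 1. Register the master key reference. Only KEY_STORE, KEY_PATH and ALGORITHM
--    are sent to the server; the key material stays in Huawei Cloud KMS.
--    This KEY_PATH is longer than 64 characters, so it must use single quotes.
CREATE CLIENT MASTER KEY orders_cmk WITH (
    KEY_STORE = huawei_kms,
    KEY_PATH  = 'https://kms.cn-north-4.myhuaweicloud.com/v1.0/00000000000000000000000000000000/kms/00000000-0000-0000-0000-000000000000',
    ALGORITHM = AES_256
);

-- Not accepted under the KEY_PATH rule: double quotes are only allowed for
-- values of 64 characters or fewer, and this value is longer.
-- CREATE CLIENT MASTER KEY orders_cmk_bad WITH (
--     KEY_STORE = huawei_kms,
--     KEY_PATH  = "https://kms.cn-north-4.myhuaweicloud.com/v1.0/00000000000000000000000000000000/kms/00000000-0000-0000-0000-000000000000",
--     ALGORITHM = AES_256
-- );

-- 2. Companion statements (assumed GaussDB/openGauss syntax, not on this page):
--    a column encryption key wrapped by the master key, and a table whose
--    card_no column is encrypted deterministically so that equality
--    predicates can be evaluated on ciphertext.
CREATE COLUMN ENCRYPTION KEY orders_cek WITH VALUES (
    CLIENT_MASTER_KEY = orders_cmk,
    ALGORITHM = AEAD_AES_256_CBC_HMAC_SHA256
);

CREATE TABLE orders (
    id      int,
    card_no varchar(32) ENCRYPTED WITH (
        COLUMN_ENCRYPTION_KEY = orders_cek,
        ENCRYPTION_TYPE = DETERMINISTIC
    )
);

-- The driver encrypts the literal with orders_cek before sending the query;
-- the server compares ciphertexts and never sees the plaintext card number.
SELECT id FROM orders WHERE card_no = '4111111111111111';
```

The point to check in practice is the first statement: if the server rejects it, confirm that the driver connection was opened with the encrypted equality query parameters enabled and that the huawei_kms environment variables are set on the client, since the statement itself only ever carries the key reference.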