CREATE COLUMN ENCRYPTION KEY
Description
Creates a CEK that can be used to encrypt a specified column in a table.
Precautions
This syntax is specific to a fully-encrypted database.
When using gsql to connect to a database server, you need to use the -C parameter to enable the fully-encrypted database.
The CEK object created using this syntax can be used for column-level encryption. When defining a column in a table, you can specify a CEK object to encrypt the column.
Syntax
CREATE COLUMN ENCRYPTION KEY column_encryption_key_name WITH VALUES(CLIENT_MASTER_KEY = client_master_key_name, ALGORITHM = algorithm_type, ENCRYPTED_VALUE = encrypted_value);
Parameters
- column_encryption_key_name
This parameter is used as the name of a key object. In the same namespace, the value of this parameter must be unique.
Value range: a string. It must comply with the naming convention.
- CLIENT_MASTER_KEY
Specifies the CMK used to encrypt the CEK. The value is the CMK object name, which is created using the CREATE CLIENT MASTER KEY syntax.
- ALGORITHM
Encryption algorithm to be used by the CEK. The value can be AEAD_AES_256_CBC_HMAC_SHA256, AEAD_AES_128_CBC_HMAC_SHA256, AEAD_AES_256_CTR_HMAC_SHA256, AES_256_GCM, or SM4_SM3.
The data expansion rates of different encryption algorithms are sorted as follows: AEAD_AES_256_CTR_HMAC_SHA256 < AES_256_GCM < AEAD_AES_256_CBC_HMAC_SHA256 = AEAD_AES_128_CBC_HMAC_SHA256 = SM4_SM3. The AEAD_AES_256_CTR_HMAC_SHA256 and AES_256_GCM encryption algorithms are recommended.
- ENCRYPTED_VALUE (optional)
A key password specified by a user. The key password length ranges from 28 to 256 characters. The derived 28-character key meets the AES128 security requirements. If the user needs to use AES256, the key password length must be 39 characters. If the user does not specify the key password length, a 256-character key is automatically generated.
- SM algorithm constraints: SM2, SM3, and SM4 are Chinese national cryptography standards. To avoid legal risks, these algorithms must be used together. If you specify the SM4 algorithm to encrypt CEKs when creating a CMK, you must specify the SM3 and SM4 algorithms (SM4_SM3) to encrypt data when creating CEKs.
- Constraints on the ENCRYPTED_VALUE column: If the CMK generated by Huawei KMS is used to encrypt the CEK and the ENCRYPTED_VALUE column is used to transfer the key in the CREATE COLUMN ENCRYPTION KEY syntax, the length of the input key must be an integer multiple of 16 bytes.
Example (Using gsql to Connect to the Database Server)
Before using this syntax, you need to enable KMS and configure parameters for accessing KMS. For details, see "Setting Encrypted Equality Queries" in Feature Guide.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
