Help Center> GaussDB> Centralized> Setting Encrypted Equality Query> Encrypted Functions and Stored Procedures
Updated on 2023-10-23 GMT+08:00
View PDF

Encrypted Functions and Stored Procedures

In the current version, only encrypted functions and stored procedures in SQL or PL/pgSQL are supported. Because users are unaware of the creation and execution of functions or stored procedures in an encrypted stored procedure, the syntax has no difference from that of non-encrypted functions and stored procedures.

The gs_encrypted_proc system catalog is added to the function or stored procedure for encrypted equality query to store the returned original data type.

Creating and Executing a Function or Stored Procedure that Involves Encrypted Columns

  1. Create a key. For details, see Using gsql to Operate an Encrypted Database and Using JDBC to Operate an Encrypted Database.
  2. Create an encrypted table.

    1
2
3
4
5
6
    		 
    gaussdb=# CREATE TABLE creditcard_info (
gaussdb(#   id_number int,
gaussdb(#   name  text,
gaussdb(#   credit_card varchar(19) encrypted with (column_encryption_key = ImgCEK1, encryption_type = DETERMINISTIC)
gaussdb(# ) with (orientation=row);
CREATE TABLE

  3. Insert data.

    1
2
3
4
    		 
    gaussdb=# insert into creditcard_info values(1, 'Avi', '1234567890123456');
INSERT 0 1
gaussdb=# insert into creditcard_info values(2, 'Eli', '2345678901234567');
INSERT 0 1

  4. Create a function supporting encrypted equality query.

    1
2
3
4
5
6
7
8
    		 
    gaussdb=# CREATE FUNCTION f_encrypt_in_sql(val1 text, val2 varchar(19)) RETURNS text AS 'SELECT name from creditcard_info where name=$1 or credit_card=$2 LIMIT 1' LANGUAGE SQL;
CREATE FUNCTION
gaussdb=# CREATE FUNCTION f_encrypt_in_plpgsql (val1 text, val2 varchar(19), OUT c text) AS $$
gaussdb$# BEGIN
gaussdb$# SELECT into c name from creditcard_info where name=$1 or credit_card =$2 LIMIT 1;
gaussdb$# END; $$
gaussdb-# LANGUAGE plpgsql;
CREATE FUNCTION

  5. Execute the function.

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
    		 
    gaussdb=# SELECT f_encrypt_in_sql('Avi','1234567890123456');
 f_encrypt_in_sql
------------------
 Avi
(1 row)

gaussdb=# SELECT f_encrypt_in_plpgsql('Avi', val2=>'1234567890123456');
 f_encrypt_in_plpgsql
----------------------
 Avi
(1 row)

  • Because the query, that is, the dynamic query statement executed in a function or stored procedure, is compiled during execution, the table name and column name in the function or stored procedure must be known in the creation phase. The input parameter cannot be used as a table name or column name, or any connection mode.
  • In a function or stored procedure that executes dynamic clauses, data values to be encrypted cannot be contained in the clauses.
  • Among the RETURNS, IN, and OUT parameters, encrypted and non-encrypted parameters cannot be used together. Although the parameter types are all original, the actual types are different.
  • In advanced package interfaces, for example, dbe_output.print_line(), decryption is not performed on the interfaces whose output is printed on the server. This is because when the encrypted data type is forcibly converted into the plaintext original data type, the default value of the data type is printed.
  • In the current version, LANGUAGE of functions and stored procedures can only be SQL and PL/pgSQL, and does not support other procedural languages such as C and Java.
  • Other functions or stored procedures for querying encrypted columns cannot be executed in a function or stored procedure.
  • In the current version, default values cannot be assigned to variables in DEFAULT or DECLARE statements, and return values in DECLARE statements cannot be decrypted. You can use input parameters and output parameters instead when executing functions.
  • gs_dump cannot be used to back up functions involving encrypted columns.
  • Keys cannot be created in functions or stored procedures.
  • In this version, encrypted functions and stored procedures do not support triggers.
  • Encrypted equality query functions and stored procedures do not support the escape of the PL/pgSQL syntax. The CREATE FUNCTION AS'Syntax body' syntax whose syntax body is marked with single quotation marks ('') can be replaced with the CREATE FUNCTION AS $$Syntax body $$ syntax.
  • The definition of an encrypted column cannot be modified in an encrypted equality query function or stored procedure, including creating an encrypted table and adding an encrypted column. Because the function is executed on the server, the client cannot determine whether to refresh the cache. The column can be encrypted only after the client is disconnected or the cache of the encrypted column on the client is refreshed.
  • Encrypted functions and stored procedures do not support compilation check. When creating an encrypted function, do not set behavior_compat_options to 'allow_procedure_compile_check'.
  • Functions and stored procedures cannot be created using encrypted data types (byteawithoutorderwithequalcol, byteawithoutordercol, _byteawithoutorderwithequalcol or _byteawithoutordercol).
  • If an encrypted function returns a value of an encrypted type, the result cannot be an uncertain row type, for example, RETURN [SETOF] RECORD. You can replace it with a definite row type, for example, RETURN TABLE(columnname typename[, ...]).
  • When an encrypted function is created, the OID of the encrypted column corresponding to a parameter is added to the system catalog gs_encrypted_proc. Therefore, if a table with the same name is deleted and created again, the encrypted function may become invalid and you need to create the encrypted function again.