Updated on 2024-08-20 GMT+08:00

CREATE COLUMN ENCRYPTION KEY

Description

Creates a CEK that can be used to encrypt a specified column in a table.

Precautions

  • This syntax is specific to a fully-encrypted database.
  • When using gsql to connect to a database server, you need to use the -C parameter to enable the fully-encrypted database.
  • The CEK object created using this syntax can be used for column-level encryption. When defining a column in a table, you can specify a CEK object to encrypt the column.

Syntax

CREATE COLUMN ENCRYPTION KEY column_encryption_key_name WITH VALUES(CLIENT_MASTER_KEY = client_master_key_name, ALGORITHM = algorithm_type [, ENCRYPTED_VALUE = encrypted_value]);

Parameters

  • column_encryption_key_name

    Key object name. In the same namespace, the name must be unique.

    Value range: a string. It must comply with the naming convention.

  • CLIENT_MASTER_KEY

    CMK, which is used to encrypt a specified CEK. The value is the name of a CMK. The CMK object is created using the CREATE CLIENT MASTER KEY syntax.

  • ALGORITHM

    Specifies an encryption algorithm to be used by the CEK. The value can be AEAD_AES_256_CBC_HMAC_SHA256, AEAD_AES_128_CBC_HMAC_SHA256, AEAD_AES_256_CTR_HMAC_SHA256, AES_256_GCM, or SM4_SM3.

    The data expansion rates of different encryption algorithms are sorted as follows: AEAD_AES_256_CTR_HMAC_SHA256 < AES_256_GCM < AEAD_AES_256_CBC_HMAC_SHA256 = AEAD_AES_128_CBC_HMAC_SHA256 = SM4_SM3. The AEAD_AES_256_CTR_HMAC_SHA256 and AES_256_GCM encryption algorithms are recommended.

    If KEY_STORE (master key) is set to third_kms, you do not need to provide the ALGORITHM parameter.

  • ENCRYPTED_VALUE (optional)
    A key password specified by a user. The key password length ranges from 28 to 256 characters. The derived 28-character key meets the AES-128 security requirements. If the user needs to use AES-256, the key password length must be 39 characters. If the user does not specify the key password length, a 256-character key is automatically generated.
    • SM algorithm constraints: SM2, SM3, and SM4 are Chinese national cryptography standards. To avoid legal risks, these algorithms must be used together. If you specify the SM4 algorithm to encrypt CEKs when creating a CMK, you must specify the SM3 and SM4 algorithms (SM4_SM3) to encrypt data when creating CEKs.
    • Constraints on the ENCRYPTED_VALUE column: If the CMK generated by Huawei KMS is used to encrypt the CEK and the ENCRYPTED_VALUE column is used to transfer the key in the CREATE COLUMN ENCRYPTION KEY syntax, the length of the input key must be an integer multiple of 16 bytes.