CREATE COLUMN ENCRYPTION KEY
Description
Creates a CEK that can be used to encrypt a specified column in a table.
Precautions
- This syntax is specific to a fully-encrypted database.
- When using gsql to connect to a database server, you need to use the -C parameter to enable the fully-encrypted database.
- The CEK object created using this syntax can be used for column-level encryption. When defining a column in a table, you can specify a CEK object to encrypt the column.
Syntax
CREATE COLUMN ENCRYPTION KEY column_encryption_key_name WITH VALUES(CLIENT_MASTER_KEY = client_master_key_name, ALGORITHM = algorithm_type [, ENCRYPTED_VALUE = encrypted_value]);
Parameters
- column_encryption_key_name
Key object name. In the same namespace, the name must be unique.
Value range: a string. It must comply with the naming convention.
- CLIENT_MASTER_KEY
CMK, which is used to encrypt a specified CEK. The value is the name of a CMK. The CMK object is created using the CREATE CLIENT MASTER KEY syntax.
- ALGORITHM
Specifies an encryption algorithm to be used by the CEK. The value can be AEAD_AES_256_CBC_HMAC_SHA256, AEAD_AES_128_CBC_HMAC_SHA256, AEAD_AES_256_CTR_HMAC_SHA256, AES_256_GCM, or SM4_SM3.
The data expansion rates of different encryption algorithms are sorted as follows: AEAD_AES_256_CTR_HMAC_SHA256 < AES_256_GCM < AEAD_AES_256_CBC_HMAC_SHA256 = AEAD_AES_128_CBC_HMAC_SHA256 = SM4_SM3. The AEAD_AES_256_CTR_HMAC_SHA256 and AES_256_GCM encryption algorithms are recommended.
If KEY_STORE (master key) is set to third_kms, you do not need to provide the ALGORITHM parameter.
- ENCRYPTED_VALUE (optional)
A key password specified by a user. The key password length ranges from 28 to 256 characters. The derived 28-character key meets the AES-128 security requirements. If the user needs to use AES-256, the key password length must be 39 characters. If the user does not specify the key password length, a 256-character key is automatically generated.
- SM algorithm constraints: SM2, SM3, and SM4 are Chinese national cryptography standards. To avoid legal risks, these algorithms must be used together. If you specify the SM4 algorithm to encrypt CEKs when creating a CMK, you must specify the SM3 and SM4 algorithms (SM4_SM3) to encrypt data when creating CEKs.
- Constraints on the ENCRYPTED_VALUE column: If the CMK generated by Huawei KMS is used to encrypt the CEK and the ENCRYPTED_VALUE column is used to transfer the key in the CREATE COLUMN ENCRYPTION KEY syntax, the length of the input key must be an integer multiple of 16 bytes.
Helpful Links
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot