column_encrypt

透明列级加密扩展,提供 encrypted_text 与 encrypted_bytea 类型

概览

扩展包名版本分类许可证语言
column_encrypt4.0SECPostgreSQLC
ID扩展名BinLibLoadCreateTrustReloc模式
7030column_encryptencrypt
相关扩展pgcrypto pg_enigma pgsodium pgcryptokey pgcrypto pg_tde pgsmcrypto sslutils

fixed encrypt schema; create schema encrypt before CREATE EXTENSION; preload column_encrypt;

版本

类型仓库版本PG 大版本包名依赖
EXTPIGSTY4.01817161514column_encryptpgcrypto
RPMPIGSTY4.01817161514column_encrypt_$v-
DEBPIGSTY4.01817161514postgresql-$v-column-encrypt-
OS / PGPG18PG17PG16PG15PG14
el8.x86_64
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
el8.aarch64
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
el9.x86_64
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
el9.aarch64
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
el10.x86_64
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
el10.aarch64
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
d12.x86_64
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
d12.aarch64
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
d13.x86_64
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
d13.aarch64
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
u22.x86_64
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
u22.aarch64
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
u24.x86_64
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
u24.aarch64
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
u26.x86_64
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
u26.aarch64
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0
PIGSTY 4.0

构建

您可以使用 pig build 命令构建 column_encrypt 扩展的 RPM / DEB 包:

pig build pkg column_encrypt         # 构建 RPM / DEB 包

安装

您可以直接安装 column_encrypt 扩展包的预置二进制包,首先确保 PGDGPIGSTY 仓库已经添加并启用:

pig repo add pgsql -u          # 添加仓库并更新缓存

使用 pig 或者是 apt/yum/dnf 安装扩展:

pig install column_encrypt;          # 当前活跃 PG 版本安装
pig ext install -y column_encrypt -v 18  # PG 18
pig ext install -y column_encrypt -v 17  # PG 17
pig ext install -y column_encrypt -v 16  # PG 16
pig ext install -y column_encrypt -v 15  # PG 15
pig ext install -y column_encrypt -v 14  # PG 14
dnf install -y column_encrypt_18       # PG 18
dnf install -y column_encrypt_17       # PG 17
dnf install -y column_encrypt_16       # PG 16
dnf install -y column_encrypt_15       # PG 15
dnf install -y column_encrypt_14       # PG 14
apt install -y postgresql-18-column-encrypt   # PG 18
apt install -y postgresql-17-column-encrypt   # PG 17
apt install -y postgresql-16-column-encrypt   # PG 16
apt install -y postgresql-15-column-encrypt   # PG 15
apt install -y postgresql-14-column-encrypt   # PG 14

预加载配置

shared_preload_libraries = 'column_encrypt';

创建扩展

CREATE EXTENSION column_encrypt CASCADE;  -- 依赖: pgcrypto

用法

来源:READMEv4.0 releaseSQL objects

column_encrypt 为 PostgreSQL 提供透明列级加密。它定义 encrypted_textencrypted_bytea 类型,通过类型输入函数加密写入值,通过输出函数解密读取值,并在 encrypt schema 中管理数据加密密钥。

启用

先在服务器启动时加载共享库,重启 PostgreSQL,然后创建 schema 和扩展:

shared_preload_libraries = 'column_encrypt'
CREATE EXTENSION pgcrypto;
CREATE SCHEMA IF NOT EXISTS encrypt;
CREATE EXTENSION column_encrypt;

可以把 encrypt 加入 search_path,也可以显式使用 schema 前缀。

注册与加载密钥

SELECT encrypt.register_key('my-secret-data-key', 'my-master-passphrase');
SELECT encrypt.load_key('my-master-passphrase');

SELECT * FROM encrypt.keys();
SELECT * FROM encrypt.status();

扩展使用两层密钥模型,包括密钥加密密钥和数据加密密钥。密文携带 key version 头部,因此轮换密钥后仍可解密旧值。

加密列

CREATE TABLE secure_data (
  id bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  ssn encrypt.encrypted_text,
  payload encrypt.encrypted_bytea
);

INSERT INTO secure_data (ssn, payload)
VALUES ('888-999-2045', decode('aabbcc', 'hex'));

SELECT id, ssn FROM secure_data;

当前会话没有加载密钥时,读取加密值会报解密错误。

密钥操作

常用函数包括 encrypt.activate_keyencrypt.revoke_keyencrypt.rotateencrypt.verifyencrypt.unload_keyencrypt.loaded_cipher_key_versionsencrypt.blind_index

不能直接暴露明文值的查找场景,可以使用 blind index:

SELECT encrypt.blind_index('888-999-2045', 'lookup-hmac-key');

注意事项

扩展有意拒绝加密值的 binary send/receive。相等和哈希语义基于解密后的明文;不支持范围排序。从旧的密文哈希语义升级后,需要重建加密列上的哈希索引。


最后修改 2026-07-02: extension update 2026-07-02 (d4da20c)