pgcrypto: column encryption in PostgreSQL need suggestions

Question

I have a table and I want to encrypt, few columns of it using pgcrypto functions of PostgreSQL. Lets say I want to use pgp_sym_encrypt( 'sample_name', 'someKey' , [options]).

I need suggestions on how and where to store the 'someKey'. I understand that KMS feature is not straight forward ( probably not yet fully implemented in PG- 12 ), but storing the 'someKey' in the code is not desirable, nor storing in some other database/servers.

I was hoping if I can generate a Random key to encrypt the data, but I also need to decrypt it while fetching - any suggestion on this please.

I am exploring options in learning phase, now.

score 1 · Answer 1 · answered Sep 29 '20 at 05:06

Approach that I am considering -

We have Azure Key Vault storage, and we can store the 'key' in the Azure KV. From the application level, we can pass the 'key' to the functions as a parameter. And we can use functions like pgp_sym_encrypt or pgp_sym_decrypt ( for symmetric encryption / decryption ), using that parameter.

No need of storing the key in DB itself.

Any suggestions is appreciable.

pgcrypto: column encryption in PostgreSQL need suggestions

1 Answers1