The lt_sm extension provides SM (ShangMi) cryptographic functions for LightDB, covering the SM2, SM3 and SM4 algorithms. Data can be encrypted and decrypted with these algorithms.

Note that the current lt_sm extension is an experimental trial version.

SM2 is asymmetric encryption: there is a pair of keys, the private key is used for encryption and the public key is used for decryption.

SM2 has four functions:
gm_sm2_genprikey(local_storage bool) return text
Generates the SM2 private key for encrypting data. The input parameter true indicates that the key is stored in the database, and the return value is true in this case. The input parameter false indicates that the key is imported from outside when the database is restarted, and the return value is the private key string of text type.

-- Generate SM2 private key using local storage
SELECT gm_sm2_genprikey(true);
 gm_sm2_genprikey
------------------
 true

-- Generate SM2 private key using external import
SELECT gm_sm2_genprikey(false);
                         gm_sm2_genprikey
------------------------------------------------------------------
 -----BEGIN EC PRIVATE KEY-----                                   +
 MHcCAQEEIMattGsrutK0T7YFtJ/nRL3HzUTSoBuW+l78TYuthSEXoAoGCCqBHM9V+
 AYItoUQDQgAEv12xwVT9SD4/qOqB8EYZkbMyl2APj3sOBHq0krHUSlQ0UbVOcJls+
 v1JkxGQSJ+EGXbmuhRErwiAu9gTd8+umlw==                             +
 -----END EC PRIVATE KEY-----                                     +
gm_sm2_genpubkey(local_storage bool) return text
Generates the SM2 public key for decrypting data. The input parameter true indicates that the key is stored in the database, and the return value is true in this case. The input parameter false indicates that the key is imported from outside when the database is restarted, and the return value is the public key string of text type. Note that the private key must be generated with gm_sm2_genprikey() before the public key can be generated with this function.

-- Generate SM2 public key using local storage
SELECT gm_sm2_genpubkey(true);
 gm_sm2_genpubkey
------------------
 true

-- Generate SM2 public key using external import
SELECT gm_sm2_genpubkey(false);
                         gm_sm2_genpubkey
------------------------------------------------------------------
 -----BEGIN PUBLIC KEY-----                                       +
 MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEv12xwVT9SD4/qOqB8EYZkbMyl2AP+
 j3sOBHq0krHUSlQ0UbVOcJlsv1JkxGQSJ+EGXbmuhRErwiAu9gTd8+umlw==    +
 -----END PUBLIC KEY-----                                         +
gm_sm2_encrypt(plaintext bytea) return bytea
Encrypts plaintext into ciphertext: the input parameter is the plaintext and the return value is the ciphertext.

-- Encrypt plaintext to generate ciphertext
select gm_sm2_encrypt('恒生电子LightDB_001');
                                                                                                              gm_sm2_encrypt
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 \x043f115fde4ad84ca331e6d6edbeb806d09ffa6094f8d52a57a39c7c6c587bcd06eb72146f3d503923af813fa67de1c5f484e5b657c83d9f332b9263d08d6b2a42ae6bd733bec7f6b17ebc74783ebc7eba0dff68b269edfa44a54751527f7204d4e30a2ddb44ebbb5ea1864657e86225100b00e581ac6e84
gm_sm2_decrypt(ciphertext bytea) return bytea
Decrypts the ciphertext into plaintext: the input parameter is the ciphertext and the return value is the plaintext.

-- Decrypt ciphertext to recover plaintext
select gm_sm2_decrypt('\x043f115fde4ad84ca331e6d6edbeb806d09ffa6094f8d52a57a39c7c6c587bcd06eb72146f3d503923af813fa67de1c5f484e5b657c83d9f332b9263d08d6b2a42ae6bd733bec7f6b17ebc74783ebc7eba0dff68b269edfa44a54751527f7204d4e30a2ddb44ebbb5ea1864657e86225100b00e581ac6e84');
                   gm_sm2_decrypt
--------------------------------------------------
 \xe68192e7949fe794b5e5ad904c6967687444425f303031

-- Convert the decrypted binary plaintext to a displayable string
select convert_from('\xe68192e7949fe794b5e5ad904c6967687444425f303031', 'SQL_ASCII');
    convert_from
---------------------
 恒生电子LightDB_001
SM3 is a cryptographic hash algorithm, mainly used for digital signature generation and verification, message authentication code generation and verification, random number generation, etc.

SM3 has one function:

gm_sm3_encrypt(plaintext bytea) return bytea
Hashes a plaintext message into a digest: the input parameter is the plaintext message and the return value is the digest.

-- Hash a plaintext message to generate its digest
select gm_sm3_encrypt('LightDB_002');
                           gm_sm3_encrypt
--------------------------------------------------------------------
 \x9de35b686bec17533e9ded7abfb039320bb08abbcec74eb0f44cf52b09e255c1
SM4 is symmetric encryption in CTR mode (128-bit); a single key is used for both encryption and decryption.

SM4 has three functions:

gm_sm4_genkey(local_storage bool) return text
Generates the SM4 key for encrypting and decrypting data. The input parameter true indicates that the key is stored in the database, and the return value is true in this case. The input parameter false indicates that the key is imported from outside when the database is restarted, and the return value is the key string of text type.

-- Generate SM4 key using local storage
select gm_sm4_genkey(true);
 gm_sm4_genkey
---------------
 true

-- Generate SM4 key using external import
select gm_sm4_genkey(false);
          gm_sm4_genkey
----------------------------------
 A98B1904E5A74CDA5B2135519B941703
gm_sm4_encrypt(plaintext bytea) return bytea
Encrypts plaintext into ciphertext: the input parameter is the plaintext and the return value is the ciphertext.

-- Encrypt plaintext to generate ciphertext
select gm_sm4_encrypt('恒生电子LightDB_003');
                   gm_sm4_encrypt
--------------------------------------------------
 \x33e7117d0ce6f38ec2b78bfab08b991628771bedeeecf8
gm_sm4_decrypt(ciphertext bytea) return bytea
Decrypts the ciphertext into plaintext: the input parameter is the ciphertext and the return value is the plaintext.

-- Decrypt ciphertext to recover plaintext
select gm_sm4_decrypt('\x33e7117d0ce6f38ec2b78bfab08b991628771bedeeecf8');
                   gm_sm4_decrypt
--------------------------------------------------
 \xe68192e7949fe794b5e5ad904c6967687444425f303033

-- Convert the decrypted binary plaintext to a displayable string
select convert_from('\xe68192e7949fe794b5e5ad904c6967687444425f303033', 'SQL_ASCII');
    convert_from
---------------------
 恒生电子LightDB_003
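The SM4 and SM3 functions above used together in a table that stores only ciphertext, as an added example that is not part of the lt_sm documentation; it assumes lt_sm is installed, an SM4 key has already been generated with gm_sm4_genkey(true), and the table and view names are hypothetical.

```sql
-- Added example (not from the lt_sm documentation). Assumes lt_sm is installed
-- and gm_sm4_genkey(true) has already been run; table/view names are hypothetical.
CREATE TABLE customer_secret (
    id        serial PRIMARY KEY,
    secret_ct bytea NOT NULL          -- SM4-CTR ciphertext only, never the plaintext
);

-- Encrypt at write time. convert_to() turns the text into UTF-8 bytes, which is
-- the bytea argument gm_sm4_encrypt expects.
INSERT INTO customer_secret (secret_ct)
VALUES (gm_sm4_encrypt(convert_to('恒生电子LightDB_003', 'UTF8')));

-- Decrypt on read. convert_from(..., 'UTF8') restores the original string and,
-- unlike the 'SQL_ASCII' used in the page's examples, also checks that the
-- decrypted bytes are valid UTF-8.
CREATE VIEW customer_secret_plain AS
SELECT id,
       convert_from(gm_sm4_decrypt(secret_ct), 'UTF8') AS secret
FROM customer_secret;

-- Round-trip check: decrypting what was just encrypted must return the same bytes,
-- and CTR mode keeps the ciphertext the same length as the plaintext (23 bytes here).
SELECT gm_sm4_decrypt(gm_sm4_encrypt(p)) = p       AS roundtrip_ok,
       length(gm_sm4_encrypt(p)) = length(p)       AS same_length
FROM (SELECT convert_to('恒生电子LightDB_003', 'UTF8') AS p) AS s;

-- SM3 digest of the stored ciphertext as a change-detection fingerprint.
-- SM3 is an unkeyed hash: it catches accidental corruption, not deliberate
-- tampering by someone who can rewrite the digest as well.
SELECT id, encode(gm_sm3_encrypt(secret_ct), 'hex') AS ct_fingerprint
FROM customer_secret;
```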
lt_sm supports two key management methods:

The key is stored locally: the input parameter of the key generation function is true. After the key is generated, the encryption and decryption functions can be used.

The key is imported from outside: the input parameter of the key generation function is false. When the database is restarted, the key file is imported externally.
-- When using lt_ctl, specify the -Y parameter to pass in the key file
lt_ctl -D ./data -Y ./keyfile start

The key file must contain the keywords username, database, sm2 private key, sm2 public key and sm4 key, with ':' separating each keyword from its value:

-- key file format: each value must be preceded by its keyword and ':'
username:lightdb
database:postgres
sm2 private key:-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIC4cBmYiht3Kf4e/xQMNR3C2pLkafZ8Lm9lUxae937SjoAoGCCqBHM9V
AYItoUQDQgAEdqAwhgrpt7NNBVKWuyXy8ltIlcl1YQhyum1GE3G4QK3lfVBCgSYF
O5+fNfThT1ppVC+Q11wJ/QJmciYVEDzY8A==
-----END EC PRIVATE KEY-----
sm2 public key:-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEdqAwhgrpt7NNBVKWuyXy8ltIlcl1
YQhyum1GE3G4QK3lfVBCgSYFO5+fNfThT1ppVC+Q11wJ/QJmciYVEDzY8A==
-----END PUBLIC KEY-----
sm4 key:2DB5E313E60A123DBB1A517B5355A7AC