Encrypt #
Syntax #
CREATE ENCRYPT RULE
CreateEncryptRule ::=
'CREATE' 'ENCRYPT' 'RULE' ifNotExists? encryptDefinition (',' encryptDefinition)*
ifNotExists ::=
'IF' 'NOT' 'EXISTS'
encryptDefinition ::=
ruleName '(' 'COLUMNS' '(' columnDefinition (',' columnDefinition)* ')' (',' 'QUERY_WITH_CIPHER_COLUMN' '=' ('TRUE' | 'FALSE'))? ')'
columnDefinition ::=
'(' 'NAME' '=' columnName (',' 'DATA_TYPE' '=' dataType)? (',' 'PLAIN' '=' plainColumnName (',' 'PLAIN_DATA_TYPE' '=' dataType)?)? ',' 'CIPHER' '=' cipherColumnName (',' 'CIPHER_DATA_TYPE' '=' dataType)? (',' 'ASSISTED_QUERY_COLUMN' '=' assistedQueryColumnName (',' 'ASSISTED_QUERY_DATA_TYPE' '=' dataType)?)? (',' 'LIKE_QUERY_COLUMN' '=' likeQueryColumnName (',' 'LIKE_QUERY_DATA_TYPE' '=' dataType)?)? ',' encryptAlgorithmDefinition (',' assistedQueryAlgorithmDefinition)? (',' likeQueryAlgorithmDefinition)? ')'
encryptAlgorithmDefinition ::=
'ENCRYPT_ALGORITHM' '(' 'TYPE' '(' 'NAME' '=' encryptAlgorithmType (',' propertiesDefinition)? ')'
assistedQueryAlgorithmDefinition ::=
'ASSISTED_QUERY_ALGORITHM' '(' 'TYPE' '(' 'NAME' '=' encryptAlgorithmType (',' propertiesDefinition)? ')'
likeQueryAlgorithmDefinition ::=
'LIKE_QUERY_ALGORITHM' '(' 'TYPE' '(' 'NAME' '=' encryptAlgorithmType (',' propertiesDefinition)? ')'
propertiesDefinition ::=
'PROPERTIES' '(' key '=' value (',' key '=' value)* ')'
tableName ::=
identifier
columnName ::=
identifier
dataType ::=
string
plainColumnName ::=
identifier
cipherColumnName ::=
identifier
assistedQueryColumnName ::=
identifier
likeQueryColumnName ::=
identifier
encryptAlgorithmType ::=
string
key ::=
string
value ::=
literal
ALTER ENCRYPT RULE
ALTEREncryptRule ::=
'ALTER' 'ENCRYPT' 'RULE' encryptDefinition (',' encryptDefinition)*
encryptDefinition ::=
ruleName '(' 'COLUMNS' '(' columnDefinition (',' columnDefinition)* ')' (',' 'QUERY_WITH_CIPHER_COLUMN' '=' ('TRUE' | 'FALSE'))? ')'
columnDefinition ::=
'(' 'NAME' '=' columnName (',' 'DATA_TYPE' '=' dataType)? (',' 'PLAIN' '=' plainColumnName (',' 'PLAIN_DATA_TYPE' '=' dataType)?)? ',' 'CIPHER' '=' cipherColumnName (',' 'CIPHER_DATA_TYPE' '=' dataType)? (',' 'ASSISTED_QUERY_COLUMN' '=' assistedQueryColumnName (',' 'ASSISTED_QUERY_DATA_TYPE' '=' dataType)?)? (',' 'LIKE_QUERY_COLUMN' '=' likeQueryColumnName (',' 'LIKE_QUERY_DATA_TYPE' '=' dataType)?)? ',' encryptAlgorithmDefinition (',' assistedQueryAlgorithmDefinition)? (',' likeQueryAlgorithmDefinition)? ')'
encryptAlgorithmDefinition ::=
'ENCRYPT_ALGORITHM' '(' 'TYPE' '(' 'NAME' '=' encryptAlgorithmType (',' propertiesDefinition)? ')'
assistedQueryAlgorithmDefinition ::=
'ASSISTED_QUERY_ALGORITHM' '(' 'TYPE' '(' 'NAME' '=' encryptAlgorithmType (',' propertiesDefinition)? ')'
likeQueryAlgorithmDefinition ::=
'LIKE_QUERY_ALGORITHM' '(' 'TYPE' '(' 'NAME' '=' encryptAlgorithmType (',' propertiesDefinition)? ')'
propertiesDefinition ::=
'PROPERTIES' '(' key '=' value (',' key '=' value)* ')'
tableName ::=
identifier
columnName ::=
identifier
dataType ::=
string
plainColumnName ::=
identifier
cipherColumnName ::=
identifier
assistedQueryColumnName ::=
identifier
likeQueryColumnName ::=
identifier
encryptAlgorithmType ::=
string
key ::=
string
value ::=
literal
DROP ENCRYPT RULE
DropEncryptRule ::=
'DROP' 'ENCRYPT' 'RULE' ifExists? encryptRuleName (',' encryptRuleName)*
ifExists ::=
'IF' 'EXISTS'
encryptRuleName ::=
identifier
Parameters Explained #
| name | DateType | Description |
|---|---|---|
| tableName | IDENTIFIER | Table name |
| columnName | IDENTIFIER | Logic column name |
| plainColumnName | IDENTIFIER | Plain column name |
| cipherColumnName | IDENTIFIER | Cipher column name |
| encryptAlgorithmType | STRING | Encryption algorithm type name |
| ASSISTED_QUERY_COLUMN | IDENTIFIER | Auxiliary query column |
| LIKE_QUERY_COLUMN | IDENTIFIER | Fuzzy query column |
| ASSISTED_QUERY_ALGORITHM | STRING | Auxiliary query algorithm |
| LIKE_QUERY_ALGORITHM | STRING | Fuzzy query algorithm |
| LIKE_QUERY_DATA_TYPE | IDENTIFIER Fuzzy query column data type| | ENCRYPT_ALGORITHM | STRING Encryption algorithm name| | ASSISTED_QUERY_ALGORITHM| STRING Auxiliary query algorithm| | LIKE_QUERY_ALGORITHM| STRING Fuzzy query algorithm|
Notes #
- PLAIN specifies the plain column, CIPHER specifies the cipher column
encryptAlgorithmTypespecifies the encryption algorithm type, please refer to Encryption Algorithm- Duplicate tableName will not be created
- queryWithCipherColumn support uppercase or lowercase true or false
ASSISTED_QUERY_COLUMNAuxiliary query column: This field is used for auxiliary query when the user’s CIPHER field and corresponding encryption algorithm do not support query. For example, if the results of multiple encrypts for the same value are different based on the encryption algorithm configured by the user, the CIPHER field cannot be used for query. In this case, auxiliary query columns are required for query. The algorithm corresponding to the auxiliary query column can generally use an irreversible algorithm, but the result of multiple encryptions of the same value must be the same.LIKE_QUERY_COLUMNFuzzy query column: Columns used to help users perform like queries. Generally, the CIPHER (encryption field) algorithm does not support the like query. Therefore, to use the like query, you need to configure the fuzzy query column and the corresponding fuzzy query algorithm.ASSISTED_QUERY_ALGORITHMAuxiliary query algorithm: Algorithm of auxiliary query columns. Generally, the algorithm is not reversible, and the result of multiple encryption is consistent.LIKE_QUERY_ALGORITHMFuzzy query algorithm: Indicates the algorithm for fuzzy query columns. Like_query_algorithm supports the like query algorithm.
Example #
CREATE ENCRYPT RULE t_encrypt (
COLUMNS(
(NAME=user_id,PLAIN=user_plain,CIPHER=user_cipher,ENCRYPT_ALGORITHM(TYPE(NAME='AES',PROPERTIES('aes-key-value'='123456abc')))),
(NAME=order_id, CIPHER =order_cipher,ENCRYPT_ALGORITHM(TYPE(NAME='MD5')))
),QUERY_WITH_CIPHER_COLUMN=true),
t_encrypt_2 (
COLUMNS(
(NAME=user_id,DATA_TYPE='int(11)',PLAIN=user_plain,PLAIN_DATA_TYPE='int(11)',CIPHER=user_cipher,CIPHER_DATA_TYPE='varchar(255)',ENCRYPT_ALGORITHM(TYPE(NAME='AES',PROPERTIES('aes-key-value'='123456abc')))),
(NAME=order_id, CIPHER=order_cipher,ENCRYPT_ALGORITHM(TYPE(NAME='MD5')))
), QUERY_WITH_CIPHER_COLUMN=FALSE);
ALTER ENCRYPT RULE t_encrypt (
COLUMNS(
(NAME=user_id,PLAIN=user_plain,CIPHER=user_cipher,ENCRYPT_ALGORITHM(TYPE(NAME='AES',PROPERTIES('aes-key-value'='123456abc')))),
(NAME=order_id,CIPHER=order_cipher,CIPHER_DATA_TYPE='varchar(255)',ENCRYPT_ALGORITHM(TYPE(NAME='MD5')))
), QUERY_WITH_CIPHER_COLUMN=TRUE);
DROP ENCRYPT RULE t_encrypt,t_encrypt_2;
KeyManager Syntax #
createEncryptKeyManager
: CREATE ENCRYPT KEY MANAGER keyManagerName keyManagerDefinition
;
alterEncryptKeyManager
: ALTER ENCRYPT KEY MANAGER keyManagerName keyManagerDefinition
;
dropEncryptKeyManager
: DROP ENCRYPT KEY MANAGER ifExists? keyManagerName
;
keyManagerDefinition:
(TYPE(NAME=keyManagerName, PROPERTIES([keyManagerProperties]))
);)
keyManagerProperties:
keyManagerProperty [, keyManagerProperty] ...
keyManagerProperty:
key=value
Parameters Explained #
| name | DateType | Description |
|---|---|---|
| keyManagerName | STRING | Name of key manager |
Example #
-- local
CREATE ENCRYPT KEY MANAGER local_key_manage (
TYPE(NAME='LOCAL',PROPERTIES("aes-key-value"="123456abc"))
);
ALTER ENCRYPT KEY MANAGER local_key_manage (
TYPE(NAME='LOCAL',PROPERTIES("aes-key-value"="123456abcd"))
);
-- aws
CREATE ENCRYPT KEY MANAGER aws_key_manage (
TYPE(NAME='SphereEx:AWS_KMS',PROPERTIES(
"access-key"="aaaaa",
"secret-key"="bbbbb",
"aws-region"="us-east-1",
"secret-name"="testA"))
);
ALTER ENCRYPT KEY MANAGER aws_key_manage (
TYPE(NAME='SphereEx:AWS_KMS',PROPERTIES(
"access-key"="aaaaa",
"secret-key"="bbbbb",
"aws-region"="us-east-1",
"secret-name"="testB"))
);