Logo
加解密规则

语法清单 #

语法描述类型
CREATE ENCRYPT RULE创建加密规则RDL
ALTER ENCRYPT RULE修改加密规则RDL
DROP ENCRYPT RULE删除加密规则RDL
SHOW ENCRYPT RULES查看加密规则RQL
select [,string] … [,] decrypt({tableName}, {encryptColumn}, {encryptValue}), [,string] …查询解密结果RQL

1. 创建加密规则 #

CreateEncryptRule ::=
  'CREATE' 'ENCRYPT' 'RULE' ifNotExists? encryptDefinition (',' encryptDefinition)* (',' queryWithPlainOrCipher)?

ifNotExists ::=
  'IF' 'NOT' 'EXISTS'

encryptDefinition ::=
  ruleName '(' 'COLUMNS' '(' columnDefinition (',' columnDefinition)*  ')' (',' queryWithPlainOrCipher)? ')'

columnDefinition ::=
  '(' 'NAME' '=' columnName (',' 'DATA_TYPE' '=' dataType)? (',' 'PLAIN' '=' plainColumnName)? ',' 'CIPHER' '=' cipherColumnName (',' 'CIPHER_DATA_TYPE' '=' dataType)? (',' 'ASSISTED_QUERY' '=' assistedQueryColumnName (',' 'ASSISTED_QUERY_DATA_TYPE' '=' dataType)?)? (',' 'LIKE_QUERY' '=' likeQueryColumnName (',' 'LIKE_QUERY_DATA_TYPE' '=' dataType)?)? ',' encryptAlgorithmDefinition (',' assistedQueryAlgorithmDefinition)? (',' likeQueryAlgorithmDefinition)? (',' queryWithPlainOrCipher)? ')'

encryptAlgorithmDefinition ::=
  'ENCRYPT_ALGORITHM' '(' 'TYPE' '(' 'NAME' '=' encryptAlgorithmType (',' propertiesDefinition)? ')'

assistedQueryAlgorithmDefinition ::=
  'ASSISTED_QUERY_ALGORITHM' '(' 'TYPE' '(' 'NAME' '=' encryptAlgorithmType (',' propertiesDefinition)? ')'

likeQueryAlgorithmDefinition ::=
  'LIKE_QUERY_ALGORITHM' '(' 'TYPE' '(' 'NAME' '=' encryptAlgorithmType (',' propertiesDefinition)? ')'

propertiesDefinition ::=
  'PROPERTIES' '(' key '=' value (',' key '=' value)* ')'

queryWithPlainOrCipher ::=
    : ('QUERY_WITH_CIPHER_COLUMN' | 'QUERY_WITH_PLAIN') '=' ('TRUE' | 'FALSE')
    ;

tableName ::=
  identifier

columnName ::=
  identifier

dataType ::=
  string

plainColumnName ::=
  identifier

cipherColumnName ::=
  identifier

assistedQueryColumnName ::=
  identifier

likeQueryColumnName ::=
  identifier

encryptAlgorithmType ::=
  string

key ::=
  string

value ::=
  literal

参数说明

名称数据类型说明
tableNameIDENTIFIER表名称
columnNameIDENTIFIER逻辑列名称
DATA_TYPEIDENTIFIER逻辑列数据类型
PLAINIDENTIFIER明文列名称
CIPHERIDENTIFIER加密列名称
CIPHER_DATA_TYPEIDENTIFIER加密列数据类型
ASSISTED_QUERY_COLUMNIDENTIFIER辅助查询列 1.5.0 前参数,已做兼容,目前可用
ASSISTED_QUERYIDENTIFIER辅助查询列 1.5.0 后参数,推荐使用
ASSISTED_QUERY_DATA_TYPEIDENTIFIER辅助查询列数据类型
LIKE_QUERY_COLUMNIDENTIFIER模糊查询列 1.5.0 前参数,已做兼容,目前可用
LIKE_QUERYIDENTIFIER模糊查询列 1.5.0 后参数,推荐使用
LIKE_QUERY_DATA_TYPEIDENTIFIER模糊查询列数据类型
ENCRYPT_ALGORITHMSTRING加密算法名称
ASSISTED_QUERY_ALGORITHMSTRING辅助查询算法
LIKE_QUERY_ALGORITHMSTRING模糊查询算法
  • PLAIN 指定明文数据列,CIPHER 指定密文数据列,创建加密规则后,Proxy 将禁止对明文列、密文列进行除 ADD COLUMN 外的 DDL 操作
  • encryptAlgorithmType 指定加密算法类型,请参考 加密算法
  • 重复的 tableName 将无法被创建
  • QUERY_WITH_CIPHER_COLUMN 使用密文列查询:支持大写或小写的 true 或 false,支持表级别和列级别以及全局级别的设置,与 QUERY_WITH_PLAIN 互斥
  • QUERY_WITH_PLAIN 使用明文列查询:支持大写或小写的 true 或 false,支持表级别和列级别以及全局级别的设置,与 QUERY_WITH_CIPHER_COLUMN 互斥
  • ASSISTED_QUERY 辅助查询列:不能与逻辑列重名,在用户的 CIPHER (加密字段)以及对应的加密算法无法支持查询时,可以配置该字段用来辅助查询。例如用户配置的加密算法对于同一个值进行多次加密的结果不同,那么就无法使用 CIPHER (加密字段)进行查询,这时候就需要使用辅助查询列进行查询。辅助查询列对应的算法一般可以使用不可逆的算法,但是对于同一个值进行多次加密的结果需要相同
  • LIKE_QUERY 模糊查询列:不能与逻辑列重名,用于帮助用户进行 like 查询时使用的列。一般 CIPHER (加密字段) 配置的算法无法支持 like 查询,所以当用户需要使用 like查询时,需要配置模糊查询列以及对应的模糊查询算法
  • ASSISTED_QUERY_ALGORITHM 辅助查询算法:即辅助查询列对应的算法。一般是不可逆,并且多次加密结果一致的算法
  • LIKE_QUERY_ALGORITHM 模糊查询算法:即模糊查询列对应的算法,可以支持 like 查询的算法

示例

创建数据加密规则

CREATE ENCRYPT RULE t_encrypt (
  COLUMNS (
    (
      NAME=merchant_name, DATA_TYPE='varchar(20)', 
      PLAIN=merchant_name_plain, 
      CIPHER=merchant_name_cipher, CIPHER_DATA_TYPE='varchar(100)', 
      ASSISTED_QUERY=merchant_name_assisted, ASSISTED_QUERY_DATA_TYPE='varchar(100)', 
      LIKE_QUERY=merchant_name_like, LIKE_QUERY_DATA_TYPE='varchar(50)', 
      ENCRYPT_ALGORITHM(TYPE(NAME='AES',PROPERTIES('aes-key-value'='123456abc'))), 
      ASSISTED_QUERY_ALGORITHM(TYPE(NAME='MD5',PROPERTIES('salt'='121212'))), 
      LIKE_QUERY_ALGORITHM(TYPE(NAME='CHAR_DIGEST_LIKE',PROPERTIES('delta'='2'))), QUERY_WITH_CIPHER_COLUMN=true
    )
  ), QUERY_WITH_PLAIN=true
);

使用 ifNotExists 子句创建数据加密规则

CREATE ENCRYPT RULE IF NOT EXISTS t_encrypt (
  COLUMNS (
    (
      NAME=merchant_name, DATA_TYPE='varchar(20)', 
      PLAIN=merchant_name_plain, 
      CIPHER=merchant_name_cipher, CIPHER_DATA_TYPE='varchar(100)', 
      ASSISTED_QUERY=merchant_name_assisted, ASSISTED_QUERY_DATA_TYPE='varchar(100)', 
      LIKE_QUERY=merchant_name_like, LIKE_QUERY_DATA_TYPE='varchar(50)', 
      ENCRYPT_ALGORITHM(TYPE(NAME='AES',PROPERTIES('aes-key-value'='123456abc'))), 
      ASSISTED_QUERY_ALGORITHM(TYPE(NAME='MD5',PROPERTIES('salt'='121212'))), 
      LIKE_QUERY_ALGORITHM(TYPE(NAME='CHAR_DIGEST_LIKE',PROPERTIES('delta'='2'))), QUERY_WITH_CIPHER_COLUMN=true
    )
  ), QUERY_WITH_PLAIN=true
);

2. 修改加密规则 #

ALTEREncryptRule ::=
  'ALTER' 'ENCRYPT' 'RULE' encryptDefinition (',' encryptDefinition)* (',' queryWithPlainOrCipher)?

encryptDefinition ::=
  ruleName '(' 'COLUMNS' '(' columnDefinition (',' columnDefinition)*  ')' (',' queryWithPlainOrCipher)? ')'

columnDefinition ::=
  '(' 'NAME' '=' columnName (',' 'DATA_TYPE' '=' dataType)? (',' 'PLAIN' '=' plainColumnName)? ',' 'CIPHER' '=' cipherColumnName (',' 'CIPHER_DATA_TYPE' '=' dataType)? (',' 'ASSISTED_QUERY' '=' assistedQueryColumnName (',' 'ASSISTED_QUERY_DATA_TYPE' '=' dataType)?)? (',' 'LIKE_QUERY' '=' likeQueryColumnName (',' 'LIKE_QUERY_DATA_TYPE' '=' dataType)?)? ',' encryptAlgorithmDefinition (',' assistedQueryAlgorithmDefinition)? (',' likeQueryAlgorithmDefinition)? (',' queryWithPlainOrCipher)? ')' 

encryptAlgorithmDefinition ::=
  'ENCRYPT_ALGORITHM' '(' 'TYPE' '(' 'NAME' '=' encryptAlgorithmType (',' propertiesDefinition)? ')'

assistedQueryAlgorithmDefinition ::=
  'ASSISTED_QUERY_ALGORITHM' '(' 'TYPE' '(' 'NAME' '=' encryptAlgorithmType (',' propertiesDefinition)? ')'

likeQueryAlgorithmDefinition ::=
  'LIKE_QUERY_ALGORITHM' '(' 'TYPE' '(' 'NAME' '=' encryptAlgorithmType (',' propertiesDefinition)? ')'

propertiesDefinition ::=
  'PROPERTIES' '(' key '=' value (',' key '=' value)* ')'

queryWithPlainOrCipher ::=
    : ('QUERY_WITH_CIPHER_COLUMN' | 'QUERY_WITH_PLAIN') '=' ('TRUE' | 'FALSE')
    ;

tableName ::=
  identifier

columnName ::=
  identifier

dataType ::=
  string

plainColumnName ::=
  identifier

cipherColumnName ::=
  identifier

assistedQueryColumnName ::=
  identifier

likeQueryColumnName ::=
  identifier

encryptAlgorithmType ::=
  string

key ::=
  string

value ::=
  literal

参数说明

名称数据类型说明
tableNameIDENTIFIER表名称
columnNameIDENTIFIER逻辑列名称
DATA_TYPEIDENTIFIER逻辑列数据类型
PLAINIDENTIFIER明文列名称
CIPHERIDENTIFIER加密列名称
CIPHER_DATA_TYPEIDENTIFIER加密列数据类型
ASSISTED_QUERY_COLUMNIDENTIFIER辅助查询列 1.5.0 前参数,已做兼容,目前可用,等同于 ASSISTED_QUERY
ASSISTED_QUERYIDENTIFIER辅助查询列 1.5.0 后参数,推荐使用,等同于 ASSISTED_QUERY_COLUMN
ASSISTED_QUERY_DATA_TYPEIDENTIFIER辅助查询列数据类型
LIKE_QUERY_COLUMNIDENTIFIER模糊查询列 1.5.0 前参数,已做兼容,目前可用,等同于 LIKE_QUERY
LIKE_QUERYIDENTIFIER模糊查询列 1.5.0 后参数,推荐使用,等同于 LIKE_QUERY_COLUMN
LIKE_QUERY_DATA_TYPEIDENTIFIER模糊查询列数据类型
ENCRYPT_ALGORITHMSTRING加密算法名称
ASSISTED_QUERY_ALGORITHMSTRING辅助查询算法
LIKE_QUERY_ALGORITHMSTRING模糊查询算法
  • PLAIN 指定明文数据列,CIPHER 指定密文数据列,创建加密规则后,Proxy 将禁止对明文列、密文列进行除 ADD COLUMN 外的 DDL 操作
  • encryptAlgorithmType 指定加密算法类型,请参考 加密算法
  • 重复的 tableName 将无法被创建
  • QUERY_WITH_CIPHER_COLUMN 使用密文列查询:支持大写或小写的 true 或 false,支持表级别和列级别以及全局级别的设置,与 QUERY_WITH_PLAIN 互斥
  • QUERY_WITH_PLAIN 使用明文列查询:支持大写或小写的 true 或 false,支持表级别和列级别以及全局级别的设置,与 QUERY_WITH_CIPHER_COLUMN 互斥
  • ASSISTED_QUERY 辅助查询列:不能与逻辑列重名,在用户的 CIPHER (加密字段)以及对应的加密算法无法支持查询时,可以配置该字段用来辅助查询。例如用户配置的加密算法对于同一个值进行多次加密的结果不同,那么就无法使用 CIPHER (加密字段)进行查询,这时候就需要使用辅助查询列进行查询。辅助查询列对应的算法一般可以使用不可逆的算法,但是对于同一个值进行多次加密的结果需要相同
  • LIKE_QUERY 模糊查询列:不能与逻辑列重名,用于帮助用户进行 like 查询时使用的列。一般 CIPHER (加密字段) 配置的算法无法支持 like 查询,所以当用户需要使用 like查询时,需要配置模糊查询列以及对应的模糊查询算法
  • ASSISTED_QUERY_ALGORITHM 辅助查询算法:即辅助查询列对应的算法。一般是不可逆,并且多次加密结果一致的算法
  • LIKE_QUERY_ALGORITHM 模糊查询算法:即模糊查询列对应的算法,可以支持 like 查询的算法

示例

ALTER ENCRYPT RULE t_encrypt (
  COLUMNS (
    (
      NAME=merchant_name, DATA_TYPE='varchar(20)', 
      PLAIN=merchant_name_plain, 
      CIPHER=merchant_name_cipher, CIPHER_DATA_TYPE='varchar(100)', 
      ASSISTED_QUERY=merchant_name_assisted, ASSISTED_QUERY_DATA_TYPE='varchar(100)', 
      LIKE_QUERY=merchant_name_like, LIKE_QUERY_DATA_TYPE='varchar(50)', 
      ENCRYPT_ALGORITHM(TYPE(NAME='AES',PROPERTIES('aes-key-value'='123456abc'))), 
      ASSISTED_QUERY_ALGORITHM(TYPE(NAME='MD5',PROPERTIES('salt'='121212'))), 
      LIKE_QUERY_ALGORITHM(TYPE(NAME='CHAR_DIGEST_LIKE',PROPERTIES('delta'='2'))), QUERY_WITH_CIPHER_COLUMN=true
    )
  ), QUERY_WITH_PLAIN=true
);

3. 删除加密规则 #

示例

删除加密规则

DROP ENCRYPT RULE t_encrypt, t_encrypt_2;

使用 ifExists 删除加密规则

DROP ENCRYPT RULE IF EXISTS t_encrypt, t_encrypt_2;

4. 查看加密规则 #

SHOW ENCRYPT RULES [FROM databaseName]

示例

查询所有的数据加密规则

mysql> SHOW ENCRYPT RULES FROM encrypt_db;
+------------+---------------+-----------------+----------------------+------------------+---------------------+-----------------+------------------------+--------------------------+--------------------+----------------------+----------------+-------------------------+---------------------+----------------------+------------------+------------------+--------------------------+
| table      | logic_column  | logic_data_type | cipher_column        | cipher_data_type | plain_column        | plain_data_type | assisted_query_column  | assisted_query_data_type | like_query_column  | like_query_data_type | encryptor_type | encryptor_props         | assisted_query_type | assisted_query_props | like_query_type  | like_query_props | query_with_plain         |
+------------+---------------+-----------------+----------------------+------------------+---------------------+-----------------+------------------------+--------------------------+--------------------+----------------------+----------------+-------------------------+---------------------+----------------------+------------------+------------------+--------------------------+
| t_merchant | merchant_name | varchar(20)     | merchant_name_cipher | varchar(100)     | merchant_name_plain | varchar(20)     | merchant_name_assisted | varchar(100)             | merchant_name_like | varchar(50)          | AES            | aes-key-value=123456abc | MD5                 | salt=121212          | CHAR_DIGEST_LIKE | delta=2          | true                     |
+------------+---------------+-----------------+----------------------+------------------+---------------------+-----------------+------------------------+--------------------------+--------------------+----------------------+----------------+-------------------------+---------------------+----------------------+------------------+------------------+--------------------------+
1 rows in set (0.78 sec)

查询指定加密规则

示例

mysql> SHOW ENCRYPT TABLE RULE t_encrypt;
+------------+---------------+-----------------+----------------------+------------------+---------------------+-----------------+------------------------+--------------------------+--------------------+----------------------+----------------+-------------------------+---------------------+----------------------+------------------+------------------+--------------------------+
| table      | logic_column  | logic_data_type | cipher_column        | cipher_data_type | plain_column        | plain_data_type | assisted_query_column  | assisted_query_data_type | like_query_column  | like_query_data_type | encryptor_type | encryptor_props         | assisted_query_type | assisted_query_props | like_query_type  | like_query_props | query_with_plain         |
| t_encrypt  | merchant_name | varchar(20)     | merchant_name_cipher | varchar(100)     | merchant_name_plain | varchar(20)     | merchant_name_assisted | varchar(100)             | merchant_name_like | varchar(50)          | AES            | aes-key-value=123456abc | MD5                 | salt=121212          | CHAR_DIGEST_LIKE | delta=2          | true                     |
+------------+---------------+-----------------+----------------------+------------------+---------------------+-----------------+------------------------+--------------------------+--------------------+----------------------+----------------+-------------------------+---------------------+----------------------+------------------+------------------+--------------------------+
2 rows in set (0.01 sec)

mysql> SHOW ENCRYPT TABLE RULE t_encrypt FROM encrypt_db;
+------------+---------------+-----------------+----------------------+------------------+---------------------+-----------------+------------------------+--------------------------+--------------------+----------------------+----------------+-------------------------+---------------------+----------------------+------------------+------------------+--------------------------+
| table      | logic_column  | logic_data_type | cipher_column        | cipher_data_type | plain_column        | plain_data_type | assisted_query_column  | assisted_query_data_type | like_query_column  | like_query_data_type | encryptor_type | encryptor_props         | assisted_query_type | assisted_query_props | like_query_type  | like_query_props | query_with_plain         |
+------------+---------------+-----------------+----------------------+------------------+---------------------+-----------------+------------------------+--------------------------+--------------------+----------------------+----------------+-------------------------+---------------------+----------------------+------------------+------------------+--------------------------+
| t_encrypt  | merchant_name | varchar(20)     | merchant_name_cipher | varchar(100)     | merchant_name_plain | varchar(20)     | merchant_name_assisted | varchar(100)             | merchant_name_like | varchar(50)          | AES            | aes-key-value=123456abc | MD5                 | salt=121212          | CHAR_DIGEST_LIKE | delta=2          | true                     |
+------------+---------------+-----------------+----------------------+------------------+---------------------+-----------------+------------------------+--------------------------+--------------------+----------------------+----------------+-------------------------+---------------------+----------------------+------------------+------------------+--------------------------+
2 rows in set (0.01 sec))

输出说明

说明
table逻辑表名
logic_column逻辑列名
logic_data_type逻辑列数据类型
cipher_column密文列名
cipher_data_type密文列数据类型
plain_column明文列名
plain_data_type明文列数据类型
assisted_query_column辅助查询列名
assisted_query_data_type辅助查询列数据类型
assisted_query_type辅助查询算法类型
assisted_query_props辅助查询算参数
like_query_column模糊查询列
like_query_data_type模糊查询列数据类型
like_query_type模糊查询算法类型
like_query_props模糊查询算参数
encryptor_type加密算法类型
encryptor_props加密算法参数
query_with_plain是否使用明文列进行查询

5. 查询解密结果 #

select 用法一致,提供 decrypt() 函数,tableName 为需要解密的表,encryptColumn 为需要解密的列, encryptValue 为需要解密的真实值。使用时需要配置对应的加密规则。

select [,string]  [,] decrypt({tableName}, {encryptColumn}, {encryptValue}), [,string]

示例

SELECT 'Lm04PRW+sp+mG/QuimAUew==', decrypt(t_user, pwd_cipher, 'Lm04PRW+sp+mG/QuimAUew==') UNION SELECT 'XXX', decrypt(t_user, pwd_cipher, 'XXX');