CREATE CLIENT MASTER KEY

Function

CREATE CLIENT MASTER KEY creates a client master key (CMK).

Precautions

When connecting to the database with gsql, add the -C option to enable the encrypted database feature.

Before creating a CMK, you need to use KeyTool to generate a key.

Syntax

CREATE CLIENT MASTER KEY client_master_key_name WITH '(' master_key_params ')';

master_key_params:

KEY_STORE '=' key_store_value ',' KEY_PATH '=' key_path_value ',' ALGORITHM '=' algorithm_value

Parameter Description

  • client_master_key_name

    Name of the CMK. It must be unique within the same namespace.

    Value range: a string. It must comply with the naming convention.

  • master_key_params

    Parameters involved in creating a CMK, including:

    • KEY_STORE: Currently, the value is gs_ktool.
    • KEY_PATH: The value is the ID of the key generated by KeyTool, for example, gs_ktool/1.
    • ALGORITHM: An algorithm used to encrypt the column encryption key. Currently, only **AES_256_CBC** is supported.

Examples

-- Create the dev_ce user.
postgres=# CREATE USER dev_ce PASSWORD 'dev@1234';
-- Connect to an encrypted database.
gsql -p 57101 postgres -U dev_ce -r -C
gsql ((GaussDB Kernel V500R001C20 build e1aa9b47) compiled at 2020-11-24 20:03:57 commit 1093 last mr 1793 debug)
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.

postgres=>
-- Use KeyTool to create a key.
postgres=> \! gs_ktool -g
-- Create a CMK.
postgres=> CREATE CLIENT MASTER KEY ImgCMK WITH ( KEY_STORE = gs_ktool , KEY_PATH = "gs_ktool/1" , ALGORITHM = AES_256_CBC);
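
A lint check for deployment scripts, built from the syntax and parameter limits described above. It is an added example, not openGauss code: the function names, the numeric key-ID pattern, the exact-spelling comparison and the two failing sample statements are assumptions made for illustration.

```python
import re

# Accepted values as documented on this page, compared with exact spelling.
# Assumption: key IDs are numeric, generalised from the page's "gs_ktool/1".
RULES = {
    "KEY_STORE": re.compile(r"gs_ktool"),
    "KEY_PATH": re.compile(r"gs_ktool/\d+"),
    "ALGORITHM": re.compile(r"AES_256_CBC"),
}
STMT_RE = re.compile(
    r"CREATE\s+CLIENT\s+MASTER\s+KEY\s+(?P<name>\w+)\s+WITH\s*\((?P<params>[^)]*)\)\s*;",
    re.IGNORECASE)
# One "NAME = value" pair; the value may be bare, single- or double-quoted.
PARAM_RE = re.compile(r"""\s*(\w+)\s*=\s*("[^"]*"|'[^']*'|[^\s,]+)\s*""")

# Constructed sample input: the page's own statement plus two bad variants.
SAMPLE_SQL = """
CREATE CLIENT MASTER KEY ImgCMK WITH ( KEY_STORE = gs_ktool , KEY_PATH = "gs_ktool/1" , ALGORITHM = AES_256_CBC);
CREATE CLIENT MASTER KEY BadAlg WITH (KEY_STORE = gs_ktool, KEY_PATH = "gs_ktool/2", ALGORITHM = AES_128_ECB);
CREATE CLIENT MASTER KEY NoPath WITH (KEY_STORE = localkms, ALGORITHM = AES_256_CBC);
"""


def parse_params(text):
    """Split 'K = v, K = v' into a dict; reject malformed or repeated entries."""
    params = {}
    for item in text.split(","):
        m = PARAM_RE.fullmatch(item)
        if not m:
            raise ValueError(f"malformed parameter: {item.strip()!r}")
        key = m.group(1).upper()
        if key in params:
            raise ValueError(f"duplicate parameter: {key}")
        params[key] = m.group(2).strip("\"'")
    return params


def check_cmk_statements(sql):
    """Return (cmk_name, problem) for each CREATE CLIENT MASTER KEY violation."""
    findings = []
    for stmt in STMT_RE.finditer(sql):
        name = stmt.group("name")
        try:
            p = parse_params(stmt.group("params"))
        except ValueError as exc:
            findings.append((name, str(exc)))
            continue
        for key, rule in RULES.items():
            if key not in p:
                findings.append((name, f"missing {key}"))
            elif not rule.fullmatch(p[key]):
                findings.append((name, f"unsupported {key} {p[key]}"))
    return findings
```

Calling check_cmk_statements(SAMPLE_SQL) returns findings for BadAlg and NoPath only; the statement taken from this page passes.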