CREATE CLIENT MASTER KEY
Function
CREATE CLIENT MASTER KEY creates a client master key (CMK).
Precautions
When using gsql to connect to the database, you need to add the -C option to enable the encrypted database function.
Before creating a CMK, you need to use KeyTool to generate a key.
Syntax
CREATE CLIENT MASTER KEY client_master_key_name WITH '(' master_key_params ')';
master_key_params:
KEY_STORE '=' key_store_value ',' KEY_PATH '=' key_path_value ',' ALGORITHM '=' algorithm_value
Parameter Description
client_master_key_name
Name of the CMK. The name must be unique within its namespace.
Value range: a string. It must comply with the naming convention.
master_key_params
Parameters involved in creating a CMK, including:
- KEY_STORE: Currently, the value is gs_ktool.
- KEY_PATH: The value is the ID of the key generated by KeyTool, for example, gs_ktool/1.
- ALGORITHM: The algorithm used to encrypt the column encryption key. Currently, only **AES_256_CBC** is supported.
Examples
-- Create the dev_ce user.
postgres=# CREATE USER dev_ce PASSWORD 'dev@1234';
-- Connect to an encrypted database.
gsql -p 57101 postgres -U dev_ce -r -C
gsql ((GaussDB Kernel V500R001C20 build e1aa9b47) compiled at 2020-11-24 20:03:57 commit 1093 last mr 1793 debug)
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.
postgres=>
-- Use KeyTool to create a key.
postgres=> \! gs_ktool -g
-- Create a CMK.
postgres=> CREATE CLIENT MASTER KEY ImgCMK WITH ( KEY_STORE = gs_ktool , KEY_PATH = "gs_ktool/1" , ALGORITHM = AES_256_CBC);