PostgreSQL 对称加密、非对称加密用法介绍

点击有惊喜

标签

PostgreSQL , 对称加密 , 非对称加密 , Symmetric , ASymmetric , public , private , pgcrypto , 区块链

背景

对称加密方法，指加密和解密使用同一把密钥的方法。优势是加密速度快，缺陷是密钥只有一把，安全性较低。

非对称加密方法，指加密和解密用到一对钥匙，一把为私钥，一把为公钥。通常的用法是公钥用于加密，私钥用于解密。优势是更加安全，你自己只要保护好私钥，就可以保证别人给你发的数据无法被篡改、窃听。缺陷是加解密效率比对称加密更差一些。

混合加密，指发送大量加密数据前，首先使用非对称加密，将对称加密的密钥加密发送给对端，然后双方使用对称加密通讯。时长更改对称加密的密钥来保证安全。

PostgreSQL pgcrypto插件，同时支持对称和非对称加密，详细用法参考:

https://www.postgresql.org/docs/devel/static/pgcrypto.html

用法介绍

一、对称加密

加密和解密使用同一把钥匙。

1、加密

postgres=# \x
Expanded display is on.
postgres=# select pgp_sym_encrypt('需要加密的文字，你好呀，我是digoal.', 'this is password', 'cipher-algo=aes256, compress-algo=2');
-[ RECORD 1 ]---+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
pgp_sym_encrypt | \xc30d040903022bdfd5bc64a755e072d27001818495e940d555f02711fed0cce27265d8955af6a669c6996dfd805dbfdf45c0e81ceb7aff8ced8dad51a812127043674720e054e4bf8738048b5e57df3b87b1f786270db0dddb14a9bc89701a53fc6d9a597861a818f7bb38f085ca7c413af25c68344f4676f62aa1a72c76183369

2、解密

postgres=# select pgp_sym_decrypt('\xc30d040903022bdfd5bc64a755e072d27001818495e940d555f02711fed0cce27265d8955af6a669c6996dfd805dbfdf45c0e81ceb7aff8ced8dad51a812127043674720e054e4bf8738048b5e57df3b87b1f786270db0dddb14a9bc89701a53fc6d9a597861a818f7bb38f085ca7c413af25c68344f4676f62aa1a72c76183369', 'this is password');
-[ RECORD 1 ]---+------------------------------------
pgp_sym_decrypt | 需要加密的文字，你好呀，我是digoal.

二、非对称加密

由于非对称加解密使用的是一对公钥和密钥，首先需要生成一对公钥和密钥。

使用

gpg --gen-key

 可以生成。

以Linux系统为例。

安装、启动rng-tools

为了快速生成随机数，需要安装rng-tools。（产生公钥与密钥时，需要一些随机数）

yum install -y rng-tools

启动rngd，生成随机数

rngd

read error

hwrng: no available rng
Unable to open file: /dev/tpm0

# ps -ewf|grep rngd
root     14762     1  0 14:52 ?        00:00:00 rngd
root     14767 12394  0 14:52 pts/4    00:00:00 grep --color=auto rngd

生成一对公钥和密钥

1、

# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

2、输入KEY类别，选择2

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 2

3、选择KEY的长度

DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits

4、输入KEY的有效时间，这里输入的是10年

Please specify how long the key should be valid.
0 = key does not expire
<n>  = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 10y
Key expires at Thu 24 Feb 2028 02:52:09 PM CST

5、是否正确

Is this correct? (y/N) y

6、输入KEY的标识

GnuPG needs to construct a user ID to identify your key.

Real name: digoal
Email address: digoal@126.com
Comment: test
You selected this USER-ID:
"digoal (test) <digoal@126.com>"

7、确认

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

8、输入私有密钥的保护密码

You need a Passphrase to protect your secret key.
假设这里输入了 hello123

lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk
x Enter passphrase                                    x
x                                                     x
x                                                     x
x Passphrase ********________________________________ x
x                                                     x
x       <OK>                             <Cancel>     x
mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj

lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk
x Please re-enter this passphrase                     x
x                                                     x
x Passphrase ********________________________________ x
x                                                     x
x       <OK>                             <Cancel>     x
mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj

生成好后，也能设置密码

# gpg --passwd "digoal (test) <digoal@126.com>"

lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk
x Please enter the passphrase to unlock the secret key for the OpenPGP certificate:  x
x "digoal (test) <digoal@126.com>"                                                   x
x 2048-bit DSA key, ID 42CF57DB,                                                     x
x created 2018-02-26.                                                                x
x                                                                                    x
x                                                                                    x
x Passphrase *********______________________________________________________________ x
x                                                                                    x
x            <OK>                                                  <Cancel>          x
mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj

Enter the new passphrase for this secret key.

lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk
x Enter passphrase                                    x
x                                                     x
x                                                     x
x Passphrase ********________________________________ x
x                                                     x
x       <OK>                             <Cancel>     x
mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj

lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk
x Please re-enter this passphrase                     x
x                                                     x
x Passphrase ********________________________________ x
x                                                     x
x       <OK>                             <Cancel>     x
mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj

9、生成密钥过程中，需要机器有一定的随机输入，所以我们前面启动了rngd

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: WARNING: some OpenPGP programs can't handle a DSA key with this digest size
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

点击有惊喜