column_encrypt
column_encrypt : Transparent column-level encryption with encrypted_text and encrypted_bytea types
Overview
| ID | Extension | Package | Version | Category | License | Language |
|---|---|---|---|---|---|---|
| 7030 | column_encrypt | column_encrypt | 4.0 | SEC | PostgreSQL | C |
| Attribute | Has Binary | Has Library | Need Load | Has DDL | Relocatable | Trusted |
|---|---|---|---|---|---|---|
| --sLd-- | No | Yes | Yes | Yes | no | no |
| Relationships | |
|---|---|
| Schemas | encrypt |
| Requires | pgcrypto |
| See Also | pg_enigma, pgsodium, pgcryptokey, pgcrypto, pg_tde, pgsmcrypto, sslutils |

Note: fixed `encrypt` schema; create schema `encrypt` before `CREATE EXTENSION`; preload `column_encrypt`.
Packages
| Type | Repo | Version | PG Major Compatibility | Package Pattern | Dependencies |
|---|---|---|---|---|---|
| EXT | PIGSTY | 4.0 | 18, 17, 16, 15, 14 | column_encrypt | pgcrypto |
| RPM | PIGSTY | 4.0 | 18, 17, 16, 15, 14 | column_encrypt_$v | - |
| DEB | PIGSTY | 4.0 | 18, 17, 16, 15, 14 | postgresql-$v-column-encrypt | - |
| Linux / PG | PG18 | PG17 | PG16 | PG15 | PG14 |
|---|---|---|---|---|---|
| el8.x86_64 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 |
| el8.aarch64 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 |
| el9.x86_64 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 |
| el9.aarch64 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 |
| el10.x86_64 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 |
| el10.aarch64 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 |
| d12.x86_64 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 |
| d12.aarch64 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 |
| d13.x86_64 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 |
| d13.aarch64 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 |
| u22.x86_64 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 |
| u22.aarch64 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 |
| u24.x86_64 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 |
| u24.aarch64 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 |
| u26.x86_64 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 |
| u26.aarch64 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 |
Source

```bash
pig build pkg column_encrypt; # build rpm/deb
```

Install

Make sure the PGDG and PIGSTY repos are available:

```bash
pig repo add pgsql -u # add both repos and update cache
```

Install this extension with pig:

```bash
pig install column_encrypt; # install via package name, for the active PG version
pig install column_encrypt -v 18; # install for PG 18
pig install column_encrypt -v 17; # install for PG 17
pig install column_encrypt -v 16; # install for PG 16
pig install column_encrypt -v 15; # install for PG 15
pig install column_encrypt -v 14; # install for PG 14
```

Add this extension to shared_preload_libraries (postgresql.conf takes no trailing semicolon):

```
shared_preload_libraries = 'column_encrypt'
```

Create this extension with:

```sql
CREATE EXTENSION column_encrypt CASCADE; -- requires pgcrypto
```

Usage
Sources: README, v4.0 release, SQL objects
column_encrypt provides transparent column-level encryption for PostgreSQL. It defines encrypted_text and encrypted_bytea types, encrypts values through type input functions, decrypts through output functions, and manages data-encryption keys through the encrypt schema.
Enable
Load the shared library at server start, restart PostgreSQL, then create the schema and extension:
```
shared_preload_libraries = 'column_encrypt'
```

```sql
CREATE EXTENSION pgcrypto;
CREATE SCHEMA IF NOT EXISTS encrypt;
CREATE EXTENSION column_encrypt;
```

Add `encrypt` to `search_path` or schema-qualify the encrypted types and functions.
Register And Load Keys
```sql
SELECT encrypt.register_key('my-secret-data-key', 'my-master-passphrase');
SELECT encrypt.load_key('my-master-passphrase');
SELECT * FROM encrypt.keys();
SELECT * FROM encrypt.status();
```

The extension uses a two-tier key model with key-encryption keys and data-encryption keys. Ciphertext carries a key-version header so older values can still be decrypted after rotation.
Encrypt Columns
```sql
CREATE TABLE secure_data (
    id bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    ssn encrypt.encrypted_text,
    payload encrypt.encrypted_bytea
);
INSERT INTO secure_data (ssn, payload)
VALUES ('888-999-2045', decode('aabbcc', 'hex'));
SELECT id, ssn FROM secure_data;
```

Without a loaded key, decrypting encrypted values raises an error.
Key Operations
Common functions include encrypt.activate_key, encrypt.revoke_key, encrypt.rotate, encrypt.verify, encrypt.unload_key, encrypt.loaded_cipher_key_versions, and encrypt.blind_index.
Use blind indexes for lookup patterns that cannot expose plaintext values directly:
```sql
SELECT encrypt.blind_index('888-999-2045', 'lookup-hmac-key');
```

Notes
The extension intentionally rejects binary send/receive for encrypted values. Equality and hash semantics are based on decrypted plaintext; range ordering is not supported. After upgrading from older ciphertext-hash behavior, rebuild hash indexes on encrypted columns.
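The Encrypt Columns and blind-index sections above describe the pieces separately; the following puts them together as a complete equality-lookup pattern. This is an added example, not code from the column_encrypt README or release notes. It assumes a data key has already been registered and loaded as in Register And Load Keys, and that `lookup-hmac-key` is a secret kept separate from the data-encryption passphrase. The `customer` table, the `ssn_bidx` column and the index name are made up for the example, and the `::text` cast is there only because this page does not state the return type of `encrypt.blind_index`.

```sql
-- Added example, not part of the column_encrypt project's own docs.
-- Assumes: encrypt.register_key / encrypt.load_key have already been run in this
-- session, and 'lookup-hmac-key' is a secret separate from the data-encryption key.

-- Table and column names are hypothetical.
CREATE TABLE customer (
    id       bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    ssn      encrypt.encrypted_text,   -- ciphertext at rest, decrypted by the output function
    ssn_bidx text NOT NULL             -- keyed hash of the plaintext, never the plaintext itself
);

-- A plain btree on the blind index is all an equality lookup needs.
CREATE INDEX customer_ssn_bidx_idx ON customer (ssn_bidx);

-- Write path: store the blind index next to the ciphertext. The ::text cast keeps
-- the example independent of whatever type blind_index returns.
INSERT INTO customer (ssn, ssn_bidx)
VALUES ('888-999-2045', encrypt.blind_index('888-999-2045', 'lookup-hmac-key')::text),
       ('123-45-6789',  encrypt.blind_index('123-45-6789',  'lookup-hmac-key')::text);

-- Read path: compare blind index to blind index. No row is decrypted to find the
-- match, so locating the row does not depend on a loaded data key; only id is
-- selected here because returning ssn would run the decrypting output function.
SELECT id
FROM   customer
WHERE  ssn_bidx = encrypt.blind_index('888-999-2045', 'lookup-hmac-key')::text;

-- For contrast: equality on encrypted_text is defined on decrypted plaintext (see
-- Notes), so this also finds the row, but it needs a loaded key and decrypts
-- every candidate row instead of using the blind index.
SELECT id, ssn
FROM   customer
WHERE  ssn = '888-999-2045';
```

Two things to keep in view when using this pattern. The blind index reveals which rows share a plaintext value, and if the HMAC key leaks it allows keyed guessing of candidate values, which is why that key must not be the data-encryption key and should be rotated on its own schedule. The HMAC key also appears in the statement text above, so with `log_statement = 'all'` or slow-query logging it would land in the server log; in an application, supply it as a bind parameter and keep statement logging for such queries restricted. Finally, apply the same normalization (trimming, case) to the plaintext on the write path and the read path, or the two blind indexes will not match.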