column_encrypt : Transparent column-level encryption with encrypted_text and encrypted_bytea types

Overview

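| ID | Extension | Package | Version | Category | License | Language |
|----|-----------|---------|---------|----------|---------|----------|
| 7030 | column_encrypt | column_encrypt | 4.0 | SEC | PostgreSQL | C |

| Attribute | Has Binary | Has Library | Need Load | Has DDL | Relocatable | Trusted |
|-----------|------------|-------------|-----------|---------|-------------|---------|
| --sLd-- | No | Yes | Yes | Yes | no | no |

Relationships

Schemas: encrypt
Requires: pgcrypto
See Also: pg_enigma, pgsodium, pgcryptokey, pgcrypto, pg_tde, pgsmcrypto, sslutils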

Note: the extension uses a fixed encrypt schema. Create the encrypt schema before CREATE EXTENSION, and preload column_encrypt.

Packages

| Type | Repo | Version | PG Major Compatibility | Package Pattern | Dependencies |
|------|------|---------|------------------------|-----------------|--------------|
| EXT | PIGSTY | 4.0 | 18, 17, 16, 15, 14 | column_encrypt | pgcrypto |
| RPM | PIGSTY | 4.0 | 18, 17, 16, 15, 14 | column_encrypt_$v | - |
| DEB | PIGSTY | 4.0 | 18, 17, 16, 15, 14 | postgresql-$v-column-encrypt | - |

| Linux / PG | PG18 | PG17 | PG16 | PG15 | PG14 |
|------------|------|------|------|------|------|
| el8.x86_64 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 |
| el8.aarch64 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 |
| el9.x86_64 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 |
| el9.aarch64 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 |
| el10.x86_64 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 |
| el10.aarch64 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 |
| d12.x86_64 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 |
| d12.aarch64 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 |
| d13.x86_64 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 |
| d13.aarch64 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 |
| u22.x86_64 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 |
| u22.aarch64 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 |
| u24.x86_64 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 |
| u24.aarch64 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 |
| u26.x86_64 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 |
| u26.aarch64 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 | PIGSTY 4.0 |

| Package | Version | OS | ORG | SIZE | File URL |
|---------|---------|----|-----|------|----------|
| column_encrypt_18 | 4.0 | el8.x86_64 | pigsty | 55.2 KiB | column_encrypt_18-4.0-1PIGSTY.el8.x86_64.rpm |
| column_encrypt_18 | 4.0 | el8.aarch64 | pigsty | 54.9 KiB | column_encrypt_18-4.0-1PIGSTY.el8.aarch64.rpm |
| column_encrypt_18 | 4.0 | el9.x86_64 | pigsty | 51.4 KiB | column_encrypt_18-4.0-1PIGSTY.el9.x86_64.rpm |
| column_encrypt_18 | 4.0 | el9.aarch64 | pigsty | 51.0 KiB | column_encrypt_18-4.0-1PIGSTY.el9.aarch64.rpm |
| column_encrypt_18 | 4.0 | el10.x86_64 | pigsty | 51.6 KiB | column_encrypt_18-4.0-1PIGSTY.el10.x86_64.rpm |
| column_encrypt_18 | 4.0 | el10.aarch64 | pigsty | 51.3 KiB | column_encrypt_18-4.0-1PIGSTY.el10.aarch64.rpm |
| postgresql-18-column-encrypt | 4.0 | d12.x86_64 | pigsty | 61.9 KiB | postgresql-18-column-encrypt_4.0-1PIGSTY~bookworm_amd64.deb |
| postgresql-18-column-encrypt | 4.0 | d12.aarch64 | pigsty | 61.2 KiB | postgresql-18-column-encrypt_4.0-1PIGSTY~bookworm_arm64.deb |
| postgresql-18-column-encrypt | 4.0 | d13.x86_64 | pigsty | 61.9 KiB | postgresql-18-column-encrypt_4.0-1PIGSTY~trixie_amd64.deb |
| postgresql-18-column-encrypt | 4.0 | d13.aarch64 | pigsty | 61.2 KiB | postgresql-18-column-encrypt_4.0-1PIGSTY~trixie_arm64.deb |
| postgresql-18-column-encrypt | 4.0 | u22.x86_64 | pigsty | 63.4 KiB | postgresql-18-column-encrypt_4.0-1PIGSTY~jammy_amd64.deb |
| postgresql-18-column-encrypt | 4.0 | u22.aarch64 | pigsty | 62.9 KiB | postgresql-18-column-encrypt_4.0-1PIGSTY~jammy_arm64.deb |
| postgresql-18-column-encrypt | 4.0 | u24.x86_64 | pigsty | 62.5 KiB | postgresql-18-column-encrypt_4.0-1PIGSTY~noble_amd64.deb |
| postgresql-18-column-encrypt | 4.0 | u24.aarch64 | pigsty | 61.5 KiB | postgresql-18-column-encrypt_4.0-1PIGSTY~noble_arm64.deb |
| postgresql-18-column-encrypt | 4.0 | u26.x86_64 | pigsty | 62.7 KiB | postgresql-18-column-encrypt_4.0-1PIGSTY~resolute_amd64.deb |
| postgresql-18-column-encrypt | 4.0 | u26.aarch64 | pigsty | 62.1 KiB | postgresql-18-column-encrypt_4.0-1PIGSTY~resolute_arm64.deb |

Source

pig build pkg column_encrypt;		# build rpm/deb

Install

Make sure the PGDG and PIGSTY repos are available:

pig repo add pgsql -u   # add both repo and update cache

Install this extension with pig:

pig install column_encrypt;		# install via package name, for the active PG version

pig install column_encrypt -v 18;   # install for PG 18
pig install column_encrypt -v 17;   # install for PG 17
pig install column_encrypt -v 16;   # install for PG 16
pig install column_encrypt -v 15;   # install for PG 15
pig install column_encrypt -v 14;   # install for PG 14

Add this extension to shared_preload_libraries:

shared_preload_libraries = 'column_encrypt'

Create this extension with:

CREATE EXTENSION column_encrypt CASCADE; -- requires pgcrypto

Usage

Sources: README, v4.0 release, SQL objects

column_encrypt provides transparent column-level encryption for PostgreSQL. It defines encrypted_text and encrypted_bytea types, encrypts values through type input functions, decrypts through output functions, and manages data-encryption keys through the encrypt schema.

Enable

Load the shared library at server start, restart PostgreSQL, then create the schema and extension:

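# postgresql.conf (takes effect after a restart)
shared_preload_libraries = 'column_encrypt'

-- SQL, run in the target database after the restart
CREATE EXTENSION pgcrypto;
CREATE SCHEMA IF NOT EXISTS encrypt;
CREATE EXTENSION column_encrypt;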

Add encrypt to search_path or schema-qualify the encrypted types and functions.

Register And Load Keys

SELECT encrypt.register_key('my-secret-data-key', 'my-master-passphrase');
SELECT encrypt.load_key('my-master-passphrase');

SELECT * FROM encrypt.keys();
SELECT * FROM encrypt.status();

The extension uses a two-tier key model with key-encryption keys and data-encryption keys. Ciphertext carries a key-version header so older values can still be decrypted after rotation.

Encrypt Columns

CREATE TABLE secure_data (
  id bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  ssn encrypt.encrypted_text,
  payload encrypt.encrypted_bytea
);

INSERT INTO secure_data (ssn, payload)
VALUES ('888-999-2045', decode('aabbcc', 'hex'));

SELECT id, ssn FROM secure_data;

Without a loaded key, decrypting encrypted values raises an error.

Key Operations

Common functions include encrypt.activate_key, encrypt.revoke_key, encrypt.rotate, encrypt.verify, encrypt.unload_key, encrypt.loaded_cipher_key_versions, and encrypt.blind_index.

Use blind indexes for lookup patterns that cannot expose plaintext values directly:

SELECT encrypt.blind_index('888-999-2045', 'lookup-hmac-key');
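
The blind-index lookup pattern end to end, as an added example that is not taken from the column_encrypt documentation. The customers table, the ssn_bidx column and the index name are hypothetical, and because this page does not show the return type of encrypt.blind_index, the result is cast to text.

```sql
-- Added example; table, column and index names are hypothetical.
-- Assumes the extension is enabled and a key is registered as shown earlier.
SELECT encrypt.load_key('my-master-passphrase');

CREATE TABLE customers (
  id       bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  ssn      encrypt.encrypted_text NOT NULL,  -- encrypted by the type input function
  ssn_bidx text NOT NULL                     -- keyed digest, used only for lookups
);

-- Ordinary btree index on the digest column; the encrypted column itself
-- is not indexed.
CREATE INDEX customers_ssn_bidx_idx ON customers (ssn_bidx);

-- Write path: store the encrypted value and its blind index together.
-- The lookup key is a separate secret from the master passphrase and data key.
INSERT INTO customers (ssn, ssn_bidx)
VALUES ('888-999-2045',
        encrypt.blind_index('888-999-2045', 'lookup-hmac-key')::text);

-- Read path: recompute the blind index for the search value and compare
-- digests. This query does not reference the encrypted column at all.
SELECT id
FROM customers
WHERE ssn_bidx = encrypt.blind_index('888-999-2045', 'lookup-hmac-key')::text;

-- Returning ssn goes through the type's output function, so it decrypts
-- and therefore needs a loaded key.
SELECT id, ssn
FROM customers
WHERE ssn_bidx = encrypt.blind_index('888-999-2045', 'lookup-hmac-key')::text;

-- Caveat: a blind index has to be deterministic to be searchable, so rows
-- with the same plaintext share the same ssn_bidx. Anyone who can read that
-- column learns which rows are equal, and low-entropy values can be guessed
-- by whoever also holds the lookup key. Restrict access to both.
```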

Notes

The extension intentionally rejects binary send/receive for encrypted values. Equality and hash semantics are based on decrypted plaintext; range ordering is not supported. After upgrading from older ciphertext-hash behavior, rebuild hash indexes on encrypted columns.
