pgsodium
pgsodium
pgsodium : Postgres extension for libsodium functions
Overview
| ID | Extension | Package | Version | Category | License | Language |
|---|---|---|---|---|---|---|
| 7020 | pgsodium
|
pgsodium
|
3.1.9 |
SEC
|
BSD 3-Clause
|
C
|
| Attribute | Has Binary | Has Library | Need Load | Has DDL | Relocatable | Trusted |
|---|---|---|---|---|---|---|
--sLd--
|
No
|
Yes
|
Yes
|
Yes
|
no
|
no
|
| Relationships | |
|---|---|
| Schemas | pgsodium |
| Need By | supabase_vault
|
| See Also | pgsmcrypto
pgcryptokey
pgcrypto
anon
pg_tde
sslutils
faker
|
+fix missing pg17
Packages
| Type | Repo | Version | PG Major Compatibility | Package Pattern | Dependencies |
|---|---|---|---|---|---|
| EXT | PIGSTY
|
3.1.9 |
18
17
16
15
14
|
pgsodium |
- |
| RPM | PIGSTY
|
3.1.9 |
18
17
16
15
14
|
pgsodium_$v |
- |
| DEB | PIGSTY
|
3.1.9 |
18
17
16
15
14
|
postgresql-$v-pgsodium |
- |
| Linux / PG | PG18 | PG17 | PG16 | PG15 | PG14 |
|---|---|---|---|---|---|
el8.x86_64
|
PGDG 3.1.9
|
PGDG 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
el8.aarch64
|
PGDG 3.1.9
|
PGDG 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
el9.x86_64
|
PGDG 3.1.9
|
PGDG 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
el9.aarch64
|
PGDG 3.1.9
|
PGDG 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
el10.x86_64
|
PGDG 3.1.9
|
PGDG 3.1.9
|
PGDG 3.1.9
|
PGDG 3.1.9
|
PGDG 3.1.9
|
el10.aarch64
|
PGDG 3.1.9
|
PGDG 3.1.9
|
PGDG 3.1.9
|
PGDG 3.1.9
|
PGDG 3.1.9
|
d12.x86_64
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
d12.aarch64
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
d13.x86_64
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
d13.aarch64
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
u22.x86_64
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
u22.aarch64
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
u24.x86_64
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
u24.aarch64
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
u26.x86_64
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
u26.aarch64
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
PIGSTY 3.1.9
|
Source
pig build pkg pgsodium; # build rpm/debInstall
Make sure PGDG and PIGSTY repo available:
pig repo add pgsql -u # add both repo and update cacheInstall this extension with pig:
pig install pgsodium; # install via package name, for the active PG version
pig install pgsodium -v 18; # install for PG 18
pig install pgsodium -v 17; # install for PG 17
pig install pgsodium -v 16; # install for PG 16
pig install pgsodium -v 15; # install for PG 15
pig install pgsodium -v 14; # install for PG 14Config this extension to shared_preload_libraries:
shared_preload_libraries = 'pgsodium';Create this extension with:
CREATE EXTENSION pgsodium;Usage
pgsodium: libsodium-based cryptographic functions for PostgreSQL
pgsodium is an encryption library extension for PostgreSQL using the libsodium library. It provides a direct SQL interface to libsodium, server-managed key derivation, and Transparent Column Encryption (TCE).
CREATE EXTENSION pgsodium;Generating Random Data
SELECT pgsodium.randombytes_random();
SELECT pgsodium.randombytes_buf(16); -- 16 random bytes
SELECT pgsodium.randombytes_uniform(100); -- random int 0-99Secret Key Encryption (Authenticated)
SELECT * FROM pgsodium.crypto_secretbox_keygen();
SELECT pgsodium.crypto_secretbox('message', nonce, key);
SELECT pgsodium.crypto_secretbox_open(ciphertext, nonce, key);Public Key Encryption
SELECT * FROM pgsodium.crypto_box_new_keypair();
SELECT pgsodium.crypto_box('message', nonce, public_key, secret_key);
SELECT pgsodium.crypto_box_open(ciphertext, nonce, public_key, secret_key);Public Key Signatures
SELECT * FROM pgsodium.crypto_sign_new_keypair();
SELECT pgsodium.crypto_sign('message', secret_key);
SELECT pgsodium.crypto_sign_open(signed_message, public_key);Password Hashing
SELECT pgsodium.crypto_pwhash_str('my_password');
SELECT pgsodium.crypto_pwhash_str_verify(hash, 'my_password');Hashing
SELECT pgsodium.crypto_generichash('data');
SELECT pgsodium.crypto_shorthash('data', key);Server Key Management
pgsodium can load an external root key into memory that is never accessible to SQL. Sub-keys are derived by key id:
SELECT * FROM pgsodium.create_key();
-- Returns a UUID key id for use with TCE or encryption functionsTransparent Column Encryption (TCE)
CREATE TABLE private.users (
id bigserial PRIMARY KEY,
secret text
);
SECURITY LABEL FOR pgsodium ON COLUMN private.users.secret
IS 'ENCRYPT WITH KEY ID dfc44293-fa78-4a1a-9ef9-7e600e63e101';Encrypted data is stored on disk and automatically decrypted via a generated view.
Security Roles
pgsodium_keyiduser– less privileged, can only access keys by UUIDpgsodium_keymaker– more privileged, can work with raw keys
Last updated on