cockroachdb / cockroach

CockroachDB - the open source, cloud-native distributed SQL database.
https://www.cockroachlabs.com

sql,server,*: Add support for Column level encryption #72106

Open fabiog1901 opened 2 years ago

fabiog1901 commented 2 years ago

Other database systems support creation of encrypted columns that allow users to pass an encryption key when inserting and reading data. This prevents users without the encryption key from seeing sensitive information like PII when accessing the tables or storing records without encryption on the marked columns. This can be useful for compliance scenarios such as adhering to GDPR and especially PCI.

For an example, you can see PGCrypto's (a PG extension) docs here: https://www.postgresql.org/docs/10/pgcrypto.html#id-1.11.7.35.7

An inbound customer request specifically mentioned Oracle’s implementation. Docs can be found here: Advanced Security Guide.

Note that this feature specifically refers to either symmetric-key or public-key encryption and not hashing functions.


Update 2023-09-06 from @rafiss:

We've now merged support for the encrypt and decrypt builtin functions. I will leave this issue open to track any further enhancements we may want to add later. For example, we could do something similar to the Oracle syntax to make the functions directly usable from DDL.

```sql
CREATE TABLE employee (
    first_name VARCHAR2(128),
    last_name  VARCHAR2(128),
    empID      NUMBER ENCRYPT NO SALT,
    salary     NUMBER(6) ENCRYPT USING '3DES168');
```

There is a pretty extensive amount of syntax, so we are not prioritizing it right now.


Jira issue: CRDB-10947
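The pgcrypto-style usage that the update refers to, as an added example (not the issue's or the CockroachDB project's own code). It assumes a CockroachDB build that includes the merged `encrypt`/`decrypt` builtins together with their `encrypt_iv`/`decrypt_iv` variants; the table, key, IV and salary values are constructed for illustration.

```sql
-- Added example, not from the issue or the project. Assumes the pgcrypto-compatible
-- encrypt/decrypt/encrypt_iv/decrypt_iv builtins are available. All values constructed.

CREATE TABLE employee (
    id         INT PRIMARY KEY,
    first_name STRING,
    salary_enc BYTES,   -- ciphertext only; the key is never stored in the table
    salary_iv  BYTES    -- per-row IV so equal salaries do not yield equal ciphertext
);

-- 'aes' selects AES-CBC with PKCS padding, as in pgcrypto; a 32-byte key means AES-256.
-- In an application pass the key as a bound parameter ($1), never as a literal:
-- literals end up in statement logs, traces and the SQL activity pages.
INSERT INTO employee (id, first_name, salary_enc, salary_iv)
VALUES (
    1, 'Ada',
    encrypt_iv('95000'::BYTES,
               '0123456789abcdef0123456789abcdef'::BYTES,   -- constructed key
               'abcdef0123456789'::BYTES,                   -- constructed 16-byte IV
               'aes'),
    'abcdef0123456789'::BYTES
);

-- Reading requires the same key; a session without it only ever sees ciphertext.
SELECT id, first_name,
       convert_from(decrypt_iv(salary_enc,
                               '0123456789abcdef0123456789abcdef'::BYTES,
                               salary_iv, 'aes'), 'UTF8') AS salary
FROM employee;

-- Caveat: plain encrypt() uses a fixed all-zero IV (pgcrypto semantics), so it is
-- deterministic. Two rows with the same salary get byte-identical ciphertext, which
-- leaks equality even though the values stay hidden. Expect this to return true.
WITH k AS (SELECT '0123456789abcdef0123456789abcdef'::BYTES AS key)
SELECT encrypt('95000'::BYTES, key, 'aes') = encrypt('95000'::BYTES, key, 'aes')
FROM k;
```

Because only ciphertext is stored, range filters and ordering on `salary_enc` are not possible; that trade-off, plus where the key lives and how it is rotated, is the "key management" layer the second comment refers to.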

ajwerner commented 2 years ago

This is a super broad issue that cuts across many layers. I'm fine putting it in the sql schema cold storage but this cuts through key management and execution at least as much as SQL schema.