timreibe
commented
1 year ago As a workaround, I created an update trigger, which sets a new key_id and nonce and encryptes the secret value again with both.
- Setup Database
In this case, I have a column named
ownerwhich references to my (supabase) users table.CREATE TABLE table_name1 ( id uuid PRIMARY KEY NOT NULL DEFAULT uuid_generate_v4(), owner uuid NOT NULL REFERENCES auth.users (id), key_id uuid NOT NULL REFERENCES pgsodium.key(id) DEFAULT (pgsodium.create_key()).id, nonce bytea NOT NULL DEFAULT pgsodium.crypto_aead_det_noncegen(), secret_column text NOT NULL DEFAULT 'undefined'::text );
SECURITY LABEL FOR pgsodium ON COLUMN table_name1.secret_column IS 'ENCRYPT WITH KEY COLUMN key_id NONCE nonce ASSOCIATED owner';
CREATE VIEW decrypted_table_name1 AS SELECT id, convert_from(pgsodium.crypto_aead_det_decrypt( pg_catalog.decode(secret_column, 'base64'), pg_catalog.convert_to(owner::text, 'utf8'), key_id::uuid, nonce ), 'utf8') AS secret_column FROM table_name1;
- **Create Trigger**
```pgsql
create or replace function set_table_name1_pgsodium_values()
returns trigger
as
$$
begin
new.key_id := (pgsodium.create_key()).id;
new.nonce := pgsodium.crypto_aead_det_noncegen();
new.secret_column := pg_catalog.encode(
pgsodium.crypto_aead_det_encrypt(
pg_catalog.convert_to(new.secret_column, 'utf8'),
pg_catalog.convert_to(old.owner::text, 'utf8'),
new.key_id,
new.nonce
),
'base64');
return new;
end ;
$$
language plpgsql;
create trigger trg_set_table_name1_pgsodium_values
before update
on table_name1
for each row
execute procedure set_table_name1_pgsodium_values();
ioguix
Hi everyone,
following my setup in #73, I have a secret value stored in
secret_column, which is encrypted at insert. Now, when updating the value, I expect it to be encrypted again, but it won't. Edit: It is stored as clear text.Is this behavior expected, or is this, again, an issue I have with supabase?
Kind regards Tim
edit: I added the database setup scripts in my comment below