标签
Postgresql,对称加密,非对称加密,Symmetric,ASymmetric,public,private,pgcrypto,区块链
背景
对称加密方法,指加密和解密使用同一把密钥的方法。优势是加密速度快,缺陷是密钥只有一把,安全性较低。
非对称加密方法,指加密和解密用到一对钥匙,一把为私钥,一把为公钥。通常的用法是公钥用于加密,私钥用于解密。优势是更加安全,你自己只要保护好私钥,就可以保证别人给你发的数据无法被篡改、窃听。缺陷是加解密效率比对称加密更差一些。
混合加密,指发送大量加密数据前,首先使用非对称加密,将对称加密的密钥加密发送给对端,然后双方使用对称加密通讯。时长更改对称加密的密钥来保证安全。
Postgresql pgcrypto插件,同时支持对称和非对称加密,详细用法参考:
https://www.postgresql.org/docs/devel/static/pgcrypto.html
用法介绍
一、对称加密
加密和解密使用同一把钥匙。
1、加密
postgres=# \x
Expanded display is on.
postgres=# select pgp_sym_encrypt('需要加密的文字,你好呀,我是digoal.','this is password','cipher-algo=aes256,compress-algo=2');
-[ RECORD 1 ]---+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
pgp_sym_encrypt | \xc30d040903022bdfd5bc64a755e072d27001818495e940d555f02711fed0cce27265d8955af6a669c6996dfd805dbfdf45c0e81ceb7aff8ced8dad51a812127043674720e054e4bf8738048b5e57df3b87b1f786270db0dddb14a9bc89701a53fc6d9a597861a818f7bb38f085ca7c413af25c68344f4676f62aa1a72c76183369
2、解密
# select pgp_sym_decrypt('\xc30d040903022bdfd5bc64a755e072d27001818495e940d555f02711fed0cce27265d8955af6a669c6996dfd805dbfdf45c0e81ceb7aff8ced8dad51a812127043674720e054e4bf8738048b5e57df3b87b1f786270db0dddb14a9bc89701a53fc6d9a597861a818f7bb38f085ca7c413af25c68344f4676f62aa1a72c76183369','this is password'); -[ RECORD 1 ]---+------------------------------------ pgp_sym_decrypt | 需要加密的文字,你好呀,我是digoal.
二、非对称加密
由于非对称加解密使用的是一对公钥和密钥,首先需要生成一对公钥和密钥。
使用gpg --gen-key
可以生成。
以Linux系统为例。
安装、启动rng-tools
为了快速生成随机数,需要安装rng-tools。(产生公钥与密钥时,需要一些随机数)
yum install -y rng-tools
rngd
read error
hwrng: no available rng
Unable to open file: /dev/tpm0
# ps -ewf|grep rngd
root 14762 1 0 14:52 ? 00:00 rngd
root 14767 12394 52 pts/4 00 grep --color=auto rngd
生成一对公钥和密钥
1、
# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation,Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY,to the extent permitted by law.
2、输入KEY类别,选择2
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (only)
Your selection? 2
3、选择KEY的长度
DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
4、输入KEY的有效时间,这里输入的是10年
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 10y
Key expires at Thu 24 Feb 2028 02:52:09 PM CST
5、是否正确
Is this correct? (y/N) y
6、输入KEY的标识
GnuPG needs to construct a user ID identify your key.
Real name: digoal
Email address: digoal@126.com
Comment: test
You selected this USER-ID:
"digoal (test) <digoal@126.com>"
7、确认
Change (N)ame,(C)omment,(E)mail or (O)kay/(Q)uit? O
8、输入私有密钥的保护密码
You need a Passphrase to protect your secret key.
假设这里输入了 hello123
lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk
x Enter passphrase x
x x
x x
x Passphrase ********____________ x
x x
x <OK> <Cancel> x
mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj
lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk
x Please re-enter this passphrase x
x x
x Passphrase Cancel> x
mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj
生成好后,也能设置密码
# gpg --passwd "digoal (test) <digoal@126.com>"
lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk
x Please enter the passphrase to unlock the secret key for the OpenPGP certificate: x
x "digoal (test) <digoal@126.com>" x
x 2048-bit DSA key,ID 42CF57DB,x
x created 2018-02-26. x
x x
x x
x Passphrase ****_______ x
x x
x <OK> <Cancel> x
mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj
Enter the new passphrase for this secret key.
9、生成密钥过程中,需要机器有一定的随机输入,所以我们前面启动了rngd
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard,move the mouse,utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: WARNING: some OpenPGP programs can't handle a DSA key with this digest size We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard,utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.