pgsodium 1.2.0 released!

From: Michel Pelletier <pelletier(dot)michel(at)gmail(dot)com>
To: pgsql-announce(at)postgresql(dot)org
Subject: pgsodium 1.2.0 released!
Date: 2020-07-23 15:46:26
Message-ID: CACxu=v+zTE_PVRWZrn+8WbVvihKddvPZ4WatC40suEp1xhQeHA@mail.gmail.com
Lists: pgsql-announce

Greetings PostgreSQL community members,

pgsodium is an encryption library for postgres that provides modern
cryptographic functions based on the libsodium encryption library. This
release brings many changes, cleanups, tests, and includes some new
functionality.

https://github.com/michelp/pgsodium/releases/tag/1.2.0

pgsodium provides several features not available in pgcrypto, most notably
Server Managed Keys which are keys used by id and context, never by raw
value. This allows SQL to safely encrypt and decrypt data without ever
having to expose the key in SQL itself. Some other novel features include:

- Secretbox Authenticated Encryption
- Public Key Encryption/Signing
- Anonymous Sealed Boxes
- AEAD Constructions
- Key Derivation
- End-to-End Encryption with Key Exchange API

There are a few breaking changes with 1.1.1, most noticeably, API access is
revoked on PUBLIC by default, and there are now three layered security
roles with access to the API. If you wish to use the pgsodium API you must
either grant access yourself, or preferably use one of the three built in
layers of API access:

- The least privileged role (pgsodium_keyiduser) can only use API
functions by key id, it can never see or use raw bytea keys.

- The next layer role (pgsodium_keyholder) can see and use keys and
keypairs, but not generate or derive them.

- The highest privilege role (pgsodium_keymaker) can do everything
including make and derive keys and keypairs.

Many encryption patterns require only the minimal key id privilege and a
column encryption example is provided in the documentation. Key ids make
interaction with the pgsodium API completely "keyless". This can be used
for secret key encryption patterns in the API like `crypto_secretbox`,
`crypto_auth` and `crypto_aead_ietf`. Public key functionality can not be
used by key id.

1.2.0 also wraps the IETF ChaCha20-Poly1305 construction for Authenticated
Encryption with Additional Data (AEAD) in libsodium as the
`crypto_aead_ietf` API.

`pgsodium_derive()` is deprecated and is now called `derive_key()`.

Several related fixes were made to the multipart public key signing, and
many more tests and error checks have been added.

Please check it out!

https://github.com/michelp/pgsodium/releases/tag/1.2.0

-Michel
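
The least-privilege, key-id-only pattern described in the announcement, as an added example that is not part of the original message or the project's documentation. The role `app_user` and table `secrets` are hypothetical, and the example assumes pgsodium is installed in a schema named `pgsodium` with a server secret key loaded, so key ids resolve server-side.

```sql
-- Added example; app_user and secrets are hypothetical names.
-- Run the setup as a superuser or the database owner.

-- Give the application role only the lowest API layer: it can call
-- functions by key id and never handles raw bytea keys.
CREATE ROLE app_user LOGIN;
GRANT pgsodium_keyiduser TO app_user;
-- Assumption: the extension lives in its own schema, so USAGE is needed.
GRANT USAGE ON SCHEMA pgsodium TO app_user;

CREATE TABLE secrets (
    id     bigserial PRIMARY KEY,
    key_id bigint NOT NULL DEFAULT 1,  -- which server-derived key to use
    nonce  bytea  NOT NULL,            -- unique per row, not secret
    data   bytea  NOT NULL             -- secretbox ciphertext
);
GRANT SELECT, INSERT ON secrets TO app_user;
GRANT USAGE ON SEQUENCE secrets_id_seq TO app_user;

-- From here on, act as the application would.
SET ROLE app_user;

-- Encrypt: generate a fresh nonce once, store it next to the ciphertext.
-- Only the key id (1) appears in SQL; the key itself stays in the server.
WITH n AS (SELECT pgsodium.crypto_secretbox_noncegen() AS nonce)
INSERT INTO secrets (key_id, nonce, data)
SELECT 1,
       n.nonce,
       pgsodium.crypto_secretbox(
           convert_to('constructed sample plaintext', 'utf8'),
           n.nonce,
           1::bigint)
FROM n;

-- Decrypt by the stored key id; authentication failure raises an error
-- instead of returning altered plaintext.
SELECT id,
       convert_from(
           pgsodium.crypto_secretbox_open(data, nonce, key_id),
           'utf8') AS plaintext
FROM secrets;

RESET ROLE;
```

Because `app_user` holds only `pgsodium_keyiduser`, statement logs and query text from the application contain key ids rather than key material.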
