1<!-- doc/src/sgml/pgcrypto.sgml -->
2
3<sect1 id="pgcrypto" xreflabel="pgcrypto">
4 <title>pgcrypto</title>
5
6 <indexterm zone="pgcrypto">
7  <primary>pgcrypto</primary>
8 </indexterm>
9
10 <indexterm zone="pgcrypto">
11  <primary>encryption</primary>
12  <secondary>for specific columns</secondary>
13 </indexterm>
14
15 <para>
16  The <filename>pgcrypto</filename> module provides cryptographic functions for
17  <productname>PostgreSQL</productname>.
18 </para>
19
20 <sect2>
21  <title>General Hashing Functions</title>
22
23  <sect3>
24   <title><function>digest()</function></title>
25
26   <indexterm>
27    <primary>digest</primary>
28   </indexterm>
29
30<synopsis>
31digest(data text, type text) returns bytea
32digest(data bytea, type text) returns bytea
33</synopsis>
34
35   <para>
36    Computes a binary hash of the given <parameter>data</parameter>.
37    <parameter>type</parameter> is the algorithm to use.
38    Standard algorithms are <literal>md5</literal>, <literal>sha1</literal>,
39    <literal>sha224</literal>, <literal>sha256</literal>,
40    <literal>sha384</literal> and <literal>sha512</literal>.
41    If <filename>pgcrypto</filename> was built with
42    OpenSSL, more algorithms are available, as detailed in
43    <xref linkend="pgcrypto-with-without-openssl"/>.
44   </para>
45
46   <para>
47    If you want the digest as a hexadecimal string, use
48    <function>encode()</function> on the result.  For example:
49<programlisting>
50CREATE OR REPLACE FUNCTION sha1(bytea) returns text AS $$
51    SELECT encode(digest($1, 'sha1'), 'hex')
52$$ LANGUAGE SQL STRICT IMMUTABLE;
53</programlisting>
54   </para>
55  </sect3>
56
57  <sect3>
58   <title><function>hmac()</function></title>
59
60   <indexterm>
61    <primary>hmac</primary>
62   </indexterm>
63
64<synopsis>
65hmac(data text, key text, type text) returns bytea
66hmac(data bytea, key bytea, type text) returns bytea
67</synopsis>
68
69   <para>
70    Calculates hashed MAC for <parameter>data</parameter> with key <parameter>key</parameter>.
71    <parameter>type</parameter> is the same as in <function>digest()</function>.
72   </para>
73
74   <para>
75    This is similar to <function>digest()</function> but the hash can only be
76    recalculated knowing the key.  This prevents the scenario of someone
77    altering data and also changing the hash to match.
78   </para>
79
80   <para>
81    If the key is larger than the hash block size it will first be hashed and
82    the result will be used as key.
83   </para>
84  </sect3>
85 </sect2>
86
87 <sect2>
88  <title>Password Hashing Functions</title>
89
90  <para>
91   The functions <function>crypt()</function> and <function>gen_salt()</function>
92   are specifically designed for hashing passwords.
93   <function>crypt()</function> does the hashing and <function>gen_salt()</function>
94   prepares algorithm parameters for it.
95  </para>
96
97  <para>
98   The algorithms in <function>crypt()</function> differ from the usual
99   MD5 or SHA1 hashing algorithms in the following respects:
100  </para>
101
102  <orderedlist>
103   <listitem>
104    <para>
105     They are slow.  As the amount of data is so small, this is the only
106     way to make brute-forcing passwords hard.
107    </para>
108   </listitem>
109   <listitem>
110    <para>
111     They use a random value, called the <firstterm>salt</firstterm>, so that users
112     having the same password will have different encrypted passwords.
113     This is also an additional defense against reversing the algorithm.
114    </para>
115   </listitem>
116   <listitem>
117    <para>
118     They include the algorithm type in the result, so passwords hashed with
119     different algorithms can co-exist.
120    </para>
121   </listitem>
122   <listitem>
123    <para>
124     Some of them are adaptive &mdash; that means when computers get
125     faster, you can tune the algorithm to be slower, without
126     introducing incompatibility with existing passwords.
127    </para>
128   </listitem>
129  </orderedlist>
130
131  <para>
132   <xref linkend="pgcrypto-crypt-algorithms"/> lists the algorithms
133   supported by the <function>crypt()</function> function.
134  </para>
135
136  <table id="pgcrypto-crypt-algorithms">
137   <title>Supported Algorithms for <function>crypt()</function></title>
138   <tgroup cols="6">
139    <thead>
140     <row>
141      <entry>Algorithm</entry>
142      <entry>Max Password Length</entry>
143      <entry>Adaptive?</entry>
144      <entry>Salt Bits</entry>
145      <entry>Output Length</entry>
146      <entry>Description</entry>
147     </row>
148    </thead>
149    <tbody>
150     <row>
151      <entry><literal>bf</literal></entry>
152      <entry>72</entry>
153      <entry>yes</entry>
154      <entry>128</entry>
155      <entry>60</entry>
156      <entry>Blowfish-based, variant 2a</entry>
157     </row>
158     <row>
159      <entry><literal>md5</literal></entry>
160      <entry>unlimited</entry>
161      <entry>no</entry>
162      <entry>48</entry>
163      <entry>34</entry>
164      <entry>MD5-based crypt</entry>
165     </row>
166     <row>
167      <entry><literal>xdes</literal></entry>
168      <entry>8</entry>
169      <entry>yes</entry>
170      <entry>24</entry>
171      <entry>20</entry>
172      <entry>Extended DES</entry>
173     </row>
174     <row>
175      <entry><literal>des</literal></entry>
176      <entry>8</entry>
177      <entry>no</entry>
178      <entry>12</entry>
179      <entry>13</entry>
180      <entry>Original UNIX crypt</entry>
181     </row>
182    </tbody>
183   </tgroup>
184  </table>
185
186  <sect3>
187   <title><function>crypt()</function></title>
188
189   <indexterm>
190    <primary>crypt</primary>
191   </indexterm>
192
193<synopsis>
194crypt(password text, salt text) returns text
195</synopsis>
196
197   <para>
198    Calculates a crypt(3)-style hash of <parameter>password</parameter>.
199    When storing a new password, you need to use
200    <function>gen_salt()</function> to generate a new <parameter>salt</parameter> value.
201    To check a password, pass the stored hash value as <parameter>salt</parameter>,
202    and test whether the result matches the stored value.
203   </para>
204   <para>
205    Example of setting a new password:
206<programlisting>
207UPDATE ... SET pswhash = crypt('new password', gen_salt('md5'));
208</programlisting>
209   </para>
210   <para>
211    Example of authentication:
212<programlisting>
213SELECT (pswhash = crypt('entered password', pswhash)) AS pswmatch FROM ... ;
214</programlisting>
215    This returns <literal>true</literal> if the entered password is correct.
216   </para>
217  </sect3>
218
219  <sect3>
220   <title><function>gen_salt()</function></title>
221
222  <indexterm>
223   <primary>gen_salt</primary>
224  </indexterm>
225
226<synopsis>
227gen_salt(type text [, iter_count integer ]) returns text
228</synopsis>
229
230   <para>
231    Generates a new random salt string for use in <function>crypt()</function>.
232    The salt string also tells <function>crypt()</function> which algorithm to use.
233   </para>
234
235   <para>
236    The <parameter>type</parameter> parameter specifies the hashing algorithm.
237    The accepted types are: <literal>des</literal>, <literal>xdes</literal>,
238    <literal>md5</literal> and <literal>bf</literal>.
239   </para>
240
241   <para>
242    The <parameter>iter_count</parameter> parameter lets the user specify the iteration
243    count, for algorithms that have one.
244    The higher the count, the more time it takes to hash
245    the password and therefore the more time to break it.  Although with
246    too high a count the time to calculate a hash may be several years
247    &mdash; which is somewhat impractical.  If the <parameter>iter_count</parameter>
248    parameter is omitted, the default iteration count is used.
249    Allowed values for <parameter>iter_count</parameter> depend on the algorithm and
250    are shown in <xref linkend="pgcrypto-icfc-table"/>.
251   </para>
252
253   <table id="pgcrypto-icfc-table">
254    <title>Iteration Counts for <function>crypt()</function></title>
255    <tgroup cols="4">
256     <thead>
257      <row>
258       <entry>Algorithm</entry>
259       <entry>Default</entry>
260       <entry>Min</entry>
261       <entry>Max</entry>
262      </row>
263     </thead>
264     <tbody>
265      <row>
266       <entry><literal>xdes</literal></entry>
267       <entry>725</entry>
268       <entry>1</entry>
269       <entry>16777215</entry>
270      </row>
271      <row>
272       <entry><literal>bf</literal></entry>
273       <entry>6</entry>
274       <entry>4</entry>
275       <entry>31</entry>
276      </row>
277     </tbody>
278    </tgroup>
279   </table>
280
281   <para>
282    For <literal>xdes</literal> there is an additional limitation that the
283    iteration count must be an odd number.
284   </para>
285
286   <para>
287    To pick an appropriate iteration count, consider that
288    the original DES crypt was designed to have the speed of 4 hashes per
289    second on the hardware of that time.
290    Slower than 4 hashes per second would probably dampen usability.
291    Faster than 100 hashes per second is probably too fast.
292   </para>
293
294   <para>
295    <xref linkend="pgcrypto-hash-speed-table"/> gives an overview of the relative slowness
296    of different hashing algorithms.
297    The table shows how much time it would take to try all
298    combinations of characters in an 8-character password, assuming
299    that the password contains either only lower case letters, or
300    upper- and lower-case letters and numbers.
301    In the <literal>crypt-bf</literal> entries, the number after a slash is
302    the <parameter>iter_count</parameter> parameter of
303    <function>gen_salt</function>.
304   </para>
305
306   <table id="pgcrypto-hash-speed-table">
307    <title>Hash Algorithm Speeds</title>
308    <tgroup cols="5">
309     <thead>
310      <row>
311       <entry>Algorithm</entry>
312       <entry>Hashes/sec</entry>
313       <entry>For <literal>[a-z]</literal></entry>
314       <entry>For <literal>[A-Za-z0-9]</literal></entry>
315       <entry>Duration relative to <literal>md5 hash</literal></entry>
316      </row>
317     </thead>
318     <tbody>
319      <row>
320       <entry><literal>crypt-bf/8</literal></entry>
321       <entry>1792</entry>
322       <entry>4 years</entry>
323       <entry>3927 years</entry>
324       <entry>100k</entry>
325      </row>
326      <row>
327       <entry><literal>crypt-bf/7</literal></entry>
328       <entry>3648</entry>
329       <entry>2 years</entry>
330       <entry>1929 years</entry>
331       <entry>50k</entry>
332      </row>
333      <row>
334       <entry><literal>crypt-bf/6</literal></entry>
335       <entry>7168</entry>
336       <entry>1 year</entry>
337       <entry>982 years</entry>
338       <entry>25k</entry>
339      </row>
340      <row>
341       <entry><literal>crypt-bf/5</literal></entry>
342       <entry>13504</entry>
343       <entry>188 days</entry>
344       <entry>521 years</entry>
345       <entry>12.5k</entry>
346      </row>
347      <row>
348       <entry><literal>crypt-md5</literal></entry>
349       <entry>171584</entry>
350       <entry>15 days</entry>
351       <entry>41 years</entry>
352       <entry>1k</entry>
353      </row>
354      <row>
355       <entry><literal>crypt-des</literal></entry>
356       <entry>23221568</entry>
357       <entry>157.5 minutes</entry>
358       <entry>108 days</entry>
359       <entry>7</entry>
360      </row>
361      <row>
362       <entry><literal>sha1</literal></entry>
363       <entry>37774272</entry>
364       <entry>90 minutes</entry>
365       <entry>68 days</entry>
366       <entry>4</entry>
367      </row>
368      <row>
369       <entry><literal>md5</literal> (hash)</entry>
370       <entry>150085504</entry>
371       <entry>22.5 minutes</entry>
372       <entry>17 days</entry>
373       <entry>1</entry>
374      </row>
375     </tbody>
376    </tgroup>
377   </table>
378
379   <para>
380    Notes:
381   </para>
382
383   <itemizedlist>
384    <listitem>
385     <para>
386     The machine used is an Intel Mobile Core i3.
387     </para>
388    </listitem>
389    <listitem>
390     <para>
391      <literal>crypt-des</literal> and <literal>crypt-md5</literal> algorithm numbers are
392      taken from John the Ripper v1.6.38 <literal>-test</literal> output.
393     </para>
394    </listitem>
395    <listitem>
396     <para>
397      <literal>md5 hash</literal> numbers are from mdcrack 1.2.
398     </para>
399    </listitem>
400    <listitem>
401     <para>
402      <literal>sha1</literal> numbers are from lcrack-20031130-beta.
403     </para>
404    </listitem>
405    <listitem>
406     <para>
407      <literal>crypt-bf</literal> numbers are taken using a simple program that
408      loops over 1000 8-character passwords.  That way I can show the speed
409      with different numbers of iterations.  For reference: <literal>john
410      -test</literal> shows 13506 loops/sec for <literal>crypt-bf/5</literal>.
411      (The very small
412      difference in results is in accordance with the fact that the
413      <literal>crypt-bf</literal> implementation in <filename>pgcrypto</filename>
414      is the same one used in John the Ripper.)
415     </para>
416    </listitem>
417   </itemizedlist>
418
419   <para>
420    Note that <quote>try all combinations</quote> is not a realistic exercise.
421    Usually password cracking is done with the help of dictionaries, which
422    contain both regular words and various mutations of them.  So, even
423    somewhat word-like passwords could be cracked much faster than the above
424    numbers suggest, while a 6-character non-word-like password may escape
425    cracking.  Or not.
426   </para>
427  </sect3>
428 </sect2>
429
430 <sect2>
431  <title>PGP Encryption Functions</title>
432
433  <para>
434   The functions here implement the encryption part of the OpenPGP (RFC 4880)
435   standard.  Supported are both symmetric-key and public-key encryption.
436  </para>
437
438  <para>
439   An encrypted PGP message consists of 2 parts, or <firstterm>packets</firstterm>:
440  </para>
441  <itemizedlist>
442   <listitem>
443    <para>
444     Packet containing a session key &mdash; either symmetric-key or public-key
445     encrypted.
446    </para>
447   </listitem>
448   <listitem>
449    <para>
450     Packet containing data encrypted with the session key.
451    </para>
452   </listitem>
453  </itemizedlist>
454
455  <para>
456   When encrypting with a symmetric key (i.e., a password):
457  </para>
458  <orderedlist>
459   <listitem>
460    <para>
461     The given password is hashed using a String2Key (S2K) algorithm.  This is
462     rather similar to <function>crypt()</function> algorithms &mdash; purposefully
463     slow and with random salt &mdash; but it produces a full-length binary
464     key.
465    </para>
466   </listitem>
467   <listitem>
468    <para>
469     If a separate session key is requested, a new random key will be
470     generated.  Otherwise the S2K key will be used directly as the session
471     key.
472    </para>
473   </listitem>
474   <listitem>
475    <para>
476     If the S2K key is to be used directly, then only S2K settings will be put
477     into the session key packet.  Otherwise the session key will be encrypted
478     with the S2K key and put into the session key packet.
479    </para>
480   </listitem>
481  </orderedlist>
482
483  <para>
484   When encrypting with a public key:
485  </para>
486  <orderedlist>
487   <listitem>
488    <para>
489     A new random session key is generated.
490    </para>
491   </listitem>
492   <listitem>
493    <para>
494     It is encrypted using the public key and put into the session key packet.
495    </para>
496   </listitem>
497  </orderedlist>
498
499  <para>
500   In either case the data to be encrypted is processed as follows:
501  </para>
502  <orderedlist>
503   <listitem>
504    <para>
505     Optional data-manipulation: compression, conversion to UTF-8,
506     and/or conversion of line-endings.
507    </para>
508   </listitem>
509   <listitem>
510    <para>
511     The data is prefixed with a block of random bytes.  This is equivalent
512     to using a random IV.
513    </para>
514   </listitem>
515   <listitem>
516    <para>
517     An SHA1 hash of the random prefix and data is appended.
518    </para>
519   </listitem>
520   <listitem>
521    <para>
522     All this is encrypted with the session key and placed in the data packet.
523    </para>
524   </listitem>
525  </orderedlist>
526
527  <sect3>
528   <title><function>pgp_sym_encrypt()</function></title>
529
530   <indexterm>
531    <primary>pgp_sym_encrypt</primary>
532   </indexterm>
533
534   <indexterm>
535    <primary>pgp_sym_encrypt_bytea</primary>
536   </indexterm>
537
538<synopsis>
539pgp_sym_encrypt(data text, psw text [, options text ]) returns bytea
540pgp_sym_encrypt_bytea(data bytea, psw text [, options text ]) returns bytea
541</synopsis>
542   <para>
543    Encrypt <parameter>data</parameter> with a symmetric PGP key <parameter>psw</parameter>.
544    The <parameter>options</parameter> parameter can contain option settings,
545    as described below.
546   </para>
547  </sect3>
548
549  <sect3>
550   <title><function>pgp_sym_decrypt()</function></title>
551
552   <indexterm>
553    <primary>pgp_sym_decrypt</primary>
554   </indexterm>
555
556   <indexterm>
557    <primary>pgp_sym_decrypt_bytea</primary>
558   </indexterm>
559
560<synopsis>
561pgp_sym_decrypt(msg bytea, psw text [, options text ]) returns text
562pgp_sym_decrypt_bytea(msg bytea, psw text [, options text ]) returns bytea
563</synopsis>
564   <para>
565    Decrypt a symmetric-key-encrypted PGP message.
566   </para>
567   <para>
568    Decrypting <type>bytea</type> data with <function>pgp_sym_decrypt</function> is disallowed.
569    This is to avoid outputting invalid character data.  Decrypting
570    originally textual data with <function>pgp_sym_decrypt_bytea</function> is fine.
571   </para>
572   <para>
573    The <parameter>options</parameter> parameter can contain option settings,
574    as described below.
575   </para>
576  </sect3>
577
578  <sect3>
579   <title><function>pgp_pub_encrypt()</function></title>
580
581   <indexterm>
582    <primary>pgp_pub_encrypt</primary>
583   </indexterm>
584
585   <indexterm>
586    <primary>pgp_pub_encrypt_bytea</primary>
587   </indexterm>
588
589<synopsis>
590pgp_pub_encrypt(data text, key bytea [, options text ]) returns bytea
591pgp_pub_encrypt_bytea(data bytea, key bytea [, options text ]) returns bytea
592</synopsis>
593   <para>
594    Encrypt <parameter>data</parameter> with a public PGP key <parameter>key</parameter>.
595    Giving this function a secret key will produce an error.
596   </para>
597   <para>
598    The <parameter>options</parameter> parameter can contain option settings,
599    as described below.
600   </para>
601  </sect3>
602
603  <sect3>
604   <title><function>pgp_pub_decrypt()</function></title>
605
606   <indexterm>
607    <primary>pgp_pub_decrypt</primary>
608   </indexterm>
609
610   <indexterm>
611    <primary>pgp_pub_decrypt_bytea</primary>
612   </indexterm>
613
614<synopsis>
615pgp_pub_decrypt(msg bytea, key bytea [, psw text [, options text ]]) returns text
616pgp_pub_decrypt_bytea(msg bytea, key bytea [, psw text [, options text ]]) returns bytea
617</synopsis>
618   <para>
619    Decrypt a public-key-encrypted message.  <parameter>key</parameter> must be the
620    secret key corresponding to the public key that was used to encrypt.
621    If the secret key is password-protected, you must give the password in
622    <parameter>psw</parameter>.  If there is no password, but you want to specify
623    options, you need to give an empty password.
624   </para>
625   <para>
626    Decrypting <type>bytea</type> data with <function>pgp_pub_decrypt</function> is disallowed.
627    This is to avoid outputting invalid character data.  Decrypting
628    originally textual data with <function>pgp_pub_decrypt_bytea</function> is fine.
629   </para>
630   <para>
631    The <parameter>options</parameter> parameter can contain option settings,
632    as described below.
633   </para>
634  </sect3>
635
636  <sect3>
637   <title><function>pgp_key_id()</function></title>
638
639   <indexterm>
640    <primary>pgp_key_id</primary>
641   </indexterm>
642
643<synopsis>
644pgp_key_id(bytea) returns text
645</synopsis>
646   <para>
647    <function>pgp_key_id</function> extracts the key ID of a PGP public or secret key.
648    Or it gives the key ID that was used for encrypting the data, if given
649    an encrypted message.
650   </para>
651   <para>
652    It can return 2 special key IDs:
653   </para>
654   <itemizedlist>
655    <listitem>
656     <para>
657      <literal>SYMKEY</literal>
658     </para>
659     <para>
660      The message is encrypted with a symmetric key.
661     </para>
662    </listitem>
663    <listitem>
664     <para>
665      <literal>ANYKEY</literal>
666     </para>
667     <para>
668      The message is public-key encrypted, but the key ID has been removed.
669      That means you will need to try all your secret keys on it to see
670      which one decrypts it.  <filename>pgcrypto</filename> itself does not produce
671      such messages.
672     </para>
673    </listitem>
674   </itemizedlist>
675   <para>
676    Note that different keys may have the same ID.   This is rare but a normal
677    event. The client application should then try to decrypt with each one,
678    to see which fits &mdash; like handling <literal>ANYKEY</literal>.
679   </para>
680  </sect3>
681
682  <sect3>
683   <title><function>armor()</function>, <function>dearmor()</function></title>
684
685   <indexterm>
686    <primary>armor</primary>
687   </indexterm>
688
689   <indexterm>
690    <primary>dearmor</primary>
691   </indexterm>
692
693<synopsis>
694armor(data bytea [ , keys text[], values text[] ]) returns text
695dearmor(data text) returns bytea
696</synopsis>
697   <para>
698    These functions wrap/unwrap binary data into PGP ASCII-armor format,
699    which is basically Base64 with CRC and additional formatting.
700   </para>
701
702   <para>
703    If the <parameter>keys</parameter> and <parameter>values</parameter> arrays are specified,
704    an <firstterm>armor header</firstterm> is added to the armored format for each
705    key/value pair. Both arrays must be single-dimensional, and they must
706    be of the same length.  The keys and values cannot contain any non-ASCII
707    characters.
708   </para>
709  </sect3>
710
711  <sect3>
712   <title><function>pgp_armor_headers</function></title>
713
714   <indexterm>
715    <primary>pgp_armor_headers</primary>
716   </indexterm>
717
718<synopsis>
719pgp_armor_headers(data text, key out text, value out text) returns setof record
720</synopsis>
721   <para>
722    <function>pgp_armor_headers()</function> extracts the armor headers from
723    <parameter>data</parameter>.  The return value is a set of rows with two columns,
724    key and value.  If the keys or values contain any non-ASCII characters,
725    they are treated as UTF-8.
726   </para>
727  </sect3>
728
729  <sect3>
730   <title>Options for PGP Functions</title>
731
732   <para>
733    Options are named to be similar to GnuPG.  An option's value should be
734    given after an equal sign; separate options from each other with commas.
735    For example:
736<programlisting>
737pgp_sym_encrypt(data, psw, 'compress-algo=1, cipher-algo=aes256')
738</programlisting>
739   </para>
740
741   <para>
742    All of the options except <literal>convert-crlf</literal> apply only to
743    encrypt functions.  Decrypt functions get the parameters from the PGP
744    data.
745   </para>
746
747   <para>
748    The most interesting options are probably
749    <literal>compress-algo</literal> and <literal>unicode-mode</literal>.
750    The rest should have reasonable defaults.
751   </para>
752
753  <sect4>
754   <title>cipher-algo</title>
755
756   <para>
757    Which cipher algorithm to use.
758   </para>
759<literallayout>
760Values: bf, aes128, aes192, aes256 (OpenSSL-only: <literal>3des</literal>, <literal>cast5</literal>)
761Default: aes128
762Applies to: pgp_sym_encrypt, pgp_pub_encrypt
763</literallayout>
764  </sect4>
765
766  <sect4>
767   <title>compress-algo</title>
768
769   <para>
770    Which compression algorithm to use.  Only available if
771    <productname>PostgreSQL</productname> was built with zlib.
772   </para>
773<literallayout>
774Values:
775  0 - no compression
776  1 - ZIP compression
777  2 - ZLIB compression (= ZIP plus meta-data and block CRCs)
778Default: 0
779Applies to: pgp_sym_encrypt, pgp_pub_encrypt
780</literallayout>
781  </sect4>
782
783  <sect4>
784   <title>compress-level</title>
785
786   <para>
787    How much to compress.  Higher levels compress smaller but are slower.
788    0 disables compression.
789   </para>
790<literallayout>
791Values: 0, 1-9
792Default: 6
793Applies to: pgp_sym_encrypt, pgp_pub_encrypt
794</literallayout>
795  </sect4>
796
797  <sect4>
798   <title>convert-crlf</title>
799
800   <para>
801    Whether to convert <literal>\n</literal> into <literal>\r\n</literal> when
802    encrypting and <literal>\r\n</literal> to <literal>\n</literal> when
803    decrypting.  RFC 4880 specifies that text data should be stored using
804    <literal>\r\n</literal> line-feeds.  Use this to get fully RFC-compliant
805    behavior.
806   </para>
807<literallayout>
808Values: 0, 1
809Default: 0
810Applies to: pgp_sym_encrypt, pgp_pub_encrypt, pgp_sym_decrypt, pgp_pub_decrypt
811</literallayout>
812  </sect4>
813
814  <sect4>
815   <title>disable-mdc</title>
816
817   <para>
818    Do not protect data with SHA-1.  The only good reason to use this
819    option is to achieve compatibility with ancient PGP products, predating
820    the addition of SHA-1 protected packets to RFC 4880.
821    Recent gnupg.org and pgp.com software supports it fine.
822   </para>
823<literallayout>
824Values: 0, 1
825Default: 0
826Applies to: pgp_sym_encrypt, pgp_pub_encrypt
827</literallayout>
828  </sect4>
829
830  <sect4>
831   <title>sess-key</title>
832
833   <para>
834    Use separate session key.  Public-key encryption always uses a separate
835    session key; this option is for symmetric-key encryption, which by default
836    uses the S2K key directly.
837   </para>
838<literallayout>
839Values: 0, 1
840Default: 0
841Applies to: pgp_sym_encrypt
842</literallayout>
843  </sect4>
844
845  <sect4>
846   <title>s2k-mode</title>
847
848   <para>
849    Which S2K algorithm to use.
850   </para>
851<literallayout>
852Values:
853  0 - Without salt.  Dangerous!
854  1 - With salt but with fixed iteration count.
855  3 - Variable iteration count.
856Default: 3
857Applies to: pgp_sym_encrypt
858</literallayout>
859  </sect4>
860
861  <sect4>
862   <title>s2k-count</title>
863
864   <para>
865    The number of iterations of the S2K algorithm to use.  It must
866    be a value between 1024 and 65011712, inclusive.
867   </para>
868<literallayout>
869Default: A random value between 65536 and 253952
870Applies to: pgp_sym_encrypt, only with s2k-mode=3
871</literallayout>
872  </sect4>
873
874  <sect4>
875   <title>s2k-digest-algo</title>
876
877   <para>
878    Which digest algorithm to use in S2K calculation.
879   </para>
880<literallayout>
881Values: md5, sha1
882Default: sha1
883Applies to: pgp_sym_encrypt
884</literallayout>
885  </sect4>
886
887  <sect4>
888   <title>s2k-cipher-algo</title>
889
890   <para>
891    Which cipher to use for encrypting separate session key.
892   </para>
893<literallayout>
894Values: bf, aes, aes128, aes192, aes256
895Default: use cipher-algo
896Applies to: pgp_sym_encrypt
897</literallayout>
898  </sect4>
899
900  <sect4>
901   <title>unicode-mode</title>
902
903   <para>
904    Whether to convert textual data from database internal encoding to
905    UTF-8 and back.  If your database already is UTF-8, no conversion will
906    be done, but the message will be tagged as UTF-8.  Without this option
907    it will not be.
908   </para>
909<literallayout>
910Values: 0, 1
911Default: 0
912Applies to: pgp_sym_encrypt, pgp_pub_encrypt
913</literallayout>
914  </sect4>
915  </sect3>
916
917 <sect3>
918  <title>Generating PGP Keys with GnuPG</title>
919
920  <para>
921   To generate a new key:
922<programlisting>
923gpg --gen-key
924</programlisting>
925  </para>
926  <para>
927   The preferred key type is <quote>DSA and Elgamal</quote>.
928  </para>
929  <para>
930   For RSA encryption you must create either DSA or RSA sign-only key
931   as master and then add an RSA encryption subkey with
932   <literal>gpg --edit-key</literal>.
933  </para>
934  <para>
935   To list keys:
936<programlisting>
937gpg --list-secret-keys
938</programlisting>
939  </para>
940  <para>
941   To export a public key in ASCII-armor format:
942<programlisting>
943gpg -a --export KEYID > public.key
944</programlisting>
945  </para>
946  <para>
947   To export a secret key in ASCII-armor format:
948<programlisting>
949gpg -a --export-secret-keys KEYID > secret.key
950</programlisting>
951  </para>
952  <para>
953   You need to use <function>dearmor()</function> on these keys before giving them to
954   the PGP functions.  Or if you can handle binary data, you can drop
955   <literal>-a</literal> from the command.
956  </para>
957  <para>
958   For more details see <literal>man gpg</literal>,
959   <ulink url="https://www.gnupg.org/gph/en/manual.html">The GNU
960   Privacy Handbook</ulink> and other documentation on
961   <ulink url="https://www.gnupg.org/"></ulink>.
962  </para>
963 </sect3>
964
965 <sect3>
966  <title>Limitations of PGP Code</title>
967
968  <itemizedlist>
969   <listitem>
970    <para>
971    No support for signing.  That also means that it is not checked
972    whether the encryption subkey belongs to the master key.
973    </para>
974   </listitem>
975   <listitem>
976    <para>
977    No support for encryption key as master key.  As such practice
978    is generally discouraged, this should not be a problem.
979    </para>
980   </listitem>
981   <listitem>
982    <para>
983    No support for several subkeys.  This may seem like a problem, as this
984    is common practice.  On the other hand, you should not use your regular
985    GPG/PGP keys with <filename>pgcrypto</filename>, but create new ones,
986    as the usage scenario is rather different.
987    </para>
988   </listitem>
989  </itemizedlist>
990  </sect3>
991 </sect2>
992
993 <sect2>
994  <title>Raw Encryption Functions</title>
995
996  <para>
997   These functions only run a cipher over data; they don't have any advanced
998   features of PGP encryption.  Therefore they have some major problems:
999  </para>
1000  <orderedlist>
1001   <listitem>
1002    <para>
1003    They use user key directly as cipher key.
1004    </para>
1005   </listitem>
1006   <listitem>
1007    <para>
1008    They don't provide any integrity checking, to see
1009    if the encrypted data was modified.
1010    </para>
1011   </listitem>
1012   <listitem>
1013    <para>
1014    They expect that users manage all encryption parameters
1015    themselves, even IV.
1016    </para>
1017   </listitem>
1018   <listitem>
1019    <para>
1020    They don't handle text.
1021    </para>
1022   </listitem>
1023  </orderedlist>
1024  <para>
1025   So, with the introduction of PGP encryption, usage of raw
1026   encryption functions is discouraged.
1027  </para>
1028
1029  <indexterm>
1030   <primary>encrypt</primary>
1031  </indexterm>
1032
1033  <indexterm>
1034   <primary>decrypt</primary>
1035  </indexterm>
1036
1037  <indexterm>
1038   <primary>encrypt_iv</primary>
1039  </indexterm>
1040
1041  <indexterm>
1042   <primary>decrypt_iv</primary>
1043  </indexterm>
1044
1045<synopsis>
1046encrypt(data bytea, key bytea, type text) returns bytea
1047decrypt(data bytea, key bytea, type text) returns bytea
1048
1049encrypt_iv(data bytea, key bytea, iv bytea, type text) returns bytea
1050decrypt_iv(data bytea, key bytea, iv bytea, type text) returns bytea
1051</synopsis>
1052
1053  <para>
1054   Encrypt/decrypt data using the cipher method specified by
1055   <parameter>type</parameter>.  The syntax of the
1056   <parameter>type</parameter> string is:
1057
1058<synopsis>
1059<replaceable>algorithm</replaceable> <optional> <literal>-</literal> <replaceable>mode</replaceable> </optional> <optional> <literal>/pad:</literal> <replaceable>padding</replaceable> </optional>
1060</synopsis>
1061   where <replaceable>algorithm</replaceable> is one of:
1062
1063  <itemizedlist>
1064   <listitem><para><literal>bf</literal> &mdash; Blowfish</para></listitem>
1065   <listitem><para><literal>aes</literal> &mdash; AES (Rijndael-128, -192 or -256)</para></listitem>
1066  </itemizedlist>
1067   and <replaceable>mode</replaceable> is one of:
1068  <itemizedlist>
1069   <listitem>
1070    <para>
1071    <literal>cbc</literal> &mdash; next block depends on previous (default)
1072    </para>
1073   </listitem>
1074   <listitem>
1075    <para>
1076    <literal>ecb</literal> &mdash; each block is encrypted separately (for
1077    testing only)
1078    </para>
1079   </listitem>
1080  </itemizedlist>
1081   and <replaceable>padding</replaceable> is one of:
1082  <itemizedlist>
1083   <listitem>
1084    <para>
1085    <literal>pkcs</literal> &mdash; data may be any length (default)
1086    </para>
1087   </listitem>
1088   <listitem>
1089    <para>
1090    <literal>none</literal> &mdash; data must be multiple of cipher block size
1091    </para>
1092   </listitem>
1093  </itemizedlist>
1094  </para>
1095  <para>
1096   So, for example, these are equivalent:
1097<programlisting>
1098encrypt(data, 'fooz', 'bf')
1099encrypt(data, 'fooz', 'bf-cbc/pad:pkcs')
1100</programlisting>
1101  </para>
1102  <para>
1103   In <function>encrypt_iv</function> and <function>decrypt_iv</function>, the
1104   <parameter>iv</parameter> parameter is the initial value for the CBC mode;
1105   it is ignored for ECB.
1106   It is clipped or padded with zeroes if not exactly block size.
1107   It defaults to all zeroes in the functions without this parameter.
1108  </para>
1109 </sect2>
1110
1111 <sect2>
1112  <title>Random-Data Functions</title>
1113
1114  <indexterm>
1115   <primary>gen_random_bytes</primary>
1116  </indexterm>
1117
1118<synopsis>
1119gen_random_bytes(count integer) returns bytea
1120</synopsis>
1121  <para>
1122   Returns <parameter>count</parameter> cryptographically strong random bytes.
1123   At most 1024 bytes can be extracted at a time.  This is to avoid
1124   draining the randomness generator pool.
1125  </para>
1126
1127  <indexterm>
1128   <primary>gen_random_uuid</primary>
1129  </indexterm>
1130
1131<synopsis>
1132gen_random_uuid() returns uuid
1133</synopsis>
1134  <para>
1135   Returns a version 4 (random) UUID.
1136  </para>
1137 </sect2>
1138
1139 <sect2>
1140  <title>Notes</title>
1141
1142  <sect3>
1143   <title>Configuration</title>
1144
1145   <para>
1146    <filename>pgcrypto</filename> configures itself according to the findings of the
1147    main PostgreSQL <literal>configure</literal> script.  The options that
1148    affect it are <literal>--with-zlib</literal> and
1149    <literal>--with-openssl</literal>.
1150   </para>
1151
1152   <para>
1153    When compiled with zlib, PGP encryption functions are able to
1154    compress data before encrypting.
1155   </para>
1156
1157   <para>
1158    When compiled with OpenSSL, there will be more algorithms available.
1159    Also public-key encryption functions will be faster as OpenSSL
1160    has more optimized BIGNUM functions.
1161   </para>
1162
1163   <table id="pgcrypto-with-without-openssl">
1164    <title>Summary of Functionality with and without OpenSSL</title>
1165    <tgroup cols="3">
1166     <thead>
1167      <row>
1168       <entry>Functionality</entry>
1169       <entry>Built-in</entry>
1170       <entry>With OpenSSL</entry>
1171      </row>
1172     </thead>
1173     <tbody>
1174      <row>
1175       <entry>MD5</entry>
1176       <entry>yes</entry>
1177       <entry>yes</entry>
1178      </row>
1179      <row>
1180       <entry>SHA1</entry>
1181       <entry>yes</entry>
1182       <entry>yes</entry>
1183      </row>
1184      <row>
1185       <entry>SHA224/256/384/512</entry>
1186       <entry>yes</entry>
1187       <entry>yes</entry>
1188      </row>
1189      <row>
1190       <entry>Other digest algorithms</entry>
1191       <entry>no</entry>
1192       <entry>yes (Note 1)</entry>
1193      </row>
1194      <row>
1195       <entry>Blowfish</entry>
1196       <entry>yes</entry>
1197       <entry>yes</entry>
1198      </row>
1199      <row>
1200       <entry>AES</entry>
1201       <entry>yes</entry>
1202       <entry>yes</entry>
1203      </row>
1204      <row>
1205       <entry>DES/3DES/CAST5</entry>
1206       <entry>no</entry>
1207       <entry>yes</entry>
1208      </row>
1209      <row>
1210       <entry>Raw encryption</entry>
1211       <entry>yes</entry>
1212       <entry>yes</entry>
1213      </row>
1214      <row>
1215       <entry>PGP Symmetric encryption</entry>
1216       <entry>yes</entry>
1217       <entry>yes</entry>
1218      </row>
1219      <row>
1220       <entry>PGP Public-Key encryption</entry>
1221       <entry>yes</entry>
1222       <entry>yes</entry>
1223      </row>
1224     </tbody>
1225    </tgroup>
1226   </table>
1227
1228   <para>
1229    When compiled against <productname>OpenSSL</productname> 3.0.0 and later
1230    versions, the legacy provider must be activated in the
1231    <filename>openssl.cnf</filename> configuration file in order to use older
1232    ciphers like DES or Blowfish.
1233   </para>
1234
1235   <para>
1236    Notes:
1237   </para>
1238
1239   <orderedlist>
1240    <listitem>
1241     <para>
1242      Any digest algorithm OpenSSL supports is automatically picked up.
1243      This is not possible with ciphers, which need to be supported
1244      explicitly.
1245     </para>
1246    </listitem>
1247   </orderedlist>
1248  </sect3>
1249
1250  <sect3>
1251   <title>NULL Handling</title>
1252
1253   <para>
1254    As is standard in SQL, all functions return NULL, if any of the arguments
1255    are NULL.  This may create security risks on careless usage.
1256   </para>
1257  </sect3>
1258
1259  <sect3>
1260   <title>Security Limitations</title>
1261
1262   <para>
1263    All <filename>pgcrypto</filename> functions run inside the database server.
1264    That means that all
1265    the data and passwords move between <filename>pgcrypto</filename> and client
1266    applications in clear text.  Thus you must:
1267   </para>
1268
1269   <orderedlist>
1270    <listitem>
1271     <para>Connect locally or use SSL connections.</para>
1272    </listitem>
1273    <listitem>
1274     <para>Trust both system and database administrator.</para>
1275    </listitem>
1276   </orderedlist>
1277
1278   <para>
1279    If you cannot, then better do crypto inside client application.
1280   </para>
1281
1282   <para>
1283    The implementation does not resist
1284    <ulink url="https://en.wikipedia.org/wiki/Side-channel_attack">side-channel
1285    attacks</ulink>.  For example, the time required for
1286    a <filename>pgcrypto</filename> decryption function to complete varies among
1287    ciphertexts of a given size.
1288   </para>
1289  </sect3>
1290
1291  <sect3>
1292   <title>Useful Reading</title>
1293
1294   <itemizedlist>
1295    <listitem>
1296     <para><ulink url="https://www.gnupg.org/gph/en/manual.html"></ulink></para>
1297     <para>The GNU Privacy Handbook.</para>
1298    </listitem>
1299    <listitem>
1300     <para><ulink url="https://www.openwall.com/crypt/"></ulink></para>
1301     <para>Describes the crypt-blowfish algorithm.</para>
1302    </listitem>
1303    <listitem>
1304     <para>
1305      <ulink url="https://www.iusmentis.com/security/passphrasefaq/"></ulink>
1306     </para>
1307     <para>How to choose a good password.</para>
1308    </listitem>
1309    <listitem>
1310     <para><ulink url="http://world.std.com/~reinhold/diceware.html"></ulink></para>
1311     <para>Interesting idea for picking passwords.</para>
1312    </listitem>
1313    <listitem>
1314     <para>
1315      <ulink url="http://www.interhack.net/people/cmcurtin/snake-oil-faq.html"></ulink>
1316     </para>
1317     <para>Describes good and bad cryptography.</para>
1318    </listitem>
1319   </itemizedlist>
1320  </sect3>
1321
1322  <sect3>
1323   <title>Technical References</title>
1324
1325   <itemizedlist>
1326    <listitem>
1327     <para><ulink url="https://tools.ietf.org/html/rfc4880"></ulink></para>
1328     <para>OpenPGP message format.</para>
1329    </listitem>
1330    <listitem>
1331     <para><ulink url="https://tools.ietf.org/html/rfc1321"></ulink></para>
1332     <para>The MD5 Message-Digest Algorithm.</para>
1333    </listitem>
1334    <listitem>
1335     <para><ulink url="https://tools.ietf.org/html/rfc2104"></ulink></para>
1336     <para>HMAC: Keyed-Hashing for Message Authentication.</para>
1337    </listitem>
1338    <listitem>
1339     <para>
1340      <ulink url="https://www.usenix.org/legacy/events/usenix99/provos.html"></ulink>
1341     </para>
1342     <para>Comparison of crypt-des, crypt-md5 and bcrypt algorithms.</para>
1343    </listitem>
1344    <listitem>
1345     <para>
1346      <ulink url="https://en.wikipedia.org/wiki/Fortuna_(PRNG)"></ulink>
1347     </para>
1348     <para>Description of Fortuna CSPRNG.</para>
1349    </listitem>
1350    <listitem>
1351     <para><ulink url="https://jlcooke.ca/random/"></ulink></para>
1352     <para>Jean-Luc Cooke Fortuna-based <filename>/dev/random</filename> driver for Linux.</para>
1353    </listitem>
1354   </itemizedlist>
1355  </sect3>
1356 </sect2>
1357
1358 <sect2>
1359  <title>Author</title>
1360
1361  <para>
1362   Marko Kreen <email>markokr@gmail.com</email>
1363  </para>
1364
1365  <para>
1366   <filename>pgcrypto</filename> uses code from the following sources:
1367  </para>
1368
1369  <informaltable>
1370   <tgroup cols="3">
1371    <thead>
1372     <row>
1373      <entry>Algorithm</entry>
1374      <entry>Author</entry>
1375      <entry>Source origin</entry>
1376     </row>
1377    </thead>
1378    <tbody>
1379     <row>
1380      <entry>DES crypt</entry>
1381      <entry>David Burren and others</entry>
1382      <entry>FreeBSD libcrypt</entry>
1383     </row>
1384     <row>
1385      <entry>MD5 crypt</entry>
1386      <entry>Poul-Henning Kamp</entry>
1387      <entry>FreeBSD libcrypt</entry>
1388     </row>
1389     <row>
1390      <entry>Blowfish crypt</entry>
1391      <entry>Solar Designer</entry>
1392      <entry>www.openwall.com</entry>
1393     </row>
1394     <row>
1395      <entry>Blowfish cipher</entry>
1396      <entry>Simon Tatham</entry>
1397      <entry>PuTTY</entry>
1398     </row>
1399     <row>
1400      <entry>Rijndael cipher</entry>
1401      <entry>Brian Gladman</entry>
1402      <entry>OpenBSD sys/crypto</entry>
1403     </row>
1404     <row>
1405      <entry>MD5 hash and SHA1</entry>
1406      <entry>WIDE Project</entry>
1407      <entry>KAME kame/sys/crypto</entry>
1408     </row>
1409     <row>
1410      <entry>SHA256/384/512 </entry>
1411      <entry>Aaron D. Gifford</entry>
1412      <entry>OpenBSD sys/crypto</entry>
1413     </row>
1414     <row>
1415      <entry>BIGNUM math</entry>
1416      <entry>Michael J. Fromberger</entry>
1417      <entry>dartmouth.edu/~sting/sw/imath</entry>
1418     </row>
1419    </tbody>
1420   </tgroup>
1421  </informaltable>
1422 </sect2>
1423
1424</sect1>
1425