1.加密等值查询概述随着企业数据上云,数据安全和隐私保护面临越来越严峻的挑战。秘密数据库将解决数据全生命周期的隐私保护问题,涵盖网络传输、数据存储、数据运行状态;进一步地,秘密数据库可以实现云场景下数据隐私权的分离,即实现数据拥有者与实际数据管理者的数据读取能力分离。加密等价查询会优先解决密文数据的等价查询问题。密态等价查询目前支持客户端工具gsql和JDBC。下面介绍如何使用客户端工具进行密态等值查询相关操作。2、使用gsql操作秘库操作步骤以操作系统用户omm登录主节点。执行以下命令启用秘密状态开关并连接到秘密状态数据库。gsql-pPORTpostgres-r-C这里需要将PORT替换为实际值。创建客户端主密钥CMK和列加密密钥CEK。--创建客户端加密主密钥(CMK)openGauss=#CREATECLIENTMASTERKEYImgCMK1WITH(KEY_STORE=localkms,KEY_PATH="key_path_value1",ALGORITHM=RSA_2048);openGauss=#CREATECLIENTMASTERKEYImgCMKWITH(KEY_STORE=localkms,KEY_PATH="key_path_value2",ALGORITHM=RSA_2048);openGauss=#CREATECOLUMNENCRYPTIONKEYImgCEK1WITHVALUES(CLIENT_MASTER_KEY=ImgCMK1,ALGORITHM=AEAD_AES_256_CBC_HMAC_SHA256);CREATECOLUMNENCRYPTIONKEYopenGauss=#使用值创建列加密密钥ImgCEK(CLIENT_MASTER_KEY=ImgCMK,ALGORITHM=AEAD_AES_256_CBC_HMAC_SHA256);CREATECOLUMNENCRYPTIONKEY查询存储密钥信息的系统表,结果如下:openGauss=#SELECT*FROMgs_client_global_keys;全局键名|键名空间|密钥所有者|key_acl|创建日期----------------+------------+------------+---------+--------------------------imgcmk1|2200|10||2021-04-2111:04:00.656617imgcmk|2200|10||2021-04-2111:04:05.389746(2行)openGauss=#SELECTcolumn_key_name,column_key_distributed_id,global_key_id,key_ownerFROMgs_column_keys;column_key_name|column_key_distributed_id|global_key_id|key_owner----------------+------------------------+-------------+------------imgcek1|760411027|16392|10imgcek|3618369306|16398|10(2行)创建加密表:openGauss=#CREATETABLEcreditcard_info(id_numberint,nametextencryptedwith(column_encryption_key=ImgCEK,encryption_type=DETERMINISTIC),credit_cardvarchar(19)encryptedwith(column_encryption_key=ImgCEK1,encryption_type=DETERMINISTIC));注意:未指定“DISTRIBUTEBY”子句。默认使用'id_number'作为分布列。提示:请使用'DISTRIBUTEBY'子句指定合适的数据分布列。CREATETABLE查询表的详细信息如下,修饰符值为加密则表示该列是加密列openGauss=#\dcreditcard_info表“public.creditcard_info”列|类型|修饰符------------+--------------------+------------id_number|整数|姓名|文字|加密信用卡|性格变化|encrypted向加密表中插入数据并执行等效查询。openGauss=#INSERTINTOcreditcard_infoVALUES(1,'joe','6217986500001288393');INSERT01openGauss=#INSERTINTOcreditcard_infoVALUES(2,'joy','6219985678349800033');INSERT01openGauss_#select*fromcreditcardinfo其中*名字='乔';编号|姓名|信用卡------------+------+---------------------1|乔|6217986500001288393(1行)注:使用非机密客户端查看加密表数据时,为密文openGauss=#selectid_number,namefromcreditcard_info;编号|名称-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------1|\x011aefabd754ded0a536a96664790622487c4d366d313aecd5839e410a46d29cba96a60e4831000000ee79056a114c9a6c041bb552b78052e912a8b7306091420734|\x011aefabd76853108eb406c0f90e7c773b71648fa6e2b8028cf634b49aec65b4fcfb376f3531000000f7471c8686682de215d09aa87113f6fb03884be2031ef4dd967afc6f7901646b(2行)(可选)更改和更新加密表openGauss=#ALTERTABLEcreditcard_infoADDCOLUMNageintENCRYPTEDWITH(COLUMN_ENCRYPTION_KEY=ImgCEK,ENCRYPTION_TYPE=DETERMINISTIC);ALTERTABLEopenGauss=#\dcreditcard_info表“public.creditcard_info”|---+--------------------+------------id_number|整数|姓名|文字|加密信用卡|性格变化|加密时代|整数|encryptedopenGauss=#ALTERTABLEcreditcard_infoDROPCOLUMNage;ALTERTABLEopenGauss=#updatecreditcard_infosetcredit_card='80000000011111111'wherename='joy';更新1openGauss=#select*fromcreditcard_infowherename='joy';编号|姓名|信用卡------------+------+--------------------2|喜悦|80000000011111111(1行)3.使用JDBC连接到一个密集的数据库。连接密集型数据库需要使用驱动包gsjdbc4.jar。具体的JDBC连接参数可以参考基于JDBC开发的章节。JDBC支持机密数据库相关操作,需要设置enable_ce=1。示例如下:publicstaticConnectiongetConnect(Stringusername,Stringpasswd){//驱动类。Stringdriver="org.postgresql.Driver";//数据库连接描述符。StringsourceURL="jdbc:postgresql://10.10.0.13:8000/postgres?enable_ce=1";连接conn=null;try{//加载驱动程序。Class.forName(驱动程序);}catch(异常e){e.printStackTrace();返回空值;}try{//创建连接。conn=DriverManager.getConnection(sourceURL,username,passwd);System.out.println("连接成功!");}catch(Exceptione){e.printStackTrace();返回空值;}返回康恩;};描述:【建议】使用JDBC操作机密数据库时,一个数据库连接对象对应一个线程,否则不同线程的更改可能会引起冲突。[建议]使用JDBC操作密态数据库时,不同连接对密态配置数据有变更,客户端调用isvalid方法保证连接能持有变更后的密态配置数据。此时需要保证参数refreshClientEncryption为1(默认值为1),在单个客户端操作加密数据的场景下,refreshClientEncryption参数可以设置为0。调用isValid方法刷新缓存示例//创建客户端主密钥Connectionconn1=DriverManager.getConnection("url","user","password");//conn1通过调用isValid刷新缓存try{if(!conn1.getConnection().isValid(60)){conn1.getFileWriter().writeLine("isValid连接1失败");}}catch(SQLExceptione){conn1.getFileWriter().writeLine("isValidFailedwitherror");e.printStackTrace();}执行加密状态等效查询相关的key语句//创建客户端主密钥Connectionconn=DriverManager.getConnection("url","user","password");Statementstmt=conn.createStatement();intrc=stmt.executeUpdate("CREATECLIENTMASTERKEYImgCMK1WITH(KEY_STORE=gs_ktool,KEY_PATH=\"gs_ktool/1\",ALGORITHM=AES_256_CBC;");intrc=stmt.executeUpdate("创建客户端MASTERKEYImgCMK1WITH(KEY_STORE=localkms,KEY_PATH=\"key_path_value\",ALGORITHM=RSA_2048);注意:在创建密钥之前,需要使用gs_ktool工具提前生成密钥才能成功创建CMK。//创建列加密密钥intrc2=stmt.executeUpdate("CREATECOLUMNENCRYPTIONKEYImgCEK1WITHVALUES(CLIENT_MASTER_KEY=ImgCMK1,ALGORITHM=AEAD_AES_256_CBC_HMAC_SHA256);");执行加密等价查询相关的加密表创建语句intrc3=stmt.executeUpdate("CREATETABLEcreditcard_info(id_numberint,namevarchar(50)encryptedwith(column_encryption_key=ImgCEK1,encryption_type=DETERMINISTIC),credit_cardvarchar(19)加密(column_encryption_key=ImgCEK1,encryption_type=DETERMINISTIC));");//插入数据intrc4=stmt.executeUpdate("INSERTINTOcreditcard_infoVALUES(1,'joe','6217986500001288393');//查询加密表ResultSetrs=null;rs=stmt.executeQuery("select*fromcreditcard_infowherename='joe';");//关闭语句对象stmt.close();执行加密表的预编译SQL语句//调用Connection的prepareStatement方法创建预编译语句对象。PreparedStatementpstmt=con.prepareStatement("INSERTINTOcreditcard_infoVALUES(?,?,?);");//调用PreparedStatement的setShort设置参数。pstmt.setInt(1,2);pstmt.setString(2,"joy");pstmt.setString(3,"6219985678349800033");//调用PreparedStatement的executeUpdate方法执行预编译的SQL语句。introwcount=pstmt.executeUpdate();//调用PreparedStatement的close方法关闭preparedstatement对象。pstmt.close();执行加密表的批量操作//调用Connection的prepareStatement方法创建预编译语句对象。Connectionconn=DriverManager.getConnection("url","user","password");PreparedStatementpstmt=conn.prepareStatement("INSERTINTObatch_table(id,name,address)VALUES(?,?,?)");//调用setShort为每条数据设置参数,调用addBatch确认设置该条。int循环计数=20;for(inti=1;i
