devbox
凡人多烦事01
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

PostgreSQL 对称加密、非对称加密用法介绍

作者:凡人多烦事01 | 2024-02-22 08:22:02

postgresql 对称加密

点击有惊喜


标签

PostgreSQL , 对称加密 , 非对称加密 , Symmetric , ASymmetric , public , private , pgcrypto , 区块链

背景

对称加密方法,指加密和解密使用同一把密钥的方法。优势是加密速度快,缺陷是密钥只有一把,安全性较低。

非对称加密方法,指加密和解密用到一对钥匙,一把为私钥,一把为公钥。通常的用法是公钥用于加密,私钥用于解密。优势是更加安全,你自己只要保护好私钥,就可以保证别人给你发的数据无法被篡改、窃听。缺陷是加解密效率比对称加密更差一些。

混合加密,指发送大量加密数据前,首先使用非对称加密,将对称加密的密钥加密发送给对端,然后双方使用对称加密通讯。时长更改对称加密的密钥来保证安全。

PostgreSQL pgcrypto插件,同时支持对称和非对称加密,详细用法参考:

https://www.postgresql.org/docs/devel/static/pgcrypto.html

用法介绍

一、对称加密

加密和解密使用同一把钥匙。

1、加密

  1. postgres=# \x  
  2. Expanded display is on.  
  3. postgres=# select pgp_sym_encrypt('需要加密的文字,你好呀,我是digoal.', 'this is password', 'cipher-algo=aes256, compress-algo=2');  
  4. -[ RECORD 1 ]---+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------  
  5. pgp_sym_encrypt | \xc30d040903022bdfd5bc64a755e072d27001818495e940d555f02711fed0cce27265d8955af6a669c6996dfd805dbfdf45c0e81ceb7aff8ced8dad51a812127043674720e054e4bf8738048b5e57df3b87b1f786270db0dddb14a9bc89701a53fc6d9a597861a818f7bb38f085ca7c413af25c68344f4676f62aa1a72c76183369

2、解密

  1. postgres=# select pgp_sym_decrypt('\xc30d040903022bdfd5bc64a755e072d27001818495e940d555f02711fed0cce27265d8955af6a669c6996dfd805dbfdf45c0e81ceb7aff8ced8dad51a812127043674720e054e4bf8738048b5e57df3b87b1f786270db0dddb14a9bc89701a53fc6d9a597861a818f7bb38f085ca7c413af25c68344f4676f62aa1a72c76183369', 'this is password');  
  2. -[ RECORD 1 ]---+------------------------------------  
  3. pgp_sym_decrypt | 需要加密的文字,你好呀,我是digoal.

二、非对称加密

由于非对称加解密使用的是一对公钥和密钥,首先需要生成一对公钥和密钥。

使用gpg --gen-key 可以生成。

以Linux系统为例。

安装、启动rng-tools

为了快速生成随机数,需要安装rng-tools。(产生公钥与密钥时,需要一些随机数)

yum install -y rng-tools

启动rngd,生成随机数

  1. rngd  
  2.   
  3. read error  
  4.   
  5. hwrng: no available rng  
  6. Unable to open file: /dev/tpm0  
  1. # ps -ewf|grep rngd  
  2. root     14762     1  0 14:52 ?        00:00:00 rngd  
  3. root     14767 12394  0 14:52 pts/4    00:00:00 grep --color=auto rngd
生成一对公钥和密钥

1、

  1. # gpg --gen-key  
  2. gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.  
  3. This is free software: you are free to change and redistribute it.  
  4. There is NO WARRANTY, to the extent permitted by law.

2、输入KEY类别,选择2

  1. Please select what kind of key you want:  
  2.    (1) RSA and RSA (default)  
  3.    (2) DSA and Elgamal  
  4.    (3) DSA (sign only)  
  5.    (4) RSA (sign only)  
  6. Your selection? 2

3、选择KEY的长度

  1. DSA keys may be between 1024 and 3072 bits long.  
  2. What keysize do you want? (2048)   
  3. Requested keysize is 2048 bits

4、输入KEY的有效时间,这里输入的是10年

  1. Please specify how long the key should be valid.  
  2.          0 = key does not expire  
  3.       <n>  = key expires in n days  
  4.       <n>w = key expires in n weeks  
  5.       <n>m = key expires in n months  
  6.       <n>y = key expires in n years  
  7. Key is valid for? (0) 10y  
  8. Key expires at Thu 24 Feb 2028 02:52:09 PM CST

5、是否正确

Is this correct? (y/N) y

6、输入KEY的标识

  1. GnuPG needs to construct a user ID to identify your key.  
  2.   
  3. Real name: digoal  
  4. Email address: digoal@126.com  
  5. Comment: test  
  6. You selected this USER-ID:  
  7.     "digoal (test) <digoal@126.com>"

7、确认

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

8、输入私有密钥的保护密码

  1. You need a Passphrase to protect your secret key.  
  2. 假设这里输入了 hello123  
  3.   
  4. lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk  
  5. x Enter passphrase                                    x  
  6. x                                                     x  
  7. x                                                     x  
  8. x Passphrase ********________________________________ x  
  9. x                                                     x  
  10. x       <OK>                             <Cancel>     x  
  11. mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj  
  12.   
  13. lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk  
  14. x Please re-enter this passphrase                     x  
  15. x                                                     x  
  16. x Passphrase ********________________________________ x  
  17. x                                                     x  
  18. x       <OK>                             <Cancel>     x  
  19. mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj

生成好后,也能设置密码

  1. # gpg --passwd "digoal (test) <digoal@126.com>"  
  2.   
  3. lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk  
  4. x Please enter the passphrase to unlock the secret key for the OpenPGP certificate:  x  
  5. x "digoal (test) <digoal@126.com>"                                                   x  
  6. x 2048-bit DSA key, ID 42CF57DB,                                                     x  
  7. x created 2018-02-26.                                                                x  
  8. x                                                                                    x  
  9. x                                                                                    x  
  10. x Passphrase *********______________________________________________________________ x  
  11. x                                                                                    x  
  12. x            <OK>                                                  <Cancel>          x  
  13. mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj  
  14.   
  15. Enter the new passphrase for this secret key.  
  16.   
  17. lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk  
  18. x Enter passphrase                                    x  
  19. x                                                     x  
  20. x                                                     x  
  21. x Passphrase ********________________________________ x  
  22. x                                                     x  
  23. x       <OK>                             <Cancel>     x  
  24. mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj  
  25.   
  26.   
  27. lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk  
  28. x Please re-enter this passphrase                     x  
  29. x                                                     x  
  30. x Passphrase ********________________________________ x  
  31. x                                                     x  
  32. x       <OK>                             <Cancel>     x  
  33. mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj

9、生成密钥过程中,需要机器有一定的随机输入,所以我们前面启动了rngd

  1. We need to generate a lot of random bytes. It is a good idea to perform  
  2. some other action (type on the keyboard, move the mouse, utilize the  
  3. disks) during the prime generation; this gives the random number  
  4. generator a better chance to gain enough entropy.  
  5. gpg: WARNING: some OpenPGP programs can't handle a DSA key with this digest size  
  6. We need to generate a lot of random bytes. It is a good idea to perform  
  7. some other action (type on the keyboard, move the mouse, utilize the  
  8. disks) during the prime generation; this gives the random number  
  9. generator a better chance to gain enough entropy.

点击有惊喜


声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/凡人多烦事01/article/detail/129270
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号