I want to replace PostgreSQL encryption function ‘pgp_sym_encrypt’ and ‘pgp_sym_decrypt’ mechanism with HSM (hardware security module). Can i implement it to replace existing algorithm with HSM.
‘pgp_sym_encrypt’ and ‘pgp_sym_decrypt’ mechanism with HSM (hardware security module)
1.4k views Asked by ajkush At
2
If your client is paying you to find this out, it'd be nice if you would do some research and work on it, not just ask Stack Overflow.
The
pgp_sym_
functions are incontrib/pgcrypto/pgp-pgsql.c
. They're wrappers fordecrypt_internal
, and in turn around the functions exposed inpgp.h
and implemented in thepgp*.c
files.You'll see that pgcrypto has its own OpenPGP implementation. That means it's not using GnuPG as a library, and therefore cannot simply use GnuPG's support for hardware security modules directly.
If you want support for HSMs, you will need to implement it yourself in the
pgcrypto
extension. You may be able to uselibgcrypt
andGPGME
functions to help you out, and/or functionality in OpenSSL. It depends on what HSM you're using; it might just a client library that does most of what you want.It may be simpler, if your HSM has a client library that has functionality you want, to wrap that with PostgreSQL user-defined functions and expose it to SQL as a new contrib module.
Either way, you will have to do a lot of reading and a lot of research. You will need to know the C programming language and be comfortable working with it. You will need to understand how user-defined functions in PostgreSQL work. If you can't manage any of that, you'll need to subcontract the work to somebody who does, give them access to a sample of the HSM in question, and pay them for their time. (No, I'm not fishing for work, I already have too much).