‘pgp_sym_encrypt’ and ‘pgp_sym_decrypt’ mechanism with HSM (hardware security module)

Question

I want to replace PostgreSQL encryption function ‘pgp_sym_encrypt’ and ‘pgp_sym_decrypt’ mechanism with HSM (hardware security module). Can i implement it to replace existing algorithm with HSM.

Answer 1

If your client is paying you to find this out, it'd be nice if you would do some research and work on it, not just ask Stack Overflow.

The pgp_sym_ functions are in contrib/pgcrypto/pgp-pgsql.c. They're wrappers for decrypt_internal, and in turn around the functions exposed in pgp.h and implemented in the pgp*.c files.

You'll see that pgcrypto has its own OpenPGP implementation. That means it's not using GnuPG as a library, and therefore cannot simply use GnuPG's support for hardware security modules directly.

If you want support for HSMs, you will need to implement it yourself in the pgcrypto extension. You may be able to use libgcrypt and GPGME functions to help you out, and/or functionality in OpenSSL. It depends on what HSM you're using; it might just a client library that does most of what you want.

It may be simpler, if your HSM has a client library that has functionality you want, to wrap that with PostgreSQL user-defined functions and expose it to SQL as a new contrib module.

Either way, you will have to do a lot of reading and a lot of research. You will need to know the C programming language and be comfortable working with it. You will need to understand how user-defined functions in PostgreSQL work. If you can't manage any of that, you'll need to subcontract the work to somebody who does, give them access to a sample of the HSM in question, and pay them for their time. (No, I'm not fishing for work, I already have too much).

Answer 2

Many HSM's can be programmed some of them will undoubtedly be both Turing complete and have enough memory to perform your encryption function (whatever that may be). So the answer is "yes".