Client guide

Updated at:
Copy as MD

This guide describes how to connect to and use a Fully Encrypted Database from a client application.

Prerequisites

  • You have enabled Fully Encrypted Database. For more information, see Enable Fully Encrypted Database.

  • You have defined which columns contain sensitive data. For more information, see Define or convert sensitive data.

    Test table used in this guide

    The price, miles, and secret columns are sensitive data.

    CREATE TABLE example (
        id      INTEGER,
        name    VARCHAR,
        price   enc_int4,
        miles   enc_float4,
        secret  enc_text,
        PRIMARY KEY (id)
    );
  • Obtain the database connection details: hostname, port, database name, username, and password. For instructions on how to find the public and internal endpoints for your instance, see View or modify connection endpoints and ports.

  • The application described in this article is developed by using Java. Make sure that you have a Java development environment. We recommend that you use Java version 1.8 or later, Maven version 3.9.2, and IntelliJ IDEA Community Edition 2022.3.2 as the development tool.

Notes

Please securely store your master key (MEK).

Client examples

The Fully Encrypted Database feature encrypts sensitive data in query results. To enable your application to process encrypted data, connect using one of the following client access methods:

Access method

Description

Code changes

Application

EncJDBC

Automatically detects encrypted data types and handles encryption and decryption.

(Recommended) Requires almost no changes to your business logic code.

EncDB SDK

You must call encryption and decryption functions from the EncDB SDK to process plaintext or ciphertext.

Required.

psql command-line tool

Connects directly to the database for queries. Only ciphertext for encrypted columns is displayed.

For queries only. No code modification is required, as this method is not for application development.

Visual interaction tools such as the DMS console

EncJDBC

Download driver and dependencies

  1. Download the EncJDBC driver.

    EncJDBC depends on the community-provided PostgreSQL driver to work.

    RDS PostgreSQL minor version

    Server-side plugin version

    Client dependency

    20230830 or later

    1.1.13 or later

    encjdbc-1.0.6.jar

  2. Configure Maven dependencies.

    Note

    This guide uses a Maven project as an example.

    1. Run the following command to install the EncJDBC dependency package to your local repository:

      mvn install:install-file -DgroupId=com.alibaba.encdb -DartifactId=<jar_name> -Dversion=<jar_version> -Dpackaging=jar -Dfile=<jar_filename>

      Example:

      mvn install:install-file -DgroupId=com.alibaba.encdb -DartifactId=encjdbc -Dversion=1.0.6 -Dpackaging=jar -Dfile=D:\encdb\libs\encjdbc-1.0.6.jar
      Note
      • In this example, the EncDB dependency packages are in the D:\encdb\libs directory.

      • This example uses Maven version 3.9.2. If you encounter an installation error, upgrade your Maven version and try again.

    2. After installing the EncJDBC dependency in the local repository, you need to add the following dependency to the pom.xml file of your Maven project.

      <dependencies>
         ...
         <dependency>
            <groupId>com.alibaba.encdb</groupId>
            <artifactId>encjdbc</artifactId>
            <version>1.0.6</version>
         </dependency>
         <!-- https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on -->
         <dependency>
           <groupId>org.bouncycastle</groupId>
           <artifactId>bcprov-jdk15on</artifactId>
           <version>1.62</version>
         </dependency>
         <!-- https://mvnrepository.com/artifact/org.bouncycastle/bcpkix-jdk15on -->
         <dependency>
           <groupId>org.bouncycastle</groupId>
           <artifactId>bcpkix-jdk15on</artifactId>
           <version>1.62</version>
         </dependency>
         <dependency>
           <groupId>com.alibaba.fastjson2</groupId>
           <artifactId>fastjson2</artifactId>
           <version>2.0.2</version>
         </dependency>
         <!-- https://mvnrepository.com/artifact/org.postgresql/postgresql -->
         <dependency>
           <groupId>org.postgresql</groupId>
           <artifactId>postgresql</artifactId>
           <version>42.2.23</version>
         </dependency>
         <dependency>
           <groupId>com.google.guava</groupId>
           <artifactId>guava</artifactId>
           <version>24.1.1-jre</version>
         </dependency>
         <dependency>
           <groupId>com.alibaba</groupId>
           <artifactId>druid</artifactId>
           <version>1.2.4</version>
         </dependency>
         <dependency>
           <groupId>org.jgrapht</groupId>
           <artifactId>jgrapht-core</artifactId>
           <!-- jgrapht does not support java 1.8 since 1.5.0 -->
           <version>1.4.0</version>
        </dependency>
         ...
      </dependencies>

Client query example

Warning

The code shown in this example is for demonstration purposes only. Do not set password or mek in plaintext in your production code. We recommend that you use other methods, such as external configuration files or environment variables, to handle these values and then reference them in your code.

  • URL configuration

    You can use EncJDBC like any other JDBC. However, you first need to configure the following information related to your data security in EncJDBC.

    // Prepare your connection details: hostname, port, database name (dbname), username, and password.
    // For more details, see the data security parameters section.
    String mek=...;
    String encAlgo=...;
    String dbUrl = String.format("encjdbc:postgresql://%s:%s/%s?mek=%s&enc_algo=%s", hostname, port, dbname, mek, encAlgo);
    Class.forName("com.alibaba.encdb.encjdbc.EncDriver");
    Connection dbConnection = DriverManager.getConnection(dbUrl, username, password);
    // ... Run queries ...

    Data security parameters

    Parameter

    Sample value

    Description

    mek

    0x00112233445566778899aabbccddeeff

    The user-defined master key (MEK).

    You can generate an MEK using tools like OpenSSL (openssl rand -hex 16), a random function in your programming language, or by retrieving it from a third-party Key Management Service (KMS).

    The value must be a 32-character hexadecimal string.

    Warning

    The master key (MEK) is the root credential for accessing your encrypted data. For security, Fully Encrypted Database does not store or manage your MEK, nor does it provide generation or backup services for it. You are responsible for generating and securely backing up your MEK. If you lose the key, you will permanently lose access to your data. We strongly recommend that you back up your MEK in a secure location.

    enc_algo

    SM4_128_CBC

    The encryption algorithm. Valid values:

    • International algorithms:

      • AES_128_GCM

      • AES_128_CBC

      • AES_128_ECB

    • Chinese cryptographic algorithms:

      • SM4_128_GCM

      • SM4_128_CBC (Default)

      • SM4_128_ECB

    Note
    • CTR encryption algorithms are not supported.

    • The AES_128_ECB and SM4_128_ECB algorithms are less secure. Use them with caution. We strongly recommend using a more secure algorithm.

    enc_scheme

    RND

    The encryption scheme. Valid values:

    • RND (Default): randomized encryption.

    • DET: deterministic encryption.

    Note

    When enc_algo is set to AES_128_ECB or SM4_128_ECB, this parameter has no effect.

    dek_gen_mode

    ENCLAVE

    The method for generating the data key (DEK). Valid values:

    • ENCLAVE (Default): The database server generates the data key (DEK) inside a trusted enclave.

    • LOCAL: The client generates the data key (DEK).

    stateless

    true

    Stateless mode for the encrypted database. Valid values:

    • true (Default): The MEK does not expire when the connection is closed.

    • false: The MEK expires when the connection is closed.

    Note
    • In a URL configuration, you can concatenate multiple parameters with &.

    • The mek and other parameters are processed locally on the client and securely distributed to the server by using envelope encryption, ensuring that the mek is never leaked.

  • Complete code example

    // Replace the hostname, port, database name (dbname), username, and password with your instance's details.
    String hostname = "hostname";
    String port = "port";
    String dbname = "db";
    String username = "user";
    String password = "password";
    String mek="00112233445566778899aabbccddeeff";  // This is an example. Use a more complex key in production.
    String encAlgo="SM4_128_CBC";
    String dbUrl = String.format("encjdbc:postgresql://%s:%s/%s?mek=%s&enc_algo=%s", hostname, port, dbname, mek, encAlgo);
    Class.forName("com.alibaba.encdb.encjdbc.EncDriver");
    Connection dbConnection = DriverManager.getConnection(dbUrl, username, password);
    // create table
    dbConnection.createStatement().executeUpdate("DROP TABLE IF EXISTS example");
    dbConnection.createStatement().executeUpdate("CREATE TABLE example (id INTEGER, name VARCHAR, price enc_int4, miles enc_float4, secret enc_text, PRIMARY KEY (id))");
    // insert data
    PreparedStatement stmt = dbConnection.prepareStatement("INSERT INTO example (id, name, price, miles, secret) VALUES(?,?,?,?,?)");
    int price = 1234;
    float miles = 12.34f;
    String secret = "aliyun";
    stmt.setInt(1, 1);
    stmt.setString(2, "name");
    stmt.setInt(3, price);
    stmt.setFloat(4, miles);
    stmt.setString(5, secret);
    stmt.execute();
    // check plaintext data
    String sqlCmd = "SELECT * FROM example WHERE  price > ?";
    PreparedStatement stmt = dbConnection.prepareStatement(sqlCmd);
    stmt.setInt(1, 100);
    ResultSet rs = stmt.executeQuery();
    while (rs.next()){
        int id = rs.getInt(1);
        String name = rs.getString(2);
        int price = rs.getInt(3);
        float miles = rs.getFloat(4);
        String secret = rs.getString(5);
        System.out.println(id + ", " + name + ", " + price + ", " + miles + ", " + secret);  
    }

    Sample output:

    1, name, 1234, 12.34, aliyun

The preceding EncJDBC code example shows that you only need to modify the driver loading and URL configuration. The rest of the process is identical to standard database access. You do not need to modify any business-related code.

EncDB SDK

Download driver and dependencies

  1. Download the EncDB SDK driver.

    EncDB SDK depends on the PostgreSQL driver provided by the community.

    RDS PostgreSQL minor version

    Server-side plugin version

    Client dependency

    20230830 or later

    1.1.13 or later

    libencdb-1.2.12.jar

  2. Configure Maven dependencies.

    Note

    This guide uses a Maven project as an example.

    1. Run the following command to install the EncDB SDK dependency package to your local repository:

      mvn install:install-file -DgroupId=com.alibaba.encdb -DartifactId=<jar_name> -Dversion=<jar_version> -Dpackaging=jar -Dfile=<jar_filename>

      Example:

      mvn install:install-file -DgroupId=com.alibaba.encdb -DartifactId=libencdb -Dversion=1.2.12 -Dpackaging=jar -Dfile=D:\encdb\libs\libencdb-1.2.12.jar
      Note
      • In this example, the EncDB dependency package is located at the D:\encdb\libs path.

      • This example uses Maven version 3.9.2. If you encounter an installation error, upgrade your Maven version and try again.

    2. After you install the EncDB SDK dependency in your local repository, you need to add the following dependencies to the pom.xml file in your Maven project.

      <dependencies>
         ...
         <dependency>
            <groupId>com.alibaba.encdb</groupId>
            <artifactId>libencdb</artifactId>
            <version>1.2.12</version>
         </dependency>
         <!-- https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on -->
         <dependency>
           <groupId>org.bouncycastle</groupId>
           <artifactId>bcprov-jdk15on</artifactId>
           <version>1.70</version>
         </dependency>
         <!-- https://mvnrepository.com/artifact/org.bouncycastle/bcpkix-jdk15on -->
         <dependency>
           <groupId>org.bouncycastle</groupId>
           <artifactId>bcpkix-jdk15on</artifactId>
           <version>1.70</version>
         </dependency>
         <dependency>
            <groupId>com.google.code.gson</groupId>
            <artifactId>gson</artifactId>
            <version>2.10.1</version>
          </dependency>
         <!-- https://mvnrepository.com/artifact/org.postgresql/postgresql -->
         <dependency>
           <groupId>org.postgresql</groupId>
           <artifactId>postgresql</artifactId>
           <version>42.2.23</version>
         </dependency>
         <dependency>
           <groupId>com.google.guava</groupId>
           <artifactId>guava</artifactId>
           <version>31.1-jre</version>
         </dependency>
         <dependency>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-api</artifactId>
            <version>1.7.30</version>
         </dependency>
         <dependency>
            <groupId>org.apache.commons</groupId>
            <artifactId>commons-collections4</artifactId>
            <version>4.4</version>
          </dependency>
         ...
      </dependencies>

Client query example

Warning

The code in this example is for demonstration purposes only. Do not set password or mek in plaintext in your production code. Instead, use external configuration files or environment variables and reference them in your code.

  • SDK configuration

    Before you send or receive ciphertext, you need to use the EncDB SDK to encrypt and decrypt data.

    The EncDB SDK provides interfaces for you to configure data security parameters when you initialize an SDK object. Typically, you only need to configure the master key (setMek) and the desired encryption algorithm (setEncAlgo). We recommend that you use the default configurations for all other parameters.

    // Prepare your connection details: hostname, port, database name (dbname), username, and password.
    // Establish a database connection using any JDBC version.
    String dbUrl = String.format("jdbc:postgresql://%s:%s/%s?binaryTransfer=true", hostname, port, dbname);
    Class.forName("org.postgresql.Driver");
    Connection dbConnection = DriverManager.getConnection(dbUrl, username, password);
    // Initialize the SDK.
    String mek=...;
    Constants.EncAlgo encAlgo=...;
    EncdbSDK sdk = EncdbSDKBuilder.newInstance()
            .setDbConnection(dbConnection)
            .setMek(mek)
            .setEncAlgo(encAlgo)
            .build();
    Cryptor cryptor = sdk.getCryptor();
    // Call the encryption/decryption interface.
    // byte[] cipherBytes = cryptor.encrypt(...);
    // XXX value = cryptor.decryptXXX(...):
    // ... Run queries ...

    SDK initialization parameters

    Parameter

    Sample value

    Description

    Mek

    0x00112233445566778899aabbccddeeff

    The user-defined master key (MEK).

    You can generate an MEK using tools like OpenSSL (openssl rand -hex 16), a random function in your programming language, or by retrieving it from a third-party Key Management Service (KMS).

    The value must be a 32-character hexadecimal string or a 16-byte binary array.

    Warning

    The master key (MEK) is the root credential for accessing your encrypted data. For security, Fully Encrypted Database does not store or manage your MEK, nor does it provide generation or backup services for it. You are responsible for generating and securely backing up your MEK. If you lose the key, you will permanently lose access to your data. We strongly recommend that you back up your MEK in a secure location.

    EncAlgo

    SM4_128_CBC

    The encryption algorithm. Valid values:

    • International algorithms:

      • AES_128_GCM

      • AES_128_CBC

      • AES_128_ECB

    • Chinese cryptographic algorithms:

      • SM4_128_GCM

      • SM4_128_CBC (Default)

      • SM4_128_ECB

    Note
    • CTR encryption algorithms are not supported.

    • The AES_128_ECB and SM4_128_ECB algorithms are less secure. Use them with caution. We strongly recommend using a more secure algorithm.

    EncScheme

    RND

    The encryption scheme. Valid values:

    • RND (Default): randomized encryption.

    • DET: deterministic encryption.

    Note

    When EncAlgo is AES_128_ECB or SM4_128_ECB, this parameter has no effect.

    DekGenMode

    ENCLAVE

    The method for generating the data key (DEK). Valid values:

    • ENCLAVE (Default): The database server generates the data key (DEK) inside a trusted enclave.

    • LOCAL: The client generates the data key (DEK).

    SdkMode

    Default

    SDK mode. Valid values:

    • Default: Supports all ciphertext data types available in both the basic and hardware-accelerated editions of Fully Encrypted Database.

    Stateless

    true

    Stateless mode for the encrypted database. Valid values:

    • true (Default): The MEK does not expire when the connection is closed.

    • false: The MEK expires when the connection is closed.

    Note

    The mek and other parameters are processed locally on the client and securely distributed to the server by using envelope encryption, ensuring that the mek is never leaked.

  • Complete code example

    // Replace the hostname, port, database name (dbname), username, and password with your instance's details.
    String hostname = "hostname";
    String port = "port";
    String dbname = "db";
    String username = "user";
    String password = "password";
    // Establish a database connection.
    String dbUrl = String.format("jdbc:postgresql://%s:%s/%s?binaryTransfer=true", hostname, port, dbname);
    Class.forName("org.postgresql.Driver");
    Connection dbConnection = DriverManager.getConnection(dbUrl, username, password);
    // Initialize the SDK.
    String mek="00112233445566778899aabbccddeeff";  // This is an example. Use a more complex key in production.
    Constants.EncAlgo encAlgo=Constants.EncAlgo.SM4_128_CBC;
    EncdbSDK sdk = EncdbSDKBuilder.newInstance()
            .setDbConnection(dbConnection)
            .setMek(mek)
            .setEncAlgo(encAlgo)
            .build();
    Cryptor cryptor = sdk.getCryptor();
    // create table
    dbConnection.createStatement().executeUpdate("DROP TABLE IF EXISTS example");
    dbConnection.createStatement().executeUpdate("CREATE TABLE example (id INTEGER, name VARCHAR, price enc_int4, miles enc_float4, secret enc_text, PRIMARY KEY (id))");
    // insert data
    PreparedStatement stmt = dbConnection.prepareStatement("INSERT INTO example (id, name, price, miles, secret) VALUES(?,?,?,?,?)");
    int price = 1234;
    float miles = 12.34f;
    String secret = "aliyun";
    stmt.setInt(1, 1);
    stmt.setString(2, "name");
    stmt.setBytes(3, cryptor.encrypt("example", "price", price));
    stmt.setBytes(4, cryptor.encrypt("example", "miles", miles));
    stmt.setBytes(5, cryptor.encrypt("example", "secret", secret));
    stmt.execute();
    // check plaintext data
    String sqlCmd = "SELECT * FROM example WHERE  price > ?";
    stmt = dbConnection.prepareStatement(sqlCmd);
    stmt.setBytes(1, cryptor.encrypt("example", "price", 100));
    ResultSet rs = stmt.executeQuery();
    while (rs.next()) {
        int id = rs.getInt(1);
        String name = rs.getString(2);
        price = cryptor.decryptInt(rs.getBytes(3));
        miles = cryptor.decryptFloat(rs.getBytes(4));
        String text = cryptor.decryptString(rs.getBytes(5));
        System.out.println(id +", " + name + ", " + price + ", " + miles + ", " + text);
    }

    Sample output:

    1, name, 1234, 12.34, aliyun

SDK reference

Java SDK module overview

EncDB SDK primarily consists of the following Java functional modules:

com.alibaba.encdb.crypto.EncdbSDKBuilder

This module is the builder class for the EncDB SDK. It provides the following APIs:

// Creates a new EncdbSDKBuilder instance.
EncdbSDKBuilder newInstance();
// (Required) Sets a database connection for libencdb key management operations. This connection can be independent of the one used for business logic.
EncdbSDKBuilder setDbConnection(java.sql.Connection dbConnection);
// (Required) Sets the master key. This can be a 16-byte byte[] object or a 32-character hexadecimal string.
EncdbSDKBuilder setMek(byte[] mek);
EncdbSDKBuilder setMek(String mekStr);
// (Optional) Sets the encryption algorithm. Options include AES_128_GCM, AES_128_CBC, AES_128_ECB, SM4_128_CBC, SM4_128_ECB, and SM4_128_GCM. The default is SM4_128_CBC.
EncdbSDKBuilder setEncAlgo(EncAlgo encAlgo);
// After you configure the preceding settings, this method constructs an EncdbSDK object.
EncdbSDK build();

com.alibaba.encdb.EncdbSDK

This module provides trusted key management and end-to-end secure communication. It provides the following API:

// Gets a Cryptor object for cryptographic operations.
Cryptor getCryptor();

com.alibaba.encdb.Cryptor

This module provides cryptographic functions. It provides the following APIs:

/**
 * @brief Encrypt interface
 *
 * @param schemaName schema name, used together with table name and column name to look up the data encryption key from the given database connection.
 *
 * @param tblName    table name, used together with column name to look up the data encryption key from the given database connection.
 *
 * @param colName    column name, used together with table name. To use the default data encryption key, set tblName = "default", colName="default"
 *
 * @param type       a valid encdb Type
 * @param val        value
 * @return           encrypted bytes
 */
byte[] encrypt(String schemaName, String tblName, String colName, EncType type, byte[] val);
byte[] encrypt(String schemaName, String tblName, String colName, byte[] val);
byte[] encrypt(String tblName, String colName, EncType type, byte[] val);
byte[] encrypt(String tblName, String colName, byte[] val);
// for int
byte[] encrypt(String schemaName, String tblName, String colName, EncType type, int val);
byte[] encrypt(String schemaName, String tblName, String colName, int val);
byte[] encrypt(String tblName, String colName, EncType type, int val);
byte[] encrypt(String tblName, String colName, int val);
// for long
byte[] encrypt(String schemaName, String tblName, String colName, EncType type, long val);
byte[] encrypt(String schemaName, String tblName, String colName, long val);
byte[] encrypt(String tblName, String colName, EncType type, long val);
byte[] encrypt(String tblName, String colName, long val);
// for float
byte[] encrypt(String schemaName, String tblName, String colName, EncType type, float val);
byte[] encrypt(String schemaName, String tblName, String colName, float val);
byte[] encrypt(String tblName, String colName, EncType type, float val);
byte[] encrypt(String tblName, String colName, float val);
// for double
byte[] encrypt(String schemaName, String tblName, String colName, EncType type, double val);
byte[] encrypt(String schemaName, String tblName, String colName, double val);
byte[] encrypt(String tblName, String colName, EncType type, double val);
byte[] encrypt(String tblName, String colName, double val);
// for String
byte[] encrypt(String schemaName, String tblName, String colName, EncType type, String val);
byte[] encrypt(String schemaName, String tblName, String colName, String val);
byte[] encrypt(String tblName, String colName, EncType type, String val);
byte[] encrypt(String tblName, String colName, String val);
// for BigDecimal
byte[] encrypt(String schemaName, String tblName, String colName, EncType type, BigDecimal val);
byte[] encrypt(String schemaName, String tblName, String colName, BigDecimal val);
byte[] encrypt(String tblName, String colName, EncType type, BigDecimal val);
byte[] encrypt(String tblName, String colName, BigDecimal val);
// for Timestamp
byte[] encrypt(String schemaName, String tblName, String colName, EncType type, Timestamp val);
byte[] encrypt(String schemaName, String tblName, String colName, Timestamp val);
byte[] encrypt(String tblName, String colName, EncType type, Timestamp val);
byte[] encrypt(String tblName, String colName, Timestamp val);
/**
 * @brief Decrypt interface
 *
 * @param schemaName schema name, used together with table name and column name to look up the data encryption key from the given database connection.
 *
 * @param tblName    table name, used together with column name to look up the data encryption key.
 *
 * @param colName    column name, used together with table name. To use the default data encryption key,
 *                set tblName = "default", colName="default"
 *
 * @param val        val can be in either hex binary format or pg bytea bytes, e.g., \\x00621c14
 * @return           The decrypted value in hex binary format or the given type format.
 */
byte[] decrypt(String schemaName, String tblName, String colName, byte[] val);
byte[] decrypt(String tblName, String colName, byte[] val);
byte[] decrypt(byte[] val);
// Decrypt interface for `int`
int decryptInt(byte[] val);
// Decrypt interface for `long`
long decryptLong(byte[] val);
// Decrypt interface for `float`
float decryptFloat(byte[] val);
// Decrypt interface for `double`
double decryptDouble(byte[] val);
// Decrypt interface for `String`
String decryptString(byte[] val);
// Decrypt interface for `BigDecimal`
BigDecimal decryptDecimal(byte[] val);
// Decrypt interface for `TimeStamp`
Timestamp decryptTimestamp(byte[] val);

psql CLI

Fully Encrypted Database supports direct queries from the command line, such as using the psql command line to run SELECT * FROM example;.

postgres=# \x
Expanded display is on.
postgres=# SELECT * FROM example;
-[ RECORD 1 ]-----------------------------------------------------------
id     | 1
name   | name
price  | \xac0900ecbd4efc9f36eaf1c17f1ef928a50c26c73d4ac35788f543a7dd0b2fc752459e
miles  | \x931900f561358e7a92086b69d3b423fe453466a7ec556387639699153bef078857f99c
secret | \x1d3900a4ffe264f4dc6d0138106869bc09387a500ce150501d60744f404e22a5d9aa62
postgres=#

As you can see, the id and name columns are in plaintext, while the price, miles, and secret columns are in ciphertext. The encrypted data cannot be viewed on the server, which provides effective protection against both external and internal security threats and keeps your data secure at all times.

DMS console

You can query the database directly from visual interaction tools, such as the DMS console.

Execute the SELECT * FROM example; query. The result is as follows:

id | name | price                                                                    | miles                                                                    | secret
---+------+--------------------------------------------------------------------------+--------------------------------------------------------------------------+--------------------------------------------------------------------------
 1 | name | \xac0900ecbd4efc9f36eaf1c17f1ef928a50c26c73d4ac35788f543a7dd0b2fc752459e | \x931900f561358e7a92086b69d3b423fe453466a7ec556387639699153bef078857f99c | \x1d3900a4ffe264f4dc6d0138106869bc09387a500ce150501d60744f404e22a5d9aa62

As you can see, the id and name columns are plaintext, and the price, miles, and secret columns are ciphertext.

FAQ

  • Q: A connection to the database fails with the following error: org.postgresql.util.PSQLException: ERROR: db_process_msg_api: process message failure - returned 0xf7070000.

    A: The error code 0xf7070000 indicates an MEK import failure. This can happen if the same account tries to connect to the same encrypted database with a different MEK. Changing the master key makes data encrypted with the original key inaccessible. Ensure that you are using the original key to connect to the database.

  • Q: When I run my program, I get the error Exception in thread "main" java.lang.IllegalAccessError: class com.alibaba.encdb.common.SymCrypto (in unnamed module @0x5c0369c4) cannot access class com.sun.crypto.provider.SunJCE (in module java.base) because module java.base does not export com.sun.crypto.provider to unnamed module @0x5c0369c4. How can I fix this?

    A: This error may be caused by inter-module permission issues due to a high JDK version. To resolve the access permission issue, add the VM option parameter --add-exports=java.base/com.sun.crypto.provider=ALL-UNNAMED at runtime, which exports com.sun.crypto.provider to the unnamed module.