The following arguments are supplied:
Argument | Value | Notes |
---|---|---|
First argument | encrypt | Fixed |
Second argument | --keyid | Fixed |
Third argument | keyid | Variable; the key ID specified in the pgx_declare_external_master_key function |
Fourth and subsequent arguments | extra-args | The values given as extra-args in the key management system connection information file, if any, passed in the order specified |
The following environment variables are supplied:
Name of the environment variable | Value of the environment variable | Notes |
---|---|---|
TDE_KMS_SECRET | KMS Secret | String entered in the FEP to open the keystore |
The command must exit with one of the following return values:
Return value | Condition |
---|---|
0 | Processing succeeded |
Other than 0 | Processing did not complete normally |
Data is delivered to the plug-in, and results are returned by the plug-in, in the following ways:
Classification | Data Content | Delivery method | Notes |
---|---|---|---|
Input | Data to be encrypted | Standard input of the plug-in | As is (raw bytes; not Base64 encoded or otherwise transformed) |
Input | Key ID | Arguments | |
Input | Encryption parameter | - | Not passed by FEP; any parameter the plug-in needs for decryption (nonce, IV, algorithm identifier) must be chosen by the plug-in and carried inside the encryption result |
Output | Encryption result | Standard output of the plug-in | As is (raw bytes; not Base64 encoded or otherwise transformed) |
Output | Status of the operation | Plug-in return code | |
Output | Message | Standard error output of the plug-in | Expected to be printable text |
Called when encryption with the master encryption key is required.
Encrypts the given data with the encryption key identified by the specified key ID and returns the result. The returned encryption result must be decryptable with the same key ID.
Implement the plug-in so that the data to be encrypted is not leaked. For example, temporarily writing the plaintext to a file poses a disclosure risk; keep it in memory only and do not echo it to standard error or to logs.
Fujitsu Enterprise Postgres guarantees only the following during decryption:
- The same key ID is passed at decryption as was passed at encryption.
- The data returned by the encrypt operation is passed as-is for decryption.
The maximum size of the data to be encrypted that Fujitsu Enterprise Postgres passes to the plug-in is 2048 bytes.
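A skeleton plug-in that honours the contract described above (argument layout, TDE_KMS_SECRET, raw bytes on stdin and stdout, printable stderr, exit code 0 only on success, the 2048-byte limit, and an encryption result that carries everything decryption needs). This is an added example, not code from the Fujitsu Enterprise Postgres documentation or product. The StandInKms class, the key IDs mek-2024 and mek-2023, the secret open-sesame and the decrypt operation's blob layout are assumptions made so the script runs offline; a production plug-in replaces StandInKms with calls to the real key management system and performs no cryptography locally.

```python
"""Skeleton of a Fujitsu Enterprise Postgres TDE key-management plug-in.

Added example, not shipped with FEP.  Contract implemented: argv is
<operation> --keyid <keyid> [extra-args...], the KMS secret arrives in
TDE_KMS_SECRET, raw bytes on stdin/stdout, printable message on stderr,
exit code 0 only on success.  StandInKms is an offline stand-in for the
real KMS (assumption of this example).
"""
import hashlib
import hmac
import os
import sys

MAX_PLAINTEXT = 2048  # FEP passes at most this many bytes for encryption
NONCE_LEN = 16
TAG_LEN = 32


class StandInKms:
    """In-memory stand-in for the KMS: keys indexed by key ID, caller authenticated
    with the secret FEP supplies.  Cipher: HMAC-SHA256 counter-mode keystream plus
    an HMAC tag over nonce||ciphertext (encrypt-then-MAC with separate subkeys)."""

    def __init__(self, secret: str, keys: dict):
        self._secret = secret
        self._keys = keys

    def _subkeys(self, secret: str, keyid: str):
        if not hmac.compare_digest(secret.encode(), self._secret.encode()):
            raise PermissionError("KMS rejected the supplied secret")
        if keyid not in self._keys:
            raise KeyError("unknown key ID %r" % keyid)
        key = self._keys[keyid]
        return (hmac.new(key, b"enc", hashlib.sha256).digest(),
                hmac.new(key, b"mac", hashlib.sha256).digest())

    @staticmethod
    def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
        out = b""
        for counter in range((length + 31) // 32):
            out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        return out[:length]

    def encrypt(self, secret: str, keyid: str, plaintext: bytes) -> bytes:
        enc_key, mac_key = self._subkeys(secret, keyid)
        nonce = os.urandom(NONCE_LEN)
        body = bytes(p ^ s for p, s in zip(plaintext, self._keystream(enc_key, nonce, len(plaintext))))
        tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
        # FEP passes no encryption parameter and later returns this blob as-is,
        # so the nonce and tag that decryption needs must travel inside it.
        return nonce + body + tag

    def decrypt(self, secret: str, keyid: str, blob: bytes) -> bytes:
        enc_key, mac_key = self._subkeys(secret, keyid)
        if len(blob) < NONCE_LEN + TAG_LEN:
            raise ValueError("ciphertext too short")
        nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, hashlib.sha256).digest()):
            raise ValueError("authentication failed: wrong key ID or corrupted data")
        return bytes(c ^ s for c, s in zip(body, self._keystream(enc_key, nonce, len(body))))


def parse_args(argv):
    """argv as FEP supplies it: <operation> --keyid <keyid> [extra-args...]."""
    if len(argv) < 3 or argv[1] != "--keyid":
        raise ValueError("usage: <encrypt|decrypt> --keyid <keyid> [extra-args ...]")
    return argv[0], argv[2], argv[3:]


def run(argv, stdin_data: bytes, environ, kms) -> tuple:
    """One plug-in invocation, decoupled from the real process streams so the
    contract is testable.  Returns (exit_code, stdout_bytes, stderr_text)."""
    try:
        op, keyid, extra_args = parse_args(argv)  # extra_args: connection-file values, unused here
        secret = environ.get("TDE_KMS_SECRET")
        if secret is None:
            raise ValueError("TDE_KMS_SECRET is not set")
        if op == "encrypt":
            if len(stdin_data) > MAX_PLAINTEXT:
                raise ValueError("plaintext exceeds %d bytes" % MAX_PLAINTEXT)
            # The plaintext lives in this buffer only: no temp file, no log line.
            return 0, kms.encrypt(secret, keyid, stdin_data), ""
        if op == "decrypt":
            return 0, kms.decrypt(secret, keyid, stdin_data), ""
        raise ValueError("unsupported operation %r" % op)
    except Exception as exc:
        # Failure: nothing on stdout, a printable reason on stderr, non-zero exit.
        return 1, b"", "tde plug-in: %s\n" % exc


def demo_kms() -> StandInKms:
    """Stand-in keystore with two master keys (constructed test data)."""
    return StandInKms("open-sesame", {"mek-2024": bytes(range(32)), "mek-2023": bytes(range(32, 64))})


if __name__ == "__main__":
    # e.g.: printf 'data' | TDE_KMS_SECRET=open-sesame python3 tde_plugin.py encrypt --keyid mek-2024 > blob.bin
    code, out, err = run(sys.argv[1:], sys.stdin.buffer.read(), os.environ, demo_kms())
    sys.stdout.buffer.write(out)  # encryption result as-is: raw bytes, no Base64
    sys.stderr.write(err)
    sys.exit(code)
```

The run function separates the protocol handling from the process streams so the three failure modes a reviewer cares about (wrong secret, unknown or mismatched key ID, oversized input) can be exercised without spawning the plug-in; each ends with an empty stdout, a printable message on stderr and a non-zero exit code, exactly what FEP reads as "did not complete normally".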