The following arguments are supplied:

Argument | Value | Notes
---|---|---
First argument | decrypt | Fixed
Second argument | --keyid | Fixed
Third argument | keyid | Variable; the key ID specified in the pgx_declare_external_master_key function is passed
Fourth argument onward | extraarg | The values specified in extra-args in the key management system connection information file, if any, are passed in the specified order.
The following environment variables are supplied:

Name of the environment variable | Value of the environment variable | Notes
---|---|---
TDE_KMS_SECRET | KMS Secret | String entered in the FEP to open the keystore
The command ends with the following return values:

Return value | Condition
---|---
0 | Processing completed successfully
Other than 0 | Processing did not complete normally
Data is delivered to the plug-in, and results are returned by the plug-in, in the following ways:

Classification | Data content | Delivery method | Notes
---|---|---|---
Input | Data to be decrypted | Standard input of the plug-in | As is (no Base64 encoding or similar)
Input | Key ID | Arguments |
Input | Encryption parameter | - | Not passed by the FEP
Output | Decryption result | Standard output of the plug-in | As is (no Base64 encoding or similar)
Output | Status of the operation | Plug-in return code |
Output | Message | Standard error output of the plug-in | Expected to be printable text
Called when decryption with the master encryption key is required.
Decrypts the given encrypted data with the encryption key identified by the given key ID and returns the result.
Implement the plug-in so that decrypted data is not leaked. For example, writing the decryption result, which is clear text, to a temporary file creates a risk of leakage.
If decryption requires the same encryption parameters (for example, an IV or nonce) as were used for encryption, it is the plug-in's responsibility to recover them. During decryption, the FEP only guarantees that the plug-in receives the same key ID and the same encrypted data that were produced at encryption time.
The data passed for decryption is exactly the data that the plug-in returned in response to the corresponding encryption request.
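As an added example (not from the FEP documentation or any Fujitsu code), the following Python skeleton handles the decrypt request according to the interface above: it parses `decrypt --keyid <keyid> [extra-args]`, reads the keystore secret from TDE_KMS_SECRET, reads the ciphertext from standard input, writes the clear text only to standard output, reports failures on standard error, and returns 0 or 1. The key management system itself is an assumption: `kms_encrypt` and `kms_decrypt` stand in for a KMS call, deriving a per-key-ID key from the keystore secret and embedding the nonce and authentication tag in the ciphertext blob, since the FEP passes no encryption parameters back at decryption time.

```python
import hashlib, hmac, os, sys

NONCE_LEN, TAG_LEN = 16, 32

def _kms_key(keyid, secret):
    # Stand-in for the KMS lookup (assumption): derive a per-key-ID key from the keystore secret.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), keyid.encode(), 100_000)

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a keystream (stand-in for the KMS cipher).
    out = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                   for i in range((n + 31) // 32))
    return out[:n]

def kms_encrypt(keyid, secret, plaintext):
    """Returns nonce || tag || ciphertext; the nonce travels inside the blob because
    the FEP passes only the key ID and the encrypted data back for decryption."""
    key, nonce = _kms_key(keyid, secret), os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct

def kms_decrypt(keyid, secret, blob):
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    key = _kms_key(keyid, secret)
    nonce, tag, ct = blob[:NONCE_LEN], blob[NONCE_LEN:NONCE_LEN + TAG_LEN], blob[NONCE_LEN + TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")  # wrong key ID/secret, or altered data
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def parse_decrypt_args(argv):
    # Fixed layout from the interface: "decrypt", "--keyid", <keyid>, then optional extra-args.
    if len(argv) < 3 or argv[0] != "decrypt" or argv[1] != "--keyid":
        raise ValueError("usage: decrypt --keyid <keyid> [extra-args ...]")
    return argv[2], argv[3:]

def run_decrypt(argv, environ, stdin, stdout, stderr):
    """Decrypt request handler: clear text is kept in memory and written only to stdout."""
    try:
        keyid, _extra = parse_decrypt_args(argv)
        secret = environ.get("TDE_KMS_SECRET")
        if secret is None:
            raise ValueError("TDE_KMS_SECRET is not set")
        stdout.write(kms_decrypt(keyid, secret, stdin.read()))
        stdout.flush()
        return 0
    except Exception as exc:
        stderr.write(f"decrypt failed: {exc}\n")  # printable message on standard error
        return 1

if __name__ == "__main__":
    sys.exit(run_decrypt(sys.argv[1:], os.environ, sys.stdin.buffer, sys.stdout.buffer, sys.stderr))
```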