CREATE KEY
Create a new encryption key in a database.
CREATE KEY [ IF NOT EXISTS ] key [ WITH ] SECRET 'hex_string';
- IF NOT EXISTS
- Create the key if it does not already exist. If it does exist, do not create it and do not return an error.
- key
- A
key
name with a maximum length of 128 bytes. Names longer than 128 bytes are automatically truncated. See SQL Identifiers. Encryption keys are referenced inENCRYPT_KS
andDECRYPT_KS
functions and inENCRYPTED WITH
column constraints inCREATE TABLE
. See also Encrypting Sensitive Data. - hex_string
- A valid hexadecimal string with a minimum of 1 character and maximum of 32768 characters. Hexadecimal strings can only contain the following characters: [0-9] and [a-f]. 0x prefix is not supported.
A newly created key is only accessible by the user creating the key. To grant other users permission to use a key, see GRANT.
The CREATE KEY
operation is non-transactional and will error out
when run inside a transaction block.
Note that keys are not backed up during backup operations because they are not actually stored in the database. The remote keystore administrator must make sure keys are backed up and stored safely.
You must create encryption keys in the same database as the tables that will
reference them. Do not use cross-database references to encryption keys in your
CREATE TABLE
statements. If you do this, you will lose those
references when the database is backed up and restored (or replicated).
Examples
yb100key
with secret
a1b2c3d4
:
premdb=# create key yb100key secret 'a1b2c3d4';
CREATE KEY
playerkey
if it does not already
exist:premdb=# create key if not exists playerkey secret 'a1b2c3d4e5';
CREATE KEY
premdb=# create key yb100key secret 'g1h2i3j4';
ERROR: invalid secret. HINT: secret must be a valid hexadecimal string (i.e. non-empty and without a '0x' prefix) smaller than 32768 characters