Devil's Lake
pgsodium is an encryption library for postgres that provides modern cryptographic functions based on the libsodium library. This release brings many changes, cleanups and tests, and includes a lot of new functionality.
There are a few breaking changes with 1.1.1, most noticeably, API access is revoked by default, and there are now three layered security roles with access to the API.
The least privileged role can only use secret key API functions by key id, it can never see or use raw bytea keys. The next layer role can see and use keys and keypairs, but not make them, and the highest privilege role can do everything including make and derive keys and keypairs.
Many encryption patterns require only the minimal key id privilege and a column encryption example is provided in the documentation.
1.2.0 also wraps the IETF ChaCha20-Poly1305 construction for Authenticated Encryption with Additional Data (AEAD) in libsodium as the crypto_aead_ietf
API.
pgsodium_derive()
is deprecated and is not called derive_key()
.
Several related fixes were made to the multipart public key signing, and many more tests and error checks have been added.