Encryption functions

These functions provide capabilities for encrypting and decrypting data using the Advanced Encryption Standard (AES) algorithm.

The required key length varies by encryption mode: 16 bytes for -128- modes, 24 bytes for -196- modes, and 32 bytes for -256- modes. The initialization vector (IV) length is always 16 bytes; any bytes beyond this length are ignored.

encrypt

This function encrypts a given plaintext string using the Advanced Encryption Standard (AES) algorithm with a specified mode, key, and optional initialization vector (IV) or additional authenticated data (AAD). It returns the encrypted data as a binary string.

Syntax

encrypt('mode', 'plaintext', 'key' [, iv, aad])

Arguments

  • mode: String. The encryption algorithm and mode to use (e.g., aes-256-cbc, aes-128-gcm).
  • plaintext: String. The data to be encrypted.
  • key: String. The secret key used for encryption. Its length must match the chosen mode.
  • iv: String. An optional initialization vector. It is required for GCM modes and can be used with others.
  • aad: String. Optional additional authenticated data, used only with GCM modes. This data is not encrypted but is authenticated during decryption.

Returns

The encrypted data as a binary String.

Example

Encrypt a secret string using different AES modes.

SELECT
    comment,
    hex(secret)
FROM
(
    SELECT
        c1 AS comment,
        c2 AS secret
    FROM VALUES
    (
        ('aes-256-ofb no IV', encrypt('aes-256-ofb', 'Secret', '12345678910121314151617181920212')),
        ('aes-256-ofb with IV', encrypt('aes-256-ofb', 'Secret', '12345678910121314151617181920212', 'iviviviviviviviv')),
        ('aes-256-gcm with AAD', encrypt('aes-256-gcm', 'Secret', '12345678910121314151617181920212', 'iviviviviviviviv', 'aad'))
    )
)

Result:

┌─comment──────────────┬─hex(secret)──────────────────────────────────┐
│ aes-256-ofb no IV    │ B4972BDC4459                                 │
│ aes-256-ofb with IV  │ 5E6CB398F653                                 │
│ aes-256-gcm with AAD │ A8A3CCBC6426D9A1017A0A932322F1852260A4AD6837 │
└──────────────────────┴──────────────────────────────────────────────┘

aes_encrypt_mysql

This function encrypts data using AES, providing compatibility with MySQL's AES_ENCRYPT function. It handles key and IV lengths in a MySQL-specific way, folding longer keys and ignoring excess IV bytes.

Syntax

aes_encrypt_mysql('mode', 'plaintext', 'key' [, iv])

Arguments

  • mode: String. The encryption algorithm and mode to use.
  • plaintext: String. The data to be encrypted.
  • key: String. The encryption key. If the key is longer than required by the mode, it will be folded to match MySQL's behavior.
  • iv: String. An optional initialization vector. Only the first 16 bytes are considered, similar to MySQL.

Returns

The encrypted data as a binary String.

Example

Encrypt a string using aes_encrypt_mysql with a key and IV that are longer than typically expected, demonstrating MySQL-compatible handling.

SELECT
    hex(aes_encrypt_mysql('aes-256-ofb', 'Secret', '123456789101213141516171819202122', 'iviviviviviviviv123')) AS ciphertext

Result:

┌─ciphertext───┐
│ 24E9E4966469 │
└──────────────┘

Supplying an even longer IV produces the same result, confirming MySQL's behavior of ignoring excess IV bytes:

SELECT
    hex(aes_encrypt_mysql('aes-256-ofb', 'Secret', '123456789101213141516171819202122', 'iviviviviviviviv123456')) AS ciphertext

Result:

┌─ciphertext───┐
│ 24E9E4966469 │
└──────────────┘

decrypt

This function decrypts a ciphertext string back into its original plaintext using the specified AES mode, key, and optional initialization vector (IV) or additional authenticated data (AAD).

Syntax

decrypt('mode', 'ciphertext', 'key' [, iv, aad])

Arguments

  • mode: String. The decryption algorithm and mode to use. This must match the mode used during encryption.
  • ciphertext: String. The encrypted data to be decrypted.
  • key: String. The secret key used for decryption. This must match the key used during encryption.
  • iv: String. An optional initialization vector. Required for GCM modes and must match the IV used during encryption.
  • aad: String. Optional additional authenticated data, used only with GCM modes. This must match the AAD used during encryption for successful decryption.

Returns

The decrypted data as a String.

Example

Decrypt data that was previously encrypted using encrypt.

SELECT
    comment,
    decrypt(mode, secret, key, iv, aad) AS plaintext
FROM
(
    SELECT
        c1 AS comment,
        c2 AS secret,
        c3 AS mode,
        c4 AS key,
        c5 AS iv,
        c6 AS aad
    FROM VALUES
    (
        ('aes-256-ofb no IV', encrypt('aes-256-ofb', 'Secret', '12345678910121314151617181920212'), 'aes-256-ofb', '12345678910121314151617181920212', NULL, NULL),
        ('aes-256-ofb with IV', encrypt('aes-256-ofb', 'Secret', '12345678910121314151617181920212', 'iviviviviviviviv'), 'aes-256-ofb', '12345678910121314151617181920212', 'iviviviviviviviv', NULL),
        ('aes-256-gcm with AAD', encrypt('aes-256-gcm', 'Secret', '12345678910121314151617181920212', 'iviviviviviviviv', 'aad'), 'aes-256-gcm', '12345678910121314151617181920212', 'iviviviviviviviv', 'aad')
    )
)

Result:

┌─comment──────────────┬─plaintext─┐
│ aes-256-ofb no IV    │ Secret    │
│ aes-256-ofb with IV  │ Secret    │
│ aes-256-gcm with AAD │ Secret    │
└──────────────────────┴───────────┘

tryDecrypt

This function attempts to decrypt a ciphertext string using the specified AES mode, key, and optional IV/AAD. If the decryption fails (e.g., due to an incorrect key or IV), it returns NULL instead of throwing an error.

Syntax

tryDecrypt('mode', 'ciphertext', 'key' [, iv, aad])

Arguments

  • mode: String. The decryption algorithm and mode.
  • ciphertext: String. The encrypted data to be decrypted.
  • key: String. The decryption key.
  • iv: String. An optional initialization vector.
  • aad: String. Optional additional authenticated data.

Returns

The decrypted data as a String, or NULL if decryption fails.

Example

Demonstrate tryDecrypt returning NULL when an incorrect key is provided, while successfully decrypting with the correct key.

SELECT
    dt,
    user_id,
    tryDecrypt('aes-256-gcm', encrypted, 'keykeykeykeykeykeykeykeykeykey02', iv) AS value
FROM (
    SELECT
        c1::DateTime AS dt,
        c2::UInt32 AS user_id,
        c3::String AS encrypted,
        c4::String AS iv
    FROM VALUES
    (
        ('2022-08-02 00:00:00', 1, encrypt('aes-256-gcm', 'value1', 'keykeykeykeykeykeykeykeykeykey01', 'iv1'), 'iv1'),
        ('2022-09-02 00:00:00', 2, encrypt('aes-256-gcm', 'value2', 'keykeykeykeykeykeykeykeykeykey02', 'iv2'), 'iv2'),
        ('2022-09-02 00:00:01', 3, encrypt('aes-256-gcm', 'value3', 'keykeykeykeykeykeykeykeykeykey03', 'iv3'), 'iv3')
    )
)
ORDER BY user_id ASC

Result:

┌──────────────────dt─┬─user_id─┬─value──┐
│ 2022-08-02 00:00:00 │       1 │ ᴺᵁᴸᴸ   │
│ 2022-09-02 00:00:00 │       2 │ value2 │
│ 2022-09-02 00:00:01 │       3 │ ᴺᵁᴸᴸ   │
└─────────────────────┴─────────┴────────┘

aes_decrypt_mysql

This function decrypts data that was encrypted using MySQL's AES_ENCRYPT function or aes_encrypt_mysql. It handles key and IV lengths in a MySQL-compatible manner, folding longer keys and ignoring excess IV bytes.

Syntax

aes_decrypt_mysql('mode', 'ciphertext', 'key' [, iv])

Arguments

  • mode: String. The decryption algorithm and mode.
  • ciphertext: String. The encrypted data to be decrypted.
  • key: String. The decryption key.
  • iv: String. An optional initialization vector.

Returns

The decrypted data as a String.

Example

Decrypt data that was previously encrypted with MySQL-compatible settings.

SELECT
    aes_decrypt_mysql('aes-256-ofb', unhex('24E9E4966469'), '123456789101213141516171819202122', 'iviviviviviviviv123456') AS plaintext

Result:

┌─plaintext─┐
│ Secret    │
└───────────┘
Updated