Additional Supplied Modules - pgcrypto - 《Greenplum Database v6.23 Documentation》

Additional Module Documentation

The pgcrypto module is installed when you install Greenplum Database. Before you can use any of the functions defined in the module, you must register the pgcrypto extension in each database in which you want to use the functions. Refer to Installing Additional Supplied Modules for more information.

Starting with Greenplum 6.22, the pgcrypto extension provides a module-specific configuration parameter, pgcrypto.fips. This parameter configures Greenplum Database support for a limited set of FIPS encryption functionality (Federal Information Processing Standard (FIPS) 140-2). For information about FIPS, see https://www.nist.gov/itl/popular-links/federal-information-processing-standards-fips. The default setting is off, FIPS encryption is not enabled.

Before enabling this parameter, ensure that FIPS is enabled on all Greenplum Database system hosts.

When this parameter is enabled, these changes occur:

FIPS mode is initialized in the OpenSSL library
The functions digest() and hmac() allow only the SHA encryption algorithm (MD5 is not allowed)
The functions for the crypt and gen_salt algorithms are deactivated
PGP encryption and decryption functions support only AES and 3DES encryption algorithms (other algorithms such as blowfish are not allowed)

Enable the pgcrypto functions as an extension if it is not enabled. See . This example psql command creates the pgcrypto extension in the database testdb.
Configure the Greenplum Database server configuration parameter shared_preload_libraries to load the library. This example uses the gpconfig utility to update the parameter in the Greenplum Database postgresql.conf files.
```
gpconfig -c shared_preload_libraries -v '\$libdir/pgcrypto'
```
This command displays the value of shared_preload_libraries.
```
gpconfig -s shared_preload_libraries
```
Restart the Greenplum Database system.
Set the pgcrypto.fips server configuration parameter to on for each database that uses FIPS encryption. For example, these commands set the parameter to on for the database testdb.
```
ALTER DATABASE testdb SET pgcrypto.fips TO on;
```
Important
After setting the parameter, reconnect to the database to enable encryption support for a session. This example uses the psql meta command to connect to the testdb database.

To deactivate pgcrypto.fips

If the database does not use pgcrypto functions, deactivate the pgcrypto extension. This example psql command drops the pgcrypto extension in the database testdb.
```
psql -d testdb -c 'DROP EXTENSION pgcrypto'
```
Remove \$libdir/pgcrypto from the shared_preload_libraries parameter, and restart Greenplum Database. This gpconfig command displays the value of the parameter from the Greenplum Database postgresql.conf files.
```
gpconfig -s shared_preload_libraries
```
Use the gpconfig utility with the -c and -v options to change the value of the parameter. Use the option to remove the parameter.