Light
Dark
System
v4latest
v5dev
v4latest
v3
v2
v1

ext::pgcryptoNew

This extension provides tools for your hashing and encrypting needs.

The Postgres that comes packaged with the EdgeDB 4.0+ server includes pgcrypto, as does EdgeDB Cloud. It you are using a separate Postgres backend, you will need to arrange for it to be installed.

To activate this functionality you can use the extension mechanism:

Copy
using extension pgcrypto;

That will give you access to the ext::pgcrypto module where you may find the following functions:

ext::pgcrypto::digest()

Computes a hash of the data using the specified algorithm.

ext::pgcrypto::hmac()

Computes a hashed MAC for data using key and the specified algorithm.

ext::pgcrypto::gen_salt()

Generates a new random salt string.

ext::pgcrypto::crypt()

Calculates a crypt(3)-style hash of password.

function

ext::pgcrypto::digest()
ext::pgcrypto::digest(data: str, type: str) -> bytesext::pgcrypto::digest(data: bytes, type: str) -> bytes

Computes a hash of the data using the specified algorithm.

The data may come as a str or bytes. The value of type argument determines the hashing algorithm that will be used. Valid algorithms are: md5, sha1, sha224, sha256, sha384 and sha512. Also, any digest algorithm OpenSSL supports is automatically picked up as well.

The result is always a binary hash.

Copy
db> 
select ext::pgcrypto::digest('encrypt this', 'sha1');
{b'\x05\x82\xd8YLF\xe7\xd4\x12\x91\n\xdb$\xf1!v\xf9\xd4\x89\xc4'}
Copy
db> 
select ext::pgcrypto::digest(b'encrypt this', 'md5');
{b'\x15\xd6\x14y\xcb\xf2"\xa1+Z]8\xf8\xcf\x0c['}

function

ext::pgcrypto::hmac()
ext::pgcrypto::hmac(data: str, key: str, type: str) -> bytesext::pgcrypto::hmac(data: bytes, key: bytes, type: str) -> bytes

Computes a hashed MAC for data using key and the specified algorithm.

The data may come as a str or bytes. The key type must match the data type. The value of type argument determines the hashing algorithm that will be used. Valid algorithms are: md5, sha1, sha224, sha256, sha384 and sha512. Also, any digest algorithm OpenSSL supports is automatically picked up as well.

The result is always a binary hash.

The main difference between ext::pgcrypto::digest() and this function is that it’s impossible to recalculate the hash without the key.

Copy
db> 
select ext::pgcrypto::hmac('encrypt this', 'my key', 'sha1');
{b'\x01G\x12\xb7\xe76H\x8b\xa4T1\x0fj\x87\xdf\x86n\x8f\xed\x15'}
Copy
db> 
select ext::pgcrypto::hmac(b'encrypt this', b'my key', 'md5');
{b'\xa9{\xc7\x9e\xc9"7e\xab\x83\xeb\x0c\xde\x02Nn'}

function

ext::pgcrypto::gen_salt()
ext::pgcrypto::gen_salt() -> strext::pgcrypto::gen_salt(type: str) -> strext::pgcrypto::gen_salt(type: str, iter_count: int64) -> str

Generates a new random salt string.

When generating the salt string type may be specified. Valid salt types are: des, xdes, md5, and bf (default).

Copy
db> 
select ext::pgcrypto::gen_salt();
{'$2a$06$5D2rBj3UY5/UYvPIUNILvu'}
Copy
db> 
select ext::pgcrypto::gen_salt('des');
{'o9'}
Copy
db> 
select ext::pgcrypto::gen_salt('xdes');
{'_J9..efC8'}

The iter_count specifies the number of iterations for algorithms that allow iterations (xdes and bf). The xdes algorithm has an additional requirement that iter_count must be odd. The higher the iteration count the longer it takes to compute the hash and therefore it also takes longer to break the encryption. However, if the count is too high, it can take impractically long.

Copy
db> 
select ext::pgcrypto::gen_salt('bf', 10);
{'$2a$10$fAQS9/UKS42OI.ftjHkj2O'}
Copy
db> 
select ext::pgcrypto::gen_salt('xdes', 5);
{'_3...oN2c'}

function

ext::pgcrypto::crypt()
ext::pgcrypto::crypt(password: str, salt: str) -> str

Calculates a crypt(3)-style hash of password.

Typically you would use ext::pgcrypto::gen_salt() to generate a salt value for a new password:

Copy
db> 
... 
with module ext::pgcrypto
select crypt('new password', gen_salt('des'));
{'0ddkJUiOnUFq6'}

To check the password against a stored encrypted value use the hash value itself as salt and see if the result matches:

Copy
db> 
... 
... 
... 
... 
with hash := '0ddkJUiOnUFq6'
select hash = ext::pgcrypto::crypt(
  'new password',
  hash,
);
{true}
Light
Dark
System

We use ChatGPT with additional context from our documentation to answer your questions. Not all answers will be accurate. Please join our Discord if you need more help.