vault.postgres.txt
┏━━━━━━━━━━━┓
┃ VAULT ┃
┗━━━━━━━━━━━┛
VERSION ==> #0.2.9
supabase_vault #Postgres EXTENSION
#Uses pgsodium
vault #SCHEMA
vault.create_secret('VAL'[, 'VAR'
[, 'DESCRIPTION'
[, KEY_ID_UUID]]])->UUID #Insert into vault.secrets.*
vault.update_secret(UUID, 'VAL'
[, 'VAR' [, 'DESCRIPTION'
[, KEY_ID_UUID]]]) #update vault.secrets.*
vault #TFUNC
.secrets_encrypt_secret_secret #On `before insert or update` and `for each row`
(...) #Encrypts the `secret` COL on insert|update
vault.secrets #TABLE to insert secret values
vault.secrets.id #UUID (def: random)
vault.secrets.name #'VAR'
vault.secrets.secret #Encrypted 'VAL', base64'd
#Encrypted with key_id, but id + description + created_at + updated_at + nonce are bound into the ciphertext too
# - i.e. those COLs' integrity is also checked: altering any of them makes the secret fail to decrypt
# - the list of bound COLs is stored as a SECURITY_LABEL on the TABLE
vault.secrets.description #STR (def: '')
vault.secrets.key_id #Secret pgsodium.key.id, used to encrypt|decrypt
#The actual key is only reachable inside SQL FUNCs, never exposed as data
# - vault.secrets.* holds ciphertext only, so it can be public
# - vault.decrypted_secrets.* yields plaintext, so it must stay private
# - anyone who can call the pgsodium SQL FUNCs (or SELECT from vault.decrypted_secrets) can decrypt → restrict EXECUTE|SELECT accordingly
vault.secrets.nonce #BYTEA (def: random). Public nonce, stored next to the ciphertext
vault.secrets.created_at
|updated_at #TIMESTAMPTZ (def: auto)
vault.decrypted_secrets #VIEW on vault.secrets.*
vault.decrypted_secrets.* #Like vault.secrets.*
vault.decrypted_secrets
.decrypted_secret #'VAL', using pgsodium on vault.secrets.*
LOGGING ==> #Requires setting ZSCONF.log_statement 'none', otherwise the plaintext 'VAL' passed to create_secret|update_secret leaks into the server log