Skip to main content

DECRYPT

Decrypts an encrypted column using the key(s) specified in the column encryption specification.

Syntax​

DECRYPT ( column_expression )

Arguments​

column-expression
Specifies a column belonging to a blockchain. The column must appear in the FROM clause of the SELECT statement, but is not required to appear in the SELECT list.

Return Value​

Data of the column_expressions underlying data type.

Remarks​

  • Non-encrypted arguments will cause the query to error.
  • If the login doesn't have access to the encryption key, the query will error.
  • The DECRYPT function can be used in the SELECT, HAVING, and WHERE clauses.
  • On creation the DECRYPT keyword can be used in the CHECK and COMPUTED column specifications.
  • Columns with indexes can't be encrypted.
  • Encrypted columns can't be compared without decrypting them first.

Examples​

This section creates a blockchain and illustrates the functionality of the DECRYPT keyword.

The build​

Lets assume that we have access to the following symmetric keys named: "k9_ssn key", "dog_name key", "verified key"

The CREATE BLOCKCHAIN statement below creates a TRADITIONAL blockchain with five columns:

  • id: basic incrementing primary key.
  • k9_ssn: an INT64 encrypted by the "ssn key" with LEVEL ONE validity tracking using the "k9_ssn key"
  • last_name: a STRING encrypted by the "last_name key" with LEVEL TWO validity tracking. There is also a check constraint that checks, once decrypted, if the k9_ssn value is null.
  • verified: a BOOL encrypted by the "verified key" with no validity tracking.
  • loves_treats: a BOOL that is computed from the decrypted verified value.
CREATE BLOCKCHAIN members TRADITIONAL (
    id UINT64 PRIMARY AUTO INCREMENT, 
    k9_ssn INT64 ENCRYPT = "k9_ssn key" TRACK VALIDITY [ "k9_ssn key", LEVEL ONE],
    last_name STRING PACKED ENCRYPT = "last_name key" TRACK VALIDITY [ "last_name key", LEVEL TWO] CHECK [NOT(ISNULL(DECRYPT(ssn)))],
    verified BOOL ENCRYPT = "verified key",
    loves_treats BOOL COMPUTED [DECRYPT(verified))];

Let's assume the following mutation has been executed.

INSERT members (k9_ssn, last_name, verified) VALUES
        (1, "rolly", true),
        (2, "hank", false),
        (3, "clover", true);

A. Querying from encrypted columns.​

Reading from encrypted columns without decrypting returns columns of type BYTE ARRAY. The following query will execute but the k9_ssn, last_name, and verified columns will show the encrypted bytes.

SELECT * FROM members;

On the other hand, the below query fails when performing an operation on an encrypted column.

SELECT * FROM members WHERE verified = true

B. Decrypting in the select clause.​

The following example decrypts the encrypted columns on output.

SELECT DECRYPT(k9_ssn), DECRYPT(last_name), DECRYPT(verified), loves_treats FROM members;

Response:

DECRYPT(k9_ssn) [INT64] DECRYPT(LAST_NAME) [STRING] DECRYPT(VERIFIED) [BOOL]    LOVES_TREATS [BOOL] 
1                       rolly                       true                        true    
2                       hank                        false                       false   
3                       clover                      true                        true

C. Joining encrypted columns.​

This example illustrates that the DECRYPT operation can be applied in the WHERE clause. Once the operation is applied, columns and data behave normally.

SELECT DECRYPT(m_one.last_name), DECRYPT(m_two.last_name)
        FROM members AS m_one JOIN members AS m_two
        ON DECRYPT(m_one.last_name) = DECRYPT(m_two.last_name);

Response:

DECRYPT(M_ONE.LAST_NAME) [STRING]   DECRYPT(M_TWO.LAST_NAME) [STRING]   
rolly                               rolly   
hank                                hank    
clover                              clover