I have some encrypted columns in BigQuery that I want to decrypt using BigQuery functions.
The mechanic used in encrypting them is AES 256. The vector used is encoded in UTF8. The resulting data is encrypted in Base64.
What I want to do is decrypt the fields passed to me in BigQuery using functions without going through the trouble of doing extra steps of decrypting them elsewhere and then integrating them back in BigQuery. Note that the encrypted columns which I have access in BigQuery to are of type string.
I read about some functions that can decrypt in BigQuery like AEAD.DECRYPT_BYTES and AEAD.DECRYPT_STRING, and I wonder if they could be of help in my case.
Are there any way to do that ? If so, can you walk me through the process ?
P.S: Those are not the actual key and vector values, just a similar-looking example.
I have some encrypted columns in BigQuery that I want to decrypt using BigQuery functions.
The mechanic used in encrypting them is AES 256. The vector used is encoded in UTF8. The resulting data is encrypted in Base64.
What I want to do is decrypt the fields passed to me in BigQuery using functions without going through the trouble of doing extra steps of decrypting them elsewhere and then integrating them back in BigQuery. Note that the encrypted columns which I have access in BigQuery to are of type string.
I read about some functions that can decrypt in BigQuery like AEAD.DECRYPT_BYTES and AEAD.DECRYPT_STRING, and I wonder if they could be of help in my case.
Are there any way to do that ? If so, can you walk me through the process ?
P.S: Those are not the actual key and vector values, just a similar-looking example.
Share Improve this question edited Sep 3, 2019 at 8:07 S.Jackson asked Aug 30, 2019 at 9:09 S.JacksonS.Jackson 1595 silver badges18 bronze badges2 Answers
Reset to default 5Here is an example of how to decrypt using AES-CBC with PKCS padding. I'm not clear on whether you have a valid key/ciphertext in your example, since I'm not able to decrypt vector using that key:
SELECT
AEAD.DECRYPT_STRING(
KEYS.ADD_KEY_FROM_RAW_BYTES(
b'', 'AES_CBC_PKCS', FROM_BASE64('dfrBArd8b6YZFDGTYrZtQa==')),
FROM_BASE64('/FCM1XMvr+rHwZx'), '');
Here is a self-contained example that does work:
WITH EncryptedInput AS (
SELECT FROM_HEX('deed2a88e73dccaa30a9e6e296f62be27db30db16f76d3f42c85d31db3f46376') AS ciphertext,
b'1234567890123456' AS key UNION ALL
SELECT FROM_HEX('deed2a88e73dccaa30a9e6e296f62be2ea3f4c2ac2c8863306fd9ff87e10497b61d86111fafd0d0fe0046d7e199044ec'),
b'1234567890123456' UNION ALL
SELECT FROM_HEX('0102030405060708090a0b0c0d0e0f1073d8712936ea9899952e97284288c1cd7b7cbfff0a53ae87a19454f7d84082a07a25fc01031b5e08c6b7ce6520989b82'),
b'98765432101234567890123456789012' UNION ALL
SELECT NULL, b'1234567890123456' UNION ALL
SELECT FROM_HEX('deed2a88e73dccaa30a9e6e296f62be27db30db16f76d3f42c85d31db3f46376'),
NULL
)
SELECT AEAD.DECRYPT_STRING(KEYS.ADD_KEY_FROM_RAW_BYTES(b'', 'AES_CBC_PKCS', key), ciphertext, '') AS plaintext
FROM EncryptedInput;
I am not sure that you can do it that way.
I think that the functions you are referring to are designed for a different use case. Bigquery AEAD Encryption is meant for encrypting data of different entities using different keys for each entity but you could use it by thinking that the only entity is you.
In your case, you could rework the solution by making the person encrypting the data does it using those functions and a keyset created using KEYS.NEW_KEYSET(key_type). You will need an extra table to store the keysets to encrypt/decrypt data.