pgsodium (pending deprecation): Encryption Features
Supabase DOES NOT RECOMMEND any new usage of pgsodium.
The pgsodium extension is expected to go through a deprecation cycle in the near future. We will reach out to owners of impacted projects to assist with migrations away from pgsodium once the deprecation process begins.
The Vault extension won’t be impacted. Its internal implementation will shift away from pgsodium, but the interface and API will remain unchanged.
pgsodium is a Postgres extension which provides SQL access to libsodium's high-level cryptographic algorithms.
Supabase previously documented two features derived from pgsodium, namely Server Key Management and Transparent Column Encryption. At this time, we do not recommend using either on the Supabase platform due to their high level of operational complexity and misconfiguration risk.
Note that Supabase projects are encrypted at rest by default, which is likely sufficient for your compliance needs, e.g. SOC2 & HIPAA.
Get the root encryption key for your Supabase project
Encryption requires keys. Keeping the keys in the same database as the encrypted data would be unsafe. For more information about managing the pgsodium root encryption key on your Supabase project, see encryption key location. This key is required to decrypt values stored in Supabase Vault and data encrypted with Transparent Column Encryption.
Resources
- Supabase Vault
- Read more about Supabase Vault in the blog post
- Supabase Vault on GitHub
Resources
- Official pgsodium documentation