Key Derivation
Multiple secret subkeys can be derived from a single master key.
Given the master key and a key identifier, a subkey can be deterministically computed. However, given a subkey, an attacker cannot compute the master key nor any other subkeys.
The crypto_kdf API can derive up to 2^64 keys from a single master key and context, and individual subkeys can have an arbitrary length between 128 (16 bytes) and 512 bits (64 bytes).
%load_ext sql
%config SqlMagic.feedback=False
%config SqlMagic.displaycon=False
%sql postgresql://postgres@/
%%sql
CREATE EXTENSION IF NOT EXISTS pgsodium;
[]
derive_key(id integer, key_size integer = NULL, context bytea = 'pgsodium')
key = %sql select pgsodium.derive_key(42)
print(key[0][0].tobytes())
b'\xfd\x95 Q%\x16\x9f\xca5\xac\x18\xf3\x8az\x98\x9f\x11fD\x14\x04|\x02Q\xe5M\xbe\xf7\x82\xf3|<'
key = %sql select pgsodium.derive_key(42, 64, 'foozbarz')
print(key[0][0].tobytes())
b'\xad\xeeu\x1d\x1d\xc3H\xad\x01\x19\xff\x1alO\x1e\xf9e-\xe2\xf9\x8b\x9a\x97>P\x85\x83C\x9b$\x04U!2+&\xc4\xdb\x7f\x07\xb4\x17\xdf,\x95\xdce\xa5x\xb7A\xaeG\xc1=\xff~N\xdf\xa1\xfdc\xf4J'