postgresql

13th chunk of `doc/src/sgml/pgcrypto.sgml`

<synopsis>
fips_mode() returns boolean
</synopsis>
  <para>
   Returns <literal>true</literal> if <productname>OpenSSL</productname> is
   running with FIPS mode enabled, otherwise <literal>false</literal>.
  </para>
 </sect2>

 <sect2 id="pgcrypto-configuration-parameters">
  <title>Configuration Parameters</title>

 <para>
  There is one configuration parameter that controls the behavior of
  <filename>pgcrypto</filename>.
 </para>

  <variablelist>
   <varlistentry id="pgcrypto-configuration-parameters-builtin_crypto_enabled">
    <term>
     <varname>pgcrypto.builtin_crypto_enabled</varname> (<type>enum</type>)
     <indexterm>
      <primary><varname>pgcrypto.builtin_crypto_enabled</varname> configuration
      parameter</primary>
     </indexterm>
    </term>
    <listitem>
     <para>
      <varname>pgcrypto.builtin_crypto_enabled</varname> determines if the
      built-in crypto functions <function>gen_salt()</function> and
      <function>crypt()</function> are available for use. Setting this to
      <literal>off</literal> disables these functions. <literal>on</literal>
      (the default) enables these functions to work normally.
      <literal>fips</literal> disables these functions if
      <productname>OpenSSL</productname> is detected to operate in FIPS mode.
     </para>
    </listitem>
   </varlistentry>
  </variablelist>

  <para>
   In ordinary usage, this parameter is set
   in <filename>postgresql.conf</filename>, although superusers can alter it
   on-the-fly within their own sessions.
  </para>
 </sect2>
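
An added example, not part of the PostgreSQL documentation: a PL/pgSQL block that compares the availability implied by the parameter description above with what the session actually observes. It assumes pgcrypto is installed in the current database, on the search_path, in a version that provides fips_mode() and this parameter; the sample password is constructed.

```sql
-- Audit whether pgcrypto's built-in crypt()/gen_salt() are usable in this
-- session, and whether that matches pgcrypto.builtin_crypto_enabled.
DO $$
DECLARE
    fips      boolean;
    setting   text;
    expected  boolean;
    actual    boolean;
BEGIN
    -- Calling a pgcrypto function first loads the module, which makes the
    -- parameter visible to current_setting().
    fips    := fips_mode();
    setting := current_setting('pgcrypto.builtin_crypto_enabled');

    -- Availability as the parameter description states it.
    expected := CASE setting
                    WHEN 'off'  THEN false
                    WHEN 'fips' THEN NOT fips
                    ELSE true              -- 'on', the default
                END;

    -- Probe the real behaviour with a constructed, throwaway password.
    BEGIN
        PERFORM crypt('constructed-sample', gen_salt('bf'));
        actual := true;
    EXCEPTION WHEN OTHERS THEN
        actual := false;
    END;

    RAISE NOTICE 'OpenSSL FIPS mode: %, builtin_crypto_enabled: %', fips, setting;
    RAISE NOTICE 'crypt()/gen_salt() expected available: %, observed: %',
                 expected, actual;

    IF expected IS DISTINCT FROM actual THEN
        RAISE WARNING 'observed behaviour differs from the configured policy';
    END IF;
END
$$;
```

On a host where OpenSSL runs in FIPS mode, setting the parameter to `fips` should make both notices report the functions as unavailable.
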

 <sect2 id="pgcrypto-notes">
  <title>Notes</title>

  <sect3 id="pgcrypto-notes-config">
   <title>Configuration</title>

   <para>
    <filename>pgcrypto</filename> configures itself according to the findings of the
    main PostgreSQL <literal>configure</literal> script.  The options that
    affect it are <literal>--with-zlib</literal> and
    <literal>--with-ssl=openssl</literal>.
   </para>

   <para>
    When compiled with zlib, PGP encryption functions are able to
    compress data before encrypting.
   </para>

   <para>
    <filename>pgcrypto</filename> requires <productname>OpenSSL</productname>.
    Otherwise, it will not be built or installed.
   </para>

   <para>
    When compiled against <productname>OpenSSL</productname> 3.0.0

Title: OpenSSL FIPS Mode and Pgcrypto Configuration
Summary
The document describes the fips_mode function, which checks if OpenSSL is running in FIPS mode, and the pgcrypto.builtin_crypto_enabled configuration parameter, which controls the availability of built-in crypto functions. It also discusses how pgcrypto configures itself based on the PostgreSQL configure script options and requires OpenSSL to be installed, with additional features enabled when compiled with zlib or specific versions of OpenSSL.