-
Authentication errors:
-
Mapping errors:
-
Encrypt errors:
-
Configuration errors:
Authentication failed when connecting to the database.
Database authentication failed: check username and password
Check the configured username and password are correct and can connect to the database.
Check the database is using a supported authentication method.
CipherStash Proxy supports several PostgreSQL password authentication methods:
- password
- md5
- scram-sha-256
See PostgreSQL password authentication
Authentication failed when connecting a client to the proxy.
Client authentication failed: check username and password
Check the configured username and password are correct.
The column parameter value is not of the correct cast type for the target encrypted column.
Invalid parameter for column 'column_name' of type 'cast' in table 'table_name'. (OID 'oid')
An encrypted column definition includes the target cast type of the data to be stored.
To encrypt a statement parameter or literal, CipherStash Proxy decodes and casts the data into the target type.
The error indicates that the passed data cannot be decoded and cast into the expected type.
In some cases, parameter types can be converted.
For example PostgreSQL INT2, INT4 and INT8 will all be converted into encrypted SmallInt, Int, or BigInt types.
Check the parameter or literal is of the appropriate type for the configured encrypted column.
The SQL statement could not be parsed.
Error messages will vary depending on the specific syntax error in the sql statement provided.
sql parser error: Expected: SELECT, VALUES, or a subquery in the query body
As SQL is a vast, sprawling language, the proxy may fail to parse some valid SQL statements. Please contact CipherStash if you think your SQL is correct and the parser is wrong.
Check the SQL is a valid PostgreSQL SQL statement.
The parameter type is not supported.
Encryption of PostgreSQL {name} (OID {oid}) types is not currently supported.
Check the supported types for encrypted columns.
An error occurred when attempting to type check the SQL statement.
Statement could not be type checked: '{type-check-error-message}'
CipherStash Proxy checks SQL statements against the database schema to transparently encrypt and decrypt data.
The behaviour of Proxy depends on the mapping_errors_enabled configuration.
When mapping_errors_enabled is false (the default), then type check errors are logged, and the statement is passed through to the database.
When mapping_errors_enabled is true, then type check errors are raised, and statement execution halts.
In our experience, most production systems have a relatively small number of columns that require protection. As SQL is large and complex, instead of blocking statements with type check errors that are false negatives, the default behaviour of Proxy is to allow the statement.
However, this does mean it is possible that a statement that references encrypted columns cannot be type-checked, and it will be passed through to the database. When a statement is passed through to the database, the database's column constraints (provided by EQL) will catch the statement, and return a PostgreSQL error.
Example constraint error:
ERROR: Encrypted column missing version (v) field: 34234
CONTEXT: PL/pgSQL function _cs_encrypted_check_v(jsonb) line 6 at RAISE
SQL function "cs_check_encrypted_v1" statement 1In most cases, this error will occur if the statement contains invalid or unsupported syntax.
Check if you are running the latest version of CipherStash Proxy, and update to the latest version if not.
If the error persists, please contact CipherStash support.
An internal error occurred when attempting to type check or transform a SQL statement. This could be due to an internal invariant failure, or because of a specific fragment of unsupported SQL syntax.
Statement encountered an internal error. This may be a bug in the statement mapping module of CipherStash Proxy.
Check if you are running the latest version of CipherStash Proxy, and update to the latest version if not.
If the error persists, please contact CipherStash support.
The column could not be encrypted.
Column 'column_name' in table 'table_name' could not be encrypted.
CipherStash Proxy uses CipherStash ZeroKMS for low-latency encryption and decryption operations.
The error indicates an issue has occurred in the encryption pipeline processing. The most likely cause is network access to the ZeroKMS service.
- Check that CipherStash ZeroKMS is available at the status page.
- Check that CipherStash Proxy has network access to ZeroKMS in the appropriate region.
- Check that the encrypted configuration
castmatches the expected type.
The encrypted data in a column returned by a SQL statement cannot be encoded into the correct type.
Decrypted column could not be encoded as the expected type.
An encrypted column definition includes the target cast type of the data to be stored.
Encrypted data is stored as the raw (encrypted) bytes in the database.
When a statement returns encrypted data, CipherStash Proxy decrypts the data, casts, and encodes as the PostgreSQL representation of the target type.
The error indicates that the stored data cannot be encoded and returned as the expected type.
Changing the encrypted column definition of a column with existing data can cause this error.
For example:
- column is defined with a cast of
text - data is encrypted and stored as
text - column is redefined with a cast of
int - error as existing records stored as
textdata cannot be decrypted, cast and encoded asint
- Check the encrypted configuration has the correct type.
- Check that the configuration has not changed.
- Check EQL.
The column has an encrypted type (PostgreSQL eql_v1_encrypted type ) with no encryption configuration.
Without the configuration, Cipherstash Proxy does not know how to encrypt the column. Any data is unprotected and unencrypted.
Column 'column_name' in table 'table_name' has no Encrypt configuration
- Define the encrypted configuration using EQL.
- Add
users.emailas an encrypted column:SELECT cs_add_column_v1('users', 'email');
The table has one or more encrypted columns (PostgreSQL eql_v1_encrypted type ) with no encryption configuration.
Without the configuration, Cipherstash Proxy does not know how to encrypt the column. Any data is unprotected and unencrypted.
Table 'table_name' has no Encrypt configuration
- Define the encrypted configuration using EQL.
- Add
users.emailas an encrypted column:SELECT cs_add_column_v1('users', 'email');
The encrypted column has an unknown index configuration.
EQL validates indexes when they are added to ensure that the configuration is correctly defined. However, if the configuration is changed directly in the database, it is possible to misconfigure the setup.
Unknown Index Term for column '{column_name}' in table '{table_name}'.
- Check the Encrypt configuration for the column.
- Define the encrypted configuration using EQL.
There was a problem with the Tls configuration.
# PEM-based configuration
Invalid Transport Layer Security (TLS) certificate.
Invalid Transport Layer Security (TLS) private key.
# Path-based configuration
Missing Transport Layer Security (TLS) certificate at path: {path}.
Missing Transport Layer Security (TLS) private key at path: {path}.
If using path-based configuration: Check that the certificate and private key exists at the specified path. Check that the certificate and private key are valid.
If using PEM-based configuration: Check that the certificate and private key are valid.