EQL API Reference
Complete API reference for the Encrypt Query Language (EQL) PostgreSQL extension.
Latest Version: 2.3.1
Complete API reference for the Encrypt Query Language (EQL) PostgreSQL extension.
Functions
->(eql_v2_encrypted, eql_v2_encrypted)- -> operator with encrypted selector->>()- ->> operator with encrypted selector>(eql_v2_encrypted, jsonb)- > operator for encrypted value and JSONB>(eql_v2_encrypted, jsonb)- > operator for encrypted value and JSONBbloom_filter(eql_v2_encrypted)- Extract Bloom filter index term from encrypted column value.check_encrypted(eql_v2_encrypted)- Validate encrypted composite type structure.compare(eql_v2.ste_vec_entry, eql_v2.ste_vec_entry)- Three-way ordering on eql_v2.ste_vec_entrycompare_ore_block_u64_8_256_term(eql_v2.ore_block_u64_8_256_term, eql_v2.ore_block_u64_8_256_term)- Compare two ORE block terms using cryptographic comparison.compare_ore_block_u64_8_256_terms(eql_v2.ore_block_u64_8_256, eql_v2.ore_block_u64_8_256)- Compare ORE block composite types.compare_ore_block_u64_8_256_terms(eql_v2.ore_block_u64_8_256, eql_v2.ore_block_u64_8_256)- Compare ORE block composite types.compare_ore_block_u64_8_256_terms(eql_v2.ore_block_u64_8_256_term, eql_v2.ore_block_u64_8_256_term)- Compare arrays of ORE block terms recursively.compare_ore_cllw_term(eql_v2.ore_cllw, eql_v2.ore_cllw)- Variable-length CLLW ORE term comparison.compare_ore_cllw_term_bytes(bytea, bytea)- CLLW per-byte comparison helper.config_add_cast(text, text, text, jsonb)- Set cast type for column in configuration.config_add_column(text, text, jsonb)- Add column to table configuration if not present.config_add_index(text, text, text, jsonb, jsonb)- Add search index to column configuration.config_add_table(text, jsonb)- Add table to configuration if not present.config_check_cast(jsonb)- Validate cast types in configuration.config_check_indexes(jsonb)- Validate index types in configuration.config_check_ste_vec_mode(jsonb)- Validate ste_vec index mode option.config_check_tables(jsonb)- Validate tables field presence.config_check_version(jsonb)- Validate version field presence.config_match_default()- Generate default options for match index.count_encrypted_with_active_config(TEXT, TEXT)- Count rows encrypted with active configuration.create_encrypted_columns()- Create encrypted columns for initial encryption.diff_config(JSONB, JSONB)- Compare two configurations and find differences.eql_v2_configuration()- Unique pending configuration constraint.has_bloom_filter()- Check if JSONB payload contains Bloom filter index term.has_hmac_256(ste_vec_entry)- Check if a ste_vec entry contains an HMAC-SHA256 index term.has_hmac_256(jsonb)- Check if JSONB payload contains HMAC-SHA256 index term.has_ore_block_u64_8_256()- Check if JSONB payload contains ORE block index term.has_ore_cllw(ste_vec_entry)- Check if a ste_vec entry contains a CLLW ORE index term.has_ore_cllw(jsonb)- Check if a raw jsonb value contains a CLLW ORE index term.hmac_256(eql_v2_encrypted)- Extract HMAC-SHA256 index term from encrypted column value.ilike(eql_v2_encrypted, eql_v2_encrypted)- Case-insensitive pattern matching helper.is_ste_vec_array(jsonb)- Check if JSONB payload is marked as an STE vector array.is_ste_vec_array(eql_v2_encrypted)- Check if encrypted column value is marked as an STE vector array.is_ste_vec_value(jsonb)- Check if JSONB payload is a single-element STE vector.jsonb_array(jsonb)- Extract deterministic fields as array for GIN indexing.jsonb_array_elements(jsonb)- Extract elements from encrypted JSONB array.jsonb_array_elements_text(jsonb)- Extract encrypted array elements as ciphertext.jsonb_array_from_array_elements(jsonb)- Extract full encrypted JSONB elements as array.jsonb_array_length(jsonb)- Get length of encrypted JSONB array.jsonb_array_to_bytea_array(jsonb)- Convert JSONB hex array to bytea array.jsonb_contained_by(eql_v2_encrypted, eql_v2_encrypted)- GIN-indexable JSONB "is contained by" check.jsonb_contains(eql_v2_encrypted, jsonb)- GIN-indexable JSONB containment check (encrypted, jsonb)jsonb_path_exists(jsonb, text)- Check if selector path exists in encrypted JSONB.jsonb_path_query(eql_v2_encrypted, eql_v2_encrypted)- Query encrypted JSONB with encrypted selector.jsonb_path_query_first(eql_v2_encrypted, eql_v2_encrypted)- Get first element matching selector.log(text, text)- Log message with context.log(text)- Log message for debugging.lt(eql_v2.ste_vec_entry, eql_v2.ste_vec_entry)- Less-than backing function for eql_v2.ste_vec_entryneq(eql_v2.ste_vec_entry, eql_v2.ste_vec_entry)- Inequality backing function for eql_v2.ste_vec_entryore_block_u64_8_256(jsonb)- Extract ORE block index term from JSONB payload.ore_block_u64_8_256_gt(eql_v2.ore_block_u64_8_256, eql_v2.ore_block_u64_8_256)- Greater than operator for ORE block types.ore_block_u64_8_256_gte(eql_v2.ore_block_u64_8_256, eql_v2.ore_block_u64_8_256)- Greater than or equal operator for ORE block types.ore_block_u64_8_256_lt(eql_v2.ore_block_u64_8_256, eql_v2.ore_block_u64_8_256)- Less than operator for ORE block types.ore_block_u64_8_256_lte(eql_v2.ore_block_u64_8_256, eql_v2.ore_block_u64_8_256)- Less than or equal operator for ORE block types.ore_block_u64_8_256_neq(eql_v2.ore_block_u64_8_256, eql_v2.ore_block_u64_8_256)- Not equal operator for ORE block types.ore_cllw(jsonb)- Extract CLLW ORE index term from raw jsonb (RHS parameter helper)ore_cllw_gt(eql_v2.ore_cllw, eql_v2.ore_cllw)- Greater-than operator backing function for eql_v2.ore_cllwore_cllw_gte(eql_v2.ore_cllw, eql_v2.ore_cllw)- Greater-than-or-equal operator backing function for eql_v2.ore_cllwore_cllw_lt(eql_v2.ore_cllw, eql_v2.ore_cllw)- Less-than operator backing function for eql_v2.ore_cllwore_cllw_lte(eql_v2.ore_cllw, eql_v2.ore_cllw)- Less-than-or-equal operator backing function for eql_v2.ore_cllwore_cllw_neq(eql_v2.ore_cllw, eql_v2.ore_cllw)- Inequality operator backing function for eql_v2.ore_cllwready_for_encryption()- Check if database is ready for encryption.reload_config()- Reload configuration from CipherStash Proxy.rename_encrypted_columns()- Finalize initial encryption by renaming columns.select_pending_columns()- Get columns with pending configuration changes.select_target_columns()- Map pending columns to their encrypted target columns.selector(ste_vec_entry)- Extract selector value from a ste_vec entry.selector(jsonb)- Extract selector value from JSONB payload.ste_vec(eql_v2_encrypted)- Extract STE vector index from encrypted column value.ste_vec_contains(eql_v2_encrypted, eql_v2_encrypted)- Check if encrypted value 'a' contains all elements of encrypted value 'b'.ste_vec_contains(public.eql_v2_encrypted, eql_v2_encrypted)- Check if STE vector array contains a specific encrypted element.ste_vec_contains(eql_v2_encrypted, eql_v2_encrypted)- Check if encrypted value 'a' contains all elements of encrypted value 'b'.to_jsonb(eql_v2_encrypted)- Convert encrypted type to JSONB.to_ste_vec_value(jsonb)- Convert single-element STE vector to regular encrypted value.
Private Functions
_encrypted_check_c(jsonb)- Validate ciphertext field in encrypted payload._encrypted_check_i_ct(jsonb)- Validate table and column fields in ident._encrypted_check_v(jsonb)- Validate version field in encrypted payload._first_grouped_value()- State transition function for grouped_value aggregate._selector(eql_v2_encrypted)- Extract selector value from encrypted column value.
Functions
->(eql_v2_encrypted, eql_v2_encrypted)
-> operator with encrypted selector
Convenience overload: extracts the selector text from an encrypted selector payload and delegates to the (text) form. Inlinable.
Parameters
| Name | Type | Description |
|---|---|---|
e | eql_v2_encrypted | Encrypted JSONB data |
selector | eql_v2_encrypted | Encrypted selector payload |
Returns
Type: eql_v2.ste_vec_entry
text Encrypted value at selector, implicitly cast from eql_v2_encrypted
Variants
->>(eql_v2_encrypted, text)
->>()
->> operator with encrypted selector
-> operator with encrypted selector
Parameters
| Name | Type | Description |
|---|---|---|
e | Encrypted JSONB data | |
selector | Encrypted field selector |
Returns
Type: text
text Encrypted value at selector, implicitly cast from eql_v2_encrypted
Variants
->>(eql_v2_encrypted, text)
>(eql_v2_encrypted, jsonb)
operator for encrypted value and JSONB
operator for JSONB and encrypted value
Parameters
| Name | Type | Description |
|---|---|---|
a | eql_v2_encrypted | Left operand (encrypted value) |
b | jsonb | Right operand |
Returns
Type: boolean
Boolean True if a > b
Variants
>(eql_v2_encrypted, eql_v2_encrypted)
>(eql_v2_encrypted, jsonb)
operator for encrypted value and JSONB
operator for JSONB and encrypted value
Parameters
| Name | Type | Description |
|---|---|---|
a | eql_v2_encrypted | Left operand (encrypted value) |
b | jsonb | Right operand |
Returns
Type: boolean
Boolean True if a > b
Variants
>(eql_v2_encrypted, eql_v2_encrypted)
bloom_filter(eql_v2_encrypted)
Extract Bloom filter index term from encrypted column value.
Extracts the Bloom filter from an encrypted column value by accessing its underlying JSONB data field.
Parameters
| Name | Type | Description |
|---|---|---|
val | eql_v2_encrypted | column value |
Returns
Type: eql_v2.bloom_filter
eql_v2.bloom_filter Bloom filter as smallint array
Variants
bloom_filter(jsonb)
check_encrypted(eql_v2_encrypted)
Validate encrypted composite type structure.
Validates an eql_v2_encrypted composite type by checking its underlying JSONB payload. Delegates to eql_v2.check_encrypted(jsonb).
Parameters
| Name | Type | Description |
|---|---|---|
val | eql_v2_encrypted | value to validate |
Returns
Type: BOOLEAN
Boolean True if structure is valid
Exceptions
- if any required field is missing or invalid
Variants
check_encrypted(jsonb)
compare(eql_v2.ste_vec_entry, eql_v2.ste_vec_entry)
Three-way ordering on eql_v2.ste_vec_entry
CLLW ORE three-way comparator on ste-vec entries. Returns -1 / 0 / 1 by extracting the oc term from each entry and delegating to eql_v2.compare_ore_cllw_term. Use this when you need an int ordering out of two extracted ste-vec entries — for the boolean-form operators (< / <= / > / >=) on the same pair, see .
Note: the caller is responsible for extracting an eql_v2.ste_vec_entry first; the (eql_v2_encrypted, text) form would be a natural extension but is deliberately not added here so that callers stay aware of the two-step shape (extract via ->, then compare).
Parameters
| Name | Type | Description |
|---|---|---|
a | eql_v2.ste_vec_entry | First entry |
b | eql_v2.ste_vec_entry | Second entry |
Returns
Type: integer
integer -1, 0, or 1
Exceptions
- when either entry lacks an oc term
Variants
- src/operators/ste_vec_entry.sql
compare_ore_block_u64_8_256_term(eql_v2.ore_block_u64_8_256_term, eql_v2.ore_block_u64_8_256_term)
Compare two ORE block terms using cryptographic comparison.
Parameters
| Name | Type | Description |
|---|---|---|
a | eql_v2.ore_block_u64_8_256_term | |
b | eql_v2.ore_block_u64_8_256_term |
compare_ore_block_u64_8_256_terms(eql_v2.ore_block_u64_8_256, eql_v2.ore_block_u64_8_256)
Compare ORE block composite types.
Parameters
| Name | Type | Description |
|---|---|---|
a | eql_v2.ore_block_u64_8_256 | |
b | eql_v2.ore_block_u64_8_256 |
compare_ore_block_u64_8_256_terms(eql_v2.ore_block_u64_8_256, eql_v2.ore_block_u64_8_256)
Compare ORE block composite types.
Parameters
| Name | Type | Description |
|---|---|---|
a | eql_v2.ore_block_u64_8_256 | |
b | eql_v2.ore_block_u64_8_256 |
compare_ore_block_u64_8_256_terms(eql_v2.ore_block_u64_8_256_term, eql_v2.ore_block_u64_8_256_term)
Compare arrays of ORE block terms recursively.
Parameters
| Name | Type | Description |
|---|---|---|
a | eql_v2.ore_block_u64_8_256_term | |
b | eql_v2.ore_block_u64_8_256_term |
compare_ore_cllw_term(eql_v2.ore_cllw, eql_v2.ore_cllw)
Variable-length CLLW ORE term comparison.
Parameters
| Name | Type | Description |
|---|---|---|
a | eql_v2.ore_cllw | First term |
b | eql_v2.ore_cllw | Second term |
Returns
Type: int
Integer -1, 0, or 1; NULL if either composite is NULL
Exceptions
- if either composite has a NULL bytes field
Variants
- eql_v2.compare_ore_cllw
compare_ore_cllw_term_bytes(bytea, bytea)
CLLW per-byte comparison helper.
Parameters
| Name | Type | Description |
|---|---|---|
a | bytea | |
b | bytea |
config_add_cast(text, text, text, jsonb)
Set cast type for column in configuration.
Parameters
| Name | Type | Description |
|---|---|---|
table_name | text | |
column_name | text | |
cast_as | text | |
config | jsonb |
config_add_column(text, text, jsonb)
Add column to table configuration if not present.
Parameters
| Name | Type | Description |
|---|---|---|
table_name | text | |
column_name | text | |
config | jsonb |
config_add_index(text, text, text, jsonb, jsonb)
Add search index to column configuration.
Parameters
| Name | Type | Description |
|---|---|---|
table_name | text | |
column_name | text | |
index_name | text | |
opts | jsonb | |
config | jsonb |
config_add_table(text, jsonb)
Add table to configuration if not present.
Parameters
| Name | Type | Description |
|---|---|---|
table_name | text | |
config | jsonb |
config_check_cast(jsonb)
Validate cast types in configuration.
Parameters
| Name | Type | Description |
|---|---|---|
val | jsonb |
config_check_indexes(jsonb)
Validate index types in configuration.
Parameters
| Name | Type | Description |
|---|---|---|
val | jsonb |
config_check_ste_vec_mode(jsonb)
Validate ste_vec index mode option.
Parameters
| Name | Type | Description |
|---|---|---|
val | jsonb |
config_check_tables(jsonb)
Validate tables field presence.
Parameters
| Name | Type | Description |
|---|---|---|
val | jsonb |
config_check_version(jsonb)
Validate version field presence.
Parameters
| Name | Type | Description |
|---|---|---|
val | jsonb |
config_match_default()
Generate default options for match index.
count_encrypted_with_active_config(TEXT, TEXT)
Count rows encrypted with active configuration.
Parameters
| Name | Type | Description |
|---|---|---|
table_name | TEXT | |
column_name | TEXT |
create_encrypted_columns()
Create encrypted columns for initial encryption.
For each plaintext column with pending configuration that lacks an encrypted target column, creates a new column '{column_name}_encrypted' of type eql_v2_encrypted. This prepares the database schema for initial encryption.
Returns
Type: TABLE(table_name
TABLE(table_name text, column_name text) Created encrypted columns
Note
Only creates columns that don't already exist
⚠️ Warning
Executes dynamic DDL (ALTER TABLE ADD COLUMN) - modifies database schema
Variants
- eql_v2.rename_encrypted_columns
diff_config(JSONB, JSONB)
Compare two configurations and find differences.
Parameters
| Name | Type | Description |
|---|---|---|
a | JSONB | |
b | JSONB |
eql_v2_configuration()
Unique pending configuration constraint.
Unique encrypting configuration constraint.
Parameters
| Name | Type | Description |
|---|---|---|
state |
Note
Only one configuration can be 'encrypting' at once
has_bloom_filter()
Check if JSONB payload contains Bloom filter index term.
Check if encrypted column value contains Bloom filter index term.
Tests whether the encrypted data payload includes a 'bf' field, indicating a Bloom filter is available for pattern-match queries.
Parameters
| Name | Type | Description |
|---|---|---|
val |
Returns
Type: boolean
Boolean True if Bloom filter is present
Variants
has_bloom_filter(jsonb)
has_hmac_256(ste_vec_entry)
Check if a ste_vec entry contains an HMAC-SHA256 index term.
Parameters
| Name | Type | Description |
|---|---|---|
entry eql_v2. | ste_vec_entry |
Returns
Type: boolean
Boolean True if hm field is present and non-null
has_hmac_256(jsonb)
Check if JSONB payload contains HMAC-SHA256 index term.
Check if encrypted column value contains HMAC-SHA256 index term.
Tests whether the encrypted data payload includes an 'hm' field, indicating an HMAC-SHA256 hash is available for exact-match queries.
Parameters
| Name | Type | Description |
|---|---|---|
val | jsonb | encrypted EQL payload |
Returns
Type: boolean
Boolean True if HMAC-SHA256 hash is present
Variants
has_ore_block_u64_8_256()
Check if JSONB payload contains ORE block index term.
Check if encrypted column value contains ORE block index term.
Tests whether the encrypted data payload includes an 'ob' field, indicating an ORE block is available for range queries.
Parameters
| Name | Type | Description |
|---|---|---|
val |
Returns
Type: boolean
Boolean True if ORE block is present
Variants
has_ore_block_u64_8_256(jsonb)
has_ore_cllw(ste_vec_entry)
Check if a ste_vec entry contains a CLLW ORE index term.
Tests whether the entry includes an oc field. Inlinable.
Parameters
| Name | Type | Description |
|---|---|---|
entry eql_v2. | ste_vec_entry |
Returns
Type: boolean
Boolean True if oc field is present and non-null
Variants
- eql_v2.ore_cllw
has_ore_cllw(jsonb)
Check if a raw jsonb value contains a CLLW ORE index term.
Companion to eql_v2.has_ore_cllw(ste_vec_entry) for raw jsonb inputs.
Parameters
| Name | Type | Description |
|---|---|---|
val | jsonb | An object that may carry an oc field |
Returns
Type: boolean
Boolean True if oc field is present and non-null
hmac_256(eql_v2_encrypted)
Extract HMAC-SHA256 index term from encrypted column value.
Extracts the HMAC-SHA256 hash from an encrypted column value. Inlinable single-statement SQL — see the jsonb overload for the rationale.
Parameters
| Name | Type | Description |
|---|---|---|
val | eql_v2_encrypted | column value |
Returns
Type: eql_v2.hmac_256
eql_v2.hmac_256 HMAC-SHA256 hash value, or NULL when hm is absent
Variants
hmac_256(jsonb)
ilike(eql_v2_encrypted, eql_v2_encrypted)
Case-insensitive pattern matching helper.
Parameters
| Name | Type | Description |
|---|---|---|
a | eql_v2_encrypted | |
b | eql_v2_encrypted |
is_ste_vec_array(jsonb)
Check if JSONB payload is marked as an STE vector array.
Check if encrypted column value is marked as an STE vector array.
Tests whether the encrypted data payload has the 'a' (array) flag set to true, indicating it represents an array for STE vector operations.
Parameters
| Name | Type | Description |
|---|---|---|
val | jsonb | encrypted EQL payload |
Returns
Type: boolean
Boolean True if value is marked as an STE vector array
Variants
is_ste_vec_array(eql_v2_encrypted)
Check if encrypted column value is marked as an STE vector array.
Tests whether an encrypted column value has the array flag set by checking its underlying JSONB data field.
Tests whether the encrypted data payload has the 'a' (array) flag set to true, indicating it represents an array for STE vector operations.
Parameters
| Name | Type | Description |
|---|---|---|
val | eql_v2_encrypted | column value |
Returns
Type: BEGIN IF NOT eql_v2
Boolean True if value is marked as an STE vector array
Variants
is_ste_vec_value(jsonb)
Check if JSONB payload is a single-element STE vector.
Check if encrypted column value is a single-element STE vector.
Tests whether the encrypted data payload contains an 'sv' field with exactly one element. Single-element STE vectors can be treated as regular encrypted values.
Parameters
| Name | Type | Description |
|---|---|---|
val | jsonb | encrypted EQL payload |
Returns
Type: boolean
Boolean True if value is a single-element STE vector
Variants
jsonb_array(jsonb)
Extract deterministic fields as array for GIN indexing.
Extract deterministic fields as array from encrypted column.
Extracts only deterministic search term fields (s, hm, oc, op) from each STE vector element. Excludes non-deterministic ciphertext for correct containment comparison using PostgreSQL's native @> operator.
Field set: selector (s), HMAC equality (hm), ORE CLLW (oc, Standard-mode), OPE CLLW (op, Compat-mode). The pre-2.3 fields (b3 / ocf / ocv / opf / opv) are no longer emitted — see U-004 and U-006 in docs/upgrading/v2.3.md.
Parameters
| Name | Type | Description |
|---|---|---|
val | jsonb | containing encrypted EQL payload |
Returns
Type: jsonb[]
jsonb[] Array of JSONB elements with only deterministic fields
Note
Use this for GIN indexes and containment queries
Variants
jsonb_array_elements(jsonb)
Extract elements from encrypted JSONB array.
Returns each element of an encrypted JSONB array as a separate row. Each element is returned as an eql_v2_encrypted value with metadata preserved from the parent array.
Parameters
| Name | Type | Description |
|---|---|---|
val | jsonb | JSONB payload representing an array |
Returns
Type: SETOF
SETOF eql_v2_encrypted One row per array element
Note
Each element inherits metadata (version, ident) from parent
Exceptions
- if value is not an array (missing 'a' flag)
Variants
- eql_v2.jsonb_array_elements_text
jsonb_array_elements_text(jsonb)
Extract encrypted array elements as ciphertext.
Returns each element of an encrypted JSONB array as its raw ciphertext value (text representation). Unlike jsonb_array_elements, this returns only the ciphertext 'c' field without metadata.
Parameters
| Name | Type | Description |
|---|---|---|
val | jsonb | JSONB payload representing an array |
Returns
Type: SETOF
SETOF text One ciphertext string per array element
Note
Returns ciphertext only, not full encrypted structure
Exceptions
- if value is not an array (missing 'a' flag)
Variants
- eql_v2.jsonb_array_elements
jsonb_array_from_array_elements(jsonb)
Extract full encrypted JSONB elements as array.
Extract full encrypted JSONB elements as array from encrypted column.
Extracts all JSONB elements from the STE vector including non-deterministic fields. Use jsonb_array() instead for GIN indexing and containment queries.
Parameters
| Name | Type | Description |
|---|---|---|
val | jsonb | containing encrypted EQL payload |
Returns
Type: jsonb[]
jsonb[] Array of full JSONB elements
Variants
jsonb_array_length(jsonb)
Get length of encrypted JSONB array.
Returns the number of elements in an encrypted JSONB array by counting elements in the STE vector ('sv'). The encrypted value must have the array flag ('a') set to true.
Parameters
| Name | Type | Description |
|---|---|---|
val | jsonb | JSONB payload representing an array |
Returns
Type: integer
integer Number of elements in the array
Note
Array flag 'a' must be present and set to true value
Exceptions
- 'cannot get array length of a non-array' if 'a' flag is missing or not true
Variants
- eql_v2.jsonb_array_elements
jsonb_array_to_bytea_array(jsonb)
Convert JSONB hex array to bytea array.
Parameters
| Name | Type | Description |
|---|---|---|
val | jsonb |
jsonb_contained_by(eql_v2_encrypted, eql_v2_encrypted)
GIN-indexable JSONB "is contained by" check.
GIN-indexable JSONB "is contained by" check (jsonb, encrypted)
GIN-indexable JSONB "is contained by" check (encrypted, jsonb)
Checks if all JSONB elements from 'a' are contained in 'b'. Uses jsonb[] arrays internally for native PostgreSQL GIN index support.
Parameters
| Name | Type | Description |
|---|---|---|
a | eql_v2_encrypted | Value to check (typically a table column) |
b | eql_v2_encrypted | Container value |
Returns
Type: boolean
Boolean True if all elements of a are contained in b
Variants
jsonb_contains(eql_v2_encrypted, jsonb)
GIN-indexable JSONB containment check (encrypted, jsonb)
GIN-indexable JSONB containment check (jsonb, encrypted)
Checks if encrypted value 'a' contains all JSONB elements from jsonb value 'b'. Uses jsonb[] arrays internally for native PostgreSQL GIN index support.
Parameters
| Name | Type | Description |
|---|---|---|
a | eql_v2_encrypted | Container value (typically a table column) |
b | jsonb | JSONB value to search for |
Returns
Type: boolean
Boolean True if a contains all elements of b
Variants
jsonb_contains(eql_v2_encrypted, eql_v2_encrypted)
jsonb_path_exists(jsonb, text)
Check if selector path exists in encrypted JSONB.
Check existence with encrypted selector.
Tests whether any encrypted elements match the given selector path. More efficient than jsonb_path_query when only existence check is needed.
Parameters
| Name | Type | Description |
|---|---|---|
val | jsonb | Encrypted JSONB value to check |
selector | text | Encrypted selector to test |
Returns
Type: boolean
boolean True if path exists
Variants
jsonb_path_query(eql_v2_encrypted, eql_v2_encrypted)
Query encrypted JSONB with encrypted selector.
Overload that accepts encrypted selector and extracts its plaintext value before delegating to main jsonb_path_query implementation.
Parameters
| Name | Type | Description |
|---|---|---|
val | eql_v2_encrypted | Encrypted JSONB value to query |
selector | eql_v2_encrypted | Encrypted selector to match against |
Returns
Type: SETOF
SETOF eql_v2_encrypted Matching encrypted elements
Variants
jsonb_path_query(jsonb, text)
jsonb_path_query_first(eql_v2_encrypted, eql_v2_encrypted)
Get first element matching selector.
Returns only the first encrypted element matching the selector path, or NULL if no match found. More efficient than jsonb_path_query when only one result is needed.
Overload that accepts encrypted selector and extracts its value before querying for first match.
Parameters
| Name | Type | Description |
|---|---|---|
val | eql_v2_encrypted | Encrypted JSONB value to query |
selector | eql_v2_encrypted | Encrypted selector to match |
Returns
Type: eql_v2_encrypted
eql_v2_encrypted First matching element or NULL
Note
Uses LIMIT 1 internally for efficiency
Variants
jsonb_path_query_first(jsonb, text)
log(text, text)
Log message with context.
Overload of log function that includes context label for better log organization during testing.
Parameters
| Name | Type | Description |
|---|---|---|
ctx | text | Context label (e.g., test name, module name) |
s | text | Message to log |
Note
Format: "[LOG] {ctx} {message}"
Variants
log(text)
Log message for debugging.
Convenience function to emit log messages during testing and debugging. Uses RAISE NOTICE to output messages to PostgreSQL logs.
Parameters
| Name | Type | Description |
|---|---|---|
s | text | to log |
Note
Primarily used in tests and development
Variants
lt(eql_v2.ste_vec_entry, eql_v2.ste_vec_entry)
Less-than backing function for eql_v2.ste_vec_entry
Parameters
| Name | Type | Description |
|---|---|---|
a | eql_v2.ste_vec_entry | |
b | eql_v2.ste_vec_entry |
neq(eql_v2.ste_vec_entry, eql_v2.ste_vec_entry)
Inequality backing function for eql_v2.ste_vec_entry
Parameters
| Name | Type | Description |
|---|---|---|
a | eql_v2.ste_vec_entry | |
b | eql_v2.ste_vec_entry |
ore_block_u64_8_256(jsonb)
Extract ORE block index term from JSONB payload.
Extract ORE block index term from encrypted column value.
Extracts the ORE block array from the 'ob' field of an encrypted data payload. Used internally for range query comparisons.
Parameters
| Name | Type | Description |
|---|---|---|
val | jsonb | encrypted EQL payload |
Returns
Type: eql_v2.ore_block_u64_8_256
eql_v2.ore_block_u64_8_256 ORE block index term
Exceptions
- if 'ob' field is missing when ore index is expected
Variants
ore_block_u64_8_256_gt(eql_v2.ore_block_u64_8_256, eql_v2.ore_block_u64_8_256)
Greater than operator for ORE block types.
Parameters
| Name | Type | Description |
|---|---|---|
a | eql_v2.ore_block_u64_8_256 | |
b | eql_v2.ore_block_u64_8_256 |
ore_block_u64_8_256_gte(eql_v2.ore_block_u64_8_256, eql_v2.ore_block_u64_8_256)
Greater than or equal operator for ORE block types.
Parameters
| Name | Type | Description |
|---|---|---|
a | eql_v2.ore_block_u64_8_256 | |
b | eql_v2.ore_block_u64_8_256 |
ore_block_u64_8_256_lt(eql_v2.ore_block_u64_8_256, eql_v2.ore_block_u64_8_256)
Less than operator for ORE block types.
Parameters
| Name | Type | Description |
|---|---|---|
a | eql_v2.ore_block_u64_8_256 | |
b | eql_v2.ore_block_u64_8_256 |
ore_block_u64_8_256_lte(eql_v2.ore_block_u64_8_256, eql_v2.ore_block_u64_8_256)
Less than or equal operator for ORE block types.
Parameters
| Name | Type | Description |
|---|---|---|
a | eql_v2.ore_block_u64_8_256 | |
b | eql_v2.ore_block_u64_8_256 |
ore_block_u64_8_256_neq(eql_v2.ore_block_u64_8_256, eql_v2.ore_block_u64_8_256)
Not equal operator for ORE block types.
Parameters
| Name | Type | Description |
|---|---|---|
a | eql_v2.ore_block_u64_8_256 | |
b | eql_v2.ore_block_u64_8_256 |
ore_cllw(jsonb)
Extract CLLW ORE index term from raw jsonb (RHS parameter helper)
Companion overload for eql_v2.ore_cllw(eql_v2.ste_vec_entry) that accepts a raw jsonb value. Intended for the right-hand side of comparisons where the caller binds a literal/parameter jsonb representing a single ste_vec entry: ... < eql_v2.ore_cllw($1. The (jsonb) form skips the domain CHECK constraint so it works for ad-hoc test inputs and for the GenericComparison case in eql_v2.compare_ore_cllw_term.
Returns SQL-level NULL when the input lacks oc, matching the (ste_vec_entry) overload's missing-oc semantics so a WHERE ore_cllw(col) < ore_cllw($1 with a malformed query needle evaluates to no rows rather than indexing a NULL-bytes composite.
Parameters
| Name | Type | Description |
|---|---|---|
val | jsonb | An object carrying an oc field |
Returns
Type: eql_v2.ore_cllw
eql_v2.ore_cllw Composite carrying the CLLW ciphertext, or NULL when the oc field is absent.
ore_cllw_gt(eql_v2.ore_cllw, eql_v2.ore_cllw)
Greater-than operator backing function for eql_v2.ore_cllw
Parameters
| Name | Type | Description |
|---|---|---|
a | eql_v2.ore_cllw | |
b | eql_v2.ore_cllw |
ore_cllw_gte(eql_v2.ore_cllw, eql_v2.ore_cllw)
Greater-than-or-equal operator backing function for eql_v2.ore_cllw
Parameters
| Name | Type | Description |
|---|---|---|
a | eql_v2.ore_cllw | |
b | eql_v2.ore_cllw |
ore_cllw_lt(eql_v2.ore_cllw, eql_v2.ore_cllw)
Less-than operator backing function for eql_v2.ore_cllw
Parameters
| Name | Type | Description |
|---|---|---|
a | eql_v2.ore_cllw | |
b | eql_v2.ore_cllw |
ore_cllw_lte(eql_v2.ore_cllw, eql_v2.ore_cllw)
Less-than-or-equal operator backing function for eql_v2.ore_cllw
Parameters
| Name | Type | Description |
|---|---|---|
a | eql_v2.ore_cllw | |
b | eql_v2.ore_cllw |
ore_cllw_neq(eql_v2.ore_cllw, eql_v2.ore_cllw)
Inequality operator backing function for eql_v2.ore_cllw
Parameters
| Name | Type | Description |
|---|---|---|
a | eql_v2.ore_cllw | |
b | eql_v2.ore_cllw |
ready_for_encryption()
Check if database is ready for encryption.
Verifies that all columns with pending configuration have corresponding encrypted target columns created. Returns true if encryption can proceed.
Returns
Type: BOOLEAN
boolean True if all pending columns have target encrypted columns
Note
Returns false if any pending column lacks encrypted column
Variants
- eql_v2.create_encrypted_columns
reload_config()
Reload configuration from CipherStash Proxy.
Placeholder function for reloading configuration from the CipherStash Proxy. Currently returns NULL without side effects.
Returns
Type: void
Void
Note
This function may be used for configuration synchronization in future versions
rename_encrypted_columns()
Finalize initial encryption by renaming columns.
After initial encryption completes, renames columns to complete the transition:Plaintext column '{column_name}' → '{column_name}_plaintext'Encrypted column '{column_name}_encrypted' → '{column_name}'
This makes the encrypted column the primary column with the original name.
Returns
Type: TABLE(table_name
TABLE(table_name text, column_name text, target_column text) Renamed columns
Note
Only renames columns where target is '{column_name}_encrypted'
⚠️ Warning
Executes dynamic DDL (ALTER TABLE RENAME COLUMN) - modifies database schema
Variants
- eql_v2.create_encrypted_columns
select_pending_columns()
Get columns with pending configuration changes.
Compares 'pending' and 'active' configurations to identify columns that need encryption or re-encryption. Returns columns where configuration differs.
Returns
Type: TABLE(table_name
TABLE(table_name text, column_name text) Columns needing encryption
Note
Treats missing active config as empty config
Exceptions
- if no pending configuration exists
Variants
- eql_v2.select_target_columns
select_target_columns()
Map pending columns to their encrypted target columns.
For each column with pending configuration, identifies the corresponding encrypted column. During initial encryption, target is '{column_name}_encrypted'. Returns NULL for target_column if encrypted column doesn't exist yet.
Returns
Type: TABLE(table_name
TABLE(table_name text, column_name text, target_column text) Column mappings
Note
The LEFT JOIN checks both original and '_encrypted' suffix variations with type verification
Variants
- eql_v2.create_encrypted_columns
selector(ste_vec_entry)
Extract selector value from a ste_vec entry.
Direct overload on the domain type. The DOMAIN's CHECK constraint already guarantees s is present, so this is a simple field access.
Parameters
| Name | Type | Description |
|---|---|---|
entry eql_v2. | ste_vec_entry |
Returns
Type: text
Text The selector value
Variants
selector(jsonb)
Extract selector value from JSONB payload.
Extracts the selector ('s') field from an encrypted data payload. Selectors are used to match STE vector elements during containment queries.
Parameters
| Name | Type | Description |
|---|---|---|
val | jsonb | encrypted EQL payload |
Returns
Type: text
Text The selector value
Exceptions
- if 's' field is missing
Variants
- eql_v2.ste_vec_contains
ste_vec(eql_v2_encrypted)
Extract STE vector index from encrypted column value.
Extracts the STE vector from an encrypted column value by accessing its underlying JSONB data field. Used for containment query operations.
Parameters
| Name | Type | Description |
|---|---|---|
val | eql_v2_encrypted | column value |
Returns
Type: public.eql_v2_encrypted[]
eql_v2_encrypted[] Array of encrypted STE vector elements
Variants
ste_vec(jsonb)
ste_vec_contains(eql_v2_encrypted, eql_v2_encrypted)
Check if encrypted value 'a' contains all elements of encrypted value 'b'.
Performs STE vector containment comparison between two encrypted values. Returns true if all elements in b's STE vector are found in a's STE vector. Used internally by the > containment operator for searchable encryption.
Parameters
| Name | Type | Description |
|---|---|---|
a | eql_v2_encrypted | First encrypted value (container) |
b | eql_v2_encrypted | Second encrypted value (elements to find) |
Returns
Type: boolean
Boolean True if all elements of b are contained in a
Note
Each element of b must match both selector and value in a
Variants
- eql_v2."@>"
ste_vec_contains(public.eql_v2_encrypted, eql_v2_encrypted)
Check if STE vector array contains a specific encrypted element.
Tests whether any element in the STE vector array 'a' contains the encrypted value 'b'. Matching requires both the selector and encrypted value to be equal. Used internally by ste_vec_contains(encrypted, encrypted) for array containment checks.
Parameters
| Name | Type | Description |
|---|---|---|
a | public.eql_v2_encrypted | |
b | eql_v2_encrypted | element to search for |
Returns
Type: boolean
Boolean True if b is found in any element of a
Note
Compares both selector and encrypted value for match
Variants
ste_vec_contains(eql_v2_encrypted, eql_v2_encrypted)
Check if encrypted value 'a' contains all elements of encrypted value 'b'.
Performs STE vector containment comparison between two encrypted values. Returns true if all elements in b's STE vector are found in a's STE vector. Used internally by the > containment operator for searchable encryption.
Parameters
| Name | Type | Description |
|---|---|---|
a | eql_v2_encrypted | First encrypted value (container) |
b | eql_v2_encrypted | Second encrypted value (elements to find) |
Returns
Type: REQUIRE b eql_v2_encrypted RETURNS boolean LANGUAGE SQL IMMUTABLE STRICT PARALLEL SAFE AS $$ SELECT eql_v2
Boolean True if all elements of b are contained in a
Note
Each element of b must match both selector and value in a
Variants
- eql_v2."@>"
to_jsonb(eql_v2_encrypted)
Convert encrypted type to JSONB.
Extracts the underlying JSONB payload from an eql_v2_encrypted composite type. Useful for debugging or when raw encrypted payload access is needed.
Parameters
| Name | Type | Description |
|---|---|---|
e public. | eql_v2_encrypted |
Returns
Type: jsonb
jsonb Raw JSONB encrypted payload
Note
Returns the raw encrypted structure including ciphertext and index terms
Variants
to_encrypted(jsonb)
to_ste_vec_value(jsonb)
Convert single-element STE vector to regular encrypted value.
Convert single-element STE vector to regular encrypted value (encrypted type)
Extracts the single element from a single-element STE vector and returns it as a regular encrypted value, preserving metadata. If the input is not a single-element STE vector, returns it unchanged.
Parameters
| Name | Type | Description |
|---|---|---|
val | jsonb | encrypted EQL payload |
Returns
Type: eql_v2_encrypted
eql_v2_encrypted Regular encrypted value (unwrapped if single-element STE vector)
Variants
Private Functions
_encrypted_check_c(jsonb)
Validate ciphertext field in encrypted payload.
Parameters
| Name | Type | Description |
|---|---|---|
val | jsonb |
_encrypted_check_i_ct(jsonb)
Validate table and column fields in ident.
Parameters
| Name | Type | Description |
|---|---|---|
val | jsonb |
_encrypted_check_v(jsonb)
Validate version field in encrypted payload.
Parameters
| Name | Type | Description |
|---|---|---|
val | jsonb |
_first_grouped_value()
State transition function for grouped_value aggregate.
Parameters
| Name | Type | Description |
|---|---|---|
jsonb | ||
jsonb |
_selector(eql_v2_encrypted)
Extract selector value from encrypted column value.
Parameters
| Name | Type | Description |
|---|---|---|
val | eql_v2_encrypted |