pgsodium is a modern cryptography library for Postgres that uses libsodium for all cryptographic operations.
the 1.1.1 release is available on PGXN:
A key new feature in pgsodium 1.1.1 are Server Managed Keys. This is a completely optional mode of operation where you can load a secret key on server boot, inspired by the cool extension pgcryptokey from Bruce Momjian. Once the secret key is loaded, new keys can be derived by "key id" using libsodium Key Derivation Functions and used to seed deterministic keypair generation functions like crpypto_box_seed_new_keypair().
By proactively never storing derived keys and only key ids, databases can contain encrypted data with no secrets stored in them, revealed in SQL or logged in any way.
Other new features in 1.1.1 include:
- detached public key signing and multipart signing aggregates contributed by Marc Munro.
- first cut and api documentation contributed by Marc Munro.
- pgxn META.json contributed by David E. Wheeler.
- Key Derivation Function API (used by Server Managed Keys)
- crpypto_box/sign_seed_new_keypair() for deterministic key pair generation.
- Key Exchange API.
- hmac 512
Check it out!