Skip to content
Database

pgsodium (pending deprecation): Encryption Features

Supabase does not recommend the usage of pgsodium as it will be deprecated. Use Supabase Vault instead.

We will reach out to owners of impacted projects to assist with migrations away from pgsodium once the deprecation process begins.

Vault and pgsodium are separate extensions. Vault doesn't depend on pgsodium and is not affected by this deprecation.

pgsodium is a Postgres extension which provides SQL access to libsodium's high-level cryptographic algorithms.

Supabase previously documented two features derived from pgsodium. Namely Server Key Management and Transparent Column Encryption. At this time, we do not recommend using either on the Supabase platform due to their high level of operational complexity and misconfiguration risk.

Note that Supabase projects are encrypted at rest by default which likely is sufficient for your compliance needs e.g. SOC2 & HIPAA.

Get the root encryption key for your Supabase project#

Encryption requires keys. Keeping the keys in the same database as the encrypted data would be unsafe. Supabase Vault and pgsodium share the same per-project root encryption key; for more information about managing it see encryption key location. This key is required to decrypt values stored in Supabase Vault and data encrypted with Transparent Column Encryption.

Resources#