EQL API Reference

Latest Version: 2.2.1

Complete API reference for the Encrypt Query Language (EQL) PostgreSQL extension.

Functions

• ->(eql_v2_encrypted, eql_v2_encrypted) - -> operator with encrypted selector
• ->>(eql_v2_encrypted, eql_v2_encrypted) - ->> operator with encrypted selector
• >(eql_v2_encrypted, eql_v2_encrypted) - > operator for encrypted value and JSONB
• blake3(eql_v2_encrypted) - Extract Blake3 hash index term from encrypted column value.
• bloom_filter(eql_v2_encrypted) - Extract Bloom filter index term from encrypted column value.
• check_encrypted(eql_v2_encrypted) - Validate encrypted composite type structure.
• compare_ore_block_u64_8_256_terms(eql_v2.ore_block_u64_8_256, eql_v2.ore_block_u64_8_256) - Compare ORE block composite types.
• compare_ore_block_u64_8_256_terms(eql_v2.ore_block_u64_8_256, eql_v2.ore_block_u64_8_256) - Compare ORE block composite types.
• compare_ore_block_u64_8_256_terms(eql_v2.ore_block_u64_8_256_term, eql_v2.ore_block_u64_8_256_term) - Compare arrays of ORE block terms recursively.
• compare_ore_cllw_term_bytes(bytea, bytea) - Compare CLLW ORE ciphertext bytes.
• compare_ore_cllw_var_8_term(eql_v2.ore_cllw_var_8, eql_v2.ore_cllw_var_8) - Compare variable-width CLLW ORE ciphertext terms.
• config_add_cast(text, text, text, jsonb) - Set cast type for column in configuration.
• config_add_column(text, text, jsonb) - Add column to table configuration if not present.
• config_add_index(text, text, text, jsonb, jsonb) - Add search index to column configuration.
• config_add_table(text, jsonb) - Add table to configuration if not present.
• config_check_cast(jsonb) - Validate cast types in configuration.
• config_check_indexes(jsonb) - Validate index types in configuration.
• config_check_tables(jsonb) - Validate tables field presence.
• config_check_version(jsonb) - Validate version field presence.
• config_match_default() - Generate default options for match index.
• count_encrypted_with_active_config(TEXT, TEXT) - Count rows encrypted with active configuration.
• create_encrypted_columns() - Create encrypted columns for initial encryption.
• diff_config(JSONB, JSONB) - Compare two configurations and find differences.
• eql_v2_configuration() - Unique pending configuration constraint.
• has_blake3(jsonb) - Check if JSONB payload contains Blake3 index term.
• has_bloom_filter(jsonb) - Check if JSONB payload contains Bloom filter index term.
• has_hmac_256(jsonb) - Check if JSONB payload contains HMAC-SHA256 index term.
• has_ore_block_u64_8_256(jsonb) - Check if JSONB payload contains ORE block index term.
• has_ore_cllw_u64_8(jsonb) - Check if JSONB payload contains CLLW ORE index term.
• has_ore_cllw_var_8(jsonb) - Check if JSONB payload contains variable-width CLLW ORE index term.
• hmac_256(eql_v2_encrypted) - Extract HMAC-SHA256 index term from encrypted column value.
• ilike(eql_v2_encrypted, eql_v2_encrypted) - Case-insensitive pattern matching helper.
• is_ste_vec_array(jsonb) - Check if JSONB payload is marked as an STE vector array.
• is_ste_vec_array() - Check if encrypted column value is marked as an STE vector array.
• is_ste_vec_value(jsonb) - Check if JSONB payload is a single-element STE vector.
• jsonb_array(jsonb) - Extract deterministic fields as array for GIN indexing.
• jsonb_array_elements(jsonb) - Extract elements from encrypted JSONB array.
• jsonb_array_elements_text(jsonb) - Extract encrypted array elements as ciphertext.
• jsonb_array_from_array_elements(jsonb) - Extract full encrypted JSONB elements as array.
• jsonb_array_length(jsonb) - Get length of encrypted JSONB array.
• jsonb_array_to_bytea_array(jsonb) - Convert JSONB hex array to bytea array.
• jsonb_contained_by(eql_v2_encrypted, eql_v2_encrypted) - GIN-indexable JSONB "is contained by" check.
• jsonb_contains(eql_v2_encrypted, jsonb) - GIN-indexable JSONB containment check (encrypted, jsonb)
• jsonb_path_exists(jsonb, text) - Check if selector path exists in encrypted JSONB.
• jsonb_path_query(eql_v2_encrypted, eql_v2_encrypted) - Query encrypted JSONB with encrypted selector.
• jsonb_path_query_first(jsonb, text) - Get first element matching selector.
• log(text, text) - Log message with context.
• log(text) - Log message for debugging.
• ore_block_u64_8_256(jsonb) - Extract ORE block index term from JSONB payload.
• ore_block_u64_8_256_gt(eql_v2.ore_block_u64_8_256, eql_v2.ore_block_u64_8_256) - Greater than operator for ORE block types.
• ore_block_u64_8_256_gte(eql_v2.ore_block_u64_8_256, eql_v2.ore_block_u64_8_256) - Greater than or equal operator for ORE block types.
• ore_block_u64_8_256_lt(eql_v2.ore_block_u64_8_256, eql_v2.ore_block_u64_8_256) - Less than operator for ORE block types.
• ore_block_u64_8_256_lte(eql_v2.ore_block_u64_8_256, eql_v2.ore_block_u64_8_256) - Less than or equal operator for ORE block types.
• ore_block_u64_8_256_neq(eql_v2.ore_block_u64_8_256, eql_v2.ore_block_u64_8_256) - Not equal operator for ORE block types.
• ore_cllw_u64_8(eql_v2_encrypted) - Extract CLLW ORE index term from encrypted column value.
• ore_cllw_var_8(eql_v2_encrypted) - Extract variable-width CLLW ORE index term from encrypted column value.
• ready_for_encryption() - Check if database is ready for encryption.
• reload_config() - Reload configuration from CipherStash Proxy.
• rename_encrypted_columns() - Finalize initial encryption by renaming columns.
• select_pending_columns() - Get columns with pending configuration changes.
• select_target_columns() - Map pending columns to their encrypted target columns.
• selector(jsonb) - Extract selector value from JSONB payload.
• ste_vec(eql_v2_encrypted) - Extract STE vector index from encrypted column value.
• ste_vec_contains(eql_v2_encrypted, eql_v2_encrypted) - Check if encrypted value 'a' contains all elements of encrypted value 'b'.
• ste_vec_contains(public.eql_v2_encrypted, eql_v2_encrypted) - Check if STE vector array contains a specific encrypted element.
• to_encrypted(text) - Convert text to encrypted type.
• to_jsonb(eql_v2_encrypted) - Convert encrypted type to JSONB.
• to_ste_vec_value(jsonb) - Convert single-element STE vector to regular encrypted value.

Private Functions

• _encrypted_check_c(jsonb) - Validate ciphertext field in encrypted payload.
• _encrypted_check_i_ct(jsonb) - Validate table and column fields in ident.
• _encrypted_check_v(jsonb) - Validate version field in encrypted payload.
• _first_grouped_value() - State transition function for grouped_value aggregate.

---

Functions

->(eql_v2_encrypted, eql_v2_encrypted)

-> operator with encrypted selector

Parameters

Returns

Type: eql_v2_encrypted

eql_v2_encrypted Encrypted value at selector

Variants

• ->(eql_v2_encrypted, text)

---

->>(eql_v2_encrypted, eql_v2_encrypted)

->> operator with encrypted selector

Parameters

Returns

Type: text

text Encrypted value at selector, implicitly cast from eql_v2_encrypted

Variants

• ->>(eql_v2_encrypted, text)

---

>(eql_v2_encrypted, eql_v2_encrypted)

operator for encrypted value and JSONB

Parameters

Variants

• >(eql_v2_encrypted, eql_v2_encrypted)

---

blake3(eql_v2_encrypted)

Extract Blake3 hash index term from encrypted column value.

Extracts the Blake3 hash from an encrypted column value by accessing its underlying JSONB data field.

Parameters

Returns

Type: eql_v2.blake3

eql_v2.blake3 Blake3 hash value, or NULL if not present

Variants

• blake3(jsonb)

---

bloom_filter(eql_v2_encrypted)

Extract Bloom filter index term from encrypted column value.

Extracts the Bloom filter from an encrypted column value by accessing its underlying JSONB data field.

Parameters

Returns

Type: eql_v2.bloom_filter

eql_v2.bloom_filter Bloom filter as smallint array

Variants

• bloom_filter(jsonb)

---

check_encrypted(eql_v2_encrypted)

Validate encrypted composite type structure.

Validates an eql_v2_encrypted composite type by checking its underlying JSONB payload. Delegates to eql_v2.check_encrypted(jsonb).

Parameters

Returns

Type: BOOLEAN

Boolean True if structure is valid

Exceptions

• if any required field is missing or invalid

Variants

• check_encrypted(jsonb)

---

compare_ore_block_u64_8_256_terms(eql_v2.ore_block_u64_8_256, eql_v2.ore_block_u64_8_256)

Compare ORE block composite types.

Parameters

---

compare_ore_block_u64_8_256_terms(eql_v2.ore_block_u64_8_256, eql_v2.ore_block_u64_8_256)

Compare ORE block composite types.

Parameters

---

compare_ore_block_u64_8_256_terms(eql_v2.ore_block_u64_8_256_term, eql_v2.ore_block_u64_8_256_term)

Compare arrays of ORE block terms recursively.

Parameters

---

compare_ore_cllw_term_bytes(bytea, bytea)

Compare CLLW ORE ciphertext bytes.

Parameters

---

compare_ore_cllw_var_8_term(eql_v2.ore_cllw_var_8, eql_v2.ore_cllw_var_8)

Compare variable-width CLLW ORE ciphertext terms.

Parameters

---

config_add_cast(text, text, text, jsonb)

Set cast type for column in configuration.

Parameters

---

config_add_column(text, text, jsonb)

Add column to table configuration if not present.

Parameters

---

config_add_index(text, text, text, jsonb, jsonb)

Add search index to column configuration.

Parameters

---

config_add_table(text, jsonb)

Add table to configuration if not present.

Parameters

---

config_check_cast(jsonb)

Validate cast types in configuration.

Parameters

---

config_check_indexes(jsonb)

Validate index types in configuration.

Parameters

---

config_check_tables(jsonb)

Validate tables field presence.

Parameters

---

config_check_version(jsonb)

Validate version field presence.

Parameters

---

config_match_default()

Generate default options for match index.

---

count_encrypted_with_active_config(TEXT, TEXT)

Count rows encrypted with active configuration.

Parameters

---

create_encrypted_columns()

Create encrypted columns for initial encryption.

For each plaintext column with pending configuration that lacks an encrypted target column, creates a new column '{column_name}_encrypted' of type eql_v2_encrypted. This prepares the database schema for initial encryption.

Returns

Type: TABLE(table_name

TABLE(table_name text, column_name text) Created encrypted columns

Note

Only creates columns that don't already exist

⚠️ Warning

Executes dynamic DDL (ALTER TABLE ADD COLUMN) - modifies database schema

Variants

• eql_v2.rename_encrypted_columns

---

diff_config(JSONB, JSONB)

Compare two configurations and find differences.

Parameters

---

eql_v2_configuration()

Unique pending configuration constraint.

Unique encrypting configuration constraint.

Parameters

Note

Only one configuration can be 'encrypting' at once

---

has_blake3(jsonb)

Check if JSONB payload contains Blake3 index term.

Check if encrypted column value contains Blake3 index term.

Tests whether the encrypted data payload includes a 'b3' field, indicating a Blake3 hash is available for exact-match queries.

Parameters

Returns

Type: boolean

Boolean True if Blake3 hash is present

Variants

• has_blake3(jsonb)

---

has_bloom_filter(jsonb)

Check if JSONB payload contains Bloom filter index term.

Check if encrypted column value contains Bloom filter index term.

Tests whether the encrypted data payload includes a 'bf' field, indicating a Bloom filter is available for pattern-match queries.

Parameters

Returns

Type: boolean

Boolean True if Bloom filter is present

Variants

• has_bloom_filter(jsonb)

---

has_hmac_256(jsonb)

Check if JSONB payload contains HMAC-SHA256 index term.

Check if encrypted column value contains HMAC-SHA256 index term.

Tests whether the encrypted data payload includes an 'hm' field, indicating an HMAC-SHA256 hash is available for exact-match queries.

Parameters

Returns

Type: boolean

Boolean True if HMAC-SHA256 hash is present

Variants

• has_hmac_256(jsonb)

---

has_ore_block_u64_8_256(jsonb)

Check if JSONB payload contains ORE block index term.

Check if encrypted column value contains ORE block index term.

Tests whether the encrypted data payload includes an 'ob' field, indicating an ORE block is available for range queries.

Parameters

Returns

Type: boolean

Boolean True if ORE block is present

Variants

• has_ore_block_u64_8_256(jsonb)

---

has_ore_cllw_u64_8(jsonb)

Check if JSONB payload contains CLLW ORE index term.

Check if encrypted column value contains CLLW ORE index term.

Tests whether the encrypted data payload includes an 'ocf' field, indicating a CLLW ORE ciphertext is available for range queries.

Parameters

Returns

Type: boolean

Boolean True if CLLW ORE ciphertext is present

Variants

• has_ore_cllw_u64_8(jsonb)

---

has_ore_cllw_var_8(jsonb)

Check if JSONB payload contains variable-width CLLW ORE index term.

Check if encrypted column value contains variable-width CLLW ORE index term.

Tests whether the encrypted data payload includes an 'ocv' field, indicating a variable-width CLLW ORE ciphertext is available for range queries.

Parameters

Returns

Type: boolean

Boolean True if variable-width CLLW ORE ciphertext is present

Variants

• has_ore_cllw_var_8(jsonb)

---

hmac_256(eql_v2_encrypted)

Extract HMAC-SHA256 index term from encrypted column value.

Extracts the HMAC-SHA256 hash from an encrypted column value by accessing its underlying JSONB data field.

Parameters

Returns

Type: eql_v2.hmac_256

eql_v2.hmac_256 HMAC-SHA256 hash value

Variants

• hmac_256(jsonb)

---

ilike(eql_v2_encrypted, eql_v2_encrypted)

Case-insensitive pattern matching helper.

Parameters

---

is_ste_vec_array(jsonb)

Check if JSONB payload is marked as an STE vector array.

Check if encrypted column value is marked as an STE vector array.

Tests whether the encrypted data payload has the 'a' (array) flag set to true, indicating it represents an array for STE vector operations.

Parameters

Returns

Type: boolean

Boolean True if value is marked as an STE vector array

Variants

• is_ste_vec_array(jsonb)

---

is_ste_vec_array()

Check if encrypted column value is marked as an STE vector array.

Tests whether an encrypted column value has the array flag set by checking its underlying JSONB data field.

Parameters

Returns

Type: BEGIN IF NOT eql_v2

Boolean True if value is marked as an STE vector array

Variants

• is_ste_vec_array(jsonb)

---

is_ste_vec_value(jsonb)

Check if JSONB payload is a single-element STE vector.

Check if encrypted column value is a single-element STE vector.

Tests whether the encrypted data payload contains an 'sv' field with exactly one element. Single-element STE vectors can be treated as regular encrypted values.

Parameters

Returns

Type: boolean

Boolean True if value is a single-element STE vector

Variants

• is_ste_vec_value(jsonb)

---

jsonb_array(jsonb)

Extract deterministic fields as array for GIN indexing.

Extract deterministic fields as array from encrypted column.

Extracts only deterministic search term fields (s, b3, hm, ocv, ocf) from each STE vector element. Excludes non-deterministic ciphertext for correct containment comparison using PostgreSQL's native > operator.

Parameters

Returns

Type: jsonb[]

jsonb[] Array of JSONB elements with only deterministic fields

Note

Use this for GIN indexes and containment queries

Variants

• jsonb_array(jsonb)

---

jsonb_array_elements(jsonb)

Extract elements from encrypted JSONB array.

Returns each element of an encrypted JSONB array as a separate row. Each element is returned as an eql_v2_encrypted value with metadata preserved from the parent array.

Parameters

Returns

Type: SETOF

SETOF eql_v2_encrypted One row per array element

Note

Each element inherits metadata (version, ident) from parent

Exceptions

• if value is not an array (missing 'a' flag)

Variants

• eql_v2.jsonb_array_elements_text

---

jsonb_array_elements_text(jsonb)

Extract encrypted array elements as ciphertext.

Returns each element of an encrypted JSONB array as its raw ciphertext value (text representation). Unlike jsonb_array_elements, this returns only the ciphertext 'c' field without metadata.

Parameters

Returns

Type: SETOF

SETOF text One ciphertext string per array element

Note

Returns ciphertext only, not full encrypted structure

Exceptions

• if value is not an array (missing 'a' flag)

Variants

• eql_v2.jsonb_array_elements

---

jsonb_array_from_array_elements(jsonb)

Extract full encrypted JSONB elements as array.

Extract full encrypted JSONB elements as array from encrypted column.

Extracts all JSONB elements from the STE vector including non-deterministic fields. Use jsonb_array() instead for GIN indexing and containment queries.

Parameters

Returns

Type: jsonb[]

jsonb[] Array of full JSONB elements

Variants

• jsonb_array_from_array_elements(jsonb)

---

jsonb_array_length(jsonb)

Get length of encrypted JSONB array.

Returns the number of elements in an encrypted JSONB array by counting elements in the STE vector ('sv'). The encrypted value must have the array flag ('a') set to true.

Parameters

Returns

Type: integer

integer Number of elements in the array

Note

Array flag 'a' must be present and set to true value

Exceptions

• 'cannot get array length of a non-array' if 'a' flag is missing or not true

Variants

• eql_v2.jsonb_array_elements

---

jsonb_array_to_bytea_array(jsonb)

Convert JSONB hex array to bytea array.

Parameters

---

jsonb_contained_by(eql_v2_encrypted, eql_v2_encrypted)

GIN-indexable JSONB "is contained by" check.

GIN-indexable JSONB "is contained by" check (jsonb, encrypted)

GIN-indexable JSONB "is contained by" check (encrypted, jsonb)

Checks if all JSONB elements from 'a' are contained in 'b'. Uses jsonb[] arrays internally for native PostgreSQL GIN index support.

Parameters

Returns

Type: boolean

Boolean True if all elements of a are contained in b

Variants

• jsonb_contained_by(eql_v2_encrypted, eql_v2_encrypted)

---

jsonb_contains(eql_v2_encrypted, jsonb)

GIN-indexable JSONB containment check (encrypted, jsonb)

GIN-indexable JSONB containment check (jsonb, encrypted)

Checks if encrypted value 'a' contains all JSONB elements from jsonb value 'b'. Uses jsonb[] arrays internally for native PostgreSQL GIN index support.

Parameters

Returns

Type: boolean

Boolean True if a contains all elements of b

Variants

• jsonb_contains(eql_v2_encrypted, eql_v2_encrypted)

---

jsonb_path_exists(jsonb, text)

Check if selector path exists in encrypted JSONB.

Check existence with encrypted selector.

Tests whether any encrypted elements match the given selector path. More efficient than jsonb_path_query when only existence check is needed.

Parameters

Returns

Type: boolean

boolean True if path exists

Variants

• jsonb_path_exists(jsonb, text)

---

jsonb_path_query(eql_v2_encrypted, eql_v2_encrypted)

Query encrypted JSONB with encrypted selector.

Overload that accepts encrypted selector and extracts its plaintext value before delegating to main jsonb_path_query implementation.

Parameters

Returns

Type: SETOF

SETOF eql_v2_encrypted Matching encrypted elements

Variants

• jsonb_path_query(jsonb, text)

---

jsonb_path_query_first(jsonb, text)

Get first element matching selector.

Get first element with encrypted selector.

Returns only the first encrypted element matching the selector path, or NULL if no match found. More efficient than jsonb_path_query when only one result is needed.

Parameters

Returns

Type: eql_v2_encrypted

eql_v2_encrypted First matching element or NULL

Note

Uses LIMIT 1 internally for efficiency

Variants

• jsonb_path_query_first(jsonb, text)

---

log(text, text)

Log message with context.

Overload of log function that includes context label for better log organization during testing.

Parameters

Note

Format: "[LOG] {ctx} {message}"

Variants

• log(text)

---

log(text)

Log message for debugging.

Convenience function to emit log messages during testing and debugging. Uses RAISE NOTICE to output messages to PostgreSQL logs.

Parameters

Note

Primarily used in tests and development

Variants

• log(text, text)

---

ore_block_u64_8_256(jsonb)

Extract ORE block index term from JSONB payload.

Extract ORE block index term from encrypted column value.

Extracts the ORE block array from the 'ob' field of an encrypted data payload. Used internally for range query comparisons.

Parameters

Returns

Type: eql_v2.ore_block_u64_8_256

eql_v2.ore_block_u64_8_256 ORE block index term

Exceptions

• if 'ob' field is missing when ore index is expected

Variants

• ore_block_u64_8_256(jsonb)

---

ore_block_u64_8_256_gt(eql_v2.ore_block_u64_8_256, eql_v2.ore_block_u64_8_256)

Greater than operator for ORE block types.

Parameters

---

ore_block_u64_8_256_gte(eql_v2.ore_block_u64_8_256, eql_v2.ore_block_u64_8_256)

Greater than or equal operator for ORE block types.

Parameters

---

ore_block_u64_8_256_lt(eql_v2.ore_block_u64_8_256, eql_v2.ore_block_u64_8_256)

Less than operator for ORE block types.

Parameters

---

ore_block_u64_8_256_lte(eql_v2.ore_block_u64_8_256, eql_v2.ore_block_u64_8_256)

Less than or equal operator for ORE block types.

Parameters

---

ore_block_u64_8_256_neq(eql_v2.ore_block_u64_8_256, eql_v2.ore_block_u64_8_256)

Not equal operator for ORE block types.

Parameters

---

ore_cllw_u64_8(eql_v2_encrypted)

Extract CLLW ORE index term from encrypted column value.

Extracts the CLLW ORE ciphertext from an encrypted column value by accessing its underlying JSONB data field.

Parameters

Returns

Type: eql_v2.ore_cllw_u64_8

eql_v2.ore_cllw_u64_8 CLLW ORE ciphertext

Variants

• ore_cllw_u64_8(jsonb)

---

ore_cllw_var_8(eql_v2_encrypted)

Extract variable-width CLLW ORE index term from encrypted column value.

Extracts the variable-width CLLW ORE ciphertext from an encrypted column value by accessing its underlying JSONB data field.

Parameters

Returns

Type: eql_v2.ore_cllw_var_8

eql_v2.ore_cllw_var_8 Variable-width CLLW ORE ciphertext

Variants

• ore_cllw_var_8(jsonb)

---

ready_for_encryption()

Check if database is ready for encryption.

Verifies that all columns with pending configuration have corresponding encrypted target columns created. Returns true if encryption can proceed.

Returns

Type: BOOLEAN

boolean True if all pending columns have target encrypted columns

Note

Returns false if any pending column lacks encrypted column

Variants

• eql_v2.create_encrypted_columns

---

reload_config()

Reload configuration from CipherStash Proxy.

Placeholder function for reloading configuration from the CipherStash Proxy. Currently returns NULL without side effects.

Returns

Type: void

Void

Note

This function may be used for configuration synchronization in future versions

---

rename_encrypted_columns()

Finalize initial encryption by renaming columns.

After initial encryption completes, renames columns to complete the transition:Plaintext column '{column_name}' → '{column_name}_plaintext'Encrypted column '{column_name}_encrypted' → '{column_name}'

This makes the encrypted column the primary column with the original name.

Returns

Type: TABLE(table_name

TABLE(table_name text, column_name text, target_column text) Renamed columns

Note

Only renames columns where target is '{column_name}_encrypted'

⚠️ Warning

Executes dynamic DDL (ALTER TABLE RENAME COLUMN) - modifies database schema

Variants

• eql_v2.create_encrypted_columns

---

select_pending_columns()

Get columns with pending configuration changes.

Compares 'pending' and 'active' configurations to identify columns that need encryption or re-encryption. Returns columns where configuration differs.

Returns

Type: TABLE(table_name

TABLE(table_name text, column_name text) Columns needing encryption

Note

Treats missing active config as empty config

Exceptions

• if no pending configuration exists

Variants

• eql_v2.select_target_columns

---

select_target_columns()

Map pending columns to their encrypted target columns.

For each column with pending configuration, identifies the corresponding encrypted column. During initial encryption, target is '{column_name}_encrypted'. Returns NULL for target_column if encrypted column doesn't exist yet.

Returns

Type: TABLE(table_name

TABLE(table_name text, column_name text, target_column text) Column mappings

Note

The LEFT JOIN checks both original and '_encrypted' suffix variations with type verification

Variants

• eql_v2.create_encrypted_columns

---

selector(jsonb)

Extract selector value from JSONB payload.

Extract selector value from encrypted column value.

Extracts the selector ('s') field from an encrypted data payload. Selectors are used to match STE vector elements during containment queries.

Parameters

Returns

Type: text

Text The selector value

Exceptions

• if 's' field is missing

Variants

• selector(jsonb)

---

ste_vec(eql_v2_encrypted)

Extract STE vector index from encrypted column value.

Extracts the STE vector from an encrypted column value by accessing its underlying JSONB data field. Used for containment query operations.

Parameters

Returns

Type: public.eql_v2_encrypted[]

eql_v2_encrypted[] Array of encrypted STE vector elements

Variants

• ste_vec(jsonb)

---

ste_vec_contains(eql_v2_encrypted, eql_v2_encrypted)

Check if encrypted value 'a' contains all elements of encrypted value 'b'.

Performs STE vector containment comparison between two encrypted values. Returns true if all elements in b's STE vector are found in a's STE vector. Used internally by the > containment operator for searchable encryption.

Parameters

Returns

Type: boolean

Boolean True if all elements of b are contained in a

Note

Each element of b must match both selector and value in a

Variants

• eql_v2."@>"

---

ste_vec_contains(public.eql_v2_encrypted, eql_v2_encrypted)

Check if STE vector array contains a specific encrypted element.

Tests whether any element in the STE vector array 'a' contains the encrypted value 'b'. Matching requires both the selector and encrypted value to be equal. Used internally by ste_vec_contains(encrypted, encrypted) for array containment checks.

Parameters

Returns

Type: boolean

Boolean True if b is found in any element of a

Note

Compares both selector and encrypted value for match

Variants

• ste_vec_contains(eql_v2_encrypted, eql_v2_encrypted)

---

to_encrypted(text)

Convert text to encrypted type.

Parses a text representation of encrypted JSONB payload and wraps it in the eql_v2_encrypted composite type.

Parameters

Returns

Type: public.eql_v2_encrypted

eql_v2_encrypted Encrypted value wrapped in composite type

Note

Delegates to eql_v2.to_encrypted(jsonb) after parsing text as JSON

Variants

• to_encrypted(jsonb)

---

to_jsonb(eql_v2_encrypted)

Convert encrypted type to JSONB.

Extracts the underlying JSONB payload from an eql_v2_encrypted composite type. Useful for debugging or when raw encrypted payload access is needed.

Parameters

Returns

Type: jsonb

jsonb Raw JSONB encrypted payload

Note

Returns the raw encrypted structure including ciphertext and index terms

Variants

• to_encrypted(jsonb)

---

to_ste_vec_value(jsonb)

Convert single-element STE vector to regular encrypted value.

Convert single-element STE vector to regular encrypted value (encrypted type)

Extracts the single element from a single-element STE vector and returns it as a regular encrypted value, preserving metadata. If the input is not a single-element STE vector, returns it unchanged.

Parameters

Returns

Type: eql_v2_encrypted

eql_v2_encrypted Regular encrypted value (unwrapped if single-element STE vector)

Variants

• to_ste_vec_value(jsonb)

---

Private Functions

_encrypted_check_c(jsonb)

Validate ciphertext field in encrypted payload.

Parameters

---

_encrypted_check_i_ct(jsonb)

Validate table and column fields in ident.

Parameters

---

_encrypted_check_v(jsonb)

Validate version field in encrypted payload.

Parameters

---

_first_grouped_value()

State transition function for grouped_value aggregate.

Parameters

---