The EDB*Wrap utility protects proprietary source code and programs (functions, stored procedures, triggers, and packages) from unauthorized scrutiny. The EDB*Wrap program translates a file that contains SPL or PL/pgSQL source code (the plaintext) into a file that contains the same code in a form that is nearly impossible to read. Once you have the obfuscated form of the code, you can send that code to the PostgreSQL server and the server stores those programs in obfuscated form. While EDB*Wrap does obscure code, table definitions are still exposed.
Everything you wrap is stored in obfuscated form. If you wrap an entire package, the package body source, as well as the prototypes contained in the package header and the functions and procedures contained in the package body are stored in obfuscated form.
If you wrap a
CREATE PACKAGE statement, you hide the package API from other developers. You may want to wrap the package body, but not the package header so users can see the package prototypes and other public variables that are defined in the package body. To allow users to see what prototypes the package contains, use EDBWrap to obfuscate only the
CREATE PACKAGE BODY statement in the edbwrap input file, omitting the
CREATE PACKAGE statement. The package header source is stored as plaintext, while the package body source and package functions and procedures are stored obfuscated.
Once wrapped, source code and programs cannot be unwrapped or debugged. Reverse engineering is possible, but would be very difficult.
The entire source file is wrapped into one unit. Any
psql meta-commands included in the wrapped file aren't recognized when the file is executed; executing an obfuscated file that contains a psql meta-command causes a syntax error.
edbwrap does not validate SQL source code -if the plaintext form contains a syntax error,
edbwrap doesn't complain. Instead, the server reports an error and abort the entire file when you try to execute the obfuscated form.
EDB*Wrap is a command line utility; it accepts a single input source file, obfuscates the contents and returns a single output file. When you invoke the
edbwrap utility, you must provide the name of the file that contains the source code to obfuscate. You may also specify the name of the file where
edbwrap writes the obfuscated form of the code.
edbwrap offers three different command-line styles. The first style is compatible with Oracle's
iname=input_file argument specifies the name of the input file; if
input_file does not contain an extension,
edbwrap searches for a file named
oname=output_file argument (which is optional) specifies the name of the output file; if
output_file does not contain an extension,
.plb to the name.
If you don't specify an output file name,
edbwrap writes to a file whose name is derived from the input file name:
edbwrap strips the suffix (typically
.sql) from the input file name and adds
edbwrap offers two other command-line styles that may feel more familiar:
You may mix command-line styles; the rules for deriving input and output file names are identical regardless of which style you use.
edbwrap has produced a file that contains obfuscated code, you typically feed that file into the PostgreSQL server using a client application such as
edb-psql. The server executes the obfuscated code line by line and stores the source code for SPL and PL/pgSQL programs in wrapped form.
In summary, to obfuscate code with EDB*Wrap, you:
- Create the source code file.
- Invoke EDB*Wrap to obfuscate the code.
- Import the file as if it were in plaintext form.
The following sequence demonstrates
First, create the source code for the
list_emp procedure (in plaintext form):
You can import the
list_emp procedure with a client application such as
You can view the plaintext source code (stored in the server) by examining the
pg_proc system table:
Next, obfuscate the plaintext file with EDB*Wrap:
You may notice that the second line of the wrapped file contains an encoding name (in this case, the encoding is UTF8). When you obfuscate a file, edbwrap infers the encoding of the input file by examining the locale. For example, if you are running edbwrap while your locale is set to en_US.utf8, edbwrap assumes that the input file is encoded in UTF8. Be sure to examine the output file after running edbwrap; if the locale contained in the wrapped file does not match the encoding of the input file, you should change your locale and rewrap the input file.
You can import the obfuscated code into the PostgreSQL server using the same tools that work with plaintext code:
Invoke the obfuscated code in the same way that you would invoke the plaintext form:
When you use
pg_dump to back up a database, wrapped programs remain obfuscated in the archive file.
Be aware that audit logs produced by the Postgres server show wrapped programs in plaintext form. Source code is also displayed in plaintext in SQL error messages generated during the execution of a program.
At this time, the bodies of the objects created by the following statements aren't stored in obfuscated form:
- On this page
- Using EDB*Wrap to obfuscate source code