Pete Finnigan's Oracle Security Weblog

I often get asked how to use DBMS_CRYPTO to encrypt data in the Oracle database. Or I used to be asked how to use DBMS_OBFUSCATION_TOOLKIT when it was the go-to encryption in an Oracle database.

Before we go far; this is the first part of a 5 part blog around the subject of managing keys for use with DBMS_CRYPTO. Of course as I write this blog the links to the next 4 parts do not exist; I hope to come back and add these very soon. The five proposed blog parts are:

1. Part 1: (This blog) - Discuss the problem in general and the need to encrypt data in the database


2. Part 2 - We will present a simple solution design to store an encryption key for use with DBMS_CRYPTO and discuss some of its flaws


3. Part 3 - Lets build a key vault


4. Part 4 - Protecting the key vault


5. Part 5 - Using the key vault with DBMS_CRYPTO and SQL

This method of using Oracle built in packages to encrypt data differs from TDE (Transparent Database Encryption) in that TDE is automatic as it either decrypts blocks of data returned to the SGA from data files on disk for tablespace encryption or it returns encrypted blocks and decrypts columns of data from rows of data as it needs to on demand for column based encryption.

Both TDE mechanisms are automatic and from the users perspective (The SQL executor) the data is still manipulated in clear text as normal but is in fact stored on disk encrypted. With TDE the keys are managed automatically and are generally in a wallet. There are also three layers of keys 1: Passphrase/password to open the wallet or autologin, 2: Master key stored in the wallet, 3: column keys or tablespace keys stored locally encrypted. These final keys are used to encrypt and decrypt the actual data and these keys are encrypted/decrypted by the master key. TDE uses synchronous two way encryption and whilst its ease of use is fantastic the problem - if you can call it a problem - is that the data is still available transparently via a SQL interface where the user of that SQL has rights to access encrypted data. So, if a user can select from a table in an encrypted tablespace or from a column of data that is encrypted he/she still can and can see clear text data.

The purpose of TDE is to protect the data in the datafiles at rest.

The one open gateway if you will is that the data files are encrypted - good - but the software owner (can be "oracle") is usually the only user able to access these files at the file system level - BUT that user can also simply connect to the database "/ as sysdba" and access any protected data. To prevent this in a database using TDE you must also limit the access "as sysdba" to the encrypted data. You must also use other mechanisms from normal object rights to tools such as Database Vault or VPD to limit access to the tables and therefore the encrypted data.

Of course we mentioned a wallet above used as an encryption key store but Oracle also supports the use of a Hardware Security Module (HSM) to store and protect the master key. In this case the customer can use a HSM from a third party where the master key never leaves the HSM and a C library is provided that allows TDE to talk to the HSM using standard wallets and wallet access software silently via the database. In fact in TDE the commands to open the wallet/HSM and pass the keys to be used is done silently in the background.

So, TDE is a great product and makes encrypting data easy without much effort and it also provides a way to protect data files at rest BUT what if you want to make sure that the data held in the database is normally presented encrypted to any non-authorised random access?

This is also a solution to the problem presented earlier and it means that even if someone has SQL access like with TDE they do not see clear text data unless also authorised to decrypt the data

The solutions provided by Oracle are the DBMS_CRYPTO package and in older databases the DBMS_OBFUSCATION_TOOLKIT package. The thing that stands out immediately with DBMS_CRYPTO and earlier with DBMS_OBFUSCATION_TOOLKIT is there there is no built in key management and no simple way to use or access a standard wallet. There are no mechanisms to store the encryption keys securely or provide management of keys so that a password / passphrase that unlocks the master key could be changed / cycled when needed but leaving the master key and the data encrypted with the original keys; or there is no way to cycle the master key so that again the column or row keys are left encrypted but the master key can be changed and the column keys decrypted/encrypted to allow the change but no change to the data. Finally there is no easy built in way to cycle the column keys.

Further there is no thoughts to backup of data and keys or data and old data that is encrypted say on tape with old keys.

We will not get into semantics of the use of DBMS_CRYPTO; the algorithms and other factors available as well as all of the concerns around the problems of actually encrypting data such as a join from a column that is encrypted to a clear text column or indexes on encrypted columns or the performance of dealing with now encrypted data or any changes to storage requirements such as column data types or lengths of data.

All of these are valid issues but as part of this blog and following blogs we are not even in a position to discuss these items until we can securely use DBMS_CRYPTO and keys. Performance, storage and joins are moot if we simply have to hard code a single key or pass it in. I am going to focus on the problem of keys and managing them for DBMS_CRYPTO.

Oracle does not appear to have any interfaces that would allow us to use a wallet to store and retrieve a master key for use in PL/SQL and with DBMS_CRYPTO. A quick search of the database shows:

SQL> col object_name for a30
SQL> col owner for a30
SQL> col procedure_name for a30
SQL> set lines 220
SQL> select owner,object_name,procedure_name
  2  from dba_procedures
  3  where procedure_name like '%WALLET%'
  4  or object_name like '%WALLET%';

OWNER                          OBJECT_NAME                    PROCEDURE_NAME
------------------------------ ------------------------------ ------------------------------
SYS                            UTL_HTTP                       SET_AUTHENTICATION_FROM_WALLET
SYS                            UTL_HTTP                       SET_WALLET
SYS                            DBMS_ISCHED                    GET_AGENT_WALLET_LOCATION
SYS                            DBMS_GSM_FIX                   UPDATEWALLETFORBACKUP
SYS                            DBMS_NETWORK_ACL_ADMIN         GET_WALLET_ACLID
SYS                            DBMS_NETWORK_ACL_ADMIN         SET_WALLET_ACL
SYS                            DBMS_NETWORK_ACL_ADMIN         REMOVE_WALLET_ACE
SYS                            DBMS_NETWORK_ACL_ADMIN         APPEND_WALLET_ACL
SYS                            DBMS_NETWORK_ACL_ADMIN         APPEND_WALLET_ACE
SYS                            DBMS_NETWORK_ACL_ADMIN         UNASSIGN_WALLET_ACL
SYS                            DBMS_NETWORK_ACL_ADMIN         ASSIGN_WALLET_ACL

OWNER                          OBJECT_NAME                    PROCEDURE_NAME
------------------------------ ------------------------------ ------------------------------
SYS                            KUPU$UTILITIES                 CHECK_ENCRYPTION_WALLET
SYS                            KUPU$UTILITIES_INT             CHECK_ENCRYPTION_WALLET
XDB                            DBMS_XDB_ADMIN                 INSTALLDEFAULTWALLET

14 rows selected.

SQL>

Nothing stands out as a simple interface to create a wallet, store a key and retrieve a key as needed. We could get around this by orapki/openssl and creating a wallet and adding a key to a bucket. We could then use Java and the bouncy castle API to access the wallet and expose this to PL/SQL.

This is not ideal;

We really would like at least 3 layers of keys, one to open the wallet / vault, a master key we never see and then actual data/column keys encrypted/decrypted by the master key. Oracle with TDE does similar so we should aim for a similar goal. We also should have commands (APIs) to allow the password, master key or column keys to be changed.

We also must consider stealing of the keys or data at all stages of storage or in-flight

In other wards we want a vault that manages keys and the use of DBMS_CRYPTO.

I have done this and designed a key/crypto vault; we will go into the design in more details in the next post. It allows a password to be provided to open the vault; this is the first key and is not stored in the database or in the vault. This is similar to a wallet in that a password is used to open the wallet and this password is not stored in the wallet. We then generate and store master keys and column keys and can manage old keys through use of a manifest of sorts

Oracle provides a simple interface to encryption via DBMS_CRYPTO but leaves the hardest part to you.

Similar to audit trails in the Oracle database; all tools are provided but you need to decide what to audit and how to review that audit trail for attack

similar to securing the data; all tools are provided but you need to actually design and implement the data security.

I mention these two similar problems in other areas because we need to solve them also as part of the key vault. We need to protect and secure this critical data (keys) and also audit access.

#oracleace #sym_42 #oracle #data #encryption #security #datasecurity #keys #vault #audit #audittrails

Just an update as I have not posted too many blogs recently. I have a bag log of blog ideas to write on technical subjects directly relating to Oracle security so please watch out for those by subscribing / following / connecting on all out social channels to see the latest posts and also

• LinkedIn: Please note I have reached the maximum of 30,000 connections BUT you can still follow me or our company page


• FaceBook Personal Profile: Please send me a friend request and also have a look for our Facebook pages and follow them


• Twitter / X: Please follow me


• Youtube: This is out youtube channel, please subscribe


• Instagram: This is our instagram channel, please follow


• Threads: Please follow me on threads


• BlueSky: Please follow us on BlueSky and like and share posts

We also have some pages on Facebook and Linkedin and you can find those from my profiles; we post on most channels so please give us a like and subscribe.

I have just completed the second teaching of our 3 day in person securing data in the Oracle database. We held the most recent class last week here in York, UK. The class is cradle to grave on how and why to secure data in an Oracle database. Each student got hundreds of free SQL and PL/SQL tools and scripts as well as over 840 content slides and also free 30 days licenses for PFCLScan and PFCLForensics.

We are running the class again soon again in York, must likely in May. If you are interested please let me know and book your place. The details of the class are here - NOTE: the dates are for the last teaching last week but the class and details are the same.

I am also planning a 2 day class on secure coding in PL/SQL to be held also here in York. Watch for the details of this class; each student will also get a free 30 day license for PFCLCode and PFCLObfuscate both of which will be covered in the class as they relate to secure PL/SQL. No details written down yet as a web page but coming soon but the class is written. This class will most likely be around the end of May or early June. Please let me know if you would like to book a place.

We completed version 2024 of our database scanner PFCLScan at the end of last year and all of our other products are "apps" based on the PFCLScan framework and each also had numerous updates. We did over 4000 changes to the whole package for version 2024 including more than 700 new security checks in PFCLScan and more than 300 new checks in PFCLCode.

As you can see above with the picture at the start of this post we have started on version 2025 of our product stack. There are lots of new features and updates planned and this new version will be released later this year. Watch out for more details here and our socials as we add them. We plan much more blogs to highlight the new features, checks, reports that will be added to all our products.

We have been delivering for some time PFCLATK our audit trail toolkit as a package of consulting / design work and a pre-configured audit trail toolkit. This has helped customers set up and get decent audit trails of the Oracle database engine quickly. We have done major updates of this toolkit over the last few months and it supports unified audit and we are also planning a simple "app" to add it to our PFCLScan framework. More on this soon....

We are also developing another "app" called currently PFCLUTK that allows a detailed view of all users and their rights in the database with the emphasis of what should / could be kept and what should / could be removed to allow designs of the database and applications to tend towards Least Privilege. I will show a demo of this tool here very soon and show some of its features

I am going to be at Oracle Open World London tomorrow, so if you are there are you see me, please say hello!!

I also received an from Anuj Agarwal who said my site/blog is in the top 100 Oracle blogs. Of course Tim is number 2, Jeff number 3 and I am number 10. Please give me more likes, shares, connections, follows and I can improve my position

#oracleace #sym_42 #ukoug #ocw #cloudworld #oracle #security #training #products #databreach #securedata #gdpr

Can we use AI in Oracle security? - yes as an answer? we can but how effective it would be means the answer is maybe? It depends on what we want to use AI for and how much data is available and whether the existing models for generative AI and augmented data via RAG (Retrieval Augmented Generation) can work.

What could we use AI for in an Oracle security sense? the obvious choices that stand out are using AI to detect wrong doing in firewalls or audit trails or using AI to detect setup anomalies in configuration. Assuming the standard generative AI model does not have enough knowledge of these topics we could create our own model and in addition teach it these things or we could use RAG to input the right knowledge (usually specialist papers, manual etc) for these things BUT these things don't using exist in any quantity. We would need a manual that describes every type of attack and then also feed the audit trails or firewall logs to this augmented AI model.

So, yes its possible

The current AI that has burst onto the scene in the last few years from OpenAI or DeepSeek has happened because of two major factors

• The rise in availability of hardware to implement the models - graphics cards and large amounts of RAM


• The rise in the large amounts of data freely available



The hardware was helped along with games using graphics cards to do matrix calculations and vector calculations and from use on things like bitcoin mining and password cracking. The rise in data is because of the colossal growth of the internet; books being digital and many more sources of knowledge that ois now digital and freely available.





Many years ago back in 1991, I bought the above book about neural networks and also another C/C++ book that also implemented neural networks and TurboVision ( text based UI for DOS back in the Borland 3.1 development days ). The book above includes a chapter on WIZARD that was an early attempt to implement neural nets in RAM. Around the same time from 1992-1994 I also go into Fuzzy Logic and Genetic Algorithms.

For one assignment in one class of my degree i designed a system to control car wipers based on rain fall. Not the simple setting 1, 2, 3 and 4 of early mixed speed wipers. I designed it to have a water / rain detector use used fuzzy logic to decide how fast to tell the wipers to go, or not at all. It was implemented in MatLab only and not physically but worked in the testing of the software.

How did we get to the sudden growth of AI now with the generative models and reasoning models available today. The golden circle of the right hardware and data being available. If you look at the net then it states that chatgpt was trained on very large data sets including online, conversations and more and it was also paired with supervised learning - re-enforced - where the examples are provided the right answers.

The fact that these models most likely use very large data sets implies that the internet was spidered and web pages parsed and knowledge extracted. Makes sense.

Generative AI in the sense of directions, recipes, general knowledge as viewed by the general person is fine but if you play with these interfaces and ask very specific questions not supplemented by RAG data then the answers are less accurate or wrong.

There is also a second problem that we have all seen. The rise of AI generated things. Just as examples 1) today I saw a picture that looked like ancient South American carvings except the person imaged looked like a spaceman - I have seen genuine cases that could be interpreted loosely in this way BUT this example today was sitting there firing a machine gun, fake! 2) a picture today showed ancient architecture and more modern buildings BUT the people were the wrong scale for the doors, 3) yesterday I saw a picture of a prototype diesel locomotive in Doncaster works BUT the text stated that the name plate was missing and careful viewing showed a ghost steam engine partly drawn behind.

All these are fakes generated by AI.

Then we have the get rich quick market, web content and social media generation and more. I have seen lots of people touting how to create images, text, posts and more using chatgpt.

We do not know the accuracy of this fake data. The internet and the corpus of data is growing and being filled with AI and generated AI data. If the models learn or train from the internet and the internet gets corrupted with generated and fake data from AI then the training and learning is also compromised.

This is a big problem going forwards. Yes, generative AI is great but if its polluted can we trust it.

I think that AI will only get bigger and I can see it used in cases in Oracle security with the right data and inputs to learn. How will it perform against audit trails or firewall logs being generated in large quantities and very fast. Can AI read the data fast enough and act on it?

#oracleace #sym_42 #oracle #database #security #ai #generative #rag

We are holding a 3 day live, in person training event here in York, UK on March 11th to March 13th 2025 (Tuesday to Thursday). The class is taught by Pete Finnigan. The class is a unique event and will cover what you need to know to secure data in your Oracle databases.

We cover every aspect from how databases are breached, how you may have made configuration and design mistakes that could leak or lose your valuable data. We show the problems and then cover how to review your database for issues and how to secure. We focus on the things that come free with the database BUT we also cover the cost options and context based security. The class covers planning and solutions and how to secure all of your databases and make sure that they remain secure over time.

There are full class details including the agenda here.

There is a lot of material in this complete coverage of cradle to grave of securing your data.

The class is over three days and is suitable for anyone who wants to secure data or is involved in securing data. We include the course notes/slides and also hundreds of free scripts and tools. We allow plenty of time for discussions and your questions.

Also included with the class are two free engagement software licenses for our products PFCLScan and PFCLForensics that you can use to help secure your own databases.

The price is just £1095 GBP + VAT so please hurry to register your place as we have only 4 seats left. First come first served.

#oracle #security #training #hacking #datasecurity #databreach

Our recent 3 day Oracle Security training class in York scheduled in January was popular and a lot of people who enquired for the January class asked if we could do the class again in March. I decided to do this even though I had intended to do the class as a one off in January.

The class is fast paced and detailed but is suitable for anyone who wants to secure data in their Oracle databases whether this is in the cloud or on premise. We cover the process cradle to grave of identifying, planning and securing the data and database. The class has a lot of materials, demos and free tools and scripts (around 150 scripts and tools, a lot of which we use in our own work and are not on our website).

Details of the class are on the Oracle security training in 2025 training page. There are details on that page of the agenda, materials, location and more.

This is a live class with myself teaching here in York, UK

The class is held on 3 days from the 11th March to the 13th March 2025 here at our offices in York. The price is £1,095 per person plus VAT

Please contact training@petefinnigan.com to reserve your place.

I talked last week about an issue where I wanted to pre-create a unified audit policy with no rules so that I could create a number of policies for a customer in advance and then we could add the actions/rules later.

I got an error ORA-46373 that if there were no rules on the unified policy then this is not allowed. Fine, we have a simple solution to create a dummy role and make sure its not granted to anyone and then create the policy with a ROLES rule for that dummy role. We can do this again now before we discuss the new point.

Create a dummy role and create the policy and also revoke the role from SYS so its not granted to anyone.

SQL> sho user
USER is "SYS"
SQL> create role pfclatk;

Role created.

SQL> revoke pfclatk from sys;

Revoke succeeded.

SQL> create audit policy pete1 roles pfclatk;

Audit policy created.

SQL>

Now, this solved my issue BUT the customer wanted to name his policies POL1.1.1 or similar. So he created a policy and said my fix was wrong:

SQL> create audit policy pete1.1 roles pfclatk;
create audit policy pete1.1 roles pfclatk
*
ERROR at line 1:
ORA-46373: Audit policy 'PETE1' must have at least one audit option.


SQL>

Hmmm, that does not add up. We have a valid ROLES clause so the error should not be ORA-46373. The issue is obvious as the name of the unified policy cannot contain a "." (DOT) unless the whole thing is encased in quotes. We can try that now:

SQL> create audit policy "pete1.1" roles pfclatk;

Audit policy created.

SQL>

That obviously works BUT I don't like to create objects encased in quotes. What if we try and create a unified audit policy in another schema? the syntax diagram for 19c does not state that this is allowed. Lets try anyway:

SQL> create audit policy atk.pete1 roles pfclatk;
create audit policy atk.pete1 roles pfclatk
*
ERROR at line 1:
ORA-46373: Audit policy 'ATK' must have at least one audit option.


SQL>

No, the same error BUT i expected that as the syntax does not state its possible and the dictionary does not include OWNER:

SQL> desc audit_unified_policies
 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 POLICY_NAME                                        VARCHAR2(128)
 AUDIT_CONDITION                                    VARCHAR2(4000)
 CONDITION_EVAL_OPT                                 VARCHAR2(9)
 AUDIT_OPTION                                       VARCHAR2(128)
 AUDIT_OPTION_TYPE                                  VARCHAR2(18)
 OBJECT_SCHEMA                                      VARCHAR2(128)
 OBJECT_NAME                                        VARCHAR2(128)
 OBJECT_TYPE                                        VARCHAR2(23)
 COMMON                                             VARCHAR2(3)
 INHERITED                                          VARCHAR2(3)
 AUDIT_ONLY_TOPLEVEL                                VARCHAR2(3)

SQL>

If we do the same with a procedure for instance; call the procedure pete1.1 then we get:

SQL> create or replace procedure pete1.1
  2  is
  3  begin
  4  null;
  5  end;
  6  /

Warning: Procedure created with compilation errors.

SQL> sho err
No errors.
SQL>
SQL> desc pete1.1
ERROR:
ORA-24372: invalid object for describe


SQL> select procedure_name from dba_procedures where procedure_name like 'PETE%';

no rows selected

SQL>

So, a similar issue; the database said we created the procedure pete1.1 with errors BUT there were no errors and the procedure does not exist. We can create the procedure encased in double quotes:

SQL> create or replace procedure "pete1.1"
  2  is
  3  begin
  4  null;
  5  end;
  6  /

Procedure created.

SQL>

What if we create a table:

SQL> create table pete1.1 (col1 number);
create table pete1.1 (col1 number)
                  *
ERROR at line 1:
ORA-00922: missing or invalid option


SQL>

This is slightly more descriptive as the ORA-0922 points at the "." (DOT) and we can create the table with double quotes:

SQL> create table "pete1.1" (col1 number);

Table created.

SQL>

The issue we see in the unified audit policy shows the wrong error in my opinion as the error ORA-46373 shows that we don't have an ACTION, ROLES or PRIVILEGES and generated ORA-46373 but in fact the issue is we used an invalid character in the policy name. Similar occurs with the wrong character in a procedure name but no error number directly shown to the user/dba/developer and no warnings. Similarly with a table, we get closer to the actual place of error with ORA-0922 but still it doesn't state the real error, i.e. it doesn't say "you cant use '.' (DOT) in the name".

Be careful with Oracle errors, sometimes they don't tell you the real problem

#oracleace #sym_42 #oracle #security #audit #trail #unified #unifiedaudit

I have a requirement to pre-create unified audit policies and then add the ACTIONS, PRIVILEGES, ROLES etc after they have been created based on some stored audit rules for a customer. We tried to create a policy with no actions, roles, privileges and we get:

SQL> create audit policy pete1;
create audit policy pete1
*
ERROR at line 1:
ORA-46373: Audit policy 'PETE1' must have at least one audit option.


SQL>

Hmm, it would be nice to be able to be able to pre-create each policy before we start adding the rules but Oracle does not allow this. What if we create a policy with a rule and then remove that rule?

SQL> create audit policy pete1 privileges create session;

Audit policy created.

SQL> alter audit policy pete1 drop privileges create session;
alter audit policy pete1 drop privileges create session
*
ERROR at line 1:
ORA-46373: Audit policy 'PETE1' must have at least one audit option.


SQL>

Nope, we cannot just add a dummy rule and then remove it. We could add a dummy rule and before enabling the policy after we add all the real rules remove the dummy. What I mean by dummy here is a rule that I do not actually need. Lets drop our policy:

SQL> drop audit policy pete1;

Audit Policy dropped.

SQL>

Can we add a rule for an object that does not exist?

SQL> create audit policy pete1 actions select on orablog.dummy;
create audit policy pete1 actions select on orablog.dummy
                                                    *
ERROR at line 1:
ORA-00942: table or view does not exist


SQL>

Nope, cannot do that either. The database obviously checks that the object that we wish to audit exists or is visible to the policy.

So, it seems that we have two options:

• Add an audit action, privilege or role to out unified audit policy that we do not actually need and then add the real audit options later and remove the dummy before the policy is finally enabled


• Pre-Add some dummy object and make sure it is not used and then add that as an audit option so that if there were no other audit options added the enabling of the policy would not fail.

We will use the second option BUT a third option would ne to delay the creation of the policy until we need to add the first rule to it so creating the policy with a real rule. Whilst I would probably prefer that option that management is more complex so we will go with option 2 by creating a role and then revoke it from everyone and then add that to the policy so that the policy would work with no real rules and should not generate audit as the role is not granted to anyone.

SQL> sho user
USER is "SYS"
SQL> create role pfclatk;

Role created.

SQL> revoke pfclatk from sys;

Revoke succeeded.

SQL> create audit policy pete1 roles pfclatk;

Audit policy created.

SQL> audit policy pete1;

Audit succeeded.

SQL>

So, we can remove the dummy audit before we issue the "audit policy" command or leave it there and make sure our dummy role PFCLATK is not granted to anyone. We can clean up:

SQL> noaudit policy pete1;

Noaudit succeeded.

SQL> drop audit policy pete1;

Audit Policy dropped.

SQL>

So, this is an option to allow me to pre-create unified audit policies and to allow me to create those policies without any "real" audit options and to not generate or cause ORA-46373.

#oracle_ace #sym_42 #oracle #unified #audit #auditing #forensics #audittrail