Here is the table of posts (now 6 parts):
- Part 1: Encryption Key Management with DBMS_CRYPTO - Discuss the problem in general and the need to encrypt data in the database
- Part 2: The search for wallets- The search for wallet interfaces in the database
- Part 3: - We will present a simple solution design to store an encryption key for use with DBMS_CRYPTO and discuss some of its flaws
- Part 4: - Lets build a key vault
- Part 5: - Protecting the key vault
- Part 6: - Using the key vault with DBMS_CRYPTO and SQL
If we look in the database for any objects that include the name WALLET we get:
SQL> col owner for a30
SQL> col object_name for a30
SQL> col object_type for a30
SQL> set lines 220
SQL> l
1* select owner,object_name,object_type from dba_objects where object_name like '%WALLET%'
SQL> select owner,object_name,object_type from dba_objects where object_name like '%WALLET%' and object_type not in ('INDEX','SYNONYM');
OWNER OBJECT_NAME OBJECT_TYPE
------------------------------ ------------------------------ ------------------------------
SYS GV_$WALLET VIEW
SYS V_$WALLET VIEW
SYS V_$ENCRYPTION_WALLET VIEW
SYS GV_$ENCRYPTION_WALLET VIEW
SYS NACL$_WALLET TABLE
SYS DBA_WALLET_ACLS VIEW
SYS CDB_WALLET_ACLS VIEW
SYS DBA_WALLET_ACES VIEW
SYS CDB_WALLET_ACES VIEW
SYS USER_WALLET_ACES VIEW
SYS NACL$_WALLET_EXP VIEW
OWNER OBJECT_NAME OBJECT_TYPE
------------------------------ ------------------------------ ------------------------------
SYS NACL$_WALLET_EXP_TBL TABLE
12 rows selected.
SQL>
Nothing looks useful here in terms of our goal. If we now search for PL/SQL:
SQL> select owner,object_name,procedure_name
2 from dba_procedures where procedure_name like '%WALLET%';
OWNER OBJECT_NAME PROCEDURE_NAME
------------------------------ ------------------------------ --------------------------------------------------------------------------------------------------------------------------------
SYS UTL_HTTP SET_AUTHENTICATION_FROM_WALLET
SYS UTL_HTTP SET_WALLET
SYS DBMS_ISCHED GET_AGENT_WALLET_LOCATION
SYS DBMS_GSM_FIX UPDATEWALLETFORBACKUP
SYS DBMS_NETWORK_ACL_ADMIN GET_WALLET_ACLID
SYS DBMS_NETWORK_ACL_ADMIN SET_WALLET_ACL
SYS DBMS_NETWORK_ACL_ADMIN REMOVE_WALLET_ACE
SYS DBMS_NETWORK_ACL_ADMIN APPEND_WALLET_ACL
SYS DBMS_NETWORK_ACL_ADMIN APPEND_WALLET_ACE
SYS DBMS_NETWORK_ACL_ADMIN UNASSIGN_WALLET_ACL
SYS DBMS_NETWORK_ACL_ADMIN ASSIGN_WALLET_ACL
OWNER OBJECT_NAME PROCEDURE_NAME
------------------------------ ------------------------------ --------------------------------------------------------------------------------------------------------------------------------
SYS KUPU$UTILITIES CHECK_ENCRYPTION_WALLET
SYS KUPU$UTILITIES_INT CHECK_ENCRYPTION_WALLET
XDB DBMS_XDB_ADMIN INSTALLDEFAULTWALLET
14 rows selected.
SQL>
At first glance UTL_HTTP and KUPU$UTILITIES may be useful but UTL_HTTP may not be useful as its a web based use and not encryption. you need to create a wallet with orapki or openssl and whislt UTL_HTTP can be used to open the wallet and set the wallet only it does not seem to have a way to add an encryption key or retrieve that key - its for SSL certificates.
What about certificate based objects:
SQL> select owner,object_name,procedure_name
2 from dba_procedures where procedure_name like '%CERT%';
OWNER OBJECT_NAME PROCEDURE_NAME
------------------------------ ------------------------------ --------------------------------------------------------------------------------------------------------------------------------
SYS DBMS_ISCHED ADD_AGENT_CERT
SYS DBMS_USER_CERTS DROP_CERTIFICATE
SYS DBMS_USER_CERTS ADD_CERTIFICATE
SYS DBMS_ISCHED_REMOTE_ACCESS ADD_AGENT_CERTIFICATE
SQL>
and PL/SQL:
SQL> select owner,object_name,procedure_name
2 from dba_procedures where object_name like '%CERT%';
OWNER OBJECT_NAME PROCEDURE_NAME
------------------------------ ------------------------------ --------------------------------------------------------------------------------------------------------------------------------
SYS DBMS_USER_CERTS ADD_CERTIFICATE
SYS DBMS_USER_CERTS DROP_CERTIFICATE
REMOTE_SCHEDULER_AGENT ADD_AGENT_CERTIFICATE
SYS DBMS_USER_CERTS
SQL>
We could use utl_http to open a wallet; first create the wallet with orapki and then use ACLs to assign the wallet to the encryption and use a certificate as a key - but certificate cannot be accessed via PL/SQL, only used in a HTTPS web transaction from UTL_HTTP
If we go back to KUPU$UTILITIES and KUPU$UTILITIES_INT and have a more detailed look at the first package:
SQL> desc sys.kupu$utilities
PROCEDURE BITCLR
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
MASK1 NUMBER IN/OUT
MASK2 NUMBER IN
PROCEDURE BITSET
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
MASK1 NUMBER IN/OUT
MASK2 NUMBER IN
FUNCTION BITSETRET RETURNS NUMBER
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
MASK1 NUMBER IN
MASK2 NUMBER IN
PROCEDURE BITSOC
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
MASK1 NUMBER IN/OUT
MASK2 NUMBER IN
EXPR BOOLEAN IN
FUNCTION BITTST RETURNS BOOLEAN
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
MASK1 NUMBER IN
MASK2 NUMBER IN
FUNCTION BITTSTANY RETURNS BOOLEAN
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
MASK1 NUMBER IN
MASK2 NUMBER IN
FUNCTION BOOLTOINT RETURNS BINARY_INTEGER
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
BOOLVAL BOOLEAN IN
TRUEVAL NUMBER(38) IN DEFAULT
FUNCTION BOOLTOSTR RETURNS VARCHAR2
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
BOOLVAL BOOLEAN IN
PROCEDURE CHECK_ENCRYPTION_WALLET
FUNCTION CHECK_IF_SHARDED_DB RETURNS NUMBER
FUNCTION CHECK_TBS_FOR_TDECOL_TABS RETURNS NUMBER
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
TBS VARCHAR2 IN
PROCEDURE DEBUG
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
STR VARCHAR2 IN
FUNCTION FORMAT_ERROR_STACK RETURNS VARCHAR2
PROCEDURE GET_DB_VERSION
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
DBLINK VARCHAR2 IN
VERSION VARCHAR2 OUT
COMPAT VARCHAR2 OUT
FUNCTION GET_NLS_ALTER_SESSION RETURNS VARCHAR2
FUNCTION GET_PLATFORM_NAME RETURNS VARCHAR2
FUNCTION GET_REMOTE_DBLINK_USER RETURNS VARCHAR2
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
LINK_NAME VARCHAR2 IN
FUNCTION GET_TSTZ_VERSION RETURNS NUMBER
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
REMOTE_LINK VARCHAR2(128) IN DEFAULT
FUNCTION REPLACE_XML_VALUES RETURNS CLOB
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
ERROR:
ORA-24328: illegal attribute value
XML_REPL_TAB TABLE OF IN
XML_CLOB CLOB IN
PROCEDURE UPDATEFEATURETABLE
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
UTILITY_NAME VARCHAR2 IN
PROCEDURE UPDATEFEATURETABLE
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
UTILITY_NAME VARCHAR2 IN
ERROR:
ORA-24328: illegal attribute value
FEATURE_INFO TABLE OF IN
SQL>
This package and its internal version are wrapped so we cannot see the source code and they are internal and as far as I can find not documented in any way. There are no references to their use on the internet or in the rdbms/admin folder of the database server. They are most likely used within other SYS packages internally and also in wrapped code. A simple grep of the folder does not locate any publicly visible code that we can see that uses them. The only thing of interest is check_encryption_wallet in the non INT package.
We can check dependencies for kupu$utilities as follows:
SQL> @dep
Enter value for object_to_test: KUPU$UTILITIES
old 3: where referenced_name='&&object_to_test'
new 3: where referenced_name='KUPU$UTILITIES'
Enter value for owner_to_test: SYS
old 4: and referenced_owner='&&owner_to_test'
new 4: and referenced_owner='SYS'
NAME OWNER TYPE
------------------------------ -------------------- ------------------------------
KUPU$UTILITIES SYS PACKAGE BODY
DBMS_METADATA_INT SYS PACKAGE BODY
DBMS_PLUGTS SYS PACKAGE BODY
KUPM$MCP SYS PACKAGE BODY
KUPUTIL PUBLIC SYNONYM
SQL>
Lets describe the internal package:
SQL> desc kupu$utilities_int
PROCEDURE CHECK_ENCRYPTION_WALLET
FUNCTION CHECK_IF_SHARDED_DB RETURNS NUMBER
FUNCTION CHECK_IGNORE_DESC_IN_INDEX RETURNS BOOLEAN
FUNCTION CHECK_TBS_FOR_TDECOL_TABS RETURNS NUMBER
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
TBS VARCHAR2 IN
PROCEDURE CREATE_DIRECTORY
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
DIR_PATH VARCHAR2 IN
PROCEDURE DEBUG
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
STR VARCHAR2 IN
FUNCTION DECODE RETURNS VARCHAR2
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
SRC VARCHAR2 IN
PROCEDURE DH_CHECK_DIGESTS
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
HANDLE NUMBER IN
SRCDIGEST VARCHAR2(512) IN
TARDIGEST VARCHAR2(512) IN
FUNCTION DH_DECRYPT RETURNS VARCHAR2
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
HANDLE NUMBER IN
SRCBUF VARCHAR2 IN
OUTFMT BINARY_INTEGER IN DEFAULT
FUNCTION DH_ENCRYPT RETURNS VARCHAR2
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
HANDLE NUMBER IN
SRCBUF VARCHAR2 IN
INPFMT BINARY_INTEGER IN DEFAULT
PROCEDURE DH_FREE_HANDLE
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
HANDLE NUMBER IN
FUNCTION DH_GEN_SHARED_KEY RETURNS VARCHAR2(512)
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
HANDLE NUMBER IN
PUBKEY VARCHAR2(1024) IN
FUNCTION DH_GET_PUBLIC_KEY RETURNS VARCHAR2(1024)
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
HANDLE NUMBER IN
FUNCTION DH_NEW_HANDLE RETURNS NUMBER
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
KEY_SIZE NUMBER IN
FUNCTION DIRECTORY_SCAN RETURNS BINARY_INTEGER
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
INFILESPEC VARCHAR2 IN
INDEFDIRSPEC VARCHAR2 IN
INSKIPFILEVERIFY BOOLEAN IN DEFAULT
INSUBDIRSEARCH BOOLEAN IN DEFAULT
OUTHASWILDCARD BOOLEAN OUT
INPLSQLARRAY T_DATAFILE_NAMES IN/OUT
INARRAYINDEX BINARY_INTEGER IN
FUNCTION ENCODE RETURNS VARCHAR2
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
SRC VARCHAR2 IN
FUNCTION GET_DP_UPDATE_LOCK RETURNS VARCHAR2
FUNCTION GET_PARAMETER_VALUE RETURNS VARCHAR2
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
NAME VARCHAR2 IN
FUNCTION GET_REMOTE_DBLINK_USER RETURNS VARCHAR2
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
USERID NUMBER IN
LINK_NAME VARCHAR2 IN
FUNCTION GET_SESSION_STAT RETURNS NUMBER
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
STATISTIC VARCHAR2 IN
SID NUMBER IN DEFAULT
FUNCTION GET_SHARDED_TABLE_FAMILY_ID RETURNS NUMBER
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
SCHEMANAME VARCHAR2 IN
TABLENAME VARCHAR2 IN
PROCEDURE INTALGCONV
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
ALG BINARY_INTEGER IN
IN_VAL VARCHAR2 IN
OUT_VAL VARCHAR2 OUT
FUNCTION INT_CHECK_IF_SHARDED_DB RETURNS NUMBER
FUNCTION IS_SUPERSET RETURNS BOOLEAN
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
FRCSID BINARY_INTEGER IN
TOCSID BINARY_INTEGER IN
FUNCTION MAX_DATAPUMP_JOBS_PER_PDB RETURNS BINARY_INTEGER
PROCEDURE RELEASE_DP_UPDATE_LOCK
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
SWLOCK_HANDLE VARCHAR2 IN
PROCEDURE SET_DEBUG
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
DEBUG_FLAGS BINARY_INTEGER IN
PROCEDURE SET_KGL_TIME_TO_WAIT_FOR_LOCKS
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
LWAIT_TIME NUMBER IN
FUNCTION TEN_G_LOGON_ALLOWED RETURNS NUMBER
PROCEDURE UPDATEFEATURETABLE
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
UTILITY_NAME VARCHAR2 IN
FEATURE_INFO FEATURE_INFO_T IN
PROCEDURE WRITEAUDITRECORD
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
ACTION BINARY_INTEGER IN
MASTER_ONLY BOOLEAN IN DEFAULT
DATA_ONLY BOOLEAN IN DEFAULT
METADATA_ONLY BOOLEAN IN DEFAULT
DUMPFILE_PRESENT BOOLEAN IN DEFAULT
JOB_RESTARTED BOOLEAN IN DEFAULT
MASTER_TABNAME VARCHAR2 IN
META_JOB_MODE VARCHAR2 IN
JOB_VERSION VARCHAR2 IN
ACCESS_METHOD VARCHAR2 IN
DATA_OPTIONS VARCHAR2 IN
DUMPER_DIRECTORY VARCHAR2 IN
REMOTE_LINK VARCHAR2 IN
TABLE_EXISTS_ACTION VARCHAR2 IN
PARTITION_OPTIONS VARCHAR2 IN
WARNINGS1 VARCHAR2 IN
SQL>
There are quite a few functions and procedures of interest listed here:
FUNCTION ENCODE RETURNS VARCHAR2
FUNCTION DH_GET_PUBLIC_KEY RETURNS VARCHAR2(1024)
FUNCTION DH_NEW_HANDLE RETURNS NUMBER
FUNCTION DH_GET_PUBLIC_KEY RETURNS VARCHAR2(1024)
FUNCTION DH_GEN_SHARED_KEY RETURNS VARCHAR2(512)
PROCEDURE DH_FREE_HANDLE
FUNCTION DH_ENCRYPT RETURNS VARCHAR2
FUNCTION DH_DECRYPT RETURNS VARCHAR2
PROCEDURE DH_CHECK_DIGESTS
PROCEDURE CHECK_ENCRYPTION_WALLET
Of particular interest is the wallet procedure CHECK_ENCRYPTION_WALLET and the encrypt/decrypt functions. We can also check the dependencies of this package:
SQL> @dep
Enter value for object_to_test: KUPU$UTILITIES_INT
old 3: where referenced_name='&&object_to_test'
new 3: where referenced_name='KUPU$UTILITIES_INT'
Enter value for owner_to_test: SYS
old 4: and referenced_owner='&&owner_to_test'
new 4: and referenced_owner='SYS'
NAME OWNER TYPE
------------------------------ -------------------- ------------------------------
DBMS_DATAPUMP SYS PACKAGE BODY
KUPV$FT_INT SYS PACKAGE BODY
KUPP$PROC SYS PACKAGE BODY
DBMS_DATAPUMP_UTL SYS PACKAGE BODY
KUPV$FT SYS PACKAGE BODY
KUPU$UTILITIES SYS PACKAGE BODY
KUPU$UTILITIES_INT SYS PACKAGE BODY
DBMS_METADATA_UTIL SYS PACKAGE BODY
KUPW$WORKER SYS PACKAGE BODY
KUPM$MCP SYS PACKAGE BODY
KUPF$FILE_INT SYS PACKAGE BODY
NAME OWNER TYPE
------------------------------ -------------------- ------------------------------
DBMS_PLUGTS SYS PACKAGE BODY
DBMS_TTS SYS PACKAGE BODY
DBMS_METADATA SYS PACKAGE BODY
DBMS_METADATA_DIFF SYS PACKAGE BODY
15 rows selected.
SQL>
And also look to see what packages use this internal package:
SQL> col referenced_owner for a30
SQL> col referenced_name for a30
SQL> col referenced_type for a30
SQL> select referenced_owner,referenced_name,referenced_type
2 from dba_dependencies
3 where name='KUPU$UTILITIES_INT' and owner='SYS';
REFERENCED_OWNER REFERENCED_NAME REFERENCED_TYPE
------------------------------ ------------------------------ ------------------------------
SYS STANDARD PACKAGE
SYS STANDARD PACKAGE
SYS PLITBLM PACKAGE
SYS DBMS_LOCK PACKAGE
SYS DBMS_UTILITY PACKAGE
SYS DBMS_ASSERT PACKAGE
SYS DBMS_METADATA_UTIL PACKAGE
SYS KUPP$PROC PACKAGE
SYS KUPCC PACKAGE
SYS KUPF$FILE PACKAGE
PUBLIC KUPUTIL SYNONYM
REFERENCED_OWNER REFERENCED_NAME REFERENCED_TYPE
------------------------------ ------------------------------ ------------------------------
PUBLIC KUPUTIL SYNONYM
SYS KUPU$UTILITIES_INT PACKAGE
SYS KUPULIB LIBRARY
SYS X$KSPPI TABLE
SYS X$KSPPCV TABLE
16 rows selected.
SQL>
So, this package KUPU$UTILITIES_INT does not use DBMS_CRYPTO or DBMS_OBFUSCATION_TOOLKIT so its unlikely that there is any package shipped by Oracle that provides key management using wallets in the database. Because we do not see evidence of DBMS_CRYPTO used with wallets to manage symetric keys then the assumtion is that the undocumented package KUPU$UTILITIES_INT is aimed at the TDE wallet and encryption using a TDE key. But it is not documented so we dont know for sure.
Lets try some of the kupu$utility_int functions, the wallet function and the encrypt functions for fun!
In particular these are the interesting ones from earlier:
FUNCTION ENCODE RETURNS VARCHAR2
FUNCTION DH_GET_PUBLIC_KEY RETURNS VARCHAR2(1024)
FUNCTION DH_NEW_HANDLE RETURNS NUMBER
FUNCTION DH_GET_PUBLIC_KEY RETURNS VARCHAR2(1024)
FUNCTION DH_GEN_SHARED_KEY RETURNS VARCHAR2(512)
PROCEDURE DH_FREE_HANDLE
FUNCTION DH_ENCRYPT RETURNS VARCHAR2
FUNCTION DH_DECRYPT RETURNS VARCHAR2
PROCEDURE DH_CHECK_DIGESTS
PROCEDURE CHECK_ENCRYPTION_WALLET
We can try the wallet procedure:
SQL> exec sys.kupu$utilities_int.check_encryption_wallet;
BEGIN sys.kupu$utilities_int.check_encryption_wallet; END;
*
ERROR at line 1:
ORA-28365: wallet is not open
ORA-06512: at "SYS.KUPU$UTILITIES_INT", line 96
ORA-06512: at line 1
SQL>
Which wallet is not open?
SQL> set serveroutput on
SQL> @sc_print 'select * from v$encryption_wallet'
old 32: lv_str:=translate('&&1','''','''''');
new 32: lv_str:=translate('select * from v$encryption_wallet','''','''''');
Executing Query [select * from v$encryption_wallet]
WRL_TYPE : FILE
WRL_PARAMETER :
STATUS : NOT_AVAILABLE
WALLET_TYPE : UNKNOWN
WALLET_ORDER : SINGLE
KEYSTORE_MODE : UNITED
FULLY_BACKED_UP : UNDEFINED
CON_ID : 3
-------------------------------------------
PL/SQL procedure successfully completed.
SQL>
This seems to align
SQL> @sc_print 'select * from v$wallet'
old 32: lv_str:=translate('&&1','''','''''');
new 32: lv_str:=translate('select * from v$wallet','''','''''');
Executing Query [select * from v$wallet]
PL/SQL procedure successfully completed.
SQL>
SQL> @sc_print 'select * from v$encryption_keys'
old 32: lv_str:=translate('&&1','''','''''');
new 32: lv_str:=translate('select * from v$encryption_keys','''','''''');
Executing Query [select * from v$encryption_keys]
PL/SQL procedure successfully completed.
SQL>
If this function tries to use a TDE wallet then we likely would need a TDE license to create a wallet and open it. This would make use of these functions not possible even if we could find how to use them properly. Lets try the encryption:
FUNCTION DH_DECRYPT RETURNS VARCHAR2
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
HANDLE NUMBER IN
SRCBUF VARCHAR2 IN
OUTFMT BINARY_INTEGER IN DEFAULT
FUNCTION DH_ENCRYPT RETURNS VARCHAR2
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
HANDLE NUMBER IN
SRCBUF VARCHAR2 IN
INPFMT BINARY_INTEGER IN DEFAULT
My guess is these functions could encrypt and decrypt TDE data?
SQL> set serveroutput on
SQL> declare
2 lv_in varchar2(32767):='this is text';
3 lv_out varchar2(32767);
4 begin
5 lv_out:=kupu$utilities_int.dh_encrypt(1,lv_in,1);
6 dbms_output.put_line(lv_out);
7 end;
8 /
PL/SQL procedure successfully completed.
SQL>
The call did not fail but didnt return anything; maybe it needs the wallet?
There is one way to use a wallet to manage keys for DBMS_CRYPTO and this is to use Oracle Key Vault introduced in 21c and use the integration accelerator for DBMS_CRYPTO. There is a PL/SQL API that allows simple features such as FetchKey() and CreateKey() from a wallet held in the Oracle Key Vault. There is a sample script dbms_crypto_using_okv_keymgmt.sql available with the product demonstrating use of a wallet and DBMS_CRYPTO. A Java SDK Program KeyManager.java is supplied called okv_key_mgtm that can be modified.
Oracle Key Vault (OKV) is out of the scope for most people wanting to use a wallet as OKV is an additonally licensed appliance and is overkill if you wanted to use DBMS_CRYPTO to encrypt small amounts of data columns / rows
So in conclusion there is no simple free way to use a wallet to manage keys for use with DBMS_CRYPTO
#oracleace #sym_42 #oracle #key #vault #wallet #encryption #tde #key