Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Encryption Key Management with DBMS_CRYPTO"]

The search for existing encryption and wallets in the database

In the first blog in this series we discussed the main issue with using DBMS_CRYPTO to encrypt data within the database. This is the lack of key management provided by Oracle natively for use with this package. I had intended to make the second part the design of a key vault for use with DBMS_CRYPTO or DBMS_OBFUSCATION_TOOLKIT but I decided to switch up part two as an investigation into whether its likely that there is any access to wallets or encryption that could be used where key management is already present. As we said in the last post if we could use a wallet then some level of key management is done, in that we have a wallet password we can cycle and if we can store a master key in a wallet then we could cycle the master key and we can then store column or other keys elsewhere as they are encrypted.

Here is the table of posts (now 6 parts):

  1. Part 1: Encryption Key Management with DBMS_CRYPTO - Discuss the problem in general and the need to encrypt data in the database

  2. Part 2: The search for wallets- The search for wallet interfaces in the database

  3. Part 3: - We will present a simple solution design to store an encryption key for use with DBMS_CRYPTO and discuss some of its flaws

  4. Part 4: - Lets build a key vault

  5. Part 5: - Protecting the key vault

  6. Part 6: - Using the key vault with DBMS_CRYPTO and SQL


If we look in the database for any objects that include the name WALLET we get:

SQL> col owner for a30
SQL> col object_name for a30
SQL> col object_type for a30
SQL> set lines 220
SQL> l
1* select owner,object_name,object_type from dba_objects where object_name like '%WALLET%'
SQL> select owner,object_name,object_type from dba_objects where object_name like '%WALLET%' and object_type not in ('INDEX','SYNONYM');

OWNER OBJECT_NAME OBJECT_TYPE
------------------------------ ------------------------------ ------------------------------
SYS GV_$WALLET VIEW
SYS V_$WALLET VIEW
SYS V_$ENCRYPTION_WALLET VIEW
SYS GV_$ENCRYPTION_WALLET VIEW
SYS NACL$_WALLET TABLE
SYS DBA_WALLET_ACLS VIEW
SYS CDB_WALLET_ACLS VIEW
SYS DBA_WALLET_ACES VIEW
SYS CDB_WALLET_ACES VIEW
SYS USER_WALLET_ACES VIEW
SYS NACL$_WALLET_EXP VIEW

OWNER OBJECT_NAME OBJECT_TYPE
------------------------------ ------------------------------ ------------------------------
SYS NACL$_WALLET_EXP_TBL TABLE

12 rows selected.

SQL>

Nothing looks useful here in terms of our goal. If we now search for PL/SQL:

SQL> select owner,object_name,procedure_name
2 from dba_procedures where procedure_name like '%WALLET%';

OWNER OBJECT_NAME PROCEDURE_NAME
------------------------------ ------------------------------ --------------------------------------------------------------------------------------------------------------------------------
SYS UTL_HTTP SET_AUTHENTICATION_FROM_WALLET
SYS UTL_HTTP SET_WALLET
SYS DBMS_ISCHED GET_AGENT_WALLET_LOCATION
SYS DBMS_GSM_FIX UPDATEWALLETFORBACKUP
SYS DBMS_NETWORK_ACL_ADMIN GET_WALLET_ACLID
SYS DBMS_NETWORK_ACL_ADMIN SET_WALLET_ACL
SYS DBMS_NETWORK_ACL_ADMIN REMOVE_WALLET_ACE
SYS DBMS_NETWORK_ACL_ADMIN APPEND_WALLET_ACL
SYS DBMS_NETWORK_ACL_ADMIN APPEND_WALLET_ACE
SYS DBMS_NETWORK_ACL_ADMIN UNASSIGN_WALLET_ACL
SYS DBMS_NETWORK_ACL_ADMIN ASSIGN_WALLET_ACL

OWNER OBJECT_NAME PROCEDURE_NAME
------------------------------ ------------------------------ --------------------------------------------------------------------------------------------------------------------------------
SYS KUPU$UTILITIES CHECK_ENCRYPTION_WALLET
SYS KUPU$UTILITIES_INT CHECK_ENCRYPTION_WALLET
XDB DBMS_XDB_ADMIN INSTALLDEFAULTWALLET

14 rows selected.

SQL>

At first glance UTL_HTTP and KUPU$UTILITIES may be useful but UTL_HTTP may not be useful as its a web based use and not encryption. you need to create a wallet with orapki or openssl and whislt UTL_HTTP can be used to open the wallet and set the wallet only it does not seem to have a way to add an encryption key or retrieve that key - its for SSL certificates.

What about certificate based objects:

SQL> select owner,object_name,procedure_name
2 from dba_procedures where procedure_name like '%CERT%';

OWNER OBJECT_NAME PROCEDURE_NAME
------------------------------ ------------------------------ --------------------------------------------------------------------------------------------------------------------------------
SYS DBMS_ISCHED ADD_AGENT_CERT
SYS DBMS_USER_CERTS DROP_CERTIFICATE
SYS DBMS_USER_CERTS ADD_CERTIFICATE
SYS DBMS_ISCHED_REMOTE_ACCESS ADD_AGENT_CERTIFICATE

SQL>

and PL/SQL:

SQL> select owner,object_name,procedure_name
2 from dba_procedures where object_name like '%CERT%';

OWNER OBJECT_NAME PROCEDURE_NAME
------------------------------ ------------------------------ --------------------------------------------------------------------------------------------------------------------------------
SYS DBMS_USER_CERTS ADD_CERTIFICATE
SYS DBMS_USER_CERTS DROP_CERTIFICATE
REMOTE_SCHEDULER_AGENT ADD_AGENT_CERTIFICATE
SYS DBMS_USER_CERTS

SQL>

We could use utl_http to open a wallet; first create the wallet with orapki and then use ACLs to assign the wallet to the encryption and use a certificate as a key - but certificate cannot be accessed via PL/SQL, only used in a HTTPS web transaction from UTL_HTTP

If we go back to KUPU$UTILITIES and KUPU$UTILITIES_INT and have a more detailed look at the first package:

SQL> desc sys.kupu$utilities
PROCEDURE BITCLR
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
MASK1 NUMBER IN/OUT
MASK2 NUMBER IN
PROCEDURE BITSET
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
MASK1 NUMBER IN/OUT
MASK2 NUMBER IN
FUNCTION BITSETRET RETURNS NUMBER
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
MASK1 NUMBER IN
MASK2 NUMBER IN
PROCEDURE BITSOC
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
MASK1 NUMBER IN/OUT
MASK2 NUMBER IN
EXPR BOOLEAN IN
FUNCTION BITTST RETURNS BOOLEAN
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
MASK1 NUMBER IN
MASK2 NUMBER IN
FUNCTION BITTSTANY RETURNS BOOLEAN
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
MASK1 NUMBER IN
MASK2 NUMBER IN
FUNCTION BOOLTOINT RETURNS BINARY_INTEGER
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
BOOLVAL BOOLEAN IN
TRUEVAL NUMBER(38) IN DEFAULT
FUNCTION BOOLTOSTR RETURNS VARCHAR2
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
BOOLVAL BOOLEAN IN
PROCEDURE CHECK_ENCRYPTION_WALLET
FUNCTION CHECK_IF_SHARDED_DB RETURNS NUMBER
FUNCTION CHECK_TBS_FOR_TDECOL_TABS RETURNS NUMBER
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
TBS VARCHAR2 IN
PROCEDURE DEBUG
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
STR VARCHAR2 IN
FUNCTION FORMAT_ERROR_STACK RETURNS VARCHAR2
PROCEDURE GET_DB_VERSION
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
DBLINK VARCHAR2 IN
VERSION VARCHAR2 OUT
COMPAT VARCHAR2 OUT
FUNCTION GET_NLS_ALTER_SESSION RETURNS VARCHAR2
FUNCTION GET_PLATFORM_NAME RETURNS VARCHAR2
FUNCTION GET_REMOTE_DBLINK_USER RETURNS VARCHAR2
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
LINK_NAME VARCHAR2 IN
FUNCTION GET_TSTZ_VERSION RETURNS NUMBER
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
REMOTE_LINK VARCHAR2(128) IN DEFAULT
FUNCTION REPLACE_XML_VALUES RETURNS CLOB
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
ERROR:
ORA-24328: illegal attribute value


XML_REPL_TAB TABLE OF IN
XML_CLOB CLOB IN
PROCEDURE UPDATEFEATURETABLE
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
UTILITY_NAME VARCHAR2 IN
PROCEDURE UPDATEFEATURETABLE
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
UTILITY_NAME VARCHAR2 IN
ERROR:
ORA-24328: illegal attribute value


FEATURE_INFO TABLE OF IN

SQL>

This package and its internal version are wrapped so we cannot see the source code and they are internal and as far as I can find not documented in any way. There are no references to their use on the internet or in the rdbms/admin folder of the database server. They are most likely used within other SYS packages internally and also in wrapped code. A simple grep of the folder does not locate any publicly visible code that we can see that uses them. The only thing of interest is check_encryption_wallet in the non INT package.

We can check dependencies for kupu$utilities as follows:

SQL> @dep
Enter value for object_to_test: KUPU$UTILITIES
old 3: where referenced_name='&&object_to_test'
new 3: where referenced_name='KUPU$UTILITIES'
Enter value for owner_to_test: SYS
old 4: and referenced_owner='&&owner_to_test'
new 4: and referenced_owner='SYS'

NAME OWNER TYPE
------------------------------ -------------------- ------------------------------
KUPU$UTILITIES SYS PACKAGE BODY
DBMS_METADATA_INT SYS PACKAGE BODY
DBMS_PLUGTS SYS PACKAGE BODY
KUPM$MCP SYS PACKAGE BODY
KUPUTIL PUBLIC SYNONYM

SQL>

Lets describe the internal package:

SQL> desc kupu$utilities_int
PROCEDURE CHECK_ENCRYPTION_WALLET
FUNCTION CHECK_IF_SHARDED_DB RETURNS NUMBER
FUNCTION CHECK_IGNORE_DESC_IN_INDEX RETURNS BOOLEAN
FUNCTION CHECK_TBS_FOR_TDECOL_TABS RETURNS NUMBER
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
TBS VARCHAR2 IN
PROCEDURE CREATE_DIRECTORY
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
DIR_PATH VARCHAR2 IN
PROCEDURE DEBUG
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
STR VARCHAR2 IN
FUNCTION DECODE RETURNS VARCHAR2
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
SRC VARCHAR2 IN
PROCEDURE DH_CHECK_DIGESTS
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
HANDLE NUMBER IN
SRCDIGEST VARCHAR2(512) IN
TARDIGEST VARCHAR2(512) IN
FUNCTION DH_DECRYPT RETURNS VARCHAR2
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
HANDLE NUMBER IN
SRCBUF VARCHAR2 IN
OUTFMT BINARY_INTEGER IN DEFAULT
FUNCTION DH_ENCRYPT RETURNS VARCHAR2
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
HANDLE NUMBER IN
SRCBUF VARCHAR2 IN
INPFMT BINARY_INTEGER IN DEFAULT
PROCEDURE DH_FREE_HANDLE
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
HANDLE NUMBER IN
FUNCTION DH_GEN_SHARED_KEY RETURNS VARCHAR2(512)
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
HANDLE NUMBER IN
PUBKEY VARCHAR2(1024) IN
FUNCTION DH_GET_PUBLIC_KEY RETURNS VARCHAR2(1024)
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
HANDLE NUMBER IN
FUNCTION DH_NEW_HANDLE RETURNS NUMBER
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
KEY_SIZE NUMBER IN
FUNCTION DIRECTORY_SCAN RETURNS BINARY_INTEGER
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
INFILESPEC VARCHAR2 IN
INDEFDIRSPEC VARCHAR2 IN
INSKIPFILEVERIFY BOOLEAN IN DEFAULT
INSUBDIRSEARCH BOOLEAN IN DEFAULT
OUTHASWILDCARD BOOLEAN OUT
INPLSQLARRAY T_DATAFILE_NAMES IN/OUT
INARRAYINDEX BINARY_INTEGER IN
FUNCTION ENCODE RETURNS VARCHAR2
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
SRC VARCHAR2 IN
FUNCTION GET_DP_UPDATE_LOCK RETURNS VARCHAR2
FUNCTION GET_PARAMETER_VALUE RETURNS VARCHAR2
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
NAME VARCHAR2 IN
FUNCTION GET_REMOTE_DBLINK_USER RETURNS VARCHAR2
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
USERID NUMBER IN
LINK_NAME VARCHAR2 IN
FUNCTION GET_SESSION_STAT RETURNS NUMBER
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
STATISTIC VARCHAR2 IN
SID NUMBER IN DEFAULT
FUNCTION GET_SHARDED_TABLE_FAMILY_ID RETURNS NUMBER
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
SCHEMANAME VARCHAR2 IN
TABLENAME VARCHAR2 IN
PROCEDURE INTALGCONV
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
ALG BINARY_INTEGER IN
IN_VAL VARCHAR2 IN
OUT_VAL VARCHAR2 OUT
FUNCTION INT_CHECK_IF_SHARDED_DB RETURNS NUMBER
FUNCTION IS_SUPERSET RETURNS BOOLEAN
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
FRCSID BINARY_INTEGER IN
TOCSID BINARY_INTEGER IN
FUNCTION MAX_DATAPUMP_JOBS_PER_PDB RETURNS BINARY_INTEGER
PROCEDURE RELEASE_DP_UPDATE_LOCK
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
SWLOCK_HANDLE VARCHAR2 IN
PROCEDURE SET_DEBUG
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
DEBUG_FLAGS BINARY_INTEGER IN
PROCEDURE SET_KGL_TIME_TO_WAIT_FOR_LOCKS
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
LWAIT_TIME NUMBER IN
FUNCTION TEN_G_LOGON_ALLOWED RETURNS NUMBER
PROCEDURE UPDATEFEATURETABLE
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
UTILITY_NAME VARCHAR2 IN
FEATURE_INFO FEATURE_INFO_T IN
PROCEDURE WRITEAUDITRECORD
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
ACTION BINARY_INTEGER IN
MASTER_ONLY BOOLEAN IN DEFAULT
DATA_ONLY BOOLEAN IN DEFAULT
METADATA_ONLY BOOLEAN IN DEFAULT
DUMPFILE_PRESENT BOOLEAN IN DEFAULT
JOB_RESTARTED BOOLEAN IN DEFAULT
MASTER_TABNAME VARCHAR2 IN
META_JOB_MODE VARCHAR2 IN
JOB_VERSION VARCHAR2 IN
ACCESS_METHOD VARCHAR2 IN
DATA_OPTIONS VARCHAR2 IN
DUMPER_DIRECTORY VARCHAR2 IN
REMOTE_LINK VARCHAR2 IN
TABLE_EXISTS_ACTION VARCHAR2 IN
PARTITION_OPTIONS VARCHAR2 IN
WARNINGS1 VARCHAR2 IN

SQL>

There are quite a few functions and procedures of interest listed here:

FUNCTION ENCODE RETURNS VARCHAR2
FUNCTION DH_GET_PUBLIC_KEY RETURNS VARCHAR2(1024)
FUNCTION DH_NEW_HANDLE RETURNS NUMBER
FUNCTION DH_GET_PUBLIC_KEY RETURNS VARCHAR2(1024)
FUNCTION DH_GEN_SHARED_KEY RETURNS VARCHAR2(512)
PROCEDURE DH_FREE_HANDLE
FUNCTION DH_ENCRYPT RETURNS VARCHAR2
FUNCTION DH_DECRYPT RETURNS VARCHAR2
PROCEDURE DH_CHECK_DIGESTS
PROCEDURE CHECK_ENCRYPTION_WALLET

Of particular interest is the wallet procedure CHECK_ENCRYPTION_WALLET and the encrypt/decrypt functions. We can also check the dependencies of this package:

SQL> @dep
Enter value for object_to_test: KUPU$UTILITIES_INT
old 3: where referenced_name='&&object_to_test'
new 3: where referenced_name='KUPU$UTILITIES_INT'
Enter value for owner_to_test: SYS
old 4: and referenced_owner='&&owner_to_test'
new 4: and referenced_owner='SYS'

NAME OWNER TYPE
------------------------------ -------------------- ------------------------------
DBMS_DATAPUMP SYS PACKAGE BODY
KUPV$FT_INT SYS PACKAGE BODY
KUPP$PROC SYS PACKAGE BODY
DBMS_DATAPUMP_UTL SYS PACKAGE BODY
KUPV$FT SYS PACKAGE BODY
KUPU$UTILITIES SYS PACKAGE BODY
KUPU$UTILITIES_INT SYS PACKAGE BODY
DBMS_METADATA_UTIL SYS PACKAGE BODY
KUPW$WORKER SYS PACKAGE BODY
KUPM$MCP SYS PACKAGE BODY
KUPF$FILE_INT SYS PACKAGE BODY

NAME OWNER TYPE
------------------------------ -------------------- ------------------------------
DBMS_PLUGTS SYS PACKAGE BODY
DBMS_TTS SYS PACKAGE BODY
DBMS_METADATA SYS PACKAGE BODY
DBMS_METADATA_DIFF SYS PACKAGE BODY

15 rows selected.

SQL>

And also look to see what packages use this internal package:

SQL> col referenced_owner for a30
SQL> col referenced_name for a30
SQL> col referenced_type for a30
SQL> select referenced_owner,referenced_name,referenced_type
2 from dba_dependencies
3 where name='KUPU$UTILITIES_INT' and owner='SYS';

REFERENCED_OWNER REFERENCED_NAME REFERENCED_TYPE
------------------------------ ------------------------------ ------------------------------
SYS STANDARD PACKAGE
SYS STANDARD PACKAGE
SYS PLITBLM PACKAGE
SYS DBMS_LOCK PACKAGE
SYS DBMS_UTILITY PACKAGE
SYS DBMS_ASSERT PACKAGE
SYS DBMS_METADATA_UTIL PACKAGE
SYS KUPP$PROC PACKAGE
SYS KUPCC PACKAGE
SYS KUPF$FILE PACKAGE
PUBLIC KUPUTIL SYNONYM

REFERENCED_OWNER REFERENCED_NAME REFERENCED_TYPE
------------------------------ ------------------------------ ------------------------------
PUBLIC KUPUTIL SYNONYM
SYS KUPU$UTILITIES_INT PACKAGE
SYS KUPULIB LIBRARY
SYS X$KSPPI TABLE
SYS X$KSPPCV TABLE

16 rows selected.

SQL>

So, this package KUPU$UTILITIES_INT does not use DBMS_CRYPTO or DBMS_OBFUSCATION_TOOLKIT so its unlikely that there is any package shipped by Oracle that provides key management using wallets in the database. Because we do not see evidence of DBMS_CRYPTO used with wallets to manage symetric keys then the assumtion is that the undocumented package KUPU$UTILITIES_INT is aimed at the TDE wallet and encryption using a TDE key. But it is not documented so we dont know for sure.

Lets try some of the kupu$utility_int functions, the wallet function and the encrypt functions for fun!

In particular these are the interesting ones from earlier:

FUNCTION ENCODE RETURNS VARCHAR2
FUNCTION DH_GET_PUBLIC_KEY RETURNS VARCHAR2(1024)
FUNCTION DH_NEW_HANDLE RETURNS NUMBER
FUNCTION DH_GET_PUBLIC_KEY RETURNS VARCHAR2(1024)
FUNCTION DH_GEN_SHARED_KEY RETURNS VARCHAR2(512)
PROCEDURE DH_FREE_HANDLE
FUNCTION DH_ENCRYPT RETURNS VARCHAR2
FUNCTION DH_DECRYPT RETURNS VARCHAR2
PROCEDURE DH_CHECK_DIGESTS
PROCEDURE CHECK_ENCRYPTION_WALLET

We can try the wallet procedure:

SQL> exec sys.kupu$utilities_int.check_encryption_wallet;
BEGIN sys.kupu$utilities_int.check_encryption_wallet; END;

*
ERROR at line 1:
ORA-28365: wallet is not open
ORA-06512: at "SYS.KUPU$UTILITIES_INT", line 96
ORA-06512: at line 1


SQL>

Which wallet is not open?

SQL> set serveroutput on
SQL> @sc_print 'select * from v$encryption_wallet'
old 32: lv_str:=translate('&&1','''','''''');
new 32: lv_str:=translate('select * from v$encryption_wallet','''','''''');
Executing Query [select * from v$encryption_wallet]
WRL_TYPE : FILE
WRL_PARAMETER :
STATUS : NOT_AVAILABLE
WALLET_TYPE : UNKNOWN
WALLET_ORDER : SINGLE
KEYSTORE_MODE : UNITED
FULLY_BACKED_UP : UNDEFINED
CON_ID : 3
-------------------------------------------

PL/SQL procedure successfully completed.

SQL>

This seems to align

SQL> @sc_print 'select * from v$wallet'
old 32: lv_str:=translate('&&1','''','''''');
new 32: lv_str:=translate('select * from v$wallet','''','''''');
Executing Query [select * from v$wallet]

PL/SQL procedure successfully completed.

SQL>

SQL> @sc_print 'select * from v$encryption_keys'
old 32: lv_str:=translate('&&1','''','''''');
new 32: lv_str:=translate('select * from v$encryption_keys','''','''''');
Executing Query [select * from v$encryption_keys]

PL/SQL procedure successfully completed.

SQL>

If this function tries to use a TDE wallet then we likely would need a TDE license to create a wallet and open it. This would make use of these functions not possible even if we could find how to use them properly. Lets try the encryption:

FUNCTION DH_DECRYPT RETURNS VARCHAR2
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
HANDLE NUMBER IN
SRCBUF VARCHAR2 IN
OUTFMT BINARY_INTEGER IN DEFAULT
FUNCTION DH_ENCRYPT RETURNS VARCHAR2
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
HANDLE NUMBER IN
SRCBUF VARCHAR2 IN
INPFMT BINARY_INTEGER IN DEFAULT

My guess is these functions could encrypt and decrypt TDE data?

SQL> set serveroutput on
SQL> declare
2 lv_in varchar2(32767):='this is text';
3 lv_out varchar2(32767);
4 begin
5 lv_out:=kupu$utilities_int.dh_encrypt(1,lv_in,1);
6 dbms_output.put_line(lv_out);
7 end;
8 /

PL/SQL procedure successfully completed.


SQL>

The call did not fail but didnt return anything; maybe it needs the wallet?

There is one way to use a wallet to manage keys for DBMS_CRYPTO and this is to use Oracle Key Vault introduced in 21c and use the integration accelerator for DBMS_CRYPTO. There is a PL/SQL API that allows simple features such as FetchKey() and CreateKey() from a wallet held in the Oracle Key Vault. There is a sample script dbms_crypto_using_okv_keymgmt.sql available with the product demonstrating use of a wallet and DBMS_CRYPTO. A Java SDK Program KeyManager.java is supplied called okv_key_mgtm that can be modified.

Oracle Key Vault (OKV) is out of the scope for most people wanting to use a wallet as OKV is an additonally licensed appliance and is overkill if you wanted to use DBMS_CRYPTO to encrypt small amounts of data columns / rows

So in conclusion there is no simple free way to use a wallet to manage keys for use with DBMS_CRYPTO

#oracleace #sym_42 #oracle #key #vault #wallet #encryption #tde #key