RE: Overwriting/deleting blobs

From: Mark W. Farnham
Date: Sat, 23 Feb 2013 08:41:36 -0500

JL's on target as usual.

I have a slightly different perspective, but ONLY IF the following assumptions are true:

  1. You have to keep everything relevant from some point in time (accounting date, perhaps) until some statutory time limit past the year, for example, 7 full fiscal years for a lot of stuff, or 25 years after project closure for EPA projects.
  2. You are in a jurisdiction where legal discovery in a court case requires production of everything relevant you have, whether or not you are still legally required to still have it by the government.

IF that is the case, then we can view the problem as legitimate AND as a time phased aggregate problem rather than individual blobs. That problem is tractable by using time based partitions in their own tablespace/file by partition. Then, at the time you are required to obfuscate you can partition exchange or drop partition. With the tablespace thus empty, you can drop the partition and use OS level obfuscation software to eradicate the contents of the file on disk.

Of course this will still leave all your backups around. Depending on the jurisdiction you *MAY* have to retrieve backups if you can. Chasing down all backup copies for destruction is a tedious problem, but it can be done as well *IF* you know where they all are.

I really don't know if this was the intent of your security department, or whether they are trying to obscure drawings related to something that was originally planned to be a patent that is now intended to be kept a trade secret. Or something completely different. I can only hope they are not attempting to corrupt the audit trail. If you suspect they are, watch your six.


From: Jonathan Lewis
Sent: Saturday, February 23, 2013 6:02 AM

WGB, I think you need to get your security department to explain exactly what they would like the database to achieve, but I think the answer is

  1. when you update a blob the data for the old blob is still in the file until some unspecified future time - it's just a little harder to get at
  2. that's the way it works with all the other data in the database, though the specific mechanisms are different, so why are they worrying about blobs in particular

Of course there's always the reverse question - why is your security department so keen to destroy the audit trail? ;)


Jonathan Lewis

| Greetings,
| I've been asked by our security department if there's a way to overwrite
| a blob in the database but I don't know of any way to do it. I asked my
| trusted coworker Google if there was a way to do it but he didn't have
| good ideas either. I would love to ask Oracle but this app didn't think
| purchasing support from Oracle was important. So, I come to the most
| knowledgeable DBAs in the world to ask for help.
| Something tells me that it's not just as easy as inserting a new blob in
| the table as I would guess that it would have to be the exact same size
| as the current blob. Also, could I guarantee that it would be placed in the
| exact same blocks/segments that the current blob is in.
| So, is there a way to "securely" overwrite/delete the current blob? What
| are my options, if any.
| Thank you,
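
The time-partitioned layout suggested in the first message of this thread, sketched as Oracle SQL. This is an added example, not code from any poster; the table, column, tablespace names, file paths and sizes are all assumptions.

```sql
-- Constructed example: names, paths and sizes are assumptions.
-- One tablespace (and one datafile) per retention period.
CREATE TABLESPACE ts_fy2005
  DATAFILE '/u01/oradata/EXAMPLE/ts_fy2005_01.dbf' SIZE 1G;
CREATE TABLESPACE ts_fy2006
  DATAFILE '/u01/oradata/EXAMPLE/ts_fy2006_01.dbf' SIZE 1G;

-- Row data and the BLOB segment of each partition are placed in that
-- period's tablespace, so the period's table and LOB segments sit in
-- that one file.
CREATE TABLE doc_archive (
  doc_id    NUMBER NOT NULL,
  acct_date DATE   NOT NULL,
  doc_body  BLOB
)
PARTITION BY RANGE (acct_date) (
  PARTITION p_fy2005 VALUES LESS THAN (DATE '2006-01-01')
    TABLESPACE ts_fy2005
    LOB (doc_body) STORE AS (TABLESPACE ts_fy2005),
  PARTITION p_fy2006 VALUES LESS THAN (DATE '2007-01-01')
    TABLESPACE ts_fy2006
    LOB (doc_body) STORE AS (TABLESPACE ts_fy2006)
);

-- When the retention period for FY2005 ends:
-- 1. Record which OS files back the tablespace.
SELECT file_name FROM dba_data_files WHERE tablespace_name = 'TS_FY2005';

-- 2. Remove the partition (its row and LOB segments go with it).
ALTER TABLE doc_archive DROP PARTITION p_fy2005;

-- 3. Confirm nothing else is stored there; this must return 0.
SELECT COUNT(*) FROM dba_segments WHERE tablespace_name = 'TS_FY2005';

-- 4. Drop the tablespace but leave the file on disk for wiping.
DROP TABLESPACE ts_fy2005 INCLUDING CONTENTS KEEP DATAFILES;

-- 5. Outside the database: overwrite and delete the file(s) listed in
--    step 1 with the OS-level tool, then deal with backups separately.
```

On SSDs, SANs or copy-on-write filesystems an in-place overwrite of the file may not reach the original physical blocks, so the wipe in step 5 has to be chosen with the storage layer in mind.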


