Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Tough question for oracle DBAs/Solaris Admins. Log shipping.

From: ohaya <ohaya_at_cox.net>
Date: Sat, 02 Sep 2006 13:01:15 -0400
Message-ID: <0KiKg.7811$Zm1.180@dukeread02>

>> Where does Oracle keep the encryption keys?  If someone has root could
>> they not just sniff out where oracle has the encryption keys and then
>> decrypt the data?

>
> They can not sniff them for different reasons depending on how you go
> about creating the system. Here's one way.
>
> Create the key using the DBMS_CRYPTO package with RANDOMBYTES
> inside of a function created using DBMS_DDL.CREATE_WRAPPED.
> No human ever sees it and no human ever can.

Hi,

It's been a while since I've worked with Oracle crypto (it was called DBMS_OBFUSCATION back then... has that changed?), but when I did work with it, it was clearly stated that key management was left to the user.

In our case, we initially went with an approach where the keys themselves were encrypted using a passphrase that the operator had to key in when the system was started. I had to write some code for masking the keyed-in passphrase. We're now looking at using a hardware-based (HSM) solution, e.g., nCipher's SecureDB.

Jim

Received on Sat Sep 02 2006 - 12:01:15 CDT
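
The passphrase-protected key approach described in the message above, as an added illustration that is not part of the original post or any Oracle code: a random data key is stored only in wrapped form and is unwrapped with a passphrase read without echo at startup. The function names, record layout and iteration count are assumptions, and because the Python standard library has no AES, the wrap step uses a PBKDF2-derived one-time mask plus an HMAC tag as a stand-in for AES key wrap.

```python
import getpass
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor; tune for the host
KEY_LEN = 32          # 256-bit data-encryption key


def _derive(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive a 32-byte mask and a 32-byte MAC key from the passphrase."""
    okm = hashlib.pbkdf2_hmac("sha512", passphrase.encode("utf-8"),
                              salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def wrap_key(data_key: bytes, passphrase: str) -> bytes:
    """Return salt || masked key || tag; only this record is written to disk."""
    if len(data_key) != KEY_LEN:
        raise ValueError("data key must be 32 bytes")
    salt = secrets.token_bytes(16)  # fresh salt, so each mask is used once
    mask, mac_key = _derive(passphrase, salt)
    masked = bytes(a ^ b for a, b in zip(data_key, mask))
    tag = hmac.new(mac_key, salt + masked, hashlib.sha256).digest()
    return salt + masked + tag


def unwrap_key(record: bytes, passphrase: str) -> bytes:
    """Recover the data key; ValueError on a wrong passphrase or tampering."""
    if len(record) != 16 + KEY_LEN + 32:
        raise ValueError("malformed key record")
    salt, masked, tag = record[:16], record[16:48], record[48:]
    mask, mac_key = _derive(passphrase, salt)
    expected = hmac.new(mac_key, salt + masked, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or corrupted key record")
    return bytes(a ^ b for a, b in zip(masked, mask))


if __name__ == "__main__":
    # One-time setup: generate the key and store only the wrapped record.
    record = wrap_key(secrets.token_bytes(KEY_LEN),
                      getpass.getpass("New passphrase: "))
    # Every startup: the operator types the passphrase; getpass does not echo.
    key = unwrap_key(record, getpass.getpass("Startup passphrase: "))
    print("data key unlocked,", len(key), "bytes held in memory only")
```

With this layout, anyone who can read the disk sees only the wrapped record, but a user with root on the running host can still read the unwrapped key from process memory, which is the gap an HSM is meant to close.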
