Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
Home -> Community -> Usenet -> c.d.o.server -> Re: Where to keep encryption key , DB?
One method would be wrap the procedure. While not perfect, it will make the
key very difficult to locate.
Another method would be put to the key into a flat file.
Rick
andreyNSPAM_at_bookexchange.net (NetComrade) writes:
> We are planning to store credit card #'s in our database..
>
> We are looking into different options to encrypt CC #'s, one is to use
> oracle's built in dbms_obfuscation_toolkit.
>
> The question is, where do we store the encryption key?
>
> I thought of creating a separate account in the db just to hold that
> function, and just grant execute on it to a user that needs to execute
> it, but not see the code of the function.. The thing is, if you grant
> execute to userB, userB's all_source can see the source of the
> function..
>
> How woud you do it? (or did you already)
>
> If we are to store the key in let's say some C code, that we'd have to
> redploy our application each time we are changing the key..
>
> BTW, what are the general industry standards to change the key (how
> often, etc, etc)
>
> Any help is greatly appreciated.
> .......
> We use Oracle 8.1.6-8.1.7 on Solaris 2.6, 2.7 boxes
> Andrey Dmitriev eFax: (978) 383-5892 Daytime: (917) 750-3630
> AOL: NetComrade ICQ: 11340726 remove NSPAM to email
-- Rick Wessman Security Assurance Group Oracle Corporation Rick.Wessman_at_oracle.com The opinions expressed above are mine and do not necessarily reflect those of Oracle Corporation.Received on Mon Oct 15 2001 - 06:36:47 CDT