Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.server -> Re: Encryption

Re: Encryption

From: Pete Finnigan <pete_at_petefinnigan.com>
Date: Mon, 9 Jun 2003 10:44:34 +0100
Message-ID: <YX++2IBCcF5+Ewb7@peterfinnigan.demon.co.uk>


Hi Jim

Have a look on http://asktom.oracle.com; I think there is an example of using dbms_obfuscation_toolkit on there. Tom's book "Expert One on One Oracle" also has a chapter/section on dbms_obfuscation_toolkit.

You should not use a trigger to call the PL/SQL API, as this would mean having the encryption keys in the trigger source code. Just encrypting data is not a security solution for Oracle; you need to ensure that the database, server and application are security audited and that all possible / known security issues with Oracle and the underlying OS and network are plugged. Also, if the data is as sensitive as you say, then do not allow Internet access to it.

I also posted about this package last week in reply to someone else; have a look for that posting.

If you are interested in commercial products, as far as I know there are only three commercial alternatives to this package: DbEncrypt from www.appsecinc.com, Secure.Data from www.protegrity.com and Encryption Wizard from www.relationalwizards.com. You can of course write your own encryption code using extproc and external C procedures and calling one of the many public encryption libraries available.

Your biggest issue with encryption is securely managing the keys, but as I said, encryption is only part of the story; for a sensitive database you need a total security solution. Have a look at my site www.petefinnigan.com; there are about 65 Oracle security papers on there that might help you a bit.

hth

kind regards

Pete

-- 
Pete Finnigan
email: pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security information and services
Book: Oracle security step-by-step Guide - see http://store.sans.org for details.
Received on Mon Jun 09 2003 - 04:44:34 CDT
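
The trigger concern raised in the post above, shown as an added example that is not part of the original message or any code from its author: a trigger with a literal key, a dictionary query that locates such code during an audit, and a procedure that takes the key from the caller instead. All object names and the key value are constructed, and a single-byte database character set is assumed.

```sql
-- Constructed sample table; every object name in this example is hypothetical.
CREATE TABLE customer_secret (
  id       NUMBER PRIMARY KEY,
  card_enc RAW(64)   -- in the weak variant the caller inserts padded clear bytes
);

-- WEAK: the key is a literal in the trigger body, so it is stored in the data
-- dictionary together with the rest of the trigger source.
CREATE OR REPLACE TRIGGER customer_secret_bi
BEFORE INSERT ON customer_secret FOR EACH ROW
BEGIN
  :NEW.card_enc := DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt(
    input => :NEW.card_enc,   -- length must be a multiple of 8 bytes
    key   => UTL_RAW.CAST_TO_RAW('constructed16key'));  -- constructed 16-byte key
END;
/

-- AUDIT CHECK: list every stored source line that references the package,
-- then review each hit for key arguments written as literals.
SELECT owner, name, type, line, text
FROM   all_source
WHERE  UPPER(text) LIKE '%DBMS_OBFUSCATION_TOOLKIT%'
ORDER  BY owner, name, line;

-- ALTERNATIVE (an assumption of this example, not a design from the post):
-- no key in stored source; the caller passes it in at run time.
DROP TRIGGER customer_secret_bi;

CREATE OR REPLACE PROCEDURE store_card (
  p_id   IN NUMBER,
  p_card IN VARCHAR2,
  p_key  IN RAW        -- 16 bytes for the default two-key 3DES mode
) AS
  v_clear RAW(64);
  v_enc   RAW(64);
BEGIN
  -- Pad the clear text with spaces up to the next multiple of 8 bytes.
  v_clear := UTL_RAW.CAST_TO_RAW(RPAD(p_card, CEIL(LENGTH(p_card) / 8) * 8));
  -- Encrypt in PL/SQL first; only the ciphertext reaches the INSERT.
  v_enc := DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt(input => v_clear, key => p_key);
  INSERT INTO customer_secret (id, card_enc) VALUES (p_id, v_enc);
END;
/
```

Passing the key as a parameter only moves it out of the stored source; where the calling application keeps it is the key-management problem the post describes.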
