Full Version: Encrypting/masking columns in DB
ski0801
All,
I am a fairly new DBA and have a requirement to encrypt the password columns in my DBs. What they want is that when someone is looking at the DB using SQL Developer or Toad, they can't read the passwords. I have done so much reading on different ways to encrypt that my head is starting to spin; most of the stuff is way over my skill level. I am hoping there is an easy way to do this. I am assuming some sort of masking would work. Any suggestions?
Thanks,
Thomas Chelmowski

- Transparent data encryption doesn't seem to work because if you are an authenticated user the data will be decrypted.
- Looking at DBMS_CRYPTO but hoping there is a simpler way.
burleson
Hi Thomas,

>> have a requirement to encrypt the password columns in my DBs.

You know that the password column in dba_table is already encrypted, right?

However, it can be cracked:

http://www.dba-oracle.com/oracle_news/2005...limitations.htm

Are you looking for stronger encryption? If so, check out Paul Wright's book "Oracle Forensics":

http://www.rampant-books.com/book_2007_1_o...e_forensics.htm

>> have a requirement to encrypt the password columns in my DBs.

Here is one way, used with db link password encryption:

http://www.dba-oracle.com/t_password_hidin...ion_db_link.htm


********************************************************************
>> I am hoping there is an easy way to do this.

Well, one old-fashioned but effective way is to store the passwords on the OS filesystem, in a file with 700 permissions.

http://dba.ipbhost.com/index.php?showtopic=498

********************************************************************

>> Any suggestions?

Have you explored dbms_obfuscation?

http://www.dba-oracle.com/forensics/t_fore...ackagestate.htm


********************************************************************
>> Transparent data encryption doesn't seem to work because if you are an authenticated user the data will be decrypted.

What's wrong with that? You want the authorized person to get them, right?
The 11g transparent data encryption is very nice:

http://www.dba-oracle.com/t_11g_new_data_encryption.htm
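
An added example, not part of the thread: one way to use the DBMS_CRYPTO package mentioned in the first post so that the column shows only ciphertext to someone browsing with SQL Developer or Toad. The table, column and package names are hypothetical, and it assumes the AES key is supplied by the application at call time rather than stored anywhere in the schema.

```sql
-- Added example; app_users, password_enc and pw_crypt are hypothetical names.
-- Prerequisite (as SYS): GRANT EXECUTE ON DBMS_CRYPTO TO <owning schema>;
CREATE TABLE app_users (
  username      VARCHAR2(30) PRIMARY KEY,
  password_enc  RAW(2000)            -- 16-byte IV followed by AES ciphertext
);

CREATE OR REPLACE PACKAGE pw_crypt AS
  FUNCTION encrypt_pw(p_plain  IN VARCHAR2, p_key IN RAW) RETURN RAW;
  FUNCTION decrypt_pw(p_stored IN RAW,      p_key IN RAW) RETURN VARCHAR2;
END pw_crypt;
/
CREATE OR REPLACE PACKAGE BODY pw_crypt AS
  c_mode CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                               + DBMS_CRYPTO.CHAIN_CBC
                               + DBMS_CRYPTO.PAD_PKCS5;

  FUNCTION encrypt_pw(p_plain IN VARCHAR2, p_key IN RAW) RETURN RAW IS
    l_iv RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);  -- fresh IV for every value
  BEGIN
    RETURN UTL_RAW.CONCAT(l_iv,
             DBMS_CRYPTO.ENCRYPT(UTL_I18N.STRING_TO_RAW(p_plain, 'AL32UTF8'),
                                 c_mode, p_key, l_iv));
  END encrypt_pw;

  FUNCTION decrypt_pw(p_stored IN RAW, p_key IN RAW) RETURN VARCHAR2 IS
  BEGIN
    RETURN UTL_I18N.RAW_TO_CHAR(
             DBMS_CRYPTO.DECRYPT(UTL_RAW.SUBSTR(p_stored, 17),  -- ciphertext
                                 c_mode, p_key, UTL_RAW.SUBSTR(p_stored, 1, 16)),
             'AL32UTF8');
  END decrypt_pw;
END pw_crypt;
/
-- Constructed demo (run with SET SERVEROUTPUT ON). The key is generated here
-- only so the block runs; in use the application passes it in.
DECLARE
  l_key RAW(32) := DBMS_CRYPTO.RANDOMBYTES(32);   -- 256-bit AES key
BEGIN
  INSERT INTO app_users (username, password_enc)
  VALUES ('scott', pw_crypt.encrypt_pw('tiger', l_key));
  FOR r IN (SELECT password_enc FROM app_users WHERE username = 'scott') LOOP
    DBMS_OUTPUT.PUT_LINE('stored : ' || RAWTOHEX(r.password_enc));
    DBMS_OUTPUT.PUT_LINE('decoded: ' || pw_crypt.decrypt_pw(r.password_enc, l_key));
  END LOOP;
  ROLLBACK;
END;
/
```

A plain SELECT on `password_enc` returns only hex; reading the value back requires both EXECUTE on the package and the key, so the protection is only as good as where the key is kept.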