Re: Column encryption use-case

Hi Lok,

Have you tried using VPD? It seems to be a better fit for your use case than dbms_crypto.

Em sex, 15 de set de 2023 23:00, Lok P <loknath.73_at_gmail.com> escreveu:

> Hello Friends, It's Oracle version 19C.
>
> We are using tablespace TDE for "data at rest" encryption. We have got a
> security requirement , as part of which TDE is not sufficient as , although
> it's encrypted in storage , the data is visible to clear text to all
> whoever selects from that table. The sensitive column(e.g. account_number)
> should not be visible to others in clear text and should be stored as
> encrypted only. And should also be decrypted as and when required by the
> application logic from the app account but not from the individual user
> account. And currently the application is required to query/fetch/join that
> column as and when required and we have indexes that exist on the column in
> few cases. Also there are cases, the column/attribute which we want to
> encrypt is part of a clob column which stores Json format strings. Would it
> be okay to encrypt a full clob or should we extract the sensitive column
> out from the clob and store it as a different column and then encrypt that?
>
> While searching over the internet , I found dbms_crypto. But I have never
> used it in the past. So I wanted to know from experts here , if this above
> use case should be catered by the dbms_crypto package and then how the key
> management happens here? or any other possible easy/more performant methods
> are available in latest Oracle versions? Because having indexes created on
> the encrypted column may have performance overhead while decrypting , so I
> want to be cautious.
>
> And this activity we need to do on the existing data and the newly coming
> data to the table. There are 100's of million rows inserted/queried per day
> to/from the table along with that column.
>
> Appreciate your guidance.
>
> Regards
> Lok
>

--
http://www.freelists.org/webpage/oracle-l