You can
encrypt table data while exporting to Object Storage.
Use the format parameter and the
encryption option with DBMS_CLOUD.EXPORT_DATA to encrypt data when you export
from Autonomous Database to Object
Storage.
Note the following when you export encrypted data to Object Storage:
The encryption option is only supported when exporting data from Autonomous Database to Object Storage
as CSV, JSON, or XML.
When the export includes both encryption and compression, the order of operations is:
first the data is compressed, next the data is encrypted, and then it is
uploaded to Object Storage.
There are two supported encryption methods:
Using a user-defined function.
Using a DBMS_CRYPTO specified encryption algorithm.
See DBMS_CRYPTO for
information on the cryptographic functions and procedures for encryption
and decryption.
Create a credential to store the encryption key (the encryption key to be used for
encrypting data).
When you encrypt data using DBMS_CRYPTO encryption algorithms you
store the encryption key in a credential. The key is specified in the
password field in a credential you create with DBMS_CLOUD.CREATE_CREDENTIAL.
As an alternative you can create a credential to store the key in a vault. For example:
BEGIN
DBMS_CLOUD.CREATE_CREDENTIAL (
credential_name => 'ENC_CRED_NAME',
params => JSON_OBJECT ('username' value 'Any_username',
'region' value 'Region',
'secret_id' value 'Secret_id_value'));
END;
/
Note
The username parameter you specify in the credential that stores the key can be any string.
This creates the ENC_CRED_NAME credential which is a vault secret credential, where the secret (decryption/encryption key) is stored as a secret in Oracle Cloud Infrastructure Vault.
Use the format parameter with the
encryption option. The encryption type specifies the
DBMS_CRYPTO encryption algorithm to use to encrypt the table data and
the credential_name value is credential that specifies the secret
(encryption key).
For example:
BEGIN
DBMS_CLOUD.EXPORT_DATA (
credential_name => 'OBJ_STORE_CRED',
file_uri_list => 'https://objectstorage.us-phoenix-1.oraclecloud.com/n/namespace-string/b/bucketname/o/encrypted.csv',
query => 'SELECT * FROM ADMIN.employees',
format => json_object(
'type' value 'csv',
'encryption' value json_object(
'type' value DBMS_CRYPTO.ENCRYPT_AES256 + DBMS_CRYPTO.CHAIN_CBC + DBMS_CRYPTO.PAD_PKCS5,
'credential_name' value 'ENC_CRED_NAME'))
);
END;
/
This encrypts and exports the data from the EMPLOYEES
table into a CSV file.
In this example, namespace-string is the Oracle
Cloud Infrastructure object storage namespace and
bucketname is the bucket
name. See Understanding
Object Storage Namespaces for more
information.
After you encrypt files with DBMS_CLOUD.EXPORT_DATA, when you use DBMS_CRYPTO
encryption algorithms to encrypt the files, you have these options for using or importing
the files you exported:
You can use DBMS_CLOUD.COPY_DATA or DBMS_CLOUD.COPY_COLLECTION with the same
encryption algorithm options and the key to decrypt the files.
You can query the data in an external table by supplying the same encryption algorithm
options and the key to decrypt the files, with any of the following procedures:
DBMS_CLOUD.CREATE_EXTERNAL_TABLE
DBMS_CLOUD.CREATE_EXTERNAL_PART_TABLE
DBMS_CLOUD.CREATE_HYBRID_PART_TABLE
For DBMS_CLOUD.CREATE_HYBRID_PART_TABLE this option is
only applicable to the Object Storage files.
Create a user-defined callback function to encrypt data.
For example:
CREATE OR REPLACE FUNCTION encryption_func (data IN BLOB)
RETURN BLOB
IS
l_encrypted_data BLOB;
BEGIN
DBMS_LOB.CREATETEMPORARY (l_encrypted_data, TRUE, DBMS_LOB.CALL);
DBMS_CRYPTO.ENCRYPT (
dst => l_encrypted_data,
src => data,
typ => DBMS_CRYPTO.ENCRYPT_AES256 + DBMS_CRYPTO.CHAIN_CBC + DBMS_CRYPTO.PAD_PKCS5,
key => 'encryption key'
);
RETURN l_encrypted_data;
END encryption_func;
/
This creates the ENCRYPTION_FUNC encryption function. This function encrypts data using a stream or block cipher with a user supplied key.
Note
You must create an encryption key to be used as
a value in the KEY parameter. See DBMS_CRYPTO Operational Notes for
more information on generating the encryption key.
Run DBMS_CLOUD.EXPORT_DATA with the
format parameter, include the encryption option and
specify a user_defined_function.
For example:
BEGIN
DBMS_CLOUD.EXPORT_DATA (
credential_name => 'OBJ_STORE_CRED',
file_uri_list => 'https://objectstorage.us-phoenix-1.oraclecloud.com/n/namespace-string/b/bucketname/o/encrypted.csv',
query => 'SELECT * FROM ADMIN.emp',
format => json_object(
'type' value 'csv',
'encryption' value json_object('user_defined_function' value 'admin.encryption_func'))
);
END;
/
This encrypts the data from the specified query the on
EMP table and exports the data as a CSV file on Cloud Object Storage.
The format parameter with the encryption value
specifies the user-defined encryption function to use to encrypt the data.
Note
You must have
EXECUTE privilege on the encryption function.
In this example, namespace-string is the Oracle
Cloud Infrastructure object storage namespace and
bucketname is the bucket
name. See Understanding
Object Storage Namespaces for more
information.