Use this DDL to encrypt obfuscated database link passwords and to have the TDE framework manage the encryption key.
A LOB locator (a pointer to the location of a large object (LOB) value) can be assigned a signature to secure the LOB.
The TDE keystore must exist. The DDL first checks that the TDE keystore is open and that the TDE Master Encryption Key exists in the TDE keystore.
If any of the checks fail, the DDL fails. When this happens, you must create a TDE keystore and provision a TDE Master Key. For more information, see the Database Security Guide.
The instance initialization parameter COMPATIBLE must be set to 220.127.116.11.
You must have SYSKM privileges to execute the command.
This DDL encrypts existing and future obfuscated sensitive information in data dictionaries, for example database link passwords stored in
It performs the following actions:
Inserts a new entry in
It creates and initializes the SGA variable.
De-obfuscates obfuscated passwords in
Encrypts the de-obfuscated passwords using the generated encryption key in
Sets the flag to indicate a valid/usable dblink entry in
When you use this DDL with LOB locator signature keys, they are always encrypted. A LOB locator (a pointer to the location of a large object (LOB) value) can be assigned a signature to secure the LOB.
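An added example, not taken from this page or from Oracle's documentation: a SQL*Plus runbook that checks the prerequisites listed above, runs the encrypt DDL, and verifies the result. The statement text and the view names (V$ENCRYPTION_WALLET, V$ENCRYPTION_KEYS, V$PARAMETER, DICTIONARY_CREDENTIALS_ENCRYPT, DBA_DB_LINKS) do not appear on this page and are assumptions about the Oracle release in use; the checking session is assumed to have SELECT access to them.

```sql
-- Added example. Run the checks in a session that can query these views
-- (assumption); the DDL itself needs SYSKM, as stated above.

-- 1. The keystore must be open. The DDL requires STATUS = 'OPEN';
--    'CLOSED' or 'OPEN_NO_MASTER_KEY' means a prerequisite is missing.
SELECT wrl_type, wallet_type, status
FROM   v$encryption_wallet;

-- 2. A TDE master encryption key must exist in the keystore.
SELECT COUNT(*) AS master_keys
FROM   v$encryption_keys;

-- 3. Compare COMPATIBLE with the minimum stated above.
SELECT value AS compatible
FROM   v$parameter
WHERE  name = 'compatible';

-- 4. Record the state before the change. ENFORCEMENT reads DISABLED while
--    credentials are only obfuscated and ENABLED once they are encrypted.
SELECT enforcement
FROM   dictionary_credentials_encrypt;

-- 5. Encrypt existing and future dictionary credentials.
ALTER DATABASE DICTIONARY ENCRYPT CREDENTIALS;

-- 6. Confirm the new state and check that no database link was left
--    flagged as invalid.
SELECT enforcement
FROM   dictionary_credentials_encrypt;

SELECT owner, db_link, valid
FROM   dba_db_links
ORDER  BY owner, db_link;
```

Keep the output of steps 4 and 6 with the change record: from this point on, usable database link credentials depend on the TDE keystore being open and on its backup.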
This DDL is used to change the data encryption key. It is applied to SYS.LINK$ and any other tables covered under the data dictionary encryption framework.
You can also use this DDL to regenerate the LOB locator signature key for LOB locators. If the database is in restricted mode, then Oracle Database regenerates a new LOB signature key and encrypts it with the new encryption key. If the database is in non-restricted mode, then Oracle Database does not regenerate a new signature key; instead, it uses a new encryption key to encrypt the existing LOB signature key.
This DDL marks encrypted passwords unusable. That means that current password entries in SYS.LINK$ are marked unusable. It deletes the key in ENC$ that was used to encrypt the credentials, and clears the SGA variable to prevent future encryption.
You can also use this DDL to delete the encrypted LOB locator signature key and then regenerate a new LOB signature key in obfuscated form.
Managing Security for Application Developers in the Database Security Guide