ENCRYPT

The ENCRYPT function or procedure uses a user-specified algorithm, key, and optional initialization vector to encrypt RAW, BLOB or CLOB data. The signature of the ENCRYPT function is:

ENCRYPT
  (<src> IN RAW, <typ> IN INTEGER, <key> IN RAW,
   <iv> IN RAW DEFAULT NULL) RETURN RAW

The signature of the ENCRYPT procedure is:

ENCRYPT
  (<dst> INOUT BLOB, <src> IN BLOB, <typ> IN INTEGER, <key> IN RAW,
   <iv> IN RAW DEFAULT NULL)

or

ENCRYPT
  (<dst> INOUT BLOB, <src> IN CLOB, <typ> IN INTEGER, <key> IN RAW,
   <iv> IN RAW DEFAULT NULL)

When invoked as a procedure, ENCRYPT returns BLOB or CLOB data to a user-specified BLOB.

Parameters

dst

dst specifies the name of a BLOB to which the output of the ENCRYPT procedure will be written. The ENCRYPT procedure will overwrite any existing data currently in dst.

src

src specifies the source data that will be encrypted. If you are invoking ENCRYPT as a function, specify RAW data; if invoking ENCRYPT as a procedure, specify BLOB or CLOB data.

typ

typ specifies the block cipher type that will be used by ENCRYPT, and any modifiers. Advanced Server supports the block cipher algorithms, modifiers and cipher suites listed below:

Block Cipher Algorithms

ENCRYPT_DES

CONSTANT INTEGER := 1;

ENCRYPT_3DES

CONSTANT INTEGER := 3;

ENCRYPT_AES

CONSTANT INTEGER := 4;

ENCRYPT_AES128

CONSTANT INTEGER := 6;

ENCRYPT_AES192

CONSTANT INTEGER := 192;

ENCRYPT_AES256

CONSTANT INTEGER := 256;

Block Cipher Modifiers

CHAIN_CBC

CONSTANT INTEGER := 256;

CHAIN_ECB

CONSTANT INTEGER := 768;

Block Cipher Padding Modifiers

PAD_PKCS5

CONSTANT INTEGER := 4096;

PAD_NONE

CONSTANT INTEGER := 8192;

Block Cipher Suites

DES_CBC_PKCS5

CONSTANT INTEGER := ENCRYPT_DES + CHAIN_CBC + PAD_PKCS5;

DES3_CBC_PKCS5

CONSTANT INTEGER := ENCRYPT_3DES + CHAIN_CBC + PAD_PKCS5;

AES_CBC_PKCS5

CONSTANT INTEGER := ENCRYPT_AES + CHAIN_CBC + PAD_PKCS5;

key

key specifies the encryption key.

iv

iv (optional) specifies an initialization vector. By default, iv is NULL.

Examples

The following example uses the DBMS_CRYPTO.DES_CBC_PKCS5 Block Cipher Suite (a pre-defined set of algorithms and modifiers) to encrypt a value retrieved from the passwords table:

CREATE TABLE passwords
(
  principal   VARCHAR2(90) PRIMARY KEY, -- username
  ciphertext  RAW(9) -- encrypted password
);
CREATE PROCEDURE set_password(username VARCHAR2, cleartext RAW) AS
 typ         INTEGER := DBMS_CRYPTO.DES_CBC_PKCS5;
 key         RAW(128) := 'my secret key';
 iv          RAW(100) := 'my initialization vector';
 encrypted   RAW(2048);
BEGIN
  encrypted := dbms_crypto.encrypt(cleartext, typ, key, iv);
  UPDATE passwords SET ciphertext = encrypted WHERE principal = username;
END;

ENCRYPT uses a key value of my secret key and an initialization vector of my initialization vector when encrypting the password; specify the same key and initialization vector when decrypting the password.