[SQL] Encrypting and Decrypting Data Using Oracle's DBMS_CRYPTO Package

on

 

Security is a top priority when handling sensitive data in databases. Oracle provides the DBMS_CRYPTO package to help encrypt and decrypt data securely using industry-standard algorithms like AES.

In this blog, we'll walk through:

  • Encrypting plaintext using AES-128 in CBC mode with PKCS5 padding

  • Decrypting that data back to plaintext

  • A full working example in PL/SQL


🔐 Encrypting Data using DBMS_CRYPTO


DECLARE
   l_key        RAW(128) := UTL_RAW.cast_to_raw('1234567890999999'); -- 16 bytes key for AES128
   l_data       RAW(2000);
   l_encrypted  RAW(2000);
BEGIN
   -- Convert plain text to RAW
   l_data := UTL_RAW.cast_to_raw('Hello World');
 
   -- Encrypt using AES128 + CBC + PKCS5 padding
   l_encrypted := DBMS_CRYPTO.ENCRYPT(
                     src => l_data,
                     typ => DBMS_CRYPTO.ENCRYPT_AES128 + 
                            DBMS_CRYPTO.CHAIN_CBC + 
                            DBMS_CRYPTO.PAD_PKCS5,
                     key => l_key);
 
   -- Output encrypted value in HEX format
   DBMS_OUTPUT.put_line('Encrypted (HEX): ' || RAWTOHEX(l_encrypted));
END;
/



🔓 Decrypting the Encrypted Data

Suppose the encrypted value from the above output is:
D35264E8079CCAA958116F5F2FCDD33E


Use the following block to decrypt it:
DECLARE
   l_key        RAW(128) := UTL_RAW.cast_to_raw('1234567890999999');
   l_data       RAW(2000);
   l_decrypted  VARCHAR2(4000);
BEGIN
   -- Assign the encrypted hex value as RAW
   l_data := HEXTORAW('D35264E8079CCAA958116F5F2FCDD33E');
 
   -- Decrypt the data
   l_decrypted := UTL_RAW.cast_to_varchar2(
                     DBMS_CRYPTO.DECRYPT(
                        src => l_data,
                        typ => DBMS_CRYPTO.ENCRYPT_AES128 + 
                               DBMS_CRYPTO.CHAIN_CBC + 
                               DBMS_CRYPTO.PAD_PKCS5,
                        key => l_key));

   DBMS_OUTPUT.put_line('Decrypted text: ' || l_decrypted);
END;
/




🔐 DBMS_CRYPTO.ENCRYPT_AES128

  • What it means: Use the AES algorithm with a 128-bit key size for encryption.
  • AES (Advanced Encryption Standard) is a strong, widely-used symmetric encryption algorithm.
  • 128-bit means the key is 16 bytes long.



🔄 DBMS_CRYPTO.CHAIN_CBC

  • CBC = Cipher Block Chaining mode
  • It’s a block cipher mode that links each block of plaintext with the previous ciphertext block before encrypting it.
  • CBC provides stronger security than ECB (Electronic Codebook) mode because identical plaintext blocks produce different ciphertext (as long as the IV is different).
  • CBC requires an Initialization Vector (IV), which Oracle internally generates if you don't provide it.

📦 DBMS_CRYPTO.PAD_PKCS5
    

  • PKCS5 Padding is a standard padding scheme used when the plaintext doesn’t align exactly with the block size (typically 16 bytes for AES).
  • It adds extra bytes to the last block of data so that it fits the encryption block size.
  • During decryption, the padding is automatically removed.




🧮 Why + is used


Oracle uses the + operator to combine these constants into a single TYP value passed to DBMS_CRYPTO.ENCRYPT() or DECRYPT().
So this line (with value of 4353):

      typ => DBMS_CRYPTO.ENCRYPT_AES128 + DBMS_CRYPTO.CHAIN_CBC + DBMS_CRYPTO.PAD_PKCS5


tells Oracle:
Use AES-128 encryption, with CBC chaining, and PKCS5 padding.




























































Comments











Post a Comment
























All Categories















Account Hierarchy1
Accounting Flexfields1
API2
ASCII1
Autonomous Database1
BIP7
BIP Refresh Time1
BIP Report1
Business Unit1
Call Fusion  BIP Report2




Change Password1
Code Combinations2
Compute Instance2
Data Aggregation2
Database5
Date Conversion1
DB Adapter2
Decryption1
Development1
EBS3
Encryption1
ESS Jobs3
Examine1
FBDI3
Fusion APIs1
Fusion BIP3
GIT2
GL3
GL Journals1
GL_DAILY_CONVERSION_TYPES1
GL_DAILY_RATES1
ICS1
Identity Domain1
Integrations1
Java1
Journal Import1
Keys1
Legal Entity1
LookupTypeLOV1
LOV1
LOVs1
MultiPartAPIs1
Networking1
NVL2
NVL in OIC2
OCI10
OCI Compute5
OCI Events Service1
OCI Free Tier2
OCI Notifification Service1
OCI Security2
OIC3
OIC Mapper2
Oracle18
Oracle ADF17
Oracle APEX1
Oracle Apps58
Oracle Apps R125
Oracle ATP1
Oracle BIP6
Oracle Cloud9
Oracle Cloud Free Tier1
Oracle cloud Infrastructure8
Oracle Cloud Security2
Oracle Cloud VM1
Oracle DB4
oracle ebs4
Oracle ERP2
Oracle ERP Adapter2
Oracle ERP Cloud6
Oracle financials2
Oracle Forms1
Oracle Fusion48
Oracle Fusion BIP3
Oracle Fusion ERP11
Oracle Fusion Financials12
Oracle Integration Cloud3
Oracle OAF17
Oracle OCI13
Oracle OIC21
Oracle SOA 12c10
Oracle SQL16
Oracle VBCS1
Oracle VBS2
Oracle Visual Builder Cloud Service1
Oracle Visual Builder Studio2
Oracle Workflow Notifications1
Others10
Properties1
R121
Register BIP as ESS Job1
Reset Password1
Responsibility1
REST3
Security List1
Site Map1
SOAP2
SOAP API2
SOAP UI3
SQL15
SQL Functions3
SQL Queries14
SQL Query8
SQL Tips3
SSH1
Value Sets1
VBCS1
Virtual Machine2
Virtual Machines1
XML1
XSLT1


Show more