Encrypt decrypt PL SQL Packages in oracle

吃可爱长大的小学妹 submitted on 2021-01-28 05:24:27

Question


Is there any way to encrypt the SQL packages (stored procedures, functions, etc.) in Oracle using a specific key and decrypt them using the same key for security purposes? I am using Oracle 12c.

Thanks,


Answer 1:


Yes, you can use the wrap tool for this; see PL/SQL Source Text Wrapping.

You can wrap the PL/SQL source text, thereby preventing anyone from displaying that text with the static data dictionary views *_SOURCE.

In principle, decryption is not supported; however, you can use tools like Unwrap It!.




Answer 2:


I like Wernfried's answer. I would like to expand a little if I may.

Assuming you will try the WRAP method (some say easily cracked), here are things to try to check its effectiveness:

  • Check with tkprof if executing the WRAPd objects reveals any logic or SQL
  • Check the V$SQL and related views to see if executing the WRAPd objects reveals any logic or SQL
  • Check with OEM to see if executing the WRAPd objects reveals any logic or SQL

I've never tested the above, but if I were considering using WRAP I would do so, so that I know the limits of whatever protection it gives. Given the importance of DBAs being able to monitor and tune queries, I would be surprised if the SQL at least was not ascertainable via standard performance views/queries.

Also note, if your code has any dynamic SQL or PLSQL, this could show up in the symbol table of the wrapped file (as hex codes).

I think you cannot wrap TRIGGER code (though, you could of course have triggers call PLSQL procedures that are wrapped).

If you are a software vendor concerned about customer DBAs poking around your code, given the above point about SQL monitoring, and assuming the DBAs have access to a suitable cracker, I don't think there is much you can do to stop them. You might be able to prevent non-DBA users from doing this by restricting access to DBA_SOURCE, V$SQL and related views.

Out of interest I had a look at Native Compilation of PLSQL, to see if the compiled M-code could be shipped instead of the PLSQL source, but it seems that you have to ship the PLSQL code too.

What other options are there? Can the PLSQL be hived off to a remote protected database and consumed via REST API calls? That depends heavily on application logic and data access, and if having such a service on a protected remote server is feasible.

The one last thing I'd consider if it was absolutely necessary to hide the logic would be to implement as Pro*C/C/Java modules to create EXTERNAL LIBRARIES. But note here as well, SQL calls within the Pro*C/C/Java will still be exposed in V$SQL. Plus, there aren't many around who write Pro*C anymore.
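
A test script for the V$SQL and DBA_SOURCE checks listed in this answer, added here as an example and not part of the original answer. `DEMO_ORDERS` and `DEMO_COUNT_OPEN` are constructed names; the script assumes a test schema that can create objects and read `V$SQL` and `DBA_TAB_PRIVS`.

```sql
-- Constructed demo objects: DEMO_ORDERS and DEMO_COUNT_OPEN are hypothetical names.
-- Run in a test schema; steps 4 and 5 need read access to V$SQL and DBA_TAB_PRIVS.
CREATE TABLE demo_orders (id NUMBER PRIMARY KEY, status VARCHAR2(10));
INSERT INTO demo_orders VALUES (1, 'OPEN');
COMMIT;

-- 1. Create the function already wrapped, so clear text is never stored in the dictionary.
BEGIN
  DBMS_DDL.CREATE_WRAPPED(q'[CREATE OR REPLACE FUNCTION demo_count_open RETURN NUMBER IS
  n NUMBER;
BEGIN
  SELECT COUNT(*) INTO n FROM demo_orders WHERE status = 'OPEN';
  RETURN n;
END;]');
END;
/

-- 2. The *_SOURCE views should show the "wrapped" header and an encoded body only.
SELECT line, SUBSTR(text, 1, 60) AS text_start
FROM   user_source
WHERE  name = 'DEMO_COUNT_OPEN'
ORDER  BY line;

-- 3. Execute the wrapped unit once so its embedded SQL is parsed into the shared pool.
SELECT demo_count_open FROM dual;

-- 4. Search the cursor cache for statements touching the demo table.
--    Any SELECT against DEMO_ORDERS listed here is SQL from inside the wrapped unit.
SELECT sql_id, parsing_schema_name, sql_text
FROM   v$sql
WHERE  UPPER(sql_text) LIKE '%DEMO_ORDERS%'
AND    UPPER(sql_text) NOT LIKE '%V$SQL%';

-- 5. Review who has been granted read access to the source and cursor views.
SELECT grantee, table_name, privilege
FROM   dba_tab_privs
WHERE  table_name IN ('DBA_SOURCE', 'V_$SQL', 'V_$SQLAREA', 'V_$SQLTEXT')
ORDER  BY grantee, table_name;

-- Cleanup of the constructed objects.
DROP FUNCTION demo_count_open;
DROP TABLE demo_orders PURGE;
```

Step 5 lists object grants only; access obtained through roles or system privileges has to be reviewed separately.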




Answer 3:


Using wrap functionality is only obfuscation, not encryption. It is easily undone with a variety of available web sites, Python scripts, and other PL/SQL procedures. There are additional obfuscations that you can do to make interpretation of your code more difficult (Oracle's SQL Developer has some built-in functions for this) so that even if your code is unwrapped it is still difficult to read. Here's an example of one other custom obfuscation toolkit, too: https://pmdba.wordpress.com/2020/02/24/code-obfuscation-toolkit/. For a commercial-grade toolkit, check this out: http://www.petefinnigan.com/products/pfclobfuscate.htm



Source: https://stackoverflow.com/questions/60414731/encrypt-decrypt-pl-sql-packages-in-oracle
