
About Data Masker Crypto Rules

Crypto rules are one type of Masking Rule. Background information on other types of Masking Rules can be found in the About Data Masker Rules help file.

Crypto rules are designed to read the data in a column and replace each item with its encrypted version. The Oracle-supplied DBMS_Obfuscation toolkit is used for this purpose, which means that these rules are only available on Oracle versions 8.1 or greater. The quality of the encryption is only as good as the DBMS_Obfuscation toolkit provides - which is to say that it is probably good enough for normal business security, but organizations with expertise in such things (like the CIA etc.) could almost certainly decrypt it if they chose to do so. Read the Oracle DBMS_Obfuscation toolkit manual for more information on this topic.

Crypto rules can also decrypt the previously encrypted data so that the original information is restored. Crypto rules are the only type of Masking Rule in which it is possible to recover previously masked data via the application of a rule.

The benefit of Crypto rules lies in the fact that the data is "masked" to people who do not have the encryption key - but available to those who do. Because the encryption process uses the Oracle standard DBMS_Obfuscation toolkit there are a variety of options (outside of the Data Masker) available to decrypt the data and present it in its original form.

For example, a column of customer last names could be disguised using a Crypto rule but the front end screens of a select group of people (administrators perhaps) could, if required, use their own calls to the DBMS_Obfuscation toolkit to decode and view the column information.

Once the Crypto rule has begun to execute, the processing continues until all rows in the table are updated with the new data. Commits happen at user configurable intervals (every 5000 rows is the default).

There can be any number of Crypto rules on any of the columns in any table in a schema. In general, it is not appropriate to apply Crypto rules to columns involved in foreign key relationships (either as the parent or child) or to those which are used in primary or unique keys since this will invalidate those constraints and make them impossible to enable.

Crypto rules do use options. Options are associated with the rule when it is created using the New Crypto Rule dialog box and can be adjusted at any time using the Options panel on the Set Rules tab.

Crypto Options
These options configure the rule for encryption or decryption, choose the encryption key and the field padding character.


A Sample Data Masker Crypto Rule Options Panel

Rule Type
Set this option to indicate whether the rule should encrypt or decrypt the data in the specified column. Note: you cannot encrypt an already encrypted column of data - the Oracle DBMS_Obfuscation toolkit will generate an error.

Padding Character
The DBMS_Obfuscation toolkit requires that the number of characters in each field it encrypts be a multiple of 8. Most char and varchar2 values are not already of such a length, so some padding is required. In encryption mode the specified padding character is concatenated onto the end of each field as many times as needed to bring its length up to a multiple of 8. The decryption mode of this rule can optionally strip this character back off.

It is important to specify a padding character that can never appear as the last character of any value in your data. When the decryption operation later removes the padding characters it cannot distinguish padding added by the encryption rule from identical characters that were originally present at the end of the value, so those original characters would be stripped as well.

Trim Padding on Decryption
Set this option to control whether the padding character placed at the end of the data by the encryption operation is removed after decryption.
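The padding and trimming behaviour described above, and the way an unsafe padding character silently corrupts data on decryption, as an added illustration in Python (not Data Masker's or Oracle's code; the encryption step itself is omitted because DES maps each padded 8-character block back to itself on decryption, so only the pad/trim logic affects the result). The function names and the sample column values are constructed for this example.

```python
BLOCK = 8  # the toolkit's DES block size: field length must be a multiple of 8

def pad_field(value: str, pad_char: str) -> str:
    """Append pad_char until the length is a multiple of 8 (encryption mode)."""
    if len(pad_char) != 1:
        raise ValueError("padding character must be a single character")
    remainder = len(value) % BLOCK
    if remainder == 0:
        return value  # already block-aligned, nothing to add
    return value + pad_char * (BLOCK - remainder)

def strip_padding(value: str, pad_char: str) -> str:
    """Decryption mode with 'Trim Padding' set: remove trailing pad characters.
    This cannot tell original trailing pad_char characters from added ones."""
    return value.rstrip(pad_char)

def round_trip(value: str, pad_char: str, trim: bool = True) -> str:
    """Simulate encrypt -> decrypt for one field, with or without trimming."""
    padded = pad_field(value, pad_char)
    assert len(padded) % BLOCK == 0  # what the toolkit requires of its input
    return strip_padding(padded, pad_char) if trim else padded

def unsafe_values(column_values, pad_char: str):
    """Pre-flight check before choosing a padding character: return every value
    that ends in pad_char, because those would lose characters on decryption."""
    return [v for v in column_values if v.endswith(pad_char)]

if __name__ == "__main__":
    # constructed sample column values: note the trailing space in "Jones "
    names = ["Smith", "Jones ", "Anderson", "O'Brien"]
    print(unsafe_values(names, " "))   # ["Jones "]: a space is a bad pad character here
    print(unsafe_values(names, "~"))   # []: "~" never ends a value, so it is safe
    print(round_trip("Jones ", " "))   # "Jones": original trailing space is lost
    print(round_trip("Jones ", "~"))   # "Jones ": restored intact
```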

Encryption/Decryption Password
This is the password used to encode and decode the data. It must be a minimum of eight characters. Do not forget this password - if you do it will not be possible to decrypt the data.

Note: This password is not stored in an encrypted form when the Masking Set is saved. The Masking Set itself must be kept secure in order to preserve the privacy of this password.

