I have tagged this problem with both Oracle and Java because both Oracle and Java solutions would be accepted for this problem.
I am new to Oracle security and have been presented with the below problem to solve. I have done some research on the internet but I have had no luck so far. At first, I thought Oracle TDE might be helpful for my problem, but here: "Can Oracle TDE protect data from the DBA?" it seems TDE doesn’t protect data against the DBA, and this is an issue which is not to be tolerated.
Here is the problem:
I have a table containing millions of records. I have a Java application which queries this table using equality or range criteria against a column in the table which is the primary key column of the table. The primary key column contains sensitive data and thus has been encrypted already. As a result, querying data using normal (i.e. decrypted) values from the application cannot use the primary key’s unique index access path. I need to improve the queries’ performance without any changes to the application code (application config can be modified if necessary but not the code). It would be OK to make any changes that are necessary on the database side as long as that column remains encrypted.
Oracle people please: What solution(s) do you suggest to this problem? How can I create an index on decrypted column values and somehow force Oracle to utilize this index? How can I use partitioning such as hash-partitioning? How about views? Any, Any solution?
Java people please: I myself have this very vague idea, which is to create a separate application in between (i.e. between the database and the application) which acts as a proxy that receives the queries from the application, replaces the decrypted values with encrypted values and sends them to the database; it then receives the response and returns the results back to the application. The proxy should behave like a database so that it should be possible for the application to connect to it by changing the connection string in the configuration file only. Would this work? How?
Thanks for all your help in advance!
To find a specific value it’s simple enough – you can store the data encrypted any way you like – even as a hash and still retrieve a specific value using an index. But as per my comment elsewhere, you can’t do range queries without either:
or
Using a linked list (or a related table) to define order instead of an algorithm with intrinsic ordering would force a brute force check on a much larger set of values – but it’s nowhere near as secure as a properly encrypted value.
It doesn’t matter if you use Oracle, Java or pencil and paper. Might be possible using quantum computing – but if you can’t afford to ensure the security of your application / pay for good advice from an expert cryptographer, then you certainly won’t be able to afford that.
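The equality case from the answer above, as an added example that is not part of the original posts: a keyed hash (HMAC-SHA-256) stored as the primary key gives indexed exact lookups, while the tokens sort in an order unrelated to the plaintext IDs, so a range predicate cannot use them. SQLite stands in for Oracle here, and the key, table, column and function names are constructed for illustration.

```python
import hashlib
import hmac
import sqlite3

# Constructed demo key. Assumption: the real key is held by the application
# or a proxy, never stored in the database, so a DBA cannot recompute tokens.
INDEX_KEY = b"constructed-demo-key"

def token(plain_id: int) -> str:
    """Deterministic keyed hash: the same ID always maps to the same token."""
    return hmac.new(INDEX_KEY, str(plain_id).encode(), hashlib.sha256).hexdigest()

def build_db(ids):
    """Table keyed by token; payload is the row's ordinal, not the ID."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id_token TEXT PRIMARY KEY, payload TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [(token(i), f"row-{n}") for n, i in enumerate(ids)])
    return db

def find_exact(db, plain_id):
    """Equality lookup: hash the search value, then hit the unique index."""
    row = db.execute("SELECT payload FROM accounts WHERE id_token = ?",
                     (token(plain_id),)).fetchone()
    return row[0] if row else None

def exact_plan(db, plain_id):
    """Query plan text for the equality lookup."""
    rows = db.execute("EXPLAIN QUERY PLAN SELECT payload FROM accounts "
                      "WHERE id_token = ?", (token(plain_id),)).fetchall()
    return " ".join(r[3] for r in rows)

def rows_in_token_order(db):
    """Row order as the index sees it (sorted by token)."""
    return [r[0] for r in db.execute(
        "SELECT payload FROM accounts ORDER BY id_token")]

if __name__ == "__main__":
    ids = list(range(1000, 1020))        # constructed sample IDs
    db = build_db(ids)
    print(find_exact(db, 1005))          # indexed exact match
    print(exact_plan(db, 1005))
    print(rows_in_token_order(db)[:5])   # unrelated to ID order
```

Because the tokens carry no ordering, a `BETWEEN` on `id_token` selects an arbitrary subset of rows rather than the IDs in the requested range.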