---
Title: Secure access
URL Source: https://company-skill.com/p/oceanbase/oceanbase-secure-access
Language: en
Description: You want to protect sensitive data in OceanBase by either encrypting stored data, enforcing strong authentication rules, or controlling who can access which tables. This includes meeting compliance…
---

# Secure access

Part of **OceanBase**. Route queries via `POST https://company-skill.com/api/route`.

## What You Want to Do

You want to protect sensitive data in OceanBase by either encrypting stored data, enforcing strong authentication rules, or controlling who can access which tables. This includes meeting compliance requirements like GDPR or PCI DSS.

**Typical User Questions**:
- How to encrypt sensitive data in OceanBase?
- Can I encrypt data at rest in OceanBase?

## Decision Tree

Pick the best path for your situation:

- **If** you need to encrypt specific columns (e.g., ID numbers) using AES and your application can call `DBMS_CRYPTO.ENCRYPT` → Use DBMS_CRYPTO (go to *oceanbase/oceanbase-security*)
- **If** you need to programmatically check whether a user has `SELECT` on a table via `information_schema.TABLE_PRIVILEGES` → Use / (go to *oceanbase/oceanbase-security*)
- **If** you want entire tablespaces automatically encrypted with **Transparent Data Encryption (TDE)** and enforce a **MEDIUM** password policy → Use (go to *oceanbase/oceanbase-security*)
- **Otherwise (default)** → Start with **** if you need system-wide security; otherwise, use **/** for basic access control.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| DBMS_CRYPTO | LOB GDPR | medium | Yes | Yes | Requires data to be of `RAW` type; uses `ENCRYPT_AES128` algorithm with explicit `key` and `iv` | `oceanbase/api/oceanbase-security` |
| / | | low | Yes | Yes | Queries `information_schema.TABLE_PRIVILEGES` where `GRANTEE` and `PRIVILEGE_TYPE` are exposed | `oceanbase/api/oceanbase-security` |
| TDE | | medium | Yes | Yes | Uses `ADMINISTER KEY MANAGEMENT` to create keystore for **TDE**; supports only **MEDIUM** password policy | `oceanbase/api/oceanbase-security` |

## Path Details

### Path 1: DBMS_CRYPTO

**Best For**: LOB GDPR

**Brief Description**: `DBMS_CRYPTO` is a PL/SQL package in OceanBase that provides industry-standard encryption functions like `DBMS_CRYPTO.ENCRYPT` and `DBMS_CRYPTO.DECRYPT`. It supports algorithms such as `ENCRYPT_AES128` and requires input data to be in `RAW` format. The application must manage the encryption `key`, initialization vector (`iv`), and `algorithm` explicitly.

**Key technical facts**:
- Billing: Free — included with OceanBase database license at no additional cost

**When to Use**:
- LOB GDPR

### Path 2: /

**Brief Description**: This approach uses SQL queries against `information_schema.SCHEMA_PRIVILEGES`, `information_schema.TABLE_PRIVILEGES`, and `information_schema.USER_PRIVILEGES` to inspect granted privileges. The `GRANT` statement is used to assign permissions, with metadata fields like `GRANTEE`, `PRIVILEGE_TYPE`, and `IS_GRANTABLE` indicating current access rights.

**Key technical facts**:
- Billing: Free — included with OceanBase database license at no additional cost
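The privilege check the decision tree describes, carried through as a grant followed by the `information_schema` lookups. This is an added example, not code from the page or from OceanBase; it assumes a MySQL-mode tenant (where `GRANTEE` is stored in `'user'@'host'` form), and the user, database and table names are constructed for the demo.

```sql
-- Added example (not from the page): grant SELECT on one table, then verify it
-- programmatically through information_schema as Path 2 describes.
-- Assumed: OceanBase MySQL-mode tenant; names below are constructed for the demo.
CREATE DATABASE IF NOT EXISTS app;
CREATE TABLE IF NOT EXISTS app.customers (id INT PRIMARY KEY, email VARCHAR(255));
CREATE USER 'report_ro'@'%' IDENTIFIED BY 'ChangeMe_demo_only_1!';
GRANT SELECT ON app.customers TO 'report_ro'@'%';

-- Check 1: does report_ro hold SELECT on app.customers at table level?
-- GRANTEE is the quoted 'user'@'host' string, so compare against exactly that;
-- IS_GRANTABLE = 'YES' would mean the user can pass the right on (WITH GRANT OPTION),
-- which is worth flagging in an access review.
SELECT GRANTEE, TABLE_SCHEMA, TABLE_NAME, PRIVILEGE_TYPE, IS_GRANTABLE
FROM information_schema.TABLE_PRIVILEGES
WHERE GRANTEE = "'report_ro'@'%'"
  AND TABLE_SCHEMA = 'app'
  AND TABLE_NAME = 'customers'
  AND PRIVILEGE_TYPE = 'SELECT';

-- Check 2: a missing table-level row does not prove "no access". A schema-wide or
-- global grant also confers SELECT, so inspect the other two views before
-- concluding; the UNION labels where each privilege comes from.
SELECT 'schema' AS scope, PRIVILEGE_TYPE, IS_GRANTABLE
FROM information_schema.SCHEMA_PRIVILEGES
WHERE GRANTEE = "'report_ro'@'%'" AND TABLE_SCHEMA = 'app'
UNION ALL
SELECT 'global' AS scope, PRIVILEGE_TYPE, IS_GRANTABLE
FROM information_schema.USER_PRIVILEGES
WHERE GRANTEE = "'report_ro'@'%'";
```

Run the checks from an account with enough privileges to see other users' grants (for example the tenant administrator); as the FAQ below notes, an ordinary user only sees rows for objects it has itself been granted.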

### Path 3: Console / Dashboard

**Best For**: TDE

**Brief Description**: This method uses the `ADMINISTER KEY MANAGEMENT` statement to create and open a keystore, enabling **Transparent Data Encryption (TDE)** for tablespaces. It also configures a built-in **password policy** with predefined levels, including **MEDIUM**, which enforces basic complexity rules without custom logic.

**Key technical facts**:
- Billing: Free — included with OceanBase database license at no additional cost
- Compliance: PCI DSS
- Password policy levels: LOW, MEDIUM

## FAQ

Q: Which path should I start with?
A: If you're building a new system and need broad protection, start with **** to enable **TDE** and **MEDIUM password policy**. If you only need to verify or assign table access, begin with **/**.

Q: What if I need to encrypt credit card numbers but chose ****?
A: You’ll get full-tablespace encryption via **TDE**, but you won’t have field-level control or masking—credit card numbers will be encrypted along with all other data, making selective decryption or auditing harder than with `DBMS_CRYPTO`.

Q: What if I try to use `DBMS_CRYPTO` on a `VARCHAR` column without converting to `RAW`?
A: The `DBMS_CRYPTO.ENCRYPT` function will fail because it only accepts `RAW` input. You must explicitly convert using `UTL_RAW.CAST_TO_RAW` or similar—this is a hard limitation listed in the fact card.
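The `RAW` conversion this answer describes, carried through as a complete encrypt/decrypt round trip for the Path 1 `DBMS_CRYPTO` approach. This is an added example, not code from the page or from OceanBase; it assumes an Oracle-mode tenant, that the Oracle-compatible `CHAIN_CBC` and `PAD_PKCS5` mode constants are available alongside `ENCRYPT_AES128`, and the key, IV and sample value are constructed for the demo.

```sql
-- Added example (not the page's or OceanBase's own code): AES-128-CBC round trip
-- of a VARCHAR2 value through DBMS_CRYPTO in an OceanBase Oracle-mode tenant (assumed).
-- CHAIN_CBC and PAD_PKCS5 are assumed Oracle-compatible mode constants; the key,
-- IV and sample ID number below are constructed for the demo only.
DECLARE
  l_plain   VARCHAR2(64) := '110101199001011234';                          -- constructed sample ID number
  l_key     RAW(16)      := HEXTORAW('000102030405060708090A0B0C0D0E0F');  -- 16 bytes = AES-128 key
  l_iv      RAW(16)      := HEXTORAW('0F0E0D0C0B0A09080706050403020100');  -- 16-byte CBC IV
  -- Algorithm, chaining mode and padding are combined into the single "typ" argument.
  l_typ     PLS_INTEGER  := DBMS_CRYPTO.ENCRYPT_AES128
                          + DBMS_CRYPTO.CHAIN_CBC
                          + DBMS_CRYPTO.PAD_PKCS5;
  l_cipher  RAW(2000);
  l_round   RAW(2000);
BEGIN
  -- ENCRYPT accepts only RAW, so the VARCHAR2 is cast first: this is the step the
  -- FAQ says cannot be skipped. The application supplies key, iv and typ itself.
  l_cipher := DBMS_CRYPTO.ENCRYPT(UTL_RAW.CAST_TO_RAW(l_plain), l_typ, l_key, l_iv);
  DBMS_OUTPUT.PUT_LINE('ciphertext (hex): ' || RAWTOHEX(l_cipher));

  -- DECRYPT needs the identical key, iv and typ; cast the RAW back to compare.
  l_round := DBMS_CRYPTO.DECRYPT(l_cipher, l_typ, l_key, l_iv);
  IF UTL_RAW.CAST_TO_VARCHAR2(l_round) = l_plain THEN
    DBMS_OUTPUT.PUT_LINE('round trip OK');
  ELSE
    RAISE_APPLICATION_ERROR(-20001, 'decrypted value does not match plaintext');
  END IF;
END;
/
```

In a real deployment the IV must be fresh for every value and stored alongside the ciphertext, and the key must come from the application's key management, never from a literal in source or in the database.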

Q: Can I combine `DBMS_CRYPTO` and **TDE**?
A: Yes—they operate at different layers. **TDE** encrypts the entire tablespace on disk, while `DBMS_CRYPTO` adds an extra application-layer encryption for sensitive fields. This is common in high-compliance environments.

Q: What if my tenant already has a keystore but I need a second one for a new schema?
A: You’ll hit the limitation that **keystore**—OceanBase does not allow multiple keystores per tenant, so you must reuse the existing one or rearchitect.

Q: Why can’t I see all users’ privileges when querying `information_schema.USER_PRIVILEGES`?
A: Due to the limitation “”, you’ll only see privileges for objects your user has been granted access to—this is intentional for security isolation.

## Related queries

secure database access, encrypt sensitive data, table-level encryption, strong password policy, audit user permissions, data at rest encryption, how to encrypt columns in OceanBase, can I use TDE in OceanBase, configure password complexity, check table privileges, grant select permission, DBMS_CRYPT

---
Part of [OceanBase](https://company-skill.com/p/oceanbase.md) · https://company-skill.com/llms.txt
