DECRYPT v17
The DECRYPT
function or procedure decrypts data using a user-specified cipher algorithm, key, and optional initialization vector. The signature of the DECRYPT
function is:
DECRYPT (<src> IN RAW, <typ> IN INTEGER, <key> IN RAW, <iv> IN RAW DEFAULT NULL) RETURN RAW
The signature of the DECRYPT
procedure is:
DECRYPT (<dst> INOUT BLOB, <src> IN BLOB, <typ> IN INTEGER, <key> IN RAW, <iv> IN RAW DEFAULT NULL)
or
DECRYPT (<dst> INOUT CLOB, <src> IN CLOB, <typ> IN INTEGER, <key> IN RAW, <iv> IN RAW DEFAULT NULL)
When invoked as a procedure, DECRYPT
returns BLOB
or CLOB
data to a user-specified BLOB
.
Parameters
dst
dst
specifies the name of a BLOB
to which the output of the DECRYPT
procedure is written. The DECRYPT
procedure overwrites any existing data currently in dst
.
src
src
specifies the source data to decrypt. If you're invoking DECRYPT
as a function, specify RAW
data. If invoking DECRYPT
as a procedure, specify BLOB
or CLOB
data.
typ
typ
specifies the block cipher type and any modifiers. Match the type specified when the src
was encrypted. EDB Postgres Advanced Server supports the following block cipher algorithms, modifiers, and cipher suites:
Block cipher algorithms | |
---|---|
ENCRYPT_DES | CONSTANT INTEGER := 1; |
ENCRYPT_3DES | CONSTANT INTEGER := 3; |
ENCRYPT_AES | CONSTANT INTEGER := 4; |
ENCRYPT_AES128 | CONSTANT INTEGER := 6; |
ENCRYPT_AES192 | CONSTANT INTEGER := 192; |
ENCRYPT_AES256 | CONSTANT INTEGER := 256; |
Block cipher modifiers | |
CHAIN_CBC | CONSTANT INTEGER := 256; |
CHAIN_ECB | CONSTANT INTEGER := 768; |
Block cipher padding modifiers | |
PAD_PKCS5 | CONSTANT INTEGER := 4096; |
PAD_NONE | CONSTANT INTEGER := 8192; |
Block cipher suites | |
DES_CBC_PKCS5 | CONSTANT INTEGER := ENCRYPT_DES + CHAIN_CBC + PAD_PKCS5; |
DES3_CBC_PKCS5 | CONSTANT INTEGER := ENCRYPT_3DES + CHAIN_CBC + PAD_PKCS5; |
AES_CBC_PKCS5 | CONSTANT INTEGER := ENCRYPT_AES + CHAIN_CBC + PAD_PKCS5; |
key
key
specifies the user-defined decryption key. Match the key specified when the src
was encrypted.
iv
iv
(optional) specifies an initialization vector. If an initialization vector was specified when the src
was encrypted, you must specify an initialization vector when decrypting the src
. The default is NULL
.
Examples
This example uses the DBMS_CRYPTO.DECRYPT
function to decrypt an encrypted password retrieved from the passwords
table:
CREATE TABLE passwords ( principal VARCHAR2(90) PRIMARY KEY, -- username ciphertext RAW(9) -- encrypted password ); CREATE FUNCTION get_password(username VARCHAR2) RETURN RAW AS typ INTEGER := DBMS_CRYPTO.DES_CBC_PKCS5; key RAW(128) := 'my secret key'; iv RAW(100) := 'my initialization vector'; password RAW(2048); BEGIN SELECT ciphertext INTO password FROM passwords WHERE principal = username; RETURN dbms_crypto.decrypt(password, typ, key, iv); END;
When calling DECRYPT
, you must pass the same cipher type, key value, and initialization vector that was used when encrypting the target.
- On this page
- Parameters
- Examples