I'm tasked to create encryption/decryption methods inside an Oracle database. By researching I came up to this SO discussion which provides a great code example using the DBMS_CRYPTO package.
However there is a security concern: in this design, the KEY/IV pair, the encryption algorithm, and the encrypted data are all stored in one place (the database). Making it too easy for gathering all the necessary pieces to get the real value.
For some reason the management turned down the option to store the keys outside Oracle db. The reason is occasionally we need to provide a data dump to the client. They cannot have encrypted data and they cannot decrypt it. The data dump is done by SQL so the decryption can be performed in the SELECT query.
Is there a best practice for this scenario?
Thank you for your time.