Granting Encryption Permission to the Database Owner
In order for the database owner to use an encryption key to encrypt a database or column, the SYSDSO must first grant encrypt permission to the database or table owner to use the key. Only the SYSDSO can grant encrypt permission.
To grant permission to encrypt, use the following syntax:
GRANT ENCRYPT ON ENCRYPTION key-name to user-name;
For example, if a SYSDBA is the database owner:
GRANT ENCRYPT ON ENCRYPTION expenses_key to SYSDBA;
gives the SYSDBA permission to use the payroll-key to encrypt a database or a column.
- Important: Only the user who encrypts a column or database can grant decrypt privileges to those who need to view the encrypted data. Only the database owner can grant decrypt privileges.