Purpose
This function returns the encryption password for the corresponding archived file based on the pwd_id (encryption key identifier) in the archived audit log file name. This password is used for offline decryption, forensic analysis, or integration with external tools in a controlled environment.
Applicability
This content applies only to OceanBase Database Enterprise Edition. OceanBase Database Community Edition does not support the audit feature.
Syntax
AUDIT_LOG_ENCRYPTION_PASSWORD_GET(pwd_id);
Privilege requirements
You must have the SUPER privilege to use this function.
Description
Parameters
pwd_id: The timestamp suffix of the log file, which corresponds to the key identifier after the.enc.segment in the encrypted archive file name. This parameter is used to return the encryption password for the corresponding archived log file based on its timestamp suffix. If not provided, the password corresponding to the latestpwd_idis retrieved by default.
Note
This function returns confidential information. Strictly restrict call permissions and perform operation auditing and result desensitization. For the archive file name format, see the table in "Set log encryption" under "Set and view audit rules" at the end of this topic.
Limitations
- Similar to other audit functions: it must be directly and uniquely used as an output column in a
SELECTstatement and cannot be used in subqueries. For more information, see the usage restrictions and considerations in Overview of audit functions. - This function is only applicable to scenarios where audit records are written to disk files (
audit_trailisLOG).
Return value
The function returns a string.
- When the query is successful, return the password corresponding to
pwd_id. - When a query fails, the
SELECTstatement may still execute successfully, but the function returns an error message.
Examples
Get the encryption password for the latest archived log:
SELECT AUDIT_LOG_ENCRYPTION_PASSWORD_GET() FROM DUAL;
Assume an archive file named audit.log.20231031080646317.enc.1001. You can pass 1001 as pwd_id (replace it with the identifier parsed from your actual file name):
SELECT AUDIT_LOG_ENCRYPTION_PASSWORD_GET(1001) FROM DUAL;
The return result is as follows (the actual key content is omitted):
+-------------------------------------------+
| AUDIT_LOG_ENCRYPTION_PASSWORD_GET(1001) |
+-------------------------------------------+
| <password> |
+-------------------------------------------+
1 row in set
