What is WRAP and UNWRAP?

WRAP

According to the documentation:

The WRAP Operation Supports Encryption of a Symmetric key using a key Encryption key that has Previously been stored in an Azure Key Vault.

The WRAP Operation is only Strictly necessary for Symmetric Keys stored in Azure Key Vault Since Protection with an Asymmetric key can be performed using the public Portion of the key. This Operation is supported for Asymmetric Keys as a convenience for callers that have a key-Reference but do not have access to the public key material.

That is, it supports encryption of a symmetric key using an encryption key that was previously stored in a Azure Key Vault. It is strictly necessary only for symmetric keys stored in Azure Key Vault, since the protection with an asymmetrical key can be executed using the public part of the key. This operation is supported for asymmetric keys as a convenience for callers who have a key reference but do not have access to public key material.

The Wrapper routine is intended to encrypt the source code in such a way that only Oracle can read and compile the generated text. Some of its characteristics are:

• Converts PL/SQL source code into an intermediate form of "object code".

• "Object code" generated is portable as if it were the source itself.

• The PL/SQL compiler recognizes and loads the code generated by Wrapper automatically.

This routine prevents the source code from being handled by other developers, and because it is a portable version of code, it is platform-independent. The references to variables Bind external are solved in load time and the processes of Import/Export normal accept routine generated files Rappel. Making these the main advantages of Wrapper.

However, it cannot work with the PL/SQL block completely, encompassing all language functions, only with a few specific commands:

• Create Procedure
• Create Functions
• Create Package
• Create Package body

Code line of WRAP:

wrap iname=ra_ex.sql oname=ra_ex_s.plb

UNWRAP

According to the documentation:

The UNWRAP Operation Supports decryption of a Symmetric key using the target key Encryption key. This Operation is the Reverse of the WRAP Operation.

The UNWRAP Operation applies to Asymmetric and Symmetric Keys stored in Azure Key Vault Since it uses the private Portion of the key

This operation supports the decryption of a symmetric key using the destination key encryption. It is the inverse of the WRAP operation. The UNWRAP operation applies to asymmetric and symmetric keys stored in the Azure Key Vault, since it uses the private part of the key.

The example is taken from the book Introduction to Database Systems, C. J. Date. Consider tuples:

T1:

TUPLE {
      NOME NOME, ENDE TUPLE{
                  RUA CHAR, CIDADE CHAR,
                    ESTADO CHAR, CEP CHAR}
    }

T2:

TUPLE {NOME NOME, RUA CHAR, CIDADE CHAR,
ESTADO CHAR, CEP CHAR}

The guy T1 includes an attribute which, by itself, is of some kind of tupla. Now consider NENDE1 and NENDE2 as tuple variables of guys T1 and T2.

The expression:

NENDE2 WRAP{RUA, CIDADE, ESTADO, CEP} AS ENDE

Take the current value of NENDE2 and packaging(wrap) the components RUA, CIDADE, ESTADO and CEP of that value to generate a single component ENDE with the value of the tuple. So the expression output is of the type T1 and therefore the following allocation is valid:

NENDE1 := NENDE2 WRAP {RUA, CIDADE, ESTADO, CEP} AS ENDE;

The expression:

NENDE1 UNWRAP ENDE

Take the current value of NENDE1 and unpacks (unwrap) the components ENDE (with tuple value) of this value to generate four components separated RUA, CIDADE, ESTADO and CEP. Thus the result of expression is of the type T2 and therefore the following allocation is valid:

NENDE2 := NENDE1 UNWRAP ENDE;

References:

• PL/SQL Wrapper
• PL/SQL User’s Guide and Reference
• Wrapper
• Book: Introduction to Database Systems - C.J. Date