APEX

Hello APEX fellows,

I'm looking into an aspect of APEX (and the underlying Oracle DB) that's new to me: storing sensitive data. For example, I have a table - colA/name (varchar2) and colB/SSN (varchar2).

I'm wanting to store colB data encrypted, so I'm trying to read-up and understand the options. I'm reading FGAC/Virtual Private DB, but not sure if that's what I should be evaluating vs. using DBMS_ENCRYPT/DECRYPT (I'm thinking it's the latter I should be using, an embedding the proper PL/SQL code into APEX page processes to display the data unencrypted).

1) I'm not the only SYS/DBA level account with access to the actual Oracle DB. If I store the data in a table, encrypted, does it mean that someone else (as a SYS acct) could access the data and unencrypt it -- or would they need to know some key value

2) is that key value stored in some SYS/other table

3) it seems like if I'm go use dbms_encrypt/decrypt that I will not store the data as varchar2 in the target table, instead it should be datatype raw? So my APEX form would take the data they input, convert it to raw and commit the row - something like that? And retreival (via APEX) would essentially be the opposite - the page process would fetch the row and apply a pl/sql transform against the encrypted value to display it unencrypted?

As I progress through this, I'll update this thread but if anyone has some tips on where to start looking I would be grateful.