Is it possible for higher level DB user accounts to audit or detect the Parameters (particularly the keys) being passed to the DBMS_CRYPTO encrypt and decrypt routines and/or the Results returned from these calls? If so, is there any way to detect or prevent this (current or recent versions of Oracle preferred)?
Results = DBMS_CRYPTO.DECRYPT(Parameters);
Results = DBMS_CRYPTO.ENCRYPT(Parameters);
I'm not sure what you mean by "higher level" DB accounts?
If you mean a DBA, then if a DBA has full access to the database, then there is definitely mechanisms via which they can extract the values for parameters passed.
Obviously there are some good practices to make that difficult, eg don't use literals in the calls, because they will be visible via simple query to V$SQL, but even with a bind variables in use, then there are diagnostic facilities that DBA have access to which would let them dump out bind variables, especially if they have OS access (to things like trace files etc).
Ultimately, if you don't trust your DBAs, you've got a lot of things to worry about, more in terms of organizational processes than technology issues. But if you must block DBA access to things, then you'll be looking into solutions such as Data Vault.
https://www.oracle.com/database/technologies/security/db-vault.html Coming back to casual users, as long as users don't have access to the V$ views, and hence can sniff things like bind variables, then they won't be able to see the keys in use in the database server, but obviously, you'll need to ensure that level of control across the whole stack (eg keys in flight over the network etc).
Key management is.... hard.