Transparent Data Encryption
Reference: http://docs.oracle.com/
Oracle Database uses authentication, authorization, and auditing mechanisms to secure data in the database, but not in the operating system data files where data is stored. To protect these data files, Oracle Database provides Transparent Data Encryption (TDE). TDE encrypts sensitive data stored in data files. To prevent unauthorized decryption, TDE stores the encryption keys in a security module external to the database.
Database users and applications do not need to manage key storage or create auxiliary tables, views, and triggers. An application that processes sensitive data can use TDE to provide strong data encryption with little or no change to the application.
Use TDE to protect confidential data, such as credit card and social security numbers, stored in table columns. You can also use TDE to encrypt entire tablespaces.
Transparent Data Encryption (TDE) has the following advantages:
- As a security administrator, you can be sure that sensitive data is safe in case the storage media or data file gets stolen.
- Implementing TDE helps you address security-related regulatory compliance issues.
- You do not need to create triggers or views to decrypt data for the authorized user or application. Data from tables is transparently decrypted for the database user and application.
- Database users and applications need not be aware of the fact that the data they are accessing is stored in encrypted form. Data is transparently decrypted for the database users and applications.
- Applications need not be modified to handle encrypted data. Data encryption and decryption is managed by the database.
- Key management operations are automated. The user or application does not need to manage encryption keys.
TDE Column Encryption:
TDE column encryption is used to protect confidential data, such as credit card and social security numbers, stored in table columns.
TDE Tablespace Encryption:
TDE tablespace encryption enables you to encrypt an entire tablespace. All objects created in the encrypted tablespace are automatically encrypted. TDE tablespace encryption is useful if you want to secure sensitive data in tables. You do not need to perform a granular analysis of each table column to determine the columns that need encryption.
Enabling Transparent Data Encryption
TDE column encryption was first introduced in Oracle Database 10g release 2 (10.2). To use this feature, you must be running Oracle Database 10g release 2 (10.2) or higher.
TDE tablespace encryption was introduced in Oracle Database 11g release 1 (11.1). To use this feature, you must be running Oracle Database 11g release 1 (11.1) or higher.
To start using TDE, the security administrator must create a wallet and set a master key. The wallet can be the default database wallet shared with other Oracle Database components, or a separate wallet specifically used by TDE. Oracle strongly recommends that you use a separate wallet to store the master encryption key.
A simple way to use the wallet
1. Setting the wallet directory
Setting the wallet directory is simple: edit sqlnet.ora and add an ENCRYPTION_WALLET_LOCATION entry, as in the example below:
ENCRYPTION_WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /$ORACLE_BASE/admin/labtest2/wallet)))
2. Setting the Master Encryption Key
Before you can encrypt or decrypt database columns or tablespaces, you must generate a master encryption key. Oracle Database 11g Release 2 (11.2) uses the same master encryption key for both TDE column encryption and TDE tablespace encryption.
To set the master encryption key, use the following command:
SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "password";
3. Opening and Closing the Encrypted Wallet
The database must load the master encryption key into memory before it can encrypt or decrypt columns/tablespaces.
Use the following ALTER SYSTEM command to explicitly open the wallet:
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "password";
Enclose the password string in double quotation marks (" ").
Once the wallet has been opened, it remains open until you shut down the database instance, or close it explicitly by issuing the following command:
SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "password";
Closing the wallet disables all encryption and decryption operations. Any attempt to encrypt/decrypt data or access encrypted data results in the following error:
ORA-28365: wallet is not open
Each time you restart a database instance, you must issue the ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "password" command to re-enable encryption and decryption operations.
Note:
Auto login wallets are opened automatically and do not need to be opened explicitly.
In case an auto login wallet needs to be closed, it can be closed with the following command:
SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE
No password is required to close an auto login wallet.
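The three steps above, checked from SQL*Plus, as an added example that is not part of the original post: it assumes the wallet from step 1 and the master key from step 2 already exist, that the employee table from the next section has been created, and "password" is a placeholder.

```sql
-- Added example: verifying the wallet state before relying on TDE.
-- Assumes the sqlnet.ora wallet location and master key from steps 1 and 2.

-- 1. Where does this instance look for the wallet, and is it open?
--    STATUS reads CLOSED after every restart unless an auto-login wallet is used.
SELECT wrl_type, wrl_parameter, status
  FROM v$encryption_wallet;

-- 2. While STATUS is CLOSED, any access to an encrypted column fails with
--    ORA-28365: wallet is not open
--    (assumes the page's employee table with its encrypted salary column exists)
SELECT salary FROM employee WHERE empID = 1;

-- 3. Open the wallet explicitly and re-check; STATUS should now read OPEN.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "password";

SELECT status FROM v$encryption_wallet;

-- 4. The same query now decrypts transparently; no application change needed.
SELECT salary FROM employee WHERE empID = 1;

-- 5. Close the wallet again when encrypted data should not be readable
--    from this instance; encrypt/decrypt operations are disabled until reopened.
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "password";
```

Run step 1 in a post-restart checklist: a CLOSED status means RMAN backups and Data Pump exports of encrypted data will fail until the wallet is opened.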
Creating a Table with an Encrypted Column
By default, TDE uses the AES encryption algorithm with a 192-bit key length (AES192). If you encrypt a table column without specifying an algorithm, the column is encrypted using the AES192 algorithm.
TDE adds salt to cleartext before encrypting it. This makes it harder for attackers to steal data through a brute force attack. TDE also adds a Message Authentication Code (MAC) to the data for integrity checking. The SHA-1 integrity algorithm is used by default.
Example: Creating a New Table with an Encrypted Column Using the Default Algorithm (AES192)
CREATE TABLE employee (
  first_name VARCHAR2(128),
  last_name  VARCHAR2(128),
  empID      NUMBER,
  salary     NUMBER(6) ENCRYPT);
Creating a Table with an Encrypted Column Using a Nondefault Algorithm and No Salt
By default, TDE adds salt to cleartext before encrypting it. This makes it harder for attackers to steal data through a brute force attack. However, if you plan to index the encrypted column, you must use NO SALT.
Example: Creating a New Table with an Encrypted Column Using 3DES168 and NO SALT
CREATE TABLE employee (
  first_name VARCHAR2(128),
  last_name  VARCHAR2(128),
  empID      NUMBER ENCRYPT NO SALT,
  salary     NUMBER(6) ENCRYPT USING '3DES168');
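The NO SALT rule in practice, as an added example that is not part of the original post: it reuses the page's employee table and column names, assumes the wallet is open and that no index exists on empID yet, and the index name is made up.

```sql
-- Added example: why an indexed column must be encrypted NO SALT, and how to
-- verify what the dictionary recorded. Index name employee_id_idx is hypothetical.

-- empID gets the default (AES192 + SALT); salary uses the page's 3DES168.
CREATE TABLE employee (
  first_name VARCHAR2(128),
  last_name  VARCHAR2(128),
  empID      NUMBER ENCRYPT,
  salary     NUMBER(6) ENCRYPT USING '3DES168');

-- A salted column cannot be indexed: the database rejects this statement
-- because empID is encrypted with salt.
CREATE INDEX employee_id_idx ON employee (empID);

-- Switch the column to NO SALT in place (existing rows are re-encrypted),
-- then the index can be created.
ALTER TABLE employee MODIFY (empID ENCRYPT NO SALT);
CREATE INDEX employee_id_idx ON employee (empID);

-- Confirm per column: algorithm, whether salt is used, and the integrity
-- (MAC) algorithm, which is SHA-1 by default. Expect SALT = NO for EMPID
-- and SALT = YES for SALARY.
SELECT column_name, encryption_alg, salt, integrity_alg
  FROM user_encrypted_columns
 WHERE table_name = 'EMPLOYEE'
 ORDER BY column_name;
```

Trade-off to keep in mind: NO SALT makes equal plaintexts produce equal ciphertexts, which is exactly what the index needs but also what the salt was protecting against, so reserve it for columns that must be indexed.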
Creating an Encrypted Tablespace
The CREATE TABLESPACE command enables you to create an encrypted tablespace. If no encryption algorithm is specified, the default encryption algorithm is used. The default encryption algorithm is AES128.
Example: Creating an Encrypted Tablespace Using 3DES168
CREATE TABLESPACE securespace
  DATAFILE '/home/user/oradata/secure01.dbf' SIZE 150M
  ENCRYPTION USING '3DES168'
  DEFAULT STORAGE(ENCRYPT);
Example: Creating an Encrypted Tablespace Using the Default Algorithm (AES128)
CREATE TABLESPACE securespace2
  DATAFILE '/home/user/oradata/secure01.dbf' SIZE 150M
  ENCRYPTION
  DEFAULT STORAGE(ENCRYPT);
The following data dictionary views maintain information about the encryption status of a tablespace. You can query these views to verify that a tablespace has been encrypted:
- DBA_TABLESPACES: The ENCRYPTED column indicates whether a tablespace is encrypted
- USER_TABLESPACES: The ENCRYPTED column indicates whether a tablespace is encrypted
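Verifying the two tablespaces above and placing data in one of them, as an added example that is not part of the original post: tablespace names are the page's, the cardholder table and its index are made up, and the wallet is assumed open.

```sql
-- Added example: checking tablespace encryption status and algorithm, then
-- creating objects that inherit encryption. Table/index names are hypothetical.

-- The dictionary flag only answers YES/NO per tablespace.
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name IN ('SECURESPACE', 'SECURESPACE2');

-- The algorithm actually in use comes from V$ENCRYPTED_TABLESPACES.
-- Expected: SECURESPACE -> 3DES168, SECURESPACE2 -> AES128 (the default).
SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$tablespace t
  JOIN v$encrypted_tablespaces e ON e.ts# = t.ts#
 ORDER BY t.name;

-- Objects in an encrypted tablespace need no ENCRYPT clause and no NO SALT
-- decision: every block written to the data file is encrypted, index included.
CREATE TABLE cardholder (
  card_no VARCHAR2(19),
  holder  VARCHAR2(128))
TABLESPACE securespace;

CREATE INDEX cardholder_idx ON cardholder (card_no)
TABLESPACE securespace;

-- Check where a sensitive table actually lives; a table that was created in
-- an unencrypted tablespace (e.g. USERS) is still cleartext on disk.
SELECT table_name, tablespace_name
  FROM user_tables
 WHERE table_name = 'CARDHOLDER';
```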
Transparent Data Encryption Works with Export and Import
You can use Oracle Data Pump to export and import tables that contain encrypted columns, as well as encrypt entire dump sets. When you use Oracle Data Pump to export and import tables containing encrypted columns, it uses the ENCRYPTION parameter to enable encryption of data in dump file sets. The ENCRYPTION parameter allows the following values:
- ENCRYPTED_COLUMNS_ONLY: Writes encrypted columns to the dump file set in encrypted format
- DATA_ONLY: Writes all of the data to the dump file set in encrypted format
- METADATA_ONLY: Writes all of the metadata to the dump file set in encrypted format
- ALL: Writes all of the data and metadata to the dump file set in encrypted format
- NONE: Does not use encryption for dump file sets
ENCRYPTION_PASSWORD
The ENCRYPTION_PASSWORD parameter is not new in Oracle Data Pump 11g release 1. It was first introduced in Oracle Data Pump 10g release 2 and was used when exporting TDE encrypted columns. It now can also be used when creating encrypted dump file sets. The password value that is supplied specifies a key for re-encrypting encrypted table columns, metadata segments, or table data segments so that they are not written as clear text in the dump file set. If the export operation involves encrypted table columns, but an encryption password is not supplied, then the encrypted columns are written to the dump file set as clear text and a warning is issued. For export operations, this parameter is required if the ENCRYPTION_MODE parameter is set to either PASSWORD or DUAL. It is also required if the ENCRYPTION parameter is set to ENCRYPTED_COLUMNS_ONLY.
Exporting and Importing Tables with Encrypted Columns
1. Ensure that the keystore is open before you attempt to export tables containing encrypted columns. To find out if the keystore is open, query the STATUS column of the V$ENCRYPTION_WALLET view.
2. Run the EXPDP command, using the ENCRYPTION_PASSWORD parameter to specify a password that is used to encrypt column data in the export dump file set.
Example:
expdp \'/ as sysdba\' schemas=alan directory=alan dumpfile=alan.dmp logfile=alanexp.log compression=all encryption_password="password"
RMAN with TDE
To use TDE with RMAN, ensure that the wallet is open before you attempt to back up the database. To find out if the wallet is open, query the STATUS column of the V$ENCRYPTION_WALLET view.
Example:
CONFIGURE ENCRYPTION FOR DATABASE ON;
backup as compressed backupset database;
or
set encryption on;
backup as compressed backupset database;