What is TDE
• A mechanism to protect sensitive data that is stored in data files
• Data is transparently decrypted for users who have access to it
• Use TDE when you want to protect confidential data such as credit card and social security numbers
Benefits of TDE
• As a security administrator, you can be sure that sensitive data is safe in case the storage media or data file gets stolen.
• You do not need to create triggers or views to decrypt data. Data from tables is transparently decrypted for the database user.
• Database users need not be aware of the fact that the data they are accessing is stored in encrypted form. Data is transparently decrypted for the database users and does not require any action on their part.
• Applications need not be modified to handle encrypted data. Data encryption/decryption is managed by the database.
Restrictions when using TDE
• Cannot be used with a table that has a foreign key
• Cannot be used with some other database features:
  • Index types other than B-tree
  • Range scan search through an index
  • External large objects (BFILE)
  • Materialized View Logs
  • Synchronous Change Data Capture
  • Transportable Tablespaces
  • Original import/export utilities
Restrictions when using TDE
• Only protects data stored on disk/media, not data in transit
• The DBMS_CRYPTO package can be used to cover unsupported features
• Decreases performance
• Needs more storage
How TDE works
• Key-based access control system
• Retrieved data must be decrypted to be understood
• Column encryption keys are stored in a dictionary table of the database
• The security administrator holds the master encryption key, while the database administrator holds the column encryption keys; this separation enhances security
How TDE works
Master key
• Random key generated by TDE
• PKI certificate designed for encryption: more secure, but with a greater decrease in performance and more system resources required
How TDE works
Some recommendations when using TDE
• Must be running Oracle Database 10g release 2 (10.2) or higher
• Use a separate wallet to store the master encryption key
Basic TDE operations
Requirement: you must have the ALTER SYSTEM privilege and a valid password to the Oracle wallet
Basic TDE operations
Create a new master key
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY password
Enclose the password in double quotation marks
Basic TDE operations
Create a new table with encrypted columns
CREATE TABLE table_name (column_name column_type ENCRYPT, ...);
• Default: AES encryption algorithm with a 192-bit key length (AES192)
• Other algorithms can be used: 3DES168, AES128, AES256
• If you want to index the encrypted column, use NO SALT
Basic TDE operations
Index and SALT keyword
If you want to index the encrypted column, use NO SALT
CREATE TABLE employee (
  first_name VARCHAR2(128),
  last_name VARCHAR2(128),
  empID NUMBER ENCRYPT NO SALT,
  salary NUMBER(6) ENCRYPT USING '3DES168');
ALTER TABLE employee MODIFY (first_name ENCRYPT SALT);
ALTER TABLE employee MODIFY (first_name ENCRYPT NO SALT);
Basic TDE operations
Modify/add a table column
ALTER TABLE table_name MODIFY/ADD (column_name column_type ENCRYPT, ...);
ALTER TABLE employee MODIFY (first_name DECRYPT);
Basic TDE operations
Oracle wallet
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY password
Once the wallet has been opened, it remains open until you shut down the database instance
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE
Basic TDE operations
Save disk space and improve performance
• Use the NOMAC parameter
• Saves 20 bytes of disk space per encrypted value
• Causes the integrity check to be skipped during encryption and decryption operations
CREATE TABLE employee (
  first_name VARCHAR2(128),
  last_name VARCHAR2(128),
  empID NUMBER ENCRYPT 'NOMAC' NO SALT,
  salary NUMBER(6));
Basic TDE operations
Change encryption key
ALTER TABLE employee REKEY;
ALTER TABLE employee REKEY USING '3DES168';
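The basic operations above run end to end as one script, added here as a worked example that is not part of the slides (Oracle 10.2/11g column-encryption syntax). The hr schema, the employee table and index names, the password, and the DBA_ENCRYPTED_COLUMNS and V$ENCRYPTION_WALLET checks are assumptions for this example, not taken from the slides.

```sql
-- Added example (not from the slides). Requires the ALTER SYSTEM privilege and
-- a wallet location already configured for the instance. Names and the
-- password below are constructed for illustration.

-- 1. First-time setup only: generate the master encryption key. This also
--    creates the wallet if none exists and leaves it open. Re-running the
--    statement generates a new master key.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Wallet#Passw0rd";

-- 2. After every instance restart, re-open the wallet; until then, access to
--    encrypted columns fails with ORA-28365 (wallet is not open).
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Wallet#Passw0rd";

-- 3. Create the table. empID uses NO SALT so it can be indexed; salary keeps
--    the default salt, so it cannot be indexed (lookups on it must be full scans).
CREATE TABLE hr.employee (
  first_name VARCHAR2(128),
  last_name  VARCHAR2(128),
  empID      NUMBER    ENCRYPT NO SALT,          -- default algorithm: AES192
  salary     NUMBER(6) ENCRYPT USING 'AES256'    -- salted, not indexable
);

-- 4. Index only the NO SALT column. An index on salary would be rejected.
CREATE INDEX hr.employee_empid_ix ON hr.employee (empID);

-- 5. Audit which columns are really encrypted, with which algorithm and salt.
SELECT table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 WHERE owner = 'HR';

-- 6. Rotate the table's column encryption key; every encrypted value is
--    re-encrypted under the new key, so run it in a maintenance window.
ALTER TABLE hr.employee REKEY USING 'AES256';

-- 7. Check wallet state (expected STATUS = OPEN while the instance is serving
--    encrypted data).
SELECT wrl_type, status FROM v$encryption_wallet;
```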
Tablespace encryption
• All objects created in the encrypted tablespace are automatically encrypted
• Includes internal large objects (LOBs) such as BLOBs and CLOBs
• Does not encrypt data that is stored outside the tablespace
Tablespace encryption
• The tablespace encryption master key is stored in the Oracle wallet
• The encrypted data is protected during operations like JOIN and SORT. This means that the data is safe when it is moved to temporary tablespaces.
• Allows index range scans on data in encrypted tablespaces, which is not possible with column-based transparent data encryption
Tablespace encryption
Create an encrypted tablespace
CREATE TABLESPACE securespace
  DATAFILE '/home/user/oradata/secure01.dbf' SIZE 150M
  ENCRYPTION USING '3DES168'
  DEFAULT STORAGE(ENCRYPT);
Supported algorithms: 3DES168, AES128 (default), AES256
Tablespace encryption
• An existing tablespace cannot be encrypted
• Data can be imported into an encrypted tablespace using the Oracle Data Pump utility
• Alternatively, use ALTER TABLE ... MOVE ... to move a table into the encrypted tablespace
Tablespace encryption
Encryption status of a tablespace
DBA_TABLESPACES, USER_TABLESPACES: the ENCRYPTED column indicates whether a tablespace is encrypted
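Moving an existing table into an encrypted tablespace and verifying the result, as an added worked example that is not part of the slides. The data file path, the hr schema, the employee table and its index, and the DBA_TABLES/DBA_INDEXES checks are assumptions for this example; the wallet is assumed to be open already.

```sql
-- Added example (not from the slides). Names and paths are constructed.

-- 1. Create the encrypted tablespace. Omitting USING would give AES128.
CREATE TABLESPACE securespace
  DATAFILE '/home/user/oradata/secure01.dbf' SIZE 150M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 2. An existing tablespace cannot be encrypted in place, so rewrite the
--    table's rows into the new one. The old data file still holds the
--    cleartext blocks; drop the old tablespace and securely erase its file
--    afterwards, or the move gives no protection against a stolen disk.
ALTER TABLE hr.employee MOVE TABLESPACE securespace;

-- 3. MOVE marks the table's indexes UNUSABLE. Rebuild them into the encrypted
--    tablespace too, otherwise the index blocks keep the key values in clear.
ALTER INDEX hr.employee_empid_ix REBUILD TABLESPACE securespace;

-- 4. Verify the tablespace is encrypted (ENCRYPTED = 'YES') ...
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'SECURESPACE';

-- ... and that the table actually lives there now.
SELECT owner, table_name, tablespace_name
  FROM dba_tables
 WHERE owner = 'HR' AND table_name = 'EMPLOYEE';

-- 5. Catch any index the move left unusable that still needs a rebuild.
SELECT index_name, tablespace_name, status
  FROM dba_indexes
 WHERE owner = 'HR' AND table_name = 'EMPLOYEE'
   AND (status = 'UNUSABLE' OR tablespace_name <> 'SECURESPACE');
```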
Hardware Security Module
• A physical device that provides secure storage for encryption keys
• Provides secure computational space (memory) to perform encryption and decryption operations
• A more secure alternative to the Oracle wallet
• Transparent data encryption must be configured to use the HSM