Oracle Transparent Data Encryption (TDE)
Cao Tiến Đức
PAGES: 31 POSTED ON: 8/29/2012

Outline
• What is TDE
• How TDE works
• Basic TDE operations
• Tablespace encryption
• HSM
• Reference

What is TDE
• A mechanism to protect sensitive data stored in data files
• Data is transparently decrypted for users who have access to it
• Use TDE when you want to protect confidential data such as credit card and social security numbers

Benefits of TDE
• As a security administrator, you can be sure that sensitive data is safe in case the storage media or data file gets stolen.
• You do not need to create triggers or views to decrypt data. Data from tables is transparently decrypted for the database user.
• Database users need not be aware that the data they are accessing is stored in encrypted form. Data is transparently decrypted for the database users and does not require any action on their part.
• Applications need not be modified to handle encrypted data. Data encryption/decryption is managed by the database.

Restrictions when using TDE
• Cannot be used with a table that has a foreign key
• Cannot be used with some other database features:
  • Index types other than B-tree
  • Range scan search through an index
  • External large objects (BFILE)
  • Materialized View Logs
  • Synchronous Change Data Capture
  • Transportable Tablespaces
  • Original import/export utilities
• Only protects data stored on disk/media, not data in transit
• The DBMS_CRYPTO package can be used to cover the unsupported features
• Decreases performance
• Needs more storage

How TDE works
• Key-based access control system.
• Data retrieved must be decrypted to be understood.
• Column encryption keys are stored in a dictionary table of the database.
• Security administrator (master encryption key) vs database administrator (column encryption key): this separation of duties enhances security.
• Master key, one of:
  • Random key generated by TDE
  • PKI certificate designed for encryption: more secure, but a greater performance decrease and more system resources required
• Some recommendations when using TDE:
  • Must be running Oracle Database 10g release 2 (10.2) or higher
  • Use a separate wallet to store the master encryption key

Basic TDE operations
Requirement: you must have the ALTER SYSTEM privilege and a valid password to the Oracle wallet.

Create a new master key:
  ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY password
  Enclose the password in double quotation marks.

Create a new table with encrypted columns:
  CREATE TABLE table_name ( column_name column_type ENCRYPT, ...);
• Default: AES encryption algorithm with a 192-bit key length (AES192)
• Other algorithms: 3DES168, AES128, AES256
• If you want to index the encrypted column, use NO SALT

Index and the SALT keyword
If you want to index the encrypted column, use NO SALT:
  CREATE TABLE employee (
    first_name VARCHAR2(128),
    last_name VARCHAR2(128),
    empID NUMBER ENCRYPT NO SALT,
    salary NUMBER(6) ENCRYPT USING '3DES168'
  );
  ALTER TABLE employee MODIFY (first_name ENCRYPT SALT);
  ALTER TABLE employee MODIFY (first_name ENCRYPT NO SALT);

Modify/add a table column:
  ALTER TABLE table_name MODIFY/ADD ( column_name column_type ENCRYPT, ...);
  ALTER TABLE employee MODIFY (first_name DECRYPT);

Oracle wallet:
  ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY password
  ALTER SYSTEM SET ENCRYPTION WALLET CLOSE
  Once the wallet has been opened, it remains open until you shut down the database instance.

Save disk space and improve performance: the NOMAC parameter
• Saves 20 bytes of disk space per encrypted value
• Causes the integrity check to be skipped during encryption and decryption operations
  CREATE TABLE employee (
    first_name VARCHAR2(128),
    last_name VARCHAR2(128),
    empID NUMBER ENCRYPT 'NOMAC' NO SALT,
    salary NUMBER(6)
  );

Change the encryption key:
  ALTER TABLE employee REKEY;
  ALTER TABLE employee REKEY USING '3DES168';

Tablespace encryption
• All objects created in the encrypted tablespace are automatically encrypted
• Includes internal large objects (LOBs) such as BLOBs and CLOBs
• Does not encrypt data that is stored outside the tablespace
• The tablespace encryption master key is stored in the Oracle wallet
• The encrypted data is protected during operations like JOIN and SORT. This means that the data is safe when it is moved to temporary tablespaces.
• Allows index range scans on data in encrypted tablespaces, which is not possible with column-based transparent data encryption

Create an encrypted tablespace:
  CREATE TABLESPACE securespace
    DATAFILE '/home/user/oradata/secure01.dbf' SIZE 150M
    ENCRYPTION USING '3DES168'
    DEFAULT STORAGE(ENCRYPT);
• Other algorithms: 3DES168, AES128 (default), AES256
• Cannot encrypt an existing tablespace
• Can import data into an encrypted tablespace using the Oracle Data Pump utility, or use ALTER TABLE ... MOVE ... to move a table into the encrypted tablespace

Encryption status of a tablespace:
• DBA_TABLESPACES, USER_TABLESPACES: the ENCRYPTED column indicates whether a tablespace is encrypted

Hardware Security Module
• A physical device that provides secure storage for encryption keys
• Provides secure computational space (memory) to perform encryption and decryption operations
• A more secure alternative to the Oracle wallet
• Transparent data encryption must be configured to use the HSM

Reference
http://download.oracle.com/docs/cd/B28359_01/network.111/b28530/asotrans.htm
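The column-encryption and tablespace-encryption operations from the deck, assembled into one session that also verifies each step through the data dictionary (an added example, not part of the original slides). The schema name HR, the wallet password, the datafile path, and the index and tablespace names are assumptions.

```sql
-- Added example (not from the deck): one end-to-end TDE session built from the
-- operations above. Assumed, not from the slides: schema HR, wallet password
-- "wallet_pw", datafile path /u01/oradata/secure01.dbf, the index and tablespace
-- names. Needs ALTER SYSTEM, a configured wallet, and Oracle 11g for step 5.

-- 1. Open the wallet (the very first time, SET ENCRYPTION KEY creates the master key).
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet_pw";
SELECT status FROM v$encryption_wallet;                   -- expect OPEN

-- 2. Column encryption. All encrypted columns of a table share one key and
--    algorithm, so the same USING clause is given for each of them.
CREATE TABLE hr.employee (
  first_name VARCHAR2(128),
  last_name  VARCHAR2(128),
  empid      NUMBER       ENCRYPT USING 'AES256' NO SALT,  -- deterministic: can be indexed
  ssn        VARCHAR2(11) ENCRYPT USING 'AES256' SALT,     -- salted: equal values differ on disk
  salary     NUMBER(6)    ENCRYPT USING 'AES256' NO SALT
);
CREATE INDEX hr.employee_empid_ix ON hr.employee (empid);  -- allowed on a NO SALT column
-- CREATE INDEX hr.employee_ssn_ix ON hr.employee (ssn);   -- rejected: salted columns cannot be indexed

-- 3. Check what is actually encrypted and how, from the data dictionary.
SELECT column_name, encryption_alg, salt, integrity_alg
  FROM dba_encrypted_columns
 WHERE owner = 'HR' AND table_name = 'EMPLOYEE';

-- 4. Rotate the table's column key; rows stay readable through the new key.
ALTER TABLE hr.employee REKEY;

-- 5. Tablespace encryption (11g). An existing tablespace cannot be encrypted,
--    so create an encrypted one and move the table into it.
CREATE TABLESPACE securespace
  DATAFILE '/u01/oradata/secure01.dbf' SIZE 150M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);
ALTER TABLE hr.employee MOVE TABLESPACE securespace;
ALTER INDEX hr.employee_empid_ix REBUILD;                 -- MOVE leaves indexes unusable
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'SECURESPACE';                   -- ENCRYPTED = YES

-- 6. Close the wallet; encrypted data is unreadable until it is reopened.
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;
```

Run it as a user with ALTER SYSTEM and DBA dictionary access; the commented-out index on ssn is left in place to show where the SALT restriction from the slides bites.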