Oracle Transparent Data Encryption (TDE)

Cao Tiến Đức
Outline
 What is TDE
 How TDE works
 Basic TDE operations
 Tablespace encryption
 HSM
 Reference
What is TDE
 A mechanism to protect sensitive data that is stored
  in data files
 Data is transparently decrypted for users who have access to it
 Use TDE when you want to protect confidential data
  such as credit card and social security numbers
Benefits of TDE
 As a security administrator, you can be sure that sensitive
  data is safe in case the storage media or data file gets stolen.
 You do not need to create triggers or views to decrypt data.
  Data from tables is transparently decrypted for the
  database user.
 Database users need not be aware of the fact that the data
  they are accessing is stored in encrypted form. Data is
  transparently decrypted for the database users and does
  not require any action on their part.
 Applications need not be modified to handle encrypted
  data. Data encryption/decryption is managed by the
  database.
Restrictions when using TDE
 Cannot be used with a table that has a foreign key
 Cannot be used together with some other database features:
   • Index types other than B-tree
   • Range scan search through an index
   • External large objects (BFILE)
   • Materialized View Logs
   • Synchronous Change Data Capture
   • Transportable Tablespaces
   • Original import/export utilities
Restrictions when using TDE
 Only protects data stored on disk/media, not data
  in transit
 The DBMS_CRYPTO package can be used to cover the
  unsupported cases
 Decreases performance
 Needs more storage
How TDE works
 Key-based access control system.
 Retrieved data must be decrypted to be understood.
 Column encryption keys are stored in a dictionary
  table of the database, encrypted with the master key.
 Security administrator (master encryption key) vs
  database administrator (column encryption key)
   This separation of duties enhances security
How TDE works
                        Master key
• Random key generated by TDE
• PKI certificate designed for encryption
       More secure
       Greater decrease in performance
       Requires more system resources
How TDE works
 Some recommendations when using TDE
    Must be running Oracle Database 10g release 2 (10.2) or
     higher
    Use a separate wallet to store the master encryption key
Basic TDE operations
 Requirement: must have the ALTER SYSTEM privilege
 and a valid password to the Oracle wallet
Basic TDE operations
                Create new master key
 ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "password";
 Enclose the password in double quotation marks
Basic TDE operations
       Create new table with encrypted columns
 CREATE TABLE table_name ( column_name
  column_type ENCRYPT, ... );
   Default: AES encryption algorithm with a 192-bit key
    length (AES192)
   Other algorithms can be used: 3DES168, AES128, AES256
   If you want to index the encrypted column, use NO SALT
Basic TDE operations
                   Index and salt keyword
 If you want to index the encrypted column, use NO SALT
   CREATE TABLE employee (
      first_name VARCHAR2(128),
      last_name VARCHAR2(128),
      empID NUMBER ENCRYPT NO SALT,
      salary NUMBER(6) ENCRYPT USING '3DES168'
   );
 ALTER TABLE employee MODIFY (first_name ENCRYPT SALT);
 ALTER TABLE employee MODIFY (first_name ENCRYPT NO SALT);
Basic TDE operations
            Modify or add a column
 ALTER TABLE table_name MODIFY/ADD (
  column_name column_type ENCRYPT, ... );
 ALTER TABLE employee MODIFY (first_name DECRYPT);
Basic TDE operations
                 Oracle wallet
 ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "password";
   Once the wallet has been opened, it remains open until
   you shut down the database instance
 ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;
Basic TDE operations
         Save Disk Space and Improve Performance
 Use the NOMAC parameter
   Saves 20 bytes of disk space per encrypted value
   Causes the integrity check to be skipped during encryption
    and decryption operations
   CREATE TABLE employee (
      first_name VARCHAR2(128),
      last_name VARCHAR2(128),
      empID NUMBER ENCRYPT 'NOMAC' NO SALT,
      salary NUMBER(6)
   );
Basic TDE operations
              Change encryption key
 ALTER TABLE employee REKEY;
 ALTER TABLE employee REKEY USING '3DES168';
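The whole column-encryption lifecycle from the preceding slides, run end to end as one script. This is an added example, not part of the slide deck; it assumes Oracle Database 11g release 1 (the release the deck's reference covers), a wallet location already configured in sqlnet.ora, a session holding ALTER SYSTEM and CREATE TABLE, and placeholder values for the wallet password and the inserted row.

```sql
-- Added worked example (not from the slide deck). Wallet password and
-- the sample row are placeholders; the wallet location is assumed to be
-- configured in sqlnet.ora already.

-- 1. Create the master encryption key. On first use this also creates
--    the wallet and leaves it open. The password is double-quoted.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "WalletPassword#1";

-- 2. Confirm the wallet is open before creating encrypted columns.
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

-- 3. empID uses NO SALT so it can be indexed; salary keeps the default
--    salt and integrity check and picks 3DES168 instead of AES192.
CREATE TABLE employee (
  first_name VARCHAR2(128),
  last_name  VARCHAR2(128),
  empID      NUMBER ENCRYPT NO SALT,
  salary     NUMBER(6) ENCRYPT USING '3DES168'
);
CREATE INDEX employee_empid_ix ON employee (empID);

-- 4. Encryption is transparent: ordinary DML, no application change.
INSERT INTO employee VALUES ('Ada', 'Lovelace', 1001, 90000);
SELECT empID, salary FROM employee WHERE empID = 1001;

-- 5. Encrypt an existing column, then remove the encryption again.
ALTER TABLE employee MODIFY (last_name ENCRYPT);
ALTER TABLE employee MODIFY (last_name DECRYPT);

-- 6. Rotate the table's column key and switch its algorithm.
ALTER TABLE employee REKEY USING 'AES256';

-- 7. Review which columns are encrypted and with which settings;
--    SALT and INTEGRITY_ALG show the NO SALT / NOMAC choices.
SELECT table_name, column_name, encryption_alg, salt, integrity_alg
  FROM dba_encrypted_columns
 WHERE table_name = 'EMPLOYEE';

-- 8. Close the wallet: encrypted columns are unreadable until it is
--    reopened, so close it only when no encrypted data is needed.
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "WalletPassword#1";
```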
Tablespace encryption
 All objects created in the encrypted tablespace are
  automatically encrypted
   This includes internal large objects (LOBs) such as BLOBs
    and CLOBs
   It does not encrypt data that is stored outside the
    tablespace
Tablespace encryption
 The tablespace encryption master key is stored in
  Oracle wallet
 The encrypted data is protected during operations like
  JOIN and SORT. This means that the data is safe when
  it is moved to temporary tablespaces.
 Allows index range scans on data in encrypted
  tablespaces
   not possible with column-based transparent data
    encryption
Tablespace encryption
              Create encrypted tablespace
 CREATE TABLESPACE securespace
   DATAFILE '/home/user/oradata/secure01.dbf'
   SIZE 150M
   ENCRYPTION USING '3DES168'
   DEFAULT STORAGE (ENCRYPT);
 Other algorithms can be used: 3DES168, AES128 (default),
  AES256
Tablespace encryption
 Cannot encrypt an existing tablespace
 Data can be imported into an encrypted tablespace using
  the Oracle Data Pump utility
 Alternatively, ALTER TABLE ... MOVE ... moves a table into
  the encrypted tablespace
Tablespace encryption
           Encryption status of a tablespace
 DBA_TABLESPACES, USER_TABLESPACES: the
  ENCRYPTED column indicates whether a tablespace is
  encrypted
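The tablespace-encryption slides as one worked script: create the tablespace, put new and existing objects into it, and verify the result through the data dictionary. This is an added example, not part of the slide deck; the datafile path, the table and index names, and the sample row are placeholders, and the wallet is assumed to be open already.

```sql
-- Added worked example (not from the slide deck). Path, object names
-- and the sample row are placeholders; the wallet must already be open.

-- 1. Create the encrypted tablespace. Without USING, AES128 is the
--    default; AES256 is selected explicitly here.
CREATE TABLESPACE securespace
  DATAFILE '/home/user/oradata/secure01.dbf' SIZE 150M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 2. A table created here needs no ENCRYPT clauses: every block
--    written to securespace is encrypted, the CLOB column included.
CREATE TABLE payroll (
  empID    NUMBER,
  salary   NUMBER(8,2),
  contract CLOB
) TABLESPACE securespace;
CREATE INDEX payroll_empid_ix ON payroll (empID) TABLESPACE securespace;

INSERT INTO payroll VALUES (1001, 90000, 'placeholder contract text');

-- 3. Index range scans work on tablespace-encrypted data, which
--    column encryption does not allow.
SELECT empID, salary FROM payroll WHERE empID BETWEEN 1000 AND 2000;

-- 4. An existing tablespace cannot be encrypted in place, so move an
--    existing table in (hypothetical table legacy_table). MOVE leaves
--    the table's indexes unusable, so rebuild them afterwards.
ALTER TABLE legacy_table MOVE TABLESPACE securespace;
ALTER INDEX legacy_table_ix REBUILD TABLESPACE securespace;

-- 5. Verify: ENCRYPTED is YES for the new tablespace, and the moved
--    table is now listed in it. payroll has no rows in
--    DBA_ENCRYPTED_COLUMNS because its encryption is tablespace-level.
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'SECURESPACE';

SELECT table_name, tablespace_name
  FROM dba_tables
 WHERE tablespace_name = 'SECURESPACE';
```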
Hardware Security Module
 A physical device that provides secure storage for
  encryption keys
 Provides secure computational space (memory) to
  perform encryption and decryption operations
 A more secure alternative to the Oracle wallet
 Transparent data encryption must be configured to use
  the HSM.
Reference
 http://download.oracle.com/docs/cd/B28359_01/network.111/b28530/asotrans.htm