Post on 18-Jan-2017
transcript
26-May-2016
TDE – Transparent Data Encryption, Gino D'Alfonso
Transparent Data Encryption

What it is not
• It is not data masking.
• It is not data redaction.
How to install TDE on a database
sqlnet.ora needs the following line:
ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /u01/app/oracle/admin/$ORACLE_UNQNAME/tde_wallet)))
Only the oracle user gets access to the wallet directory and file:
chmod 600 ewallet.p12
To avoid accidental deletion of the TDE wallet files, make them immutable:
chattr +i ewallet.p12
chattr +i cwallet.sso
Auto-login versus local auto-login
Opening the wallet is a manual operation and must be performed to make the master encryption key available to the database; an auto-login wallet removes that step.
$ orapki wallet create -wallet <wallet location> -auto_login
This creates the file cwallet.sso.
$ orapki wallet create -wallet <wallet location> -auto_login_local
A local auto-login wallet can be created starting with Oracle Database 11.1.0.7; it does not open on any machine other than the one it was created on.
Separation of duties
• The wallet password is separate from the SYSTEM or DBA password.
• The DBA has no access to the wallet.
How?
• The encryption is done at the operating system level, where the data is stored.
Unencrypted tablespace: the cleartext can be found in the datafile on disk.
OWNER_EVL@TEST1_1 SQL> select * from SECURE_CUSTOMER_INFO;

NAME                           ACCOUNT_NR
------------------------------ ----------
Semira                          123456789
Mehrdad                         223456789
Geert                           323456789

$ strings testelvd | grep -i Geert
Geert

Encrypted tablespace: the same search through the datafile finds nothing.
OWNER_ABC@TEST1_1 SQL> select * from SECURE_CUSTOMER_INFO;

NAME                           ACCOUNT_NR
------------------------------ ----------
Semira                          123456789
Mehrdad                         223456789
Geert                           323456789
NewCstmer                       123456777

$ strings testtablespaceABCD | grep -i Geert
(no match: the datafile is encrypted)
The way to encrypt
• Tablespace level, rather than column level, because:
  - better performance
  - you can't find all columns with sensitive data
  - data type/data length not supported by column encryption
  - the sensitive column is a foreign key
  - the index type is other than B-tree
  - range scan search through an index
Migration at tablespace level
• Existing data must be moved to an encrypted tablespace.
• Can be done online or offline.
• Using a Data Guard transient logical standby (downtime < 5 minutes) is the best way.
Restrictions of TDE
• Only protects data stored on disk/media, not data in transit
• Decreased performance (column encryption only)
• TDE can't be enabled on a SYS-owned table
• RMAN backups: not with image copies
Risk when using Transparent Data Encryption
Loss of the auto-login wallet: the file cwallet.sso (the auto-login wallet) was deleted at OS level. Result:
- SQL> select * from emp; --> no problem reading the data, as expected, it's just the auto-login wallet.
- Shutdown, startup database: no problem starting the database.
- SQL> select * from emp; --> ORA-28365: wallet is not open.
- SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<password>";
- SQL> select * from emp; --> works again.
Risk when using Transparent Data Encryption
Loss of the wallet with the master key: ewallet.p12 was deleted too. Result:
- SQL> select * from emp; --> no problem reading the data, the key is read from the database (but when will I find out I've lost my wallet?).
- Shutdown, startup database: --> no problem starting up; no errors in the alert file either.
- SQL> select * from emp; --> ORA-28365: wallet is not open.
Risk when using Transparent Data Encryption
Loss of the wallet with the master key: mitigation
• ewallet.p12 is included in the OS backup, which runs every day, so a restore is possible.
• cwallet.sso is backed up as well, separately from ewallet.p12, so a restore is possible.
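A wallet health check that automates the points above (owner-only permissions, chattr +i, a daily backup copy of both files) so the loss of a wallet is noticed before the next restart surfaces ORA-28365. This is an added example, not from the original presentation; the function name, the output format and the backup-directory layout are assumptions.

```shell
#!/bin/sh
# tde_wallet_check WALLET_DIR BACKUP_DIR [MAX_BACKUP_AGE_DAYS]
# Checks the wallet conditions from the slides: both wallet files exist,
# only the owner can read them (chmod 600), they are immutable (chattr +i),
# and a copy of each newer than MAX_BACKUP_AGE_DAYS (default 1) exists in
# BACKUP_DIR. Prints one finding per line and returns the number of
# findings, so a cron job can alert on a non-zero exit status.
# (Hypothetical helper; directory layout is an assumption.)
tde_wallet_check() {
    wallet_dir=$1
    backup_dir=$2
    max_age_days=${3:-1}
    findings=0
    for f in ewallet.p12 cwallet.sso; do
        path="$wallet_dir/$f"
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            findings=$((findings + 1))
        else
            # octal mode: GNU stat first, BSD stat as fallback
            mode=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path")
            if [ "$mode" != "600" ]; then
                echo "PERMS    $path is mode $mode, expected 600"
                findings=$((findings + 1))
            fi
            # lsattr shows an 'i' in its flag field when chattr +i is set;
            # the check is skipped (empty flags) where lsattr is absent or
            # the filesystem does not support attributes
            flags=$(lsattr "$path" 2>/dev/null | cut -d' ' -f1)
            case $flags in
                "" | *i*) ;;
                *) echo "MUTABLE  $path lacks chattr +i"
                   findings=$((findings + 1)) ;;
            esac
        fi
        # the backup copy must live outside the wallet directory and be fresh
        recent=$(find "$backup_dir" -name "$f" -mtime -"$max_age_days" 2>/dev/null)
        if [ -z "$recent" ]; then
            echo "NOBACKUP $f has no copy newer than $max_age_days day(s) in $backup_dir"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}
```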
Appendix A: physical standby database
• Yes, it works, as long as the wallet is available on the standby site.
• After creating the wallet for the primary database, redo apply on the standby stops immediately. You see the following in the alert file of the standby database:
Apply redo for database master key re-key failed: new master key does not exist in the keystore
MRP0: Background Media Recovery terminated with error 28374
Errors in file /u01/app/oracle/diag/rdbms/test1_01/TEST1_1/trace/TEST1_1_pr00_8912.trc:
ORA-28374: typed master key not found in wallet
Mon May 09 16:32:17 2016
Managed Standby Recovery not using Real Time Apply
Recovery interrupted!
Solution: copy the wallet to the standby site.
Appendix B: rekey wallet. How do I change (rotate, re-key) the encryption keys?
1. First copy the current wallet files to a backup directory.
2. Change the wallet password:
$ orapki wallet change_pwd -wallet /u01/app/oracle/admin/TEST1_02/tde_wallet
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
New password:
3. Now change the master key:
SYS@TEST1_1 SQL> alter system set encryption key identified by "Secret";
System altered.
4. Now copy the wallet files to the other nodes (RAC) or to the candidate servers (RAC One Node).
5. Now use orapki wallet display -wallet to validate the new password:
$ orapki wallet display -wallet /u01/app/oracle/admin/ADBA1_02/tde_wallet
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
Subject: CN=oracle
User Certificates:
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.ARdWiPlpNk//v21yGHOQSCIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.ASI051MIg0+tv2umfj9rUiMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.ATWs+inFQ09Fv7JneP6xBrwAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.TS.ENCRYPTION.BTks5HXDwpxFD/olKnblkckCAwAAAAAAAAAAAAAAAAAAAAAAAAAA
Trusted Certificates:
The line shown in red on the slide is the new password for the wallet.
Appendix B: rekey wallet with a physical standby database
After re-keying the wallet for the primary database, redo apply on the standby stops immediately. You see the following in the alert file of the standby database:
Apply redo for database master key re-key failed: new master key does not exist in the keystore
MRP0: Background Media Recovery terminated with error 28374
Errors in file /u01/app/oracle/diag/rdbms/test1_01/TEST1_1/trace/TEST1_1_pr00_8912.trc:
ORA-28374: typed master key not found in wallet
Mon May 09 16:32:17 2016
Managed Standby Recovery not using Real Time Apply
Recovery interrupted!
Solution: copy the wallet to the standby site.
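A check for the situation in Appendix A and Appendix B: after a re-key the primary's ewallet.p12 holds the new master key, and a stale copy on the standby stops redo apply with ORA-28374. This is an added example, not from the presentation; the function name and the two directory arguments are assumptions.

```shell
#!/bin/sh
# tde_wallet_sync_check PRIMARY_WALLET_DIR STANDBY_WALLET_DIR
# Compares the wallet files that must be identical on primary and standby.
# Prints "OK <file>", "STALE <file>" (standby copy differs) or
# "MISSING <file>" (absent on the standby) and returns the number of files
# that still have to be copied to the standby site.
# (Hypothetical helper; the standby wallet directory is reached via a
# mount or a pulled copy, which is an assumption.)
tde_wallet_sync_check() {
    primary=$1
    standby=$2
    out_of_sync=0
    for f in ewallet.p12 cwallet.sso; do
        if [ ! -f "$primary/$f" ]; then
            echo "NOPRIMARY $f"          # nothing to compare against
            continue
        fi
        if [ ! -f "$standby/$f" ]; then
            echo "MISSING $f"
            out_of_sync=$((out_of_sync + 1))
            continue
        fi
        # cksum on stdin prints "<crc> <bytes>" without a file name, so the
        # results are comparable even though the two paths differ
        p=$(cksum < "$primary/$f")
        s=$(cksum < "$standby/$f")
        if [ "$p" != "$s" ]; then
            echo "STALE $f"
            out_of_sync=$((out_of_sync + 1))
        else
            echo "OK $f"
        fi
    done
    return "$out_of_sync"
}
```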