Date post: 02-Jun-2018
Upload: yelena-bytenskaya
8/10/2019 Oracle Database 11g Transparent Data Encryption
1/40
Applying Transparent Data Encryption
Learning Objective
After completing this topic, you should be able to
recognize how Transparent Data Encryption is set up
1. Transparent Data Encryption
Transparent Data Encryption, also known as TDE, is available with Oracle Advanced Security, commonly known as ASO, and provides easy-to-use protection for your data without requiring changes to your applications.
TDE allows customers to encrypt sensitive data in individual columns or entire tablespaces without having to manage encryption keys.
TDE does not affect access controls, which are configured using database roles, secure application roles, system and object privileges, views, Virtual Private Database, also known as VPD, Database Vault, or Oracle Label Security.
Any application or user that previously had access to a table will still have access to an identical encrypted table. TDE is designed to protect data in storage, but it does not replace proper access control.
TDE is transparent to existing applications. Encryption and decryption occur at different levels, depending on whether it is applied at the tablespace or the column level, but in either case encrypted values are never displayed to or handled by the application.
For example, with TDE, applications designed to display a 16-digit credit card number do not have to be recoded to handle an encrypted string that may have many more characters.
Several regulatory requirements impose penalties for OS-level breaches if sensitive data is not encrypted in the OS files. TDE eliminates the ability of anyone who has direct access to the data files to gain access to the data by circumventing the database access control mechanisms.
Even users with access to the data file at the OS level cannot access the data unencrypted. TDE stores the master key outside the database in an external security module, also referred to as ESM, thereby minimizing the possibility of both the PII and the encryption key being compromised.
TDE decrypts the data only after the database access control mechanisms have been satisfied. TDE is less expensive to implement than either application-based or file-based encryption.
There are some more benefits of TDE. It
encrypts data in data files, redo log and archive log files, memory (only for column encryption), and file backups
manages keys automatically
does not require changes to the application, and
encrypts indexes
TDE applies the principle of defense in depth in its design. The key architecture is a two-tier system.
The master key is stored in the ESM. This is either an Oracle Wallet or a Hardware Security Module, abbreviated as HSM. This external store is protected by a password, operating system permissions, and encryption.
The master encryption key is used to encrypt the table and tablespace encryption keys, and those keys are used to encrypt the data. So the data is encrypted with a key that is unique to a tablespace or a table. These keys are stored in the database in encrypted form: they have been encrypted with the master key, which is stored in the ESM on the OS.
Some security regulations require a periodic change of encryption keys. Changing keys means that the encrypted items are decrypted with the old key and encrypted with the new key. This is also called rekeying.
A major advantage of the two-tier architecture is that the table-level keys can be rekeyed by changing the master key. Changing the master key automatically re-encrypts the table-level keys under the new master key, but the table-level keys themselves remain unchanged, so the data does not require rekeying. This operation meets the Payment Card Industry requirement for rekeying with a minimum of overhead.
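The two-tier architecture described above, as an added illustration (not code from this course or from Oracle): a master key held in a wallet stand-in wraps per-table keys, and changing the master key re-wraps those keys while the stored ciphertext stays byte-for-byte the same, whereas a table-level rekey rewrites every value. The cipher is an HMAC-SHA256 counter-mode stand-in for AES, and the class names, the table name and the sample value are assumptions.

```python
import hashlib
import hmac
import os

def _subkeys(key):
    """Derive separate encryption and MAC subkeys from one 32-byte key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode: a stand-in for AES (the stdlib has no block cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag; the tag plays the role of the
    per-value MAC integrity check mentioned in the text."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the tag, then decrypt; a wrong key or a modified value raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

class Wallet:
    """Stand-in for the external security module: the current master key plus every
    previous one, since the text states that past master keys stay in the wallet."""
    def __init__(self):
        self.master_keys = [os.urandom(32)]
        self.is_open = False

    @property
    def master(self):
        if not self.is_open:                      # mirrors ORA-28365
            raise RuntimeError("wallet is not open")
        return self.master_keys[-1]

class Database:
    """Table keys are stored wrapped under the master key; data is sealed with table keys."""
    def __init__(self, wallet):
        self.wallet = wallet
        self.wrapped_keys = {}   # table name -> table key sealed with the master key
        self.rows = {}           # table name -> list of sealed column values

    def create_encrypted_table(self, name):
        self.wrapped_keys[name] = seal(self.wallet.master, os.urandom(32))
        self.rows[name] = []

    def _table_key(self, name):
        return unseal(self.wallet.master, self.wrapped_keys[name])

    def insert(self, name, value):
        self.rows[name].append(seal(self._table_key(name), value))

    def select(self, name):
        key = self._table_key(name)
        return [unseal(key, v) for v in self.rows[name]]

    def rekey_master(self):
        """Master rekey: new master key, table keys re-wrapped, stored data untouched."""
        keys = {n: self._table_key(n) for n in self.wrapped_keys}
        self.wallet.master_keys.append(os.urandom(32))
        for n, k in keys.items():
            self.wrapped_keys[n] = seal(self.wallet.master, k)

    def rekey_table(self, name):
        """Table rekey: new table key, every stored value decrypted and re-encrypted."""
        plain = self.select(name)
        self.wrapped_keys[name] = seal(self.wallet.master, os.urandom(32))
        self.rows[name] = [seal(self._table_key(name), v) for v in plain]

def demo():
    """Run the scenario and return what an administrator would observe."""
    wallet, card = Wallet(), b"4111111111111111"   # constructed sample value
    db = Database(wallet)
    wallet.is_open = True
    db.create_encrypted_table("cust_payment_info")
    db.insert("cust_payment_info", card)
    before = list(db.rows["cust_payment_info"])
    db.rekey_master()
    after_master = list(db.rows["cust_payment_info"])
    db.rekey_table("cust_payment_info")
    return {"readable": db.select("cust_payment_info") == [card],
            "master_rekey_left_data_unchanged": before == after_master,
            "table_rekey_rewrote_data": after_master != db.rows["cust_payment_info"],
            "master_keys_kept": len(wallet.master_keys)}
```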
With TDE, you can specify different encryption algorithms to be used at the table or the tablespace level. The available algorithms are 3DES168, AES128, AES192, and AES256. The default is AES128.
TDE enables encryption for sensitive data in columns without requiring users or applications to manage the encryption key. This freedom can be extremely important when addressing, for example, regulatory compliance issues.
There is no need to use views to decrypt data because the data is transparently decrypted once a user has passed the necessary access control checks. Security administrators have the assurance that the data on disk is encrypted, yet handling encrypted data is transparent to applications.
The ESM is implemented through an API that allows a variety of possible key storage solutions. The default ESM is Oracle Wallet. HSMs from several vendors are also supported for storage of master keys.
TDE support for HSM varies by database version and by whether it is column-level or tablespace-level encryption.
2. Creating the master key
Transparent Data Encryption, also known as TDE, creates a key for each table that uses encrypted columns and for each encrypted tablespace. The table key is stored in the data dictionary, and tablespace keys are stored in the tablespace data files. Both tablespace and table keys are encrypted with a master key.
There is one master key for the database. The master key is stored in a PKCS#12 wallet or a PKCS#11-based Hardware Security Module, abbreviated as HSM, outside the database. For the database to use TDE, a wallet must exist.
To create a wallet and a master key, first create a directory to hold the wallet, which must be accessible to the Oracle owner.
Then specify the location of the wallet file used to store the encryption master key by adding this entry to $ORACLE_HOME/network/admin/sqlnet.ora.
Code
ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)(METHOD_DATA=
    (DIRECTORY=/u01/app/oracle/product/11.1.0/db_1/wallet)))
Then connect to the database as a user with appropriate privileges. The user must have the ALTER SYSTEM privilege.
Code
sqlplus / as sysdba
After connecting to the database, create the encrypted wallet file using this command.
Code
SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY password;
If no encrypted wallet is present in the directory defined in SQLNET.ORA, the command
1. creates an encrypted wallet (ewallet.p12)
2. opens the wallet, and
3. creates the database server master encryption key for TDE
If an encrypted wallet already exists, the command
1. opens the wallet
2. creates or re-creates the database server master encryption key for TDE, and
3. re-encrypts the table and tablespace keys
Before encrypted columns can be viewed by a user, the wallet must be opened. A user with the ALTER SYSTEM privilege must issue this command, where welcome1 is the wallet password.
Code
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY welcome1;
If the wallet is not open and a user attempts to access an encrypted column, an error message is generated.
Code
SQL> CONNECT scott/tiger
Connected.
SQL> DESC cust_payment_info
 Name                          Null?    Type
 ----------------------------- -------- ----------------
 FIRST_NAME                             VARCHAR2(11)
 LAST_NAME                              VARCHAR2(10)
 ORDER_NUMBER                           NUMBER(13)
 CREDIT_CARD_NUMBER                     VARCHAR2(20) ENCRYPT

SQL> SELECT ...
ORA-28365: wallet is not open
3. Using the auto login wallet
From Oracle Wallet Manager, open the wallet using the password.
The Wallet menu contains various options such as New, Open, and Download From The Directory Service.
Provide the wallet directory location if the wallet is not in the default location. (The default location of the wallet is /etc/ORACLE/WALLETS/oracle.) You provide the wallet directory location using the Select Directory dialog box. The directories listed in the Select Directory dialog box include gnome, gtk, and httpd.
From the Wallet menu, select the Auto Login checkbox.
Other options in the Wallet menu include Save In System Default, Delete, Change Password, and Exit.
Exit Oracle Wallet Manager by selecting Exit from the Wallet menu.
Note
Do not delete the encryption wallet; otherwise, master rekey operations will no longer be possible. When using an auto login wallet, the new master key is generated in the encryption wallet and then replicated into the auto login wallet.
The master keys are required to access encrypted data, and you must protect these keys with backups. Because the master keys reside in the Oracle Wallet, the wallet should be periodically backed up to a secure location along with the database data files.
Option 3: This option is incorrect. Regenerating the master key does not cause column data to be re-encrypted.
Option 4: This option is correct. You need to regenerate the master key only if it has been compromised. Changing the master key periodically may be required by regulation.
Correct answer(s):
2. All past master keys are held in the wallet or HSM
4. A master key only needs to be regenerated if it's been compromised
In these two examples, a new key is generated. The first line generates a new key based on the algorithm that was specified when the table columns were encrypted. The second line generates a new key and changes the algorithm. Both examples cause all encrypted data in the tables to be decrypted and updated with a new encrypted value.
Code
ALTER TABLE card_payment_info ...
... unauthorized access attempts, because the HSM is a physical device and not an operating system file.
All encryption and decryption operations that use the master encryption key are performed inside the HSM. This means that the master encryption key is never exposed in insecure memory.
An HSM can be used for TDE Tablespace Encryption only when TDE Tablespace Encryption has not been used before with a wallet: the existing master key cannot be migrated from a wallet to an HSM.
If the master key is initially created in the HSM, it can be used for TDE Tablespace Encryption. Several vendors provide HSMs. The vendor must also supply the appropriate libraries.
Question
What are the features of an HSM?
Options:
1. It is a physical device that provides secure storage for encryption keys
2. It provides secure memory for performing encryption and decryption operations
3. It can be used for TDE Tablespace Encryption when TDE Tablespace Encryption has been used before with a wallet
4. If a master key is created in the HSM, it cannot be used for TDE Tablespace Encryption
Answer
Option 1: This option is correct. An HSM is a physical device that provides secure storage for encryption keys. There are several vendors that provide HSMs.
Option 2: This option is correct. An HSM provides secure computational space to perform encryption and decryption operations. An HSM is a more secure alternative to Oracle Wallet.
Option 3: This option is incorrect. An HSM can be used for TDE Tablespace Encryption when TDE Tablespace Encryption has not been used before with a wallet. The existing master key cannot be migrated from a wallet to an HSM.
Option 4: This option is incorrect. If the master key is initially created in the HSM, it can be used for TDE Tablespace Encryption.
Correct answer(s):
1. It is a physical device that provides secure storage for encryption keys
2. It provides secure memory for performing encryption and decryption operations
The ENCRYPTION_WALLET_LOCATION parameter in the SQLNET.ORA file specifies the location of the Oracle Wallet. To use an HSM in place of a software wallet, you need to set the METHOD attribute of the parameter to HSM.
If a DIRECTORY value is present in the ENCRYPTION_WALLET_LOCATION parameter, make sure that you do not delete it. Although HSM does not require a DIRECTORY value, the value is used to locate your old software wallet when migrating to HSM-based Transparent Data Encryption.
Also, the DIRECTORY value may be required by tools, such as RMAN, to locate the software wallet.
Code
ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=HSM))
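A small checker for the ENCRYPTION_WALLET_LOCATION entry, added here as an illustration (not Oracle's code): it parses the nested (NAME=VALUE) syntax of sqlnet.ora and flags a FILE method without a DIRECTORY, or an HSM method whose DIRECTORY was removed, as the preceding paragraphs warn. The sample entries and the /path/to/wallet directory are constructed.

```python
import re

def _skip_ws(text, pos):
    """Advance pos past whitespace (sqlnet.ora entries may span several lines)."""
    while pos < len(text) and text[pos].isspace():
        pos += 1
    return pos

def _parse_nv(text, pos):
    """Parse one '(NAME=VALUE)' node starting at text[pos]; return (name, value, next_pos).
    VALUE is a plain string, or a dict when it consists of nested nodes."""
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    eq = text.index("=", pos)
    name = text[pos + 1:eq].strip().upper()
    pos = _skip_ws(text, eq + 1)
    if text[pos] == "(":                      # nested (KEY=VALUE) nodes
        value = {}
        while text[pos] == "(":
            key, val, pos = _parse_nv(text, pos)
            value[key] = val
            pos = _skip_ws(text, pos)
        if text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        return name, value, pos + 1
    close = text.index(")", pos)              # plain value, e.g. FILE, HSM, a path
    return name, text[pos:close].strip(), close + 1

def parse_wallet_location(sqlnet_text):
    """Return the SOURCE dict of ENCRYPTION_WALLET_LOCATION, or None if the entry is absent."""
    m = re.search(r"^\s*ENCRYPTION_WALLET_LOCATION\s*=\s*", sqlnet_text,
                  re.IGNORECASE | re.MULTILINE)
    if not m:
        return None
    name, value, _ = _parse_nv(sqlnet_text, m.end())
    if name != "SOURCE" or not isinstance(value, dict):
        raise ValueError("ENCRYPTION_WALLET_LOCATION must be (SOURCE=(METHOD=...)...)")
    return value

def check_wallet_location(source):
    """Apply the rules from the text; return a list of findings (empty means OK)."""
    if source is None:
        return ["no ENCRYPTION_WALLET_LOCATION entry: the database cannot find a wallet"]
    findings = []
    method = source.get("METHOD", "").upper()
    method_data = source.get("METHOD_DATA")
    directory = method_data.get("DIRECTORY") if isinstance(method_data, dict) else None
    if method == "FILE":
        if not directory:
            findings.append("METHOD=FILE but no METHOD_DATA DIRECTORY: wallet path unknown")
    elif method == "HSM":
        if not directory:
            findings.append("METHOD=HSM with DIRECTORY removed: the old software wallet "
                            "cannot be located for migration or by RMAN")
    else:
        findings.append("unknown METHOD %r: expected FILE or HSM" % method)
    return findings

# Constructed sample entries; /path/to/wallet is a placeholder, not a real installation.
SQLNET_FILE = """\
SQLNET.AUTHENTICATION_SERVICES=(BEQ, TCPS)
ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)(METHOD_DATA=
    (DIRECTORY=/path/to/wallet)))
"""
SQLNET_HSM_NO_DIR = """\
ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD = HSM))
"""
SQLNET_HSM_KEEP_DIR = """\
ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=HSM)(METHOD_DATA=
    (DIRECTORY=/path/to/wallet)))
"""

if __name__ == "__main__":
    for label, text in [("file", SQLNET_FILE), ("hsm, no dir", SQLNET_HSM_NO_DIR),
                        ("hsm, dir kept", SQLNET_HSM_KEEP_DIR)]:
        print(label, check_wallet_location(parse_wallet_location(text)) or ["OK"])
```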
The HSM vendor provides a PKCS#11 library that you must copy to a specified directory so that the Oracle server can locate it.
Depending on the OS you are using, you copy the library to a specific location.
UNIX
If it is for UNIX, copy it to this location:
/opt/oracle/extapi/[32,64]/hsm/{VENDOR}/{VERSION}/libapiname.ext
Windows
If it is for Windows, copy it to this location:
SYSTEM_DRIVE ...
Code
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY user_id:password
  MIGRATE USING wallet_password;
In this example, user_id is the user ID created using the HSM management interface; password is the password created using the HSM management interface; and wallet_password is the password required to open an existing Oracle Wallet on the file system.
The MIGRATE USING wallet_password clause is applicable if you are already using TDE. Existing column encryption keys are decrypted and then re-encrypted with the new HSM-based master encryption key.
Code
ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY user_id:password;
Summary
In this topic, you've learned how TDE is set up.
Configuring Encrypted Columns
Learning Objective
After completing this topic, you should be able to
configure encrypted columns
1. Creating encrypted columns
To create an encrypted column, use the ENCRYPT keyword when the table is created or altered.
In this example, the NO SALT keywords are used to allow an index to be created over this column. The default is SALT.
Code
CREATE TABLE cust_payment_info ...

Code
SQL> CREATE TABLE cust_info ...
Question
Identify the characteristics of the ENCRYPT clause syntax.
Options:
1. It allows you to specify the algorithm to use
2. The IDENTIFIED BY password clause is required
3. The NOMAC parameter allows you to skip TDE integrity checks
4. The table creator determines the key length
Answer
Option 1: This option is correct. The ENCRYPT clause allows you to specify the encryption algorithm to use. Valid algorithm names are 3DES168, AES128, AES192 (default), and AES256.
Option 2: This option is incorrect. The IDENTIFIED BY password clause is optional. Specifying a password means that the key used to protect the table will be based on that password.
Option 3: This option is correct. In database versions 10.2.0.4 and 11.1.0.7, the NOMAC parameter enables you to skip the integrity check performed by TDE. This saves 20 bytes of disk space per encrypted value.
Option 4: This option is incorrect. The name of an algorithm implicitly determines the key length.
Correct answer(s):
1. It allows you to specify the algorithm to use
3. The NOMAC parameter allows you to skip TDE integrity checks
A B-tree index can be created on an encrypted column with NO SALT. A B-tree index may not be created on a column with SALT. Equality lookup operations are supported on the index.
A bitmapped index cannot be created on encrypted columns. TDE column encryption is not supported on foreign keys, because each table has its own encryption key. For this reason, do not use sensitive data items such as a credit card number or a national identity number as the primary key.
Index range-scan operations are supported for equality lookups because the value is encrypted before the comparison with stored values. WHERE clauses with BETWEEN ... AND or LIKE comparison operators will use full-table scans.
Tablespace-level TDE supports all index types, all internal data types, and foreign keys.
Question
What are the considerations when creating an index on an encrypted column?
Options:
1. A B-tree index can be created on an encrypted column with NO SALT
2. A bitmapped index can be created on encrypted columns
3. TDE column encryption is not supported on foreign keys
4. Index range-scan operations are not supported for equality lookups
Answer
Option 1: This option is correct. A B-tree index can be created on an encrypted column with NO SALT. A B-tree index may not be created on a column with SALT.
Option 2: This option is incorrect. A bitmapped index cannot be created on encrypted columns.
Option 3: This option is correct. TDE column encryption is not supported on foreign keys. This is because each table has its own encryption key.
Option 4: This option is incorrect. Index range-scan operations are supported for equality lookups because the value is encrypted before the comparison with stored values. WHERE clauses with BETWEEN ... AND or LIKE comparison operators will use full-table scans.
Correct answer(s):
1. A B-tree index can be created on an encrypted column with NO SALT
3. TDE column encryption is not supported on foreign keys
2. Altering an encrypted column
All the encrypted columns in a single table must use the same algorithm. If two or more columns are encrypted, you can change the encryption algorithm for the entire table with one command.
Code
ALTER TABLE cust_payment_info ...
... NCHAR, and
NUMBER
Other scalar data types supported by TDE column encryption are
NVARCHAR2
RAW
TIMESTAMP (includes TIMESTAMP WITH TIME ZONE and TIMESTAMP WITH LOCAL TIME ZONE)
VARCHAR2 (must be less than or equal to 3,932 bytes)
Character large objects, commonly known as CLOB (SecureFiles), and
Binary large objects, also known as BLOB (SecureFiles)
TDE column encryption supports Oracle Data Guard in the physical standby configuration. To use TDE with Data Guard, both the primary and the secondary database must be of the same version.
... encryption supports the Data Guard logical standby configuration.
Logs may be mined either on the source or on the target database; thus, the wallet must be the same for both databases. Every time the master key is changed using the ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY wallet_password command, the wallet must be copied from the primary database to the standby database.
An error is raised if the DBA attempts to change the master key on the standby database.
If an auto login wallet is not used, the wallet must be opened on the standby. Wallet open and close commands on the primary are not replicated on the standby.
A different password can be used to open the wallet on the standby. The wallet owner can change the password used for the copy of the wallet on the standby.
Storage overhead associated with TDE column encryption can be significant. When specified, SALT requires 16 bytes. Specifying NO SALT reduces the storage requirement and saves CPU cycles.
Message Authentication Code, also known as MAC, an integrity check associated with each encrypted value, requires an additional 20 bytes. In addition, TDE pads encrypted values out to a multiple of 16 bytes. So if a credit card number required 9 bytes of storage, encrypting the credit card number would require an additional 7 bytes of storage.
Encrypting a single column in a table with SALT will require between 37 and 52 bytes of additional storage per row.
SALT is not needed if clear text values are unique, and SALT cannot be used with columns that will be indexed.
In database versions 10.2.0.4 and 11.1.0.7, the NOMAC parameter enables you to skip the integrity check performed by TDE. This saves 20 bytes of disk space per encrypted value. If the number of rows and encrypted columns in the table is large, this adds up to a significant amount of disk space.
The NOMAC parameter also reduces the performance overhead. The NOMAC parameter applies to all columns of a table: if one column uses NOMAC, all of them must use the NOMAC option.
A customer encrypting a single column using both the NO SALT and NOMAC parameters can reduce the encryption overhead to between 1 and 15 bytes of additional storage per row, instead of 37 to 52 bytes.
TDE column encryption cannot be used with foreign keys or with index types other than B-tree indexes. SYS schema objects cannot be encrypted.
In Oracle Database 11g, internal large object, also referred to as LOB, data types (such as BLOB and CLOB) can be encrypted, but external LOBs (such as binary large file objects [the BFILE data type]) cannot be encrypted.
Applications that need to use these unsupported features can use TDE tablespace encryption. TDE tablespace encryption supports all data types, except external tables and BFILE. The SYSTEM tablespace cannot be encrypted.
Note
External tables can have encrypted columns using the ORACLE_DATAPUMP access driver.
3. Creating an encrypted tablespace
TDE tablespace encryption is performed at the I/O level on a per-block basis. The only encryption penalty is associated with I/O, so the performance overhead will be seen in the I/O statistics.
When there are a large number of columns in a table to be encrypted, tablespace encryption may provide better performance than column encryption. SQL access paths are unchanged and all data types are supported. Because the data is not encrypted in memory, there is no difference in the handling of data once it has been read off the disk.
All data types, index types, and even LOBs are supported with tablespace encryption. Data retrieved from encrypted tablespaces is protected whenever it is written to disk, including to temporary tablespaces, the undo tablespace, and redo logs.
During operations such as JOIN and SORT, data that is selected from an encrypted tablespace is encrypted when written to temporary tablespaces. Encrypted tablespaces are transportable if the platforms have the same endianness and the same wallet.
There is currently no mechanism to rekey a tablespace. Tablespace encryption does not require additional storage space.
The CREATE TABLESPACE command has an ENCRYPTION clause that sets the encryption properties, and an ENCRYPT storage parameter that causes the encryption to be used.
Code
ALTER SYSTEM SET ENCRYPTION KEY
  IDENTIFIED BY password;
CREATE TABLESPACE encrypt_ts
  DATAFILE '$ORACLE_HOME/dbs/encrypt.dat' SIZE 100M
  ENCRYPTION USING '3DES168'
  DEFAULT STORAGE (ENCRYPT);
Because tablespace encryption is performed at the I/O level, many of the restrictions that apply to TDE column encryption do not apply to tablespace encryption.
The following restrictions apply to tablespace encryption:
Temporary and undo tablespaces cannot be encrypted. But when a data buffer containing data from an encrypted tablespace is written to an undo or a temporary tablespace, that data block is encrypted.
The BFILE data type and external tables are not encrypted because they are not stored in tablespaces.
Transportable tablespaces across different endian platforms are not supported.
The key for encrypted tablespaces cannot be changed. A workaround is to create a tablespace with the desired properties and move all objects to the new tablespace.
The previous version of the export and import utilities, exp and imp, did not support TDE. An error message is raised when exp attempts to export a table with an encrypted column.
Code
EXP-00107: Feature (COLUMN ENCRYPTION) of column
ORDER_NUMBER in table table_a is not supported. The
table will not be exported.
The Data Pump Export utility, expdp, can export the table. By default, the data is stored in the dump file in clear text.
Note
The same password must be used to import the dump file using the Data Pump Import utility, impdp.
Oracle Database 11g introduces the SecureFiles implementation of LOBs, which offers intelligent compression and transparent encryption. Encrypted data in SecureFiles is stored in place and is available for random reads and writes.
The encryption takes place at the block level. The LOB implementation from earlier versions is still supported for backward compatibility and is now referred to as BasicFiles.
Code
CREATE TABLE test1
  (doc CLOB ENCRYPT USING 'AES128')
  LOB(doc) STORE AS SECUREFILE (CACHE NOLOGGING);
If you add a LOB column to a table, you can specify how it should be created using the SECUREFILE or BASICFILE keywords. To ensure backward compatibility, the default LOB type is BASICFILE.
To enable encryption of LOBs, you must create the LOB with the SECUREFILE keyword, with encryption enabled (ENCRYPT) or disabled (DECRYPT, which is the default) on the LOB column. The current TDE syntax is used for extending encryption to LOB data types. There are multiple correct syntax possibilities.
Valid encryption algorithms are 3DES168, AES128, AES192, and AES256. The default is AES192.
Summary
In this topic, you've learned how to configure encrypted columns.
Implementing TDE
Learning Objective
After completing this topic, you should be able to
implement Transparent Data Encryption
Exercise overview
Steps list
Instructions
4. Type SELECT * FROM oe.cust_payment_info ...
... the OE.CUST_PAY_NAME, TABLE_NAME, and STATUS columns of the USER_INDEXES table for this table. Include the FROM and WHERE clauses on separate lines. Then rebuild the unusable index.
Steps list
Instructions
1. Type CONNECT oe and press Enter
2. Type oracle and press Enter
3. Type ALTER TABLE oe.cust_payment_info ...
Steps list
Instructions
11. Click Submit Job
12. Click View Job Details
Task 4: Verifying transparent encryption
RMAN backup encryption is available only in the Enterprise Edition of the database, and the COMPATIBLE parameter must be set to 10.2.0 or higher.
Encrypted backup to disk does not require Oracle Advanced Security, commonly known as ASO, but the use of RMAN with a third-party media manager library does require ASO to provide the key infrastructure.
Encrypted backups to tape require Oracle Secure Backup, also referred to as OSB, to provide the key infrastructure. OSB includes the same technology as ASO.
OSB version 10.2 is available in both the Standard Edition and the Enterprise Edition of Oracle Database 11g. OSB includes the secure communications technology of ASO in the Enterprise Edition to provide secure communication between hosts (administrative, source, and target) in the OSB domain.
OSB encrypts the transmitted data and control messages with a default key of 1,024 bits generated for each session using Secure Sockets Layer, also known as SSL.
OSB provides this key from an embedded wallet that is separate from the Oracle Wallet used by RMAN to encrypt backups.
If RMAN encryption is provided, OSB does not encrypt the data again for transmission. But if RMAN encryption is disabled and the OSB host encryption policy is set to required, OSB encryption will be used for the data; if the OSB encryption policy is set to allowed, in principle, the decision is referred to the next lower level.
... version of the wallet does not require a password.
The obfuscated wallet is created when the wallet is opened and destroyed when the wallet is closed. This wallet, which is scrambled but not encrypted, enables the OSB software to run without requiring a password during system startup.
The password for the password-protected wallet is generated by OSB and not made available to the user. The password-protected wallet is not normally used after the security credentials for the host have been established, because the OSB daemons use the obfuscated wallet.
To reduce the risk of unauthorized access to obfuscated wallets, OSB does not back them up.
The obfuscated version of a wallet is named cwallet.sso. By default, the wallet is located in the following path on Linux and UNIX, and on Windows it is located in the path shown below.
Graphic
On Linux and UNIX, the wallet is located in the following path:
/usr/etc/ob/wallet
On Windows, the wallet is located in the following path:
C:
... secures your file-system backups over the network by using SSL.
RMAN can create encrypted backups on tape using OSB or a third-party media manager with ASO.
2. Creating RMAN-encrypted backups
For improved security, Recovery Manager, commonly known as RMAN, backups created as backup sets can be encrypted. Image copy backups cannot be encrypted.
Encrypted backups are decrypted automatically during restore and recover operations, as long as the required decryption keys are available, by means of either a user-supplied password or the Oracle Encryption Wallet.
RMAN supports three encryption modes:
transparent
password, and
dual
Transparent encryption does not require DBA intervention as long as the required Oracle key management infrastructure is available.
Transparent encryption is best suited for day-to-day backup operations, where backups will be restored on the same database that they were backed up from.
Transparent encryption is the default encryption mode.
Code
RMAN> CONFIGURE ENCRYPTION FOR DATABASE ON;
RMAN> CONFIGURE ENCRYPTION FOR TABLESPACE tablespace_name ON;
RMAN> SET ENCRYPTION ALGORITHM 'algorithm_name';
create a wallet
The first step is to create a wallet using Oracle Wallet Manager. By default, an unencrypted wallet (cwallet.sso) is created when Oracle Database is installed. An encrypted wallet (ewallet.p12) is recommended for use with backup set encryption. Place an entry in the SQLNET.ORA file.
open the wallet
Before you can use backup set encryption, you need to make sure that the wallet is opened by your instance. The password specified with the ALTER SYSTEM command is the same password you specified when you created the wallet.
set the master key
When the wallet is opened, you need to set the master key from within your instance.
configure the RMAN encryption level, and
The CONFIGURE ENCRYPTION command is used to specify encryption settings for the database or for tablespaces within the database, which apply unless overridden using the SET command.
Options specified for an individual tablespace take precedence over options specified for the whole database.
set an encryption algorithm, if needed
Query V$RMAN_ENCRYPTION_ALGORITHMS to obtain a list of the encryption algorithms supported by RMAN. The default encryption algorithm is 128-bit AES.
When you use password encryption, you must provide a password to create and restore encrypted backups. When you restore a password-encrypted backup, you must supply the same password that was used to create the backup.
Password encryption is most appropriate for backups that will be restored at remote locations, but which must remain secure in transit. To enable password encryption, use this command in your RMAN scripts.
Code
SET ENCRYPTION ON IDENTIFIED BY password ONLY;
Password encryption cannot be persistently configured. The Enterprise Manager interface will place the proper command in the RMAN backup scripts that it generates.
Graphic
The Encryption section of the Enterprise Manager interface is open. You use this
section to encrypt the backup using the Oracle Encryption Wallet, a user-supplied
password, or both, to protect sensitive data. The section includes the Secure the
backup using Recovery Manager encryption checkbox, which is selected, and the
Encryption Algorithm drop-down list, in which AES128 is selected.
The Encryption Mode subsection contains two checkboxes: Backups will be
encrypted using the Oracle Encryption Wallet and Backups will be encrypted using
the following password, which is currently selected. This section also contains the
Password and Confirm Password fields. Both fields are filled.
Note
For security reasons, it is not possible to permanently modify your existing backup
environment so that RMAN backups are encrypted using password mode. You can
enable password-encrypted backups only for the duration of an RMAN session.
Dual-mode encrypted backups can be restored transparently or by specifying a
password.
Dual-mode encrypted backups are useful when you create backups that are normally
restored using Oracle Encryption Wallet, but which occasionally need to be restored
where Oracle Encryption Wallet is not available.
Graphic
In the Encryption Mode subsection, in this example, the Backups will be encrypted
using the Oracle Encryption Wallet and Backups will be encrypted using the
following password checkboxes are selected.
To create dual-mode encrypted backup sets, specify this command in your RMAN scripts.
Code
SET ENCRYPTION ON IDENTIFIED BY 'password'
Use the SET DECRYPTION command to specify one or more decryption passwords to be
used when reading dual-mode or password-encrypted backups.
When RMAN reads encrypted backup pieces, it tries each password in the list until it finds
the correct one to decrypt that backup piece. An error is signaled if none of the specified
keys are correct. If you lose the password for a password-encrypted backup, you cannot
restore that backup.
Code
SET DECRYPTION IDENTIFIED BY 'password_1', 'password_2', ... 'password_n'
Because the Oracle key management infrastructure archives all previous master keys in
the wallet, changing or resetting the current database master key does not affect your
ability to restore encrypted backups performed using an older master key.
Option 2: This option is incorrect. If you lose the password for a password-
encrypted backup, you cannot restore that backup. Also, if you lose the wallet
containing the key for a transparent encrypted backup, you cannot restore that
backup.
Option 3: This option is incorrect. Because the Oracle key management
infrastructure archives all previous master keys in the wallet, changing or resetting
the current database master key does not affect your ability to restore encrypted
backups performed using an older master key.
Option 4: This option is correct. When RMAN reads encrypted backup pieces, it
tries each password in the list until it finds the correct one to decrypt that backup
piece. An error is signaled if none of the specified keys are correct.
Correct answer(s):
1. The SET DECRYPTION command is used to specify decryption passwords
4. When RMAN reads encrypted backup pieces, it tries each password in the list
until it finds the correct one
There are certain considerations for RMAN-encrypted backups.
Any RMAN backups created as backup sets can be encrypted. However, image copy
backups cannot be encrypted.
The V$RMAN_ENCRYPTION_ALGORITHMS view contains a list of encryption algorithms
supported by RMAN. If no encryption algorithm is specified, the default encryption
algorithm is 128-bit AES.
Data Pump encryption
Every file that could contain sensitive data should be protected in some way; the dump
file produced by Data Pump Export is no exception. In Oracle Database 11g, Data Pump
Export can encrypt the dump file.
Data Pump file encryption requires that Oracle Advanced Security, commonly known as
ASO, be installed. The expdp process receives the data unencrypted from the database,
even if the data is encrypted in the database with Transparent Data Encryption,
abbreviated as TDE.
Note
The expdp process cannot decrypt data that has been encrypted with application
encryption, such as DBMS_CRYPTO procedures.
Data may be exported across network connections. If the expdp process connects to the
database using a service name, the data may be encrypted if ASO network encryption is
specified between the client (where expdp is executing) and the server.
The expdp process may also connect using a database link specified with the
NETWORK_LINK parameter. The data will be sent across this link in clear text unless the
database link has been configured to use network encryption.
The ENCRYPTION parameter determines the scope of the encryption, that is, which data
elements are encrypted. The ENCRYPTION_MODE parameter determines the type of
encryption used, that is, the type of key used. The ENCRYPTION_PASSWORD parameter
interacts with both the other parameters.
Graphic
An example of a connection using a service name is hr@<service_name>.
Question
Identify the features of Data Pump encryption.
Options:
1. It requires that ASO be installed
2. The ENCRYPTION_MODE parameter determines the scope of the encryption
3. The expdp process receives the data unencrypted from the database
4. Data cannot be exported across network connections
The NONE setting is the default. If ENCRYPTION_PASSWORD is set and ENCRYPTION is not
set, ENCRYPTION defaults to ALL.
The ENCRYPTION_PASSWORD parameter may be used by itself in the command line or
the parameter file. ENCRYPTION_PASSWORD specifies a key for re-encrypting encrypted
table columns so that they are not written as clear text in the dump file set.
If the export operation involves encrypted table columns, but an encryption password is
not supplied, the encrypted columns will be written to the dump file set as clear text, and
a warning will be issued.
There is no connection or dependency between the key specified with the Data Pump
ENCRYPTION_PASSWORD parameter and the key specified with the ENCRYPT keyword
when the table with encrypted columns was initially created. For example, suppose a
table is created with an encrypted column whose key is xyz.
Code
CREATE TABLE EMP (SALARY NUMBER(8,2) ENCRYPT IDENTIFIED BY xyz);
When you export the EMP table, you can supply any arbitrary value for
ENCRYPTION_PASSWORD. It does not have to be xyz. Passwords should never be used
in a command line.
As a best practice, you should place the ENCRYPTION_PASSWORD parameter in a
parameter file.
For network exports, the ENCRYPTION_PASSWORD parameter is not supported with user-
defined external tables that have encrypted columns. The table will be skipped and an
error message will be displayed, but the job will continue.
Question
Which statements most accurately describe the ENCRYPTION_PASSWORD
parameter?
Options:
1. It may be used by itself in the command line
2. It specifies a key for re-encrypting encrypted table columns
3. It is supported with user-defined external tables that have encrypted columns
4. There is a dependency between the key specified with this parameter and the key
specified with the ENCRYPT keyword at table creation
Answer
Option 1: This option is correct. The ENCRYPTION_PASSWORD parameter may be
used by itself in the command line or the parameter file.
Option 2: This option is correct. ENCRYPTION_PASSWORD specifies a key for re-
encrypting encrypted table columns so that they are not written as clear text in the
dump file set.
Option 3: This option is incorrect. For network exports, the
ENCRYPTION_PASSWORD parameter is not supported with user-defined external
tables that have encrypted columns.
Option 4: This option is incorrect. There is no connection or dependency between
the key specified with the Data Pump ENCRYPTION_PASSWORD parameter and
the key specified with the ENCRYPT keyword when the table with encrypted
columns was initially created.
Correct answer(s):
1. It may be used by itself in the command line
2. It specifies a key for re-encrypting encrypted table columns
The ENCRYPTION_MODE parameter sets the method of obtaining the key for encrypting
the dump file. The ENCRYPTION or ENCRYPTION_PASSWORD parameter must also be set
when specifying the ENCRYPTION_MODE parameter.
If the encryption wallet is configured and TRANSPARENT is specified, the dump file is
encrypted with no intervention by the DBA required. The ENCRYPTION_PASSWORD
parameter is not needed, and the expdp process will return an error if
ENCRYPTION_PASSWORD is specified.
A dump file exported in transparent mode may be imported transparently if the encryption
wallet is available. These dump files should be imported to the same database that they
were exported from.
When PASSWORD mode is specified, the password is not stored, but must be specified on
import. Dump files created in password mode are best suited for cases where the file will
be imported offsite where the encryption wallet is not available.
ENCRYPTION_PASSWORD must be specified when using this mode. To import the dump
file, the same password must be specified, and the target table must have the same
encryption attributes as the source table (the same columns must be declared as
ENCRYPT or NOENCRYPT).
Dual mode allows the dump file to be imported transparently where the encryption wallet
is available, or with a password where the wallet is not available.
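The interplay of ENCRYPTION, ENCRYPTION_MODE and ENCRYPTION_PASSWORD described above, as an added example that is not part of the course or of Oracle's tools: a hypothetical Python checker that applies those rules to a parameter file before an expdp job is submitted, so a combination expdp would reject, or one that would write encrypted columns as clear text, is caught up front. The names parse_parfile, plan_encryption and is_rejected, the wallet_open and has_encrypted_columns flags, and the defaulting of an unspecified ENCRYPTION_MODE (taken from Oracle's Data Pump reference, not from the text) are assumptions.

```python
# Hypothetical checker (added example, not Oracle's or the course's code) for the
# interplay of the Data Pump ENCRYPTION, ENCRYPTION_MODE and ENCRYPTION_PASSWORD parameters.
SCOPES = {"ALL", "DATA_ONLY", "ENCRYPTED_COLUMNS_ONLY", "METADATA_ONLY", "NONE"}
MODES = {"TRANSPARENT", "PASSWORD", "DUAL"}

def parse_parfile(text):
    """Parse the KEY=VALUE lines of a Data Pump parameter file into a dict."""
    lines = (ln for ln in text.splitlines() if "=" in ln and not ln.lstrip().startswith("#"))
    return {k.strip().upper(): v.strip() for k, _, v in (ln.partition("=") for ln in lines)}

def plan_encryption(params, wallet_open, has_encrypted_columns=False):
    """Return (effective ENCRYPTION, effective ENCRYPTION_MODE, warnings); ValueError if rejected."""
    scope = params.get("ENCRYPTION", "").upper() or None
    mode = params.get("ENCRYPTION_MODE", "").upper() or None
    password = params.get("ENCRYPTION_PASSWORD")
    if (scope and scope not in SCOPES) or (mode and mode not in MODES):
        raise ValueError("unknown ENCRYPTION or ENCRYPTION_MODE value")
    if mode and not (scope or password):
        raise ValueError("ENCRYPTION_MODE needs ENCRYPTION or ENCRYPTION_PASSWORD")
    scope = scope or ("ALL" if password else "NONE")  # NONE is the default; a password implies ALL
    warnings = []
    if scope == "NONE":  # nothing in the dump file is encrypted, so the mode is moot
        if has_encrypted_columns:
            warnings.append("encrypted columns will be written as clear text")
        return scope, None, warnings
    if mode is None:
        # Defaulting per Oracle's Data Pump reference (assumption, not from the text):
        # ENCRYPTION alone -> TRANSPARENT; a password -> DUAL with an open wallet, else PASSWORD.
        mode = ("DUAL" if wallet_open else "PASSWORD") if password else "TRANSPARENT"
    if mode == "TRANSPARENT" and password:
        raise ValueError("TRANSPARENT mode rejects ENCRYPTION_PASSWORD")
    if mode in ("TRANSPARENT", "DUAL") and not wallet_open:
        raise ValueError(mode + " mode needs an open encryption wallet")
    if mode in ("PASSWORD", "DUAL") and not password:
        raise ValueError(mode + " mode requires ENCRYPTION_PASSWORD")
    if scope == "ENCRYPTED_COLUMNS_ONLY" and mode != "PASSWORD":
        raise ValueError("ENCRYPTED_COLUMNS_ONLY needs ENCRYPTION_MODE=PASSWORD")
    return scope, mode, warnings

def is_rejected(params, wallet_open):
    """True if expdp would refuse this parameter combination."""
    try:
        plan_encryption(params, wallet_open)
        return False
    except ValueError:
        return True
```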
TDE allows you to protect your database data files and image backups by encrypting the
data of sensitive columns.
Data Pump Export allows you to export that data into a dump file or an external table that
is created in XML format. By default, the data in the dump file is in clear text. In the
example, you can encrypt only the data, or you can encrypt the entire dump file. This
example uses transparent mode.
Code
expdp hr TABLES=employees
DIRECTORY=data_pump_dir DUMPFILE=hr_emp.dmp
ENCRYPTION_MODE=TRANSPARENT
ENCRYPTION=DATA_ONLY
When you want to encrypt, in the dump file, only the columns that are encrypted in the
database, use ENCRYPTION=ENCRYPTED_COLUMNS_ONLY. ENCRYPTION_PASSWORD
must be specified. Therefore, ENCRYPTION_MODE must be PASSWORD.
This example uses password mode to generate the key. It also uses the encryption
password on the command line. Passwords should never be placed on the command
line. Use PARFILE with expdp or impdp to specify ENCRYPTION_PASSWORD.
Code
expdp oe TABLES=cust_payment_info
Using RMAN Backup File Encryption
Learning Objective
After completing this topic, you should be able to
create and recover backups
Exercise overview
EXAMPLE tablespace to /home/oracle/backup/example001.bck. Set TAG =
TRANSPARENT so that it can be specified in the restore command. Include the format and
tag clauses on separate lines.
Steps list
Instructions
1. Type BACKUP TABLESPACE EXAMPLE and press Enter
2. Type
Steps list
Instructions
1. Type RESTORE TABLESPACE EXAMPLE FROM TAG TRANSPARENT; and press Enter
2. Type SET DECRYPTION IDENTIFIED BY password1; and press Enter
3. Type RESTORE TABLESPACE EXAMPLE FROM TAG PASSWORD; and press Enter