26-May-2016

TDE – Transparent Data Encryption, Gino D'Alfonso

Page 1: Tde oracle customer_demo

Page 2: Tde oracle customer_demo

Transparent Data Encryption

Page 3: Tde oracle customer_demo

Transparent Data Encryption

What it is not

It is not data masking

Page 4: Tde oracle customer_demo

Transparent Data Encryption

What it is not

It is not data redaction

Page 5: Tde oracle customer_demo

Transparent Data Encryption

Page 6: Tde oracle customer_demo

Transparent Data Encryption

How to install TDE on a database

sqlnet.ora needs the following line:

ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /u01/app/oracle/admin/$ORACLE_UNQNAME/tde_wallet)))

Only the oracle OS user should have access to the wallet directory and its files:

chmod 600 ewallet.p12

Avoid deletion of the TDE wallet by making the files immutable:

chattr +i ewallet.p12
chattr +i cwallet.sso

Page 7: Tde oracle customer_demo

Transparent Data Encryption

How to install TDE on a database

Auto-login versus local auto-login

Opening the wallet is a manual operation that must be performed to make the master encryption key available to the database; an auto-login wallet opens it automatically.

$ orapki wallet create -wallet <wallet location> -auto_login

Creates the file cwallet.sso

$ orapki wallet create -wallet <wallet location> -auto_login_local

A local auto-open wallet can be created starting with Oracle Database 11.1.0.7; it does not open on any machine other than the one it was created on.

Page 8: Tde oracle customer_demo

Separation of duties

The wallet password is separate from the System or DBA password

Those passwords give no access to the wallet

Page 9: Tde oracle customer_demo

Transparent Data Encryption

HOW?

• The encryption is done at the operating system level, where the data is stored

OWNER_EVL@TEST1_1 SQL> select * from SECURE_CUSTOMER_INFO;

NAME                           ACCOUNT_NR
------------------------------ ----------
Semira                          123456789
Mehrdad                         223456789
Geert                           323456789

$ strings testelvd |grep -i Geert
Geert

(the customer name is found in plain text in the datafile)

Page 10: Tde oracle customer_demo

Transparent Data Encryption

HOW?

• The encryption is done at the operating system level, where the data is stored

OWNER_ABC@TEST1_1 SQL> select * from SECURE_CUSTOMER_INFO;

NAME                           ACCOUNT_NR
------------------------------ ----------
Semira                          123456789
Mehrdad                         223456789
Geert                           323456789
NewCstmer                       123456777

$ strings testtablespaceABCD |grep -i Geert

(no output: the name is not found in the datafile of the encrypted tablespace)

Page 11: Tde oracle customer_demo

Transparent Data Encryption

The way to encrypt

• Tablespace level
  - Better performance
  - You can't find all columns with sensitive data
  - Data type/data length not supported by column encryption
  - Sensitive column is a foreign key
  - Index type is other than b-tree
  - Range scan search through an index

Page 12: Tde oracle customer_demo

Transparent Data Encryption

Migration to tablespace-level encryption

• Existing data must be moved to an encrypted tablespace.
• Can be done online or offline.
• Using a Data Guard transient logical standby (downtime < 5 minutes) is the best way.

Page 13: Tde oracle customer_demo

Transparent Data Encryption

Page 14: Tde oracle customer_demo

Transparent Data Encryption

RESTRICTIONS of TDE

• Only protects data stored on disk/media, not data in transit
• Decreased performance (column encryption only)
• TDE can't be enabled on a SYS-owned table
• RMAN backups: not with image copies

Page 15: Tde oracle customer_demo

Transparent Data Encryption

Page 16: Tde oracle customer_demo

Transparent Data Encryption

Page 17: Tde oracle customer_demo

Transparent Data Encryption

Page 18: Tde oracle customer_demo

Risk when using Transparent Data Encryption

LOSS OF AUTOLOGIN WALLET
Deleted the file cwallet.sso (the autologin wallet) at the OS level.
Result:

- SQL> select * from emp; --> no problem reading the data, as expected; it's just the auto-login wallet.
- Shutdown, startup database: no problem starting the database.
- SQL> select * from emp; --> ORA-28365: wallet is not open.
- SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<password>";
- SQL> select * from emp; --> works again.

Page 19: Tde oracle customer_demo

Risk when using Transparent Data Encryption

LOSS OF WALLET WITH MASTER KEY
Deleted the ewallet.p12 too.
Result:

- SQL> select * from emp; --> No problem reading the data, the key is read from the database (but when will I find out I've lost my wallet?).
- Shutdown, startup database: --> No problem starting up. No errors in the alert file either.
- SQL> select * from emp; --> This gives ORA-28365: wallet is not open

Page 20: Tde oracle customer_demo

Risk when using Transparent Data Encryption

LOSS OF WALLET WITH MASTER KEY

Backup of ewallet.p12 is done by the OS backup, every day.

So a restore can be done.

Backup of cwallet.sso is done separately from ewallet.p12.

So a restore can be done.
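As an added example (not from the slides), a shell check that applies the wallet hygiene from page 6 (mode 600, chattr +i) and catches the silent wallet loss shown on pages 18 to 20 before the next restart does; it assumes GNU coreutils and uses constructed dummy files in place of real wallet files:

```shell
#!/bin/sh
# Added example, not part of the slides: hygiene and early-loss check for the
# TDE wallet directory. The slides show that a deleted wallet is only noticed
# at the next restart (ORA-28365); run this from cron to notice it before then.
# Assumes GNU coreutils (sha256sum, stat -c) and optionally lsattr (e2fsprogs).

# Record a checksum baseline of both wallet files in DIR into STATE (absolute path).
tde_wallet_baseline() {
    ( cd "$1" && sha256sum ewallet.p12 cwallet.sso ) > "$2"
}

# Check DIR against the baseline in STATE. Return codes:
# 0 ok, 1 a wallet file is missing, 2 ewallet.p12 mode is not 600,
# 3 wallet content differs from the baseline (replaced, or an old copy restored).
tde_wallet_check() {
    dir=$1; state=$2
    for f in ewallet.p12 cwallet.sso; do
        [ -f "$dir/$f" ] || { echo "MISSING $dir/$f"; return 1; }
    done
    mode=$(stat -c '%a' "$dir/ewallet.p12")
    [ "$mode" = "600" ] || { echo "MODE $mode on ewallet.p12, expected 600"; return 2; }
    # chattr +i guards against accidental rm; warn but do not fail without it.
    if command -v lsattr >/dev/null 2>&1 &&
       ! lsattr "$dir/ewallet.p12" 2>/dev/null | cut -d' ' -f1 | grep -q i; then
        echo "WARN ewallet.p12 is not immutable (chattr +i)"
    fi
    ( cd "$dir" && sha256sum ewallet.p12 cwallet.sso ) | cmp -s - "$state" ||
        { echo "DRIFT wallet files differ from baseline"; return 3; }
    echo "OK $dir"
}

# Constructed fixture: dummy files stand in for real wallet files. Returns 0
# when the check passes on the intact fixture and reports 1 after cwallet.sso
# is removed, mirroring the "lost autologin wallet" slide.
tde_wallet_demo() {
    d=$(mktemp -d); s="$d/baseline.sha256"
    printf 'fake p12\n' > "$d/ewallet.p12"; chmod 600 "$d/ewallet.p12"
    printf 'fake sso\n' > "$d/cwallet.sso"
    tde_wallet_baseline "$d" "$s"
    rc1=0; tde_wallet_check "$d" "$s" || rc1=$?
    rm -f "$d/cwallet.sso"
    rc2=0; tde_wallet_check "$d" "$s" || rc2=$?
    rm -rf "$d"
    [ "$rc1" = 0 ] && [ "$rc2" = 1 ]
}
tde_wallet_demo && echo "demo behaved as expected"
```

Take the baseline on the primary and run the check with the same baseline file on each RAC node or standby host; a DRIFT there is the wallet mismatch that appendix A reports as ORA-28374.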

Page 21: Tde oracle customer_demo

Appendix A

Physical standby database

• Yes, it works
• As long as the wallet is available on the standby site. After creating the wallet for the primary database, redo apply on the standby stops immediately. You see the following in the alert file of the standby database:

Apply redo for database master key re-key failed: new master key does not exist in the keystore
MRP0: Background Media Recovery terminated with error 28374
Errors in file /u01/app/oracle/diag/rdbms/test1_01/TEST1_1/trace/TEST1_1_pr00_8912.trc:
ORA-28374: typed master key not found in wallet
Mon May 09 16:32:17 2016
Managed Standby Recovery not using Real Time Apply
Recovery interrupted!

Solution: copy the wallet to the standby site.

Page 22: Tde oracle customer_demo

Appendix B

Rekey Wallet -- How do I change (rotate, re-key) the encryption keys?

• First copy the current wallet files to a backup directory.
• Change the wallet password:

$ orapki wallet change_pwd -wallet /u01/app/oracle/admin/TEST1_02/tde_wallet
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
New password:

• Now change the master key:

SYS@TEST1_1 SQL> alter system set encryption key identified by "Secret";
System altered.

• Now copy the wallet files to the other nodes for RAC, or to the candidate servers for RAC One.

Page 23: Tde oracle customer_demo

Appendix B

Rekey Wallet -- How do I change (rotate, re-key) the encryption keys?

• Now use orapki wallet display -wallet to validate the new password:

$ orapki wallet display -wallet /u01/app/oracle/admin/ADBA1_02/tde_wallet
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
Subject: CN=oracle
User Certificates:
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.ARdWiPlpNk//v21yGHOQSCIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.ASI051MIg0+tv2umfj9rUiMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.ATWs+inFQ09Fv7JneP6xBrwAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.TS.ENCRYPTION.BTks5HXDwpxFD/olKnblkckCAwAAAAAAAAAAAAAAAAAAAAAAAAAA
Trusted Certificates:

The red line (highlighted in the original slide) is the new password for the wallet.

Page 24: Tde oracle customer_demo

Appendix B

Rekey Wallet -- How do I change (rotate, re-key) the encryption keys?

Physical standby database

After rekeying the wallet for the primary database, redo apply on the standby stops immediately. You see the following in the alert file of the standby database:

Apply redo for database master key re-key failed: new master key does not exist in the keystore
MRP0: Background Media Recovery terminated with error 28374
Errors in file /u01/app/oracle/diag/rdbms/test1_01/TEST1_1/trace/TEST1_1_pr00_8912.trc:
ORA-28374: typed master key not found in wallet
Mon May 09 16:32:17 2016
Managed Standby Recovery not using Real Time Apply
Recovery interrupted!

Solution: copy the wallet to the standby site.

Page 25: Tde oracle customer_demo
