Oracle Transparent Data Encryption (TDE) 12c. Prepared by Huan Luu, 20/10/2014. Slides: Typical Deployment of Databases; Attack Surface; Direct Access to Data; Agenda: What is TDE?, Benefits of Using TDE, Types and Components of TDE, Oracle Wallet, TDE Column Encryption, Tablespace Encryption.
Oracle Transparent Data Encryption (TDE) 12c
Prepared by Huan Luu, 20/10/2014
Agenda
• What is TDE?
• Benefits of Using TDE
• Types and Components of TDE
• Oracle Wallet
• TDE Column Encryption
• Tablespace Encryption
What is TDE?
• An Oracle Advanced Security feature that lets you encrypt data at rest completely transparently to applications
• It is not an access control mechanism for Oracle database users
• Notice that the data is encrypted only at rest: when the database server processes the data in the SQL layer, data records are decrypted and processed in the clear
Why TDE/Encryption?
• If attackers gain access to the operating system as a powerful user (e.g. root or oracle), they can bypass the database and read the data files directly. Encryption protects the database files stored on disk
• Also, many regulatory compliance regimes require encrypting data at rest
Benefits of Using TDE
• Sensitive data is encrypted and therefore safe in the event that the storage media or a data file is stolen
• No need to create auxiliary tables, triggers, or views to decrypt data for the authorized user or application
• Data is transparently decrypted for database users and applications that access it
TDE Workflow
• Set up wallet and master key
• Identify
  • Tables with sensitive columns
  • Tablespaces with sensitive tables
• Open wallet
• Encrypt
  • The identified columns
  • The identified tablespaces
• Close wallet
Oracle Wallet
• Oracle Wallet Manager manages public key security credentials on Oracle clients and servers
• A wallet is:
  • A password-protected container used to store authentication and signing credentials (private keys, certificates, ...)
  • A data structure used to store and manage security credentials for an individual entity
• For Transparent Data Encryption, the term for wallet is keystore
Oracle Wallet
• A PKCS#12 formatted file residing outside of the database (in the file system)
• Encrypted using password-based encryption as defined in PKCS#5
• Holds the TDE master key
• It is good practice to set up the wallet outside of $ORACLE_BASE and grant minimal privileges on the wallet folder
Setting up Oracle Wallet
• Specify the wallet location in sqlnet.ora using ENCRYPTION_WALLET_LOCATION:
  ENCRYPTION_WALLET_LOCATION=
    (SOURCE=(METHOD=FILE)(METHOD_DATA=
      (DIRECTORY=/etc/orcl/keystore)))
• Initialize and create the master key in SQL*Plus in CDB$ROOT:
  ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/orcl/keystore' IDENTIFIED BY password;
• This creates a file called ewallet.p12 in the wallet folder
Opening the Wallet
• Once the wallet is open, the master key becomes available to the database:
  ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY chia_123 CONTAINER = ALL;
• Once the wallet is open, you can perform TDE operations
  • Column encryption
  • Tablespace encryption
• The v$encryption_wallet view shows the wallet status
Opening the Wallet
• To enforce least privilege and separation of duties, it is recommended to use a SYSKM user rather than a SYSDBA to perform wallet management
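The complete keystore setup sequence from the preceding slides, as an added example that is not part of the original deck. It assumes the /etc/orcl/keystore directory from the slides, a hypothetical common user c##sec_admin holding the SYSKM privilege, and a constructed password placeholder.

```sql
-- sqlnet.ora entry (a text file, not SQL), as on the slide:
--   ENCRYPTION_WALLET_LOCATION=
--     (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/etc/orcl/keystore)))

-- 1. Connect with the SYSKM privilege (separate from SYSDBA) in CDB$ROOT.
--    c##sec_admin is a hypothetical user name.
CONNECT c##sec_admin AS SYSKM

-- 2. Create the password-protected keystore file (ewallet.p12).
--    "<keystore_password>" is a constructed placeholder.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/orcl/keystore'
  IDENTIFIED BY "<keystore_password>";

-- 3. Open the keystore so the database can use its master key.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "<keystore_password>" CONTAINER = ALL;

-- 4. Create and activate the TDE master key. WITH BACKUP writes a copy of the
--    keystore before the change; the USING tag labels that backup file.
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "<keystore_password>"
  WITH BACKUP USING 'initial_master_key'
  CONTAINER = ALL;

-- 5. Check the keystore: STATUS shows OPEN/CLOSED, WALLET_TYPE shows
--    PASSWORD or AUTOLOGIN, FULLY_BACKED_UP whether a backup exists.
SELECT wrl_type, wrl_parameter, status, wallet_type, fully_backed_up
  FROM v$encryption_wallet;

-- 6. Optional: an auto-login keystore (cwallet.sso) lets the database open
--    the keystore without the password after a restart. Caveat for the
--    threat model on the "Why TDE" slide: an OS user who can read both
--    ewallet.p12 and cwallet.sso can open the keystore, so restrict the
--    directory permissions to the oracle software owner only.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE
  FROM KEYSTORE '/etc/orcl/keystore'
  IDENTIFIED BY "<keystore_password>";

-- 7. Close the keystore when no TDE operations are pending.
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE
  IDENTIFIED BY "<keystore_password>" CONTAINER = ALL;
```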
Two-Tier Key Architecture
• The master key is stored in an Oracle Wallet (keystore)
• Tablespace or table (column) keys are stored in the database itself, in the Oracle data dictionary, encrypted with the master key
• If an HSM is used as the Oracle Wallet, the master key is never fetched into the database to decrypt the tablespace/table keys
TDE Column Encryption
• Lets you encrypt one or more columns of a table
• Each column is assigned a unique symmetric key
• The symmetric keys are stored in the Oracle data dictionary (in the sys.enc$ table), encrypted with the master key
TDE Column Encryption
• Create the encemp table with two encrypted columns:
  create table encemp (
    name varchar2(128) encrypt,
    salary number(6) encrypt,
    position varchar2(32)
  );
• The user_encrypted_columns view shows the encrypted columns:
  TABLE_NAME  COLUMN_NAME  ENCRYPTION_ALG
  ----------  -----------  ----------------
  ENCEMP      NAME         AES 192 bits key
  ENCEMP      SALARY       AES 192 bits key
TDE Column Encryption
• Encryption parameters can be changed, and columns encrypted or decrypted, later using the ALTER TABLE statement
• Both the master key and the table keys can be changed
  • If the master key is changed, the encrypted columns are not touched
  • If the table keys are changed, the encrypted columns are re-encrypted with the new keys
Limitations of Column Encryption
• Higher overhead than tablespace encryption
• Supports only B-tree indexes
• Foreign key columns cannot be encrypted
• Cannot perform range scans over encrypted data
• Requires more storage
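The column-encryption lifecycle from the three preceding slides (create, re-key, change parameters, index an encrypted column) as an added example, not code from the original deck. It uses the encemp table from the slides and assumes an open keystore and a constructed password placeholder.

```sql
-- Create the table; salary gets an explicit algorithm, name keeps the default.
CREATE TABLE encemp (
  name     VARCHAR2(128) ENCRYPT,
  salary   NUMBER(6)     ENCRYPT USING 'AES256',
  position VARCHAR2(32)
);

-- Inserts and selects are transparent: the SQL layer sees plaintext.
INSERT INTO encemp (name, salary, position) VALUES ('Alice', 5000, 'analyst');
SELECT name, salary FROM encemp;

-- Rotate the TABLE keys: every encrypted column is re-encrypted (the
-- second case on the "change keys" slide). This rewrites the column data.
ALTER TABLE encemp REKEY USING 'AES256';

-- Rotate the MASTER key instead: only the table keys in sys.enc$ are
-- re-wrapped; the column ciphertext is left untouched (the first case).
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "<keystore_password>" WITH BACKUP CONTAINER = ALL;

-- Add encryption to a column later, or remove it again.
ALTER TABLE encemp MODIFY (position ENCRYPT);
ALTER TABLE encemp MODIFY (position DECRYPT);

-- Limitation in practice: a B-tree index on an encrypted column requires
-- NO SALT (salted ciphertext differs per row, so it cannot be indexed),
-- and the index then serves equality lookups only, not range scans.
ALTER TABLE encemp MODIFY (name ENCRYPT NO SALT);
CREATE INDEX encemp_name_ix ON encemp (name);

-- Review the resulting settings; SALT shows YES/NO per column.
SELECT table_name, column_name, encryption_alg, salt, integrity_alg
  FROM user_encrypted_columns
 WHERE table_name = 'ENCEMP';
```

Dropping SALT trades some resistance against pattern analysis of identical values for the ability to index, so apply NO SALT only to columns that genuinely need an index.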
Tablespace Encryption
• Every object in the tablespace is encrypted
• Specify the encryption parameters at the time of tablespace creation:
  create tablespace encts
    logging
    datafile '?/dbs/encts.dbf' size 32m autoextend on next 32m maxsize 2048m
    encryption
    default storage(encrypt);
• Note that you cannot encrypt existing tablespaces
Tablespace Encryption
• You can view the encrypted tablespaces using the dba_tablespaces view:
  TABLESPACE_NAME  ENCRYPTED
  ---------------  ---------
  SYSTEM           NO
  SYSAUX           NO
  TEMP             NO
  SYSEXT           NO
  ENCTS            YES
• Use the v$encrypted_tablespaces view to see the encryption options set for encrypted tablespaces
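Because an existing tablespace cannot be encrypted in place, the practical procedure is to create an encrypted tablespace and relocate the sensitive objects into it. This added example (not from the original deck) uses the encts tablespace from the slides and a hypothetical schema hr with a table employees and index emp_name_ix; it assumes an open keystore.

```sql
-- Create the encrypted tablespace; AES256 is chosen explicitly here
-- (the slide's example relies on the default algorithm).
CREATE TABLESPACE encts
  LOGGING
  DATAFILE '?/dbs/encts.dbf' SIZE 32M AUTOEXTEND ON NEXT 32M MAXSIZE 2048M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- Move the sensitive table and rebuild its indexes into the new tablespace.
-- hr.employees and hr.emp_name_ix are hypothetical names.
ALTER TABLE hr.employees MOVE TABLESPACE encts;
ALTER INDEX hr.emp_name_ix REBUILD TABLESPACE encts;

-- Confirm that no segment of the schema is left in a cleartext tablespace.
SELECT owner, segment_name, segment_type, tablespace_name
  FROM dba_segments
 WHERE owner = 'HR'
   AND tablespace_name <> 'ENCTS';

-- The ENCRYPTED flag per tablespace (the slide's dba_tablespaces listing).
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 ORDER BY tablespace_name;

-- Algorithm and state per encrypted tablespace, joined to its name.
SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;
```

Relocating a table does not scrub the blocks it previously occupied, so the old data file still holds plaintext until those blocks are reused or the old tablespace is dropped and its files securely removed.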
Re-Key Support
• Unified master key: both column and tablespace encryption use the same master key