Database Security
Objectives
After completing this lesson, you should be able to do the following:
• Implement Transparent Data Encryption (TDE)
• Use TDE with encrypted columns
• Describe Data Pump (DP) encryption
• Identify components of Recovery Manager (RMAN)–encrypted backups
• Define basic concepts of a Virtual Private Database (VPD)
• Apply a column-level VPD policy

Oracle Transparent Data Encryption (TDE): Overview
• Need for secure information
• Automatic encryption of sensitive information:
  • Embedded in the Oracle database
  • No need to change application logic
  • Encrypts data and index values
• Using an encryption key:
  • Master key for the entire database
  • Stored in Oracle Wallet
[Figure labels: Column and index data, Wallet, Encryption/Decryption]

TDE Process
[Figure labels: Wallet, Master key, Column keys, External Security Module, Encrypted data, Clear data; sample table columns Name, Sal, Card, Address; statements SELECT | INSERT | UPDATE, CREATE TABLE, ALTER TABLE]

Implementing Transparent Data Encryption
1. Create a wallet: automatically or by using Oracle Wallet Manager.
   Example sqlnet.ora entry:

    ENCRYPTION_WALLET_LOCATION=
      (SOURCE=(METHOD=FILE)(METHOD_DATA=
        (DIRECTORY=/opt/oracle/product/10.2.0/db_1/)))

Implementing Transparent Data Encryption
2. Set the master key from within your instance:

    ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY <password>;

3. Open the wallet from within your instance (future):

    ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY <password>;

4. Create tables that contain encrypted columns:

    CREATE TABLE emp (
      first_name VARCHAR2(128),
      last_name  VARCHAR2(128),
      empID      NUMBER ENCRYPT NO SALT,
      salary     NUMBER(6) ENCRYPT USING '3DES168',
      comm       NUMBER(6) ENCRYPT);

Existing Tables and TDE
• Add encrypted columns:

    ALTER TABLE emp ADD (ssn VARCHAR2(11) ENCRYPT);

• Encrypt unencrypted columns:

    ALTER TABLE emp MODIFY (first_name ENCRYPT);

• Disable column encryption:

    ALTER TABLE emp MODIFY (first_name DECRYPT);

• Add or remove salt:

    ALTER TABLE emp MODIFY (first_name ENCRYPT [NO] SALT);

• Change keys and the encryption algorithm:

    ALTER TABLE emp REKEY USING '3DES168';

Transparent Data Encryption: Considerations
• You cannot encrypt tables owned by SYS.
• LONG and LOB data types are not supported.
• The supported encryption algorithms are:
  • 3DES168
  • AES128
  • AES192
  • AES256
• NO SALT must be used to encrypt index columns.
• TDE works with indexes for equality searches.
• Encrypted data must be decrypted before expression evaluation.
• Best practice tip: Back up the wallet.

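A check to run after the implementation steps and the NO SALT consideration above. This is an added example, not part of the original slides; it reuses the emp table from the slides, and the index names emp_empid_ix and emp_comm_ix are hypothetical.

```sql
-- Added example, not from the original slides. Run as a DBA once the
-- wallet, master key and emp table from the preceding steps exist.

-- The wallet must report OPEN before encrypted columns can be used.
SELECT wrl_type, wrl_parameter, status
FROM   v$encryption_wallet;

-- Inventory of encrypted columns with their algorithm and salt setting.
SELECT owner, table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns
ORDER  BY owner, table_name, column_name;

-- empID was declared ENCRYPT NO SALT, so it can be indexed and used in
-- equality searches. (Index name is hypothetical.)
CREATE INDEX emp_empid_ix ON emp (empID);

-- comm was declared with plain ENCRYPT, which salts by default.
-- Re-encrypt it without salt before indexing it.
ALTER TABLE emp MODIFY (comm ENCRYPT NO SALT);
CREATE INDEX emp_comm_ix ON emp (comm);

-- Re-check the salt setting for the table after the change.
SELECT column_name, encryption_alg, salt
FROM   dba_encrypted_columns
WHERE  table_name = 'EMP';
```

Without salt, equal plaintext values encrypt to equal ciphertext, so reserve NO SALT for columns that have to be indexed.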
Wallet Support for Usernames and Passwords
• Wallets can now hold more than just a certificate:
  • You can store usernames and passwords in a wallet rather than providing them on the command line.
• Batch job processing:
  • Protects exposure of usernames and passwords when listing processes on the OS
• Set up using:
  • WALLET_LOCATION in sqlnet.ora
  • mkstore utility

    connect /@db_connect_string

Data Pump and Transparent Data Encryption
• Use your own provided column key during export and import:

    ENCRYPTION_PASSWORD = <password>

• Also true for external tables:

    CREATE TABLE emp_ext (
      first_name, last_name, empID,
      salary ENCRYPT IDENTIFIED BY "xIcf3T9u" )
    ORGANIZATION EXTERNAL
      ( TYPE ORACLE_DATAPUMP
        DEFAULT DIRECTORY "D_DIR"
        LOCATION('emp_ext.dat') )
    REJECT LIMIT UNLIMITED
    as select * from employees;

RMAN Encrypted Backups: Overview
• Three possible encryption modes for your backups:
  • Transparent mode:
    • Requires Oracle Wallet
    • Is best suited for day-to-day backup and restore operations at the same location
    • Is the default encryption mode
  • Password mode:
    • Requires you to provide a password
    • Is best suited for backups restored at remote locations
  • Dual mode:
    • Can use either Oracle Wallets or passwords
    • Is best suited for backups restored locally and remotely

Transparent Mode Setup
1. Create a wallet: automatically or by using Oracle Wallet Manager.
2. Open the wallet from within your instance:

    ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY <password>;

3. Set the master key from within your instance:

    ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY <password>;

4. Configure RMAN to use transparent encryption:

    CONFIGURE ENCRYPTION FOR DATABASE ON

5. There are no changes to your backup or recover commands.
6. Permanent configuration can be temporarily overwritten:

    SET ENCRYPTION OFF

Password Mode Setup
1. Set your RMAN session to use password encryption:

    SET ENCRYPTION ON IDENTIFIED BY password ONLY

2. There are no changes to your backup commands.
3. Set your RMAN session to decrypt password-encrypted backups:

    SET DECRYPTION IDENTIFIED BY password1 {, password2,…, passwordn}

4. There are no changes to your recover commands.

Dual Mode Setup
1. Create a wallet: automatically or by using Oracle Wallet Manager.
2. Open the wallet from within your instance:

    ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY <password>;

3. Set your RMAN session to use dual encryption:

    SET ENCRYPTION ON IDENTIFIED BY password

4. There are no changes to your backup commands.
5. If necessary, set your RMAN session to decrypt your backups by using the password:

    SET DECRYPTION IDENTIFIED BY password1 {, password2,…, passwordn}

6. There are no changes to your recover commands.

RMAN-Encrypted Backups: Considerations
• Image copy backups cannot be encrypted.
• COMPATIBLE must be set to at least 10.2.0.
• V$RMAN_ENCRYPTION_ALGORITHMS contains the list of possible encryption algorithms.
• Backup encryption is available only with Oracle Database Enterprise Edition.
• One new encryption key is used for each new encrypted backup.
• You can increase disk performance by using multiple channels.
• You can change the master key anytime without affecting your transparent encrypted backups.

    CONFIGURE ENCRYPTION ALGORITHM 'algorithmname'
    SET ENCRYPTION ALGORITHM 'algorithmname'

Need for Data Privacy
• Examples:
  • Employees: Protect salary and commission percent (used in the remainder of this lesson)
  • Online banking: Protect access to accounts
  • Web store: Supply individual shopping baskets
  • Web host: Allow each customer to see only their own data
• Used in Oracle SalesOnline.com and Oracle Portal

Definition and Usage of Terms
• Fine-grained access control (FGAC): Use of functions
• Application context: To preserve user identity and serve as a secure data cache for application attributes and values
• Application attributes: Used by fine-grained access policies

Virtual Private Database: Overview
• Virtual Private Database (VPD) consists of:
  • Fine-grained access control (FGAC)
  • Secure application context
• VPD uses policies to add conditions to SQL statements that protect sensitive data.
• VPD provides row-level access control.
• Application attributes defined inside an application context are used by fine-grained access policies.

Virtual Private Database: Features
• Column-level VPD enforces row-level access control based on accessed security columns.
• With customization, you can define static and nonstatic policies.
• Using shared policies, you can associate one policy with multiple objects.
• Policy type can be INDEX.
• Policy predicate text string can be of size 32 KB.

Column-Level VPD: Example
• Statements are not always rewritten.
• Consider a policy protecting the SALARY and COMMISSION_PCT columns of the EMPLOYEES table. Fine-grained access control is:
  • Not needed for this query:

    SQL> SELECT last_name FROM employees;

  • Enforced for these queries:

    SQL> SELECT last_name, salary
      2  FROM employees;
    SQL> SELECT * FROM employees;

Creating a Column-Level Policy
• Grant the privilege.
• Create the function.
• Apply the policy to the object.

    BEGIN
      dbms_rls.add_policy(
        object_schema     => 'hr',
        object_name       => 'employees',
        policy_name       => 'hr_policy',
        function_schema   => 'hr',
        policy_function   => 'hrsec',
        statement_types   => 'select,insert',
        sec_relevant_cols => 'salary,commission_pct');
    END;
    /

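The slide shows only the third step. The following added example, which is not part of the original slides, fills in the grant and one possible body for the hrsec policy function, then checks the result against the queries from the column-level example. It assumes the sample HR.EMPLOYEES table with its EMAIL column and database accounts named after EMAIL values; the parameter names p_schema and p_object are hypothetical.

```sql
-- Added example, not from the original slides. Assumptions: the sample
-- HR.EMPLOYEES table, and database accounts named after EMPLOYEES.EMAIL.

-- Step 1 (as a DBA): let HR call the policy-administration package.
GRANT EXECUTE ON dbms_rls TO hr;

-- Step 2 (as HR): the policy function. The database passes the schema and
-- object name and adds the returned text to the statement as a condition.
CREATE OR REPLACE FUNCTION hr.hrsec (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
  -- The owner keeps full access; a NULL predicate adds no restriction.
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'HR' THEN
    RETURN NULL;
  END IF;
  -- Everyone else sees protected columns for their own row only. The
  -- identity is read inside the predicate, never concatenated from input.
  RETURN 'email = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END hrsec;
/

-- Step 3: register the policy with the dbms_rls.add_policy call on the slide.

-- Check the registration (as a DBA).
SELECT policy_name, pf_owner, function, sel, ins, enable
FROM   dba_policies
WHERE  object_owner = 'HR' AND object_name = 'EMPLOYEES';

SELECT policy_name, sec_rel_column
FROM   dba_sec_relevant_cols
WHERE  object_owner = 'HR' AND object_name = 'EMPLOYEES';

-- Check the behaviour from a non-owner session with SELECT on hr.employees.
SELECT last_name FROM hr.employees;          -- no protected column referenced
SELECT last_name, salary FROM hr.employees;  -- protected column: predicate added
```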
Summary
In this lesson, you should have learned how to:
• Implement Transparent Data Encryption
• Use TDE with encrypted columns
• Describe Data Pump encryption
• Identify components of RMAN-encrypted backups
• Define basic concepts of a Virtual Private Database
• Apply a column-level VPD policy

Practice Overview: Using Oracle Database Security
This practice covers the following topics:
• Implementing TDE by creating an encrypted wallet and encryption keys
• Using TDE with encrypted columns