The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Encrypt Your Sensitive Data Transparently in 30 Minutes or Less
Paul Youn, Senior Member of Technical Staff
Peter Wahl, Senior Product Manager

When in Doubt, Encrypt
Encryption Recognized as Defensible Safeguard
• Security Breach Notification Laws recognize encryption as a safeguard against data breaches
• Encryption is now a de-facto solution for regulatory compliance with all data privacy and breach notification laws

Oracle Advanced Security
Feature Overview
• Transparent Data Encryption
  • Full tablespace encryption
  • Column-level
  • Encrypted backups (RMAN) and Data Pump Exports
• Built-In Key Management
  • Managed by the database
  • Hardware Security Module (HSM) integration
• Network Encryption
• Strong Authentication
[Figure labels: Strong Authentication; Network Encryption; Encrypted Tape Backups, Disk Backups, Exports]

Prepare Database for TDE Tablespace Encryption
Configure External Security Module
• Create directory to store Oracle Wallet or install and configure Hardware Security Module
• Create Master Key:
    alter system set encryption key identified by "password";

Rolling out TDE Tablespace Encryption
• Fresh Application Installation
  • Modify install scripts to create encrypted tablespaces
  • Install application using the modified script
• Existing Application
  • Use Online Table Redefinition to transparently migrate an existing application
  • No downtime
  • Transparent to application and application users

Fresh Installation
Example: PeopleSoft Enterprise
• Edit xxDDL.sql install scripts (e.g. epddl.sql)
  Replace:
    CREATE TABLESPACE AMAPP DATAFILE '/opt/oracle/oradata/amapp.dbf' SIZE 90M
      EXTENT MANAGEMENT LOCAL AUTOALLOCATE;
  With:
    CREATE TABLESPACE AMAPP DATAFILE '/opt/oracle/oradata/amapp.dbf' SIZE 90M
      EXTENT MANAGEMENT LOCAL AUTOALLOCATE
      ENCRYPTION USING 'AES256' DEFAULT STORAGE(ENCRYPT);
• Run script

Existing Installation
Step-by-Step: Preparation
• SYS grants execution rights for Online Table Redefinition to SYSADM
• Temporary additional storage: size of largest tablespace
• Create new encrypted tablespaces containing all interim tables that correspond to the source tablespaces and tables

Existing Installation
Step-by-Step: Create Initial Encrypted Copies
• Create a procedure that generates individual scripts to start redefining all tables, one tablespace at a time
• Copy dependent objects using dbms_redefinition.copy_table_dependents (indexes, triggers, constraints, privileges, statistics, MV logs)

Existing Installation
Step-by-Step: Synchronize and Finish
• Create a procedure that generates individual scripts to synchronize interim with original tables
• Create a procedure that generates individual scripts that automatically finish the redefinition process:
  • Synchronize interim and original tables
  • Names of original tables and interim tables are switched
  • Original tables briefly locked
• Rename the original tablespaces
• Rename encrypted tablespaces to original tablespace name:
    alter tablespace <TBS_NAME_ENC> rename to <TBS_NAME>;

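The three "Existing Installation" steps above, carried through for a single table and followed by a check for data left unencrypted. This is an added example, not code from the presentation: SYSADM and AMAPP appear on the slides, while PS_EXAMPLE_TBL, PS_EXAMPLE_TBL_E, AMAPP_ENC, AMAPP_OLD and the datafile path are assumed names, and the table is assumed to have a primary key.

```sql
-- Added example. SYSADM and AMAPP come from the slides; PS_EXAMPLE_TBL,
-- PS_EXAMPLE_TBL_E, AMAPP_ENC, AMAPP_OLD and the datafile path are assumed.
-- Assumes the table has a primary key and SYSADM can run DBMS_REDEFINITION.

-- Preparation: encrypted tablespace plus an empty interim table inside it.
CREATE TABLESPACE AMAPP_ENC
  DATAFILE '/opt/oracle/oradata/amapp_enc.dbf' SIZE 90M
  EXTENT MANAGEMENT LOCAL AUTOALLOCATE
  ENCRYPTION USING 'AES256' DEFAULT STORAGE(ENCRYPT);
CREATE TABLE SYSADM.PS_EXAMPLE_TBL_E TABLESPACE AMAPP_ENC
  AS SELECT * FROM SYSADM.PS_EXAMPLE_TBL WHERE 1 = 0;

DECLARE
  v_errors PLS_INTEGER;
BEGIN
  -- Raises an exception if the table cannot be redefined online.
  DBMS_REDEFINITION.CAN_REDEF_TABLE('SYSADM', 'PS_EXAMPLE_TBL',
                                    DBMS_REDEFINITION.CONS_USE_PK);
  -- Initial encrypted copy: loads the current rows into the interim table.
  DBMS_REDEFINITION.START_REDEF_TABLE(
    uname => 'SYSADM', orig_table => 'PS_EXAMPLE_TBL',
    int_table => 'PS_EXAMPLE_TBL_E',
    options_flag => DBMS_REDEFINITION.CONS_USE_PK);
  -- Dependent objects. ignore_errors lets the copy continue past dependents
  -- the interim table already has (CTAS carries NOT NULL constraints over).
  DBMS_REDEFINITION.COPY_TABLE_DEPENDENTS(
    uname => 'SYSADM', orig_table => 'PS_EXAMPLE_TBL',
    int_table => 'PS_EXAMPLE_TBL_E',
    copy_indexes => DBMS_REDEFINITION.CONS_ORIG_PARAMS,
    copy_triggers => TRUE, copy_constraints => TRUE, copy_privileges => TRUE,
    ignore_errors => TRUE, num_errors => v_errors,
    copy_statistics => TRUE, copy_mvlog => TRUE);
  DBMS_OUTPUT.PUT_LINE('dependents with copy errors: ' || v_errors);
  -- Apply changes made during the copy, then swap the names (brief lock).
  DBMS_REDEFINITION.SYNC_INTERIM_TABLE('SYSADM', 'PS_EXAMPLE_TBL', 'PS_EXAMPLE_TBL_E');
  DBMS_REDEFINITION.FINISH_REDEF_TABLE('SYSADM', 'PS_EXAMPLE_TBL', 'PS_EXAMPLE_TBL_E');
END;
/
-- PS_EXAMPLE_TBL_E now holds the old unencrypted copy; drop it.
DROP TABLE SYSADM.PS_EXAMPLE_TBL_E PURGE;

-- Once every table in AMAPP has been redefined:
ALTER TABLESPACE AMAPP RENAME TO AMAPP_OLD;
ALTER TABLESPACE AMAPP_ENC RENAME TO AMAPP;

-- Check: any row returned is a SYSADM segment still stored unencrypted.
SELECT s.segment_name, s.segment_type, s.tablespace_name
  FROM dba_segments s
  JOIN dba_tablespaces t ON t.tablespace_name = s.tablespace_name
 WHERE s.owner = 'SYSADM' AND t.encrypted = 'NO';
```

If the error count printed by the block is not zero, review DBA_REDEFINITION_ERRORS to see which dependents were skipped. Rows from the final query, such as indexes that live in a separate tablespace, still need to be moved to an encrypted tablespace.
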
For More Information
Search search.oracle.com for "Transparent Data Encryption" or visit http://www.oracle.com/database/security/index.html