Oracle Transparent Data Encryption
Nguyễn Văn Hiệu 50600745
Nguyễn Thanh Tú 50602872
Vũ Thị Ngọc Hạnh 50600654
Outline
• Oracle Transparent Data Encryption.
• Oracle TDE Overhead and Limitations.
• Oracle TDE With Other Mechanisms.

Transparent Data Encryption
• Introduction.
• Key Management In TDE.
• Supported Algorithms And Data Types.
• Using Oracle TDE.
Introduction
• TDE is employed by both Microsoft and Oracle.
• In Oracle it was first enabled in the Advanced Security Option of Oracle Database 10g Release 2.
• TDE protects data "at rest", meaning the data and log files. It protects data in the columns of a table or in a whole tablespace (Oracle 11g).
• Database-based encryption: the database encrypts the data before it is stored and decrypts it when someone accesses it.
• You only specify which data needs to be encrypted and TDE does the work for you.

Introduction
• Why is TDE "transparent"?
• Data from tables is transparently decrypted and encrypted for the database user.
• Anyone who accesses the data through the database sees it in unencrypted form.
• TDE was built to ensure that if someone steals the data files, they will not have access to the sensitive information in them.
Key Management In TDE
• TDE Key Management
• Each table has a column encryption key (CK).
• CKs are stored in the data dictionary in encrypted form, encrypted with a Master Key.
• The Master Key sits within the Oracle Wallet, which is secured with a password. Password → open wallet → extract Master Key → decrypt CKs → decrypt the data.
Setting Up Oracle TDE
• Create a wallet: either the default wallet or a separate wallet for TDE, configured in sqlnet.ora:
  ENCRYPTION_WALLET_LOCATION =
    (SOURCE =
      (METHOD = file)
      (METHOD_DATA =
        (DIRECTORY = C:\oracle\product\10.2.0\db_1\NETWORK\ADMIN\tde_wallet)))
• Set the Master Encryption Key:
  ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY password;
Encrypt Column In Oracle TDE
• Create a new table with encrypted columns:
  CREATE TABLE employee (
    name    VARCHAR2(128),
    address VARCHAR2(128) ENCRYPT NO SALT,
    salary  NUMBER(6) ENCRYPT USING '3DES168');
• Algorithms: AES128, AES192, AES256, 3DES168.
• Default is AES192.

Encrypt Column In Oracle TDE
• Encrypting/decrypting an existing column:
  ALTER TABLE table_name MODIFY column_name [ENCRYPT | DECRYPT] [SALT | NO SALT];
  Ex:
  • ALTER TABLE emp MODIFY empno ENCRYPT NO SALT;
  • ALTER TABLE employee MODIFY (phone_number DECRYPT);

Encrypt Column In Oracle TDE
• Resetting the key and algorithm:
  ALTER TABLE table_name REKEY [USING 'algorithm_name'];
  Ex:
  • ALTER TABLE emp REKEY;
  • ALTER TABLE emp REKEY USING 'AES256';
Encrypt Foreign Key And Index Column
• Encrypt foreign key: a foreign key column cannot be encrypted with column TDE!
  • Use TDE tablespace encryption instead.
• Index column: can be encrypted as long as NO SALT is used.
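The column-encryption steps from the last few slides put together as one script, as an added example rather than code from the slides. The schema HR, the table employee and its columns are assumptions, the wallet is assumed to be configured and open, and the password is a placeholder.

```sql
-- Added example (not from the slides): end-to-end column TDE on a hypothetical
-- HR.employee table. Runs as a user with ALTER SYSTEM and CREATE TABLE privileges;
-- the wallet location in sqlnet.ora is assumed to be configured already.

-- 1. Create the master key (first time only). Password is a placeholder.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet_pw_placeholder";

-- 2. Columns that will be indexed or searched by equality must use NO SALT;
--    columns that are only read back can keep the default SALT, which hides
--    repeated plaintext values behind different ciphertexts.
CREATE TABLE hr.employee (
  empno   NUMBER(6)     PRIMARY KEY,
  name    VARCHAR2(128),
  ssn     VARCHAR2(11)  ENCRYPT NO SALT,          -- default algorithm AES192
  salary  NUMBER(8,2)   ENCRYPT USING 'AES256'    -- SALT by default
);
CREATE INDEX hr.employee_ssn_ix ON hr.employee (ssn);   -- allowed only because NO SALT

-- 3. Ordinary DML: encryption on write and decryption on read happen inside the
--    database, the application sees plaintext.
INSERT INTO hr.employee VALUES (1001, 'A. Nguyen', '123-45-6789', 5200.00);
COMMIT;
SELECT name, ssn, salary FROM hr.employee WHERE ssn = '123-45-6789';   -- uses the index

-- 4. Verify from the data dictionary which columns are encrypted and how.
SELECT table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns
WHERE  owner = 'HR';

-- 5. Encrypt an existing column afterwards, then rotate the table key and
--    switch the algorithm; the data is re-encrypted in place.
ALTER TABLE hr.employee MODIFY (name ENCRYPT NO SALT);
ALTER TABLE hr.employee REKEY USING 'AES256';
```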
Encrypt Tablespace (Oracle 11g)
• Encrypted tablespaces
  • First enabled in Oracle 11g.
  • All data stored in an encrypted tablespace is encrypted.
  • We cannot encrypt an existing tablespace; we can only create a new tablespace and move the data into it.
  • Less maintenance, planning, design and setup.
  • Allows index range scans.

Encrypt Tablespace (Oracle 11g)
• The Master Tablespace Encryption Key stored in the wallet encrypts the tablespace keys.
• Create a new encrypted tablespace. Example:
  CREATE TABLESPACE secure_space
    DATAFILE '/home/secure01.dbf' SIZE 150M
    ENCRYPTION
    DEFAULT STORAGE (ENCRYPT);
  (Default algorithm: AES128.)

Encrypt Tablespace (Oracle 11g)
• Create a new encrypted tablespace with an explicit algorithm. Example:
  CREATE TABLESPACE secure_space
    DATAFILE '/home/secure01.dbf' SIZE 150M
    ENCRYPTION USING '3DES168'
    DEFAULT STORAGE (ENCRYPT);
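The tablespace route from the slides above carried through for the case the earlier slide raised, a foreign-key column that column TDE cannot encrypt. This is an added example, not code from the slides; the schema HR, the table payroll, its indexes and the datafile path are assumptions.

```sql
-- Added example (not from the slides): moving an existing table into an
-- encrypted tablespace (Oracle 11g). Assumes an open wallet, a schema HR and a
-- table HR.payroll (with a foreign key to HR.employee) currently in USERS.

-- 1. Create the encrypted tablespace. Without USING the algorithm is AES128.
CREATE TABLESPACE secure_space
  DATAFILE '/u01/oradata/secure01.dbf' SIZE 150M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 2. An existing tablespace cannot be encrypted, so the table is moved. MOVE
--    rewrites every block, which is what encrypts the data; it also marks the
--    table's indexes UNUSABLE, so they are rebuilt into the same tablespace.
ALTER TABLE hr.payroll MOVE TABLESPACE secure_space;
ALTER INDEX hr.payroll_pk        REBUILD TABLESPACE secure_space;
ALTER INDEX hr.payroll_emp_fk_ix REBUILD TABLESPACE secure_space;

-- 3. Confirm the tablespace is encrypted and that the table now lives there.
SELECT t.name, e.encryptionalg, e.encryptedts
FROM   v$tablespace t
JOIN   v$encrypted_tablespaces e ON e.ts# = t.ts#;

SELECT table_name, tablespace_name
FROM   dba_tables
WHERE  owner = 'HR' AND table_name = 'PAYROLL';

-- 4. Range scans work on the foreign-key column because whole blocks are
--    decrypted on read, unlike per-value column encryption.
SELECT empno, pay_date, amount
FROM   hr.payroll
WHERE  empno BETWEEN 1000 AND 1999;

-- Caveat: the blocks freed in USERS still hold the old cleartext until they are
-- overwritten, so the old datafile needs the same handling as a backup.
```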
Manage TDE Master Keys
• Setting a password to protect the Master Key within the wallet:
  ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY password;
• By default, the Master Key is randomly generated by TDE.
• You can use a Public Key Infrastructure (PKI) key pair as the Master Key.

Manage TDE Master Keys
• Using a PKI key pair as Master Key:
  ALTER SYSTEM SET ENCRYPTION KEY certificate_id IDENTIFIED BY password;
• When starting the DBMS, the wallet must be opened:
  ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY password;
• If using a PKI key pair as Master Key, we can use an auto-login wallet. Set up the auto-login wallet using Wallet Manager.

Manage TDE Master Keys
• Resetting the Master Key:
  ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY password;
• Remember: ALWAYS back up the wallet and its password in a safe place. This is very important whenever you back up data, because a backup of the data files cannot be decrypted without the wallet.
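The wallet and master-key operations from these three slides in the order a DBA meets them over the life of a database, as an added example that is not code from the slides. The HR.employee table with an encrypted ssn column and an unencrypted name column is assumed, and the password is a placeholder.

```sql
-- Added example (not from the slides): wallet lifecycle and master-key rotation.
-- Assumes HR.employee exists with ssn ENCRYPT and name not encrypted.

-- After every instance startup (unless an auto-login wallet is configured) the
-- wallet is closed, so encrypted columns are unreadable while plain ones work.
SELECT wrl_parameter, status FROM v$encryption_wallet;   -- STATUS = CLOSED
SELECT name FROM hr.employee WHERE ROWNUM = 1;            -- works: not encrypted
SELECT ssn  FROM hr.employee WHERE ROWNUM = 1;            -- ORA-28365: wallet is not open

ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet_pw_placeholder";
SELECT status FROM v$encryption_wallet;                   -- STATUS = OPEN
SELECT ssn FROM hr.employee WHERE ROWNUM = 1;             -- now decrypts

-- Master-key rotation: a new master key is generated and the column keys are
-- re-encrypted under it; the table data itself is not rewritten. Copy the
-- wallet file (ewallet.p12 in ENCRYPTION_WALLET_LOCATION) to safe storage
-- before and after, since a datafile backup is unreadable without the wallet
-- that matches it.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet_pw_placeholder";

-- Close the wallet whenever the database should not be able to decrypt, for
-- example while storage staff copy data files.
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;
```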
TDE Overhead
• Operations take longer because Oracle needs to encrypt data on INSERT or UPDATE and decrypt it on SELECT.
• Encrypting or decrypting one column takes about 5% more time.
• Storage requirements grow because encrypted data takes up more bytes than the original data.

TDE Limitations
• TDE encrypts data at the SQL layer before the data reaches the disk, so utilities that bypass the SQL layer do not work with TDE, e.g. Oracle Streams, Change Data Capture, Oracle Audit Vault Redo...
• Cannot use TDE with:
  • Index columns and range-scan searches.
  • The original import/export utilities.

TDE Limitations
• Cannot use TDE with:
  • Materialized view logs.
  • External large objects (BFILE).
  • Transportable tablespaces.
Oracle TDE With Other Mechanisms
• In versions older than Oracle 10g:
  • The DBMS_OBFUSCATION_TOOLKIT package provides a simple API for data encryption.
  • It provides only a few encryption methods: DES and Triple DES.
  • Encryption and decryption are not transparent: we must develop a separate function to encrypt/decrypt data for each individual column => difficult to implement.
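What the "separate function per column" burden on this slide looks like in practice, as an added example and not code from the slides. The table employee_legacy, the two wrapper functions and the way the key is passed are hypothetical; DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt/DES3Decrypt and the UTL_RAW calls are the real package APIs.

```sql
-- Added example (not from the slides): pre-TDE column encryption with
-- DBMS_OBFUSCATION_TOOLKIT. Every encrypted column needs a pair of wrappers
-- like these, and every INSERT and SELECT has to call them explicitly.

-- DES3Encrypt takes a 16-byte key (two-key 3DES, which => 0) and requires the
-- input length to be a multiple of 8 bytes, so padding is the caller's job.
CREATE OR REPLACE FUNCTION legacy_encrypt_salary(p_salary IN NUMBER,
                                                 p_key    IN RAW) RETURN RAW IS
  v_plain RAW(2000)   := UTL_RAW.CAST_TO_RAW(TO_CHAR(p_salary));
  v_pad   PLS_INTEGER := 8 - MOD(UTL_RAW.LENGTH(v_plain), 8);
BEGIN
  -- PKCS#5-style padding: append v_pad bytes, each holding the value v_pad
  v_plain := UTL_RAW.CONCAT(v_plain,
                            UTL_RAW.COPIES(HEXTORAW('0' || TO_CHAR(v_pad)), v_pad));
  RETURN DBMS_OBFUSCATION_TOOLKIT.DES3ENCRYPT(input => v_plain, key => p_key, which => 0);
END;
/

CREATE OR REPLACE FUNCTION legacy_decrypt_salary(p_cipher IN RAW,
                                                 p_key    IN RAW) RETURN NUMBER IS
  v_plain RAW(2000) := DBMS_OBFUSCATION_TOOLKIT.DES3DECRYPT(input => p_cipher,
                                                            key   => p_key,
                                                            which => 0);
  -- the last byte says how many padding bytes to strip
  v_pad   PLS_INTEGER := TO_NUMBER(RAWTOHEX(UTL_RAW.SUBSTR(v_plain, -1, 1)), 'XX');
BEGIN
  v_plain := UTL_RAW.SUBSTR(v_plain, 1, UTL_RAW.LENGTH(v_plain) - v_pad);
  RETURN TO_NUMBER(UTL_RAW.CAST_TO_VARCHAR2(v_plain));
END;
/

-- The application, not the database, has to remember the wrapper on every
-- access, and has to get the key to the call somehow (a constructed key here;
-- in TDE the wallet holds it instead).
INSERT INTO employee_legacy (empno, salary_enc)
VALUES (1001, legacy_encrypt_salary(5200,
                HEXTORAW('00112233445566778899AABBCCDDEEFF')));

SELECT empno,
       legacy_decrypt_salary(salary_enc,
                HEXTORAW('00112233445566778899AABBCCDDEEFF')) AS salary
FROM   employee_legacy;
```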