
Cao Tiến Đức


Posted on 28-Dec-2015



Outline
• What is TDE
• How TDE works
• Basic TDE operations
• Tablespace encryption
• HSM
• Reference

What is TDE
• A mechanism to protect sensitive data that is stored in data files
• Data is transparently decrypted for users who have access to it
• Use TDE when you want to protect confidential data such as credit card and social security numbers

Benefits of TDE
• As a security administrator, you can be sure that sensitive data is safe in case the storage media or data file gets stolen.
• You do not need to create triggers or views to decrypt data. Data from tables is transparently decrypted for the database user.
• Database users need not be aware of the fact that the data they are accessing is stored in encrypted form. Data is transparently decrypted for the database users and does not require any action on their part.
• Applications need not be modified to handle encrypted data. Data encryption/decryption is managed by the database.

Restrictions when using TDE
• Cannot be used with a table that has a foreign key
• Cannot be used with some other database features:
  • Index types other than B-tree
  • Range scan search through an index
  • External large objects (BFILE)
  • Materialized View Logs
  • Synchronous Change Data Capture
  • Transportable Tablespaces
  • Original import/export utilities

Restrictions when using TDE
• Only protects data stored on disk/media, not data in transit
• The DBMS_CRYPTO package can be used to cover the unsupported features
• Decreases performance
• Needs more storage


How TDE works

How TDE works
• Key-based access control system.
• Retrieved data must be decrypted to be understood.
• Column encryption keys are stored in a dictionary table of the database.
• Security administrator (master encryption key) vs database administrator (column encryption key)
• This separation of duties enhances security

How TDE works: master key
• Random key generated by TDE
• PKI certificate designed for encryption
  • More secure
  • Greater performance decrease
  • Requires more system resources

How TDE works: some recommendations when using TDE
• Must be running Oracle Database 10g release 2 (10.2) or higher
• Use a separate wallet to store the master encryption key


Basic TDE operations
• Requirement: must have the ALTER SYSTEM privilege and a valid password to the Oracle wallet

Basic TDE operations: create a new master key
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "password";
• Enclose the password in double quotation marks

Basic TDE operations: create a new table with encrypted columns
CREATE TABLE table_name (column_name column_type ENCRYPT, ...);
• Default is the AES encryption algorithm with a 192-bit key length (AES192)
• Other algorithms can be used: 3DES168, AES128, AES256
• If you want to index the encrypted column, use NO SALT

Basic TDE operations: index and the SALT keyword
• If you want to index the encrypted column, use NO SALT
CREATE TABLE employee (
    first_name VARCHAR2(128),
    last_name VARCHAR2(128),
    empID NUMBER ENCRYPT NO SALT,
    salary NUMBER(6) ENCRYPT USING '3DES168');
ALTER TABLE employee MODIFY (first_name ENCRYPT SALT);
ALTER TABLE employee MODIFY (first_name ENCRYPT NO SALT);

Basic TDE operations: modify/add a table column
ALTER TABLE table_name MODIFY/ADD (column_name column_type ENCRYPT, ...);
ALTER TABLE employee MODIFY (first_name DECRYPT);

Basic TDE operations: Oracle wallet
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "password";
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;
• Once the wallet has been opened, it remains open until you shut down the database instance

Basic TDE operations: save disk space and improve performance
• Use the NOMAC parameter
• Saves 20 bytes of disk space per encrypted value
• Causes the integrity check to be skipped during encryption and decryption operations
CREATE TABLE employee (
    first_name VARCHAR2(128),
    last_name VARCHAR2(128),
    empID NUMBER ENCRYPT 'NOMAC' NO SALT,
    salary NUMBER(6));

Basic TDE operations: change the encryption key
ALTER TABLE employee REKEY;
ALTER TABLE employee REKEY USING '3DES168';
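The slides above show each column-encryption command on its own. The following script, added here as an example and not part of the original slides, strings them together into one workflow on Oracle 11g: open the wallet, set the master key, create a table whose indexed column uses NO SALT, encrypt an existing column, inspect the dictionary, rotate the column key, and close the wallet. The wallet password, table, column and index names are assumptions for illustration; the data dictionary view DBA_ENCRYPTED_COLUMNS is a real Oracle view.

```sql
-- Added example (not from the slides): end-to-end column-level TDE workflow,
-- run as a user holding the ALTER SYSTEM privilege. The wallet password and
-- all object names below are placeholders chosen for illustration.

-- 1. Open the wallet. It stays open until the instance is shut down.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet_pw_placeholder";

-- 2. First-time setup only: generate the master encryption key in the wallet.
--    Running it again later generates a new master key and re-encrypts the
--    column keys with it (master key rotation).
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet_pw_placeholder";

-- 3. A table with encrypted columns. The column we intend to index must use
--    NO SALT (a B-tree index is the only index type allowed); columns that are
--    only ever read back keep the default SALT, so equal plaintexts do not
--    produce equal ciphertexts. ENCRYPT alone means AES192 with SALT and a MAC.
CREATE TABLE employee (
    emp_id      NUMBER        ENCRYPT NO SALT,         -- indexed below
    first_name  VARCHAR2(128),
    last_name   VARCHAR2(128),
    ssn         VARCHAR2(11)  ENCRYPT USING 'AES256',  -- default SALT kept
    salary      NUMBER(8,2)   ENCRYPT
);
CREATE INDEX employee_emp_id_ix ON employee (emp_id);  -- allowed: NO SALT

-- 4. Encrypt an existing column in place; existing rows are rewritten.
ALTER TABLE employee MODIFY (last_name ENCRYPT);

-- 5. Check what the dictionary records for each encrypted column
--    (algorithm, whether SALT is used, and the integrity algorithm or NOMAC).
SELECT owner, table_name, column_name, encryption_alg, salt, integrity_alg
  FROM dba_encrypted_columns
 WHERE table_name = 'EMPLOYEE'
 ORDER BY column_name;

-- 6. Rotate this table's column key (scheduled, or after a suspected key
--    exposure). The whole table is re-encrypted with the new key.
ALTER TABLE employee REKEY USING 'AES256';

-- 7. Reading needs no application change: decryption is transparent to any
--    session that may SELECT from the table while the wallet is open.
SELECT emp_id, first_name, salary FROM employee WHERE emp_id = 1001;

-- 8. Remove encryption from a column that no longer needs it.
ALTER TABLE employee MODIFY (salary DECRYPT);

-- 9. Close the wallet. Until it is reopened, any access to an encrypted
--    column fails with ORA-28365 (wallet is not open).
--    (11g Release 2 additionally requires IDENTIFIED BY "password" here.)
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;
```

Two practical checks follow from the script: step 5 is the query to run before signing off that a column holding card or social security numbers is in fact encrypted with the algorithm you expect, and step 9 shows why the wallet password must be available to whoever restarts the instance, since encrypted columns are unreadable until the wallet is opened again.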


Tablespace encryption
• All objects created in the encrypted tablespace are automatically encrypted
• Includes internal large objects (LOBs) such as BLOBs and CLOBs
• Does not encrypt data that is stored outside the tablespace

Tablespace encryption
• The tablespace encryption master key is stored in the Oracle wallet
• The encrypted data is protected during operations like JOIN and SORT. This means that the data is safe when it is moved to temporary tablespaces.
• Allows index range scans on data in encrypted tablespaces, which is not possible with column-based transparent data encryption

Tablespace encryption: create an encrypted tablespace
CREATE TABLESPACE securespace
    DATAFILE '/home/user/oradata/secure01.dbf' SIZE 150M
    ENCRYPTION USING '3DES168'
    DEFAULT STORAGE(ENCRYPT);
• Other algorithms can be used: 3DES168, AES128 (default), AES256

Tablespace encryption
• Cannot encrypt an existing tablespace
• Data can be imported into an encrypted tablespace using the Oracle Data Pump utility
• Or use ALTER TABLE ... MOVE ... to move a table into the encrypted tablespace

Tablespace encryption: encryption status of a tablespace
• DBA_TABLESPACES, USER_TABLESPACES: the ENCRYPTED column indicates whether a tablespace is encrypted
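The tablespace-encryption slides give the CREATE TABLESPACE command, mention ALTER TABLE ... MOVE, and name the ENCRYPTED column as the status check. The script below is an added example, not part of the original slides, that carries those steps through for one table and then verifies the result from both the static dictionary and the dynamic views. The datafile path, tablespace, table and index names and the wallet password are assumptions; DBA_TABLESPACES, V$TABLESPACE, V$ENCRYPTED_TABLESPACES and DBA_SEGMENTS are real Oracle views.

```sql
-- Added example (not from the slides): tablespace-level TDE on Oracle 11g.
-- Assumes the wallet already holds a master key, that an EMPLOYEE table with
-- an index EMPLOYEE_EMP_ID_IX exists in an unencrypted tablespace, and that
-- the path and names below are placeholders.

ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet_pw_placeholder";

-- 1. Encryption is decided at CREATE time; an existing tablespace cannot be
--    converted in place, which is why step 2 moves data into a new one.
CREATE TABLESPACE securespace
    DATAFILE '/u01/app/oracle/oradata/ORCL/secure01.dbf' SIZE 150M
    ENCRYPTION USING 'AES256'
    DEFAULT STORAGE (ENCRYPT);

-- 2. Move an existing table into the encrypted tablespace. No per-column
--    ENCRYPT clause is needed: every block written there is encrypted.
--    MOVE leaves the table's indexes UNUSABLE, so rebuild them afterwards.
ALTER TABLE employee MOVE TABLESPACE securespace;
ALTER INDEX employee_emp_id_ix REBUILD TABLESPACE securespace;

-- 3a. Verify from the static dictionary: ENCRYPTED is YES or NO.
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'SECURESPACE';

-- 3b. Verify the algorithm actually in use from the dynamic views.
SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$tablespace t
  JOIN v$encrypted_tablespaces e ON e.ts# = t.ts#;

-- 4. Audit: list the current user's segments that still live in an
--    unencrypted tablespace, so nothing sensitive is left behind.
SELECT s.segment_name, s.segment_type, s.tablespace_name
  FROM dba_segments s
  JOIN dba_tablespaces t ON t.tablespace_name = s.tablespace_name
 WHERE s.owner = USER
   AND t.encrypted = 'NO'
 ORDER BY s.segment_name;
```

Step 2 is the point the slides make about range scans: because the index is rebuilt in the encrypted tablespace rather than on an individually encrypted column, it remains a normal B-tree index that supports range scans, and the data in the index blocks is still protected on disk.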


Hardware Security Module
• A physical device that provides secure storage for encryption keys
• Provides secure computational space (memory) to perform encryption and decryption operations
• A more secure alternative to the Oracle wallet
• Transparent data encryption must be configured to use the HSM.


Reference
http://download.oracle.com/docs/cd/B28359_01/network.111/b28530/asotrans.htm