oracle database 11g transparent data encryption

Upload: yelena-bytenskaya

Post on 02-Jun-2018


  • 8/10/2019 Oracle Database 11g Transparent Data Encryption

    1/40

    Applying Transparent Data Encryption

    Learning Objective

    After completing this topic, you should be able to

    recognize how Transparent Data Encryption is set up

    1. Transparent Data Encryption

Transparent Data Encryption, also known as TDE, is available with Oracle Advanced Security, commonly known as ASO, and provides easy-to-use protection for your data without requiring changes to your applications.

TDE allows customers to encrypt sensitive data in individual columns or entire tablespaces without having to manage encryption keys.

TDE does not affect access controls, which are configured using database roles, secure application roles, system and object privileges, views, Virtual Private Database, also known as VPD, Database Vault, or Oracle Label Security.


Any application or user that previously had access to a table will still have access to the identical encrypted table. TDE is designed to protect data in storage; it does not replace proper access control.

TDE is transparent to existing applications. Encryption and decryption occur at different levels, depending on whether it is applied at the tablespace or the column level, but in either case encrypted values are never displayed to, or handled by, the application.

For example, with TDE, applications designed to display a 16-digit credit card number do not have to be recoded to handle an encrypted string that may have many more characters.

Several regulatory requirements impose penalties for breaches at the operating-system level if sensitive data is not encrypted in the OS files. TDE removes the ability of anyone who has direct access to the data files to read the data by circumventing the database access control mechanisms.

Even users with access to the data file at the OS level cannot read the data unencrypted. TDE stores the master key outside the database in an external security module, also referred to as ESM, thereby minimizing the possibility of both the protected information and the encryption key being compromised together.

TDE decrypts the data only after the database access control mechanisms have been satisfied. TDE is less expensive to implement than either application-based or file-based encryption.

There are some more benefits of TDE. It

encrypts data in data files, redo log and archive log files, memory (only for column encryption), and file backups
manages keys automatically
does not require changes to the application, and
encrypts indexes

TDE applies the principle of defense in depth in its design. The key architecture is a two-tier system.

The master key is stored in the ESM. This is either an Oracle Wallet or a Hardware Security Module, abbreviated as HSM. This external store is protected by a password, operating system permissions, and encryption.

The master encryption key is used to encrypt the table keys and tablespace keys, and those keys are used to encrypt the data. So the data is encrypted with a key that is unique to a tablespace or a table. These keys are stored in the database in encrypted form: they have been encrypted with the master key, which is stored in the ESM on the OS.

Some security regulations require a periodic change of encryption keys. A change of keys means that the encrypted items are decrypted with the old key and encrypted with the new key. This is also called rekeying.

A major advantage of the two-tier architecture is that the table and tablespace keys can be re-protected by changing the master key alone. Those keys are automatically decrypted with the old master key and re-encrypted with the new one, but the keys themselves do not change, so the data does not have to be rekeyed. This operation meets the Payment Card Industry requirement for rekeying with a minimum of overhead.

With TDE, you can specify different encryption algorithms to be used at the table or the tablespace level. The available algorithms are 3DES168, AES128, AES192, and AES256. The default is AES128 for tablespace encryption and AES192 for column encryption.

TDE enables encryption of sensitive data in columns without requiring users or applications to manage the encryption key. This freedom can be extremely important when addressing, for example, regulatory compliance issues.

There is no need to use views to decrypt data, because the data is transparently decrypted when a user has passed the necessary access control checks. Security administrators have the assurance that the data on disk is encrypted, yet handling encrypted data is transparent to applications.

The ESM is implemented through an API that allows a variety of possible key storage solutions. The default ESM is Oracle Wallet. HSMs from several vendors are also supported for storage of master keys.

TDE support for HSMs varies by database version and by whether encryption is at the column level or the tablespace level.

2. Creating the master key

Transparent Data Encryption, also known as TDE, creates a key for each table that uses encrypted columns and for each encrypted tablespace. The table key is stored in the data dictionary, and tablespace keys are stored in the tablespace data files. Both tablespace and table keys are encrypted with a master key.

There is one master key for the database. The master key is stored in a PKCS12 wallet or a PKCS11-based Hardware Security Module, abbreviated as HSM, outside the database. For the database to use TDE, a wallet must exist.

To create a wallet and a master key, first create a directory to hold the wallet, accessible to the Oracle software owner. Restrict the directory permissions to that account: anyone who can read the wallet file and knows (or can guess) its password holds the master key for the whole database.

Then specify the location of the wallet file used to store the encryption master key by adding this entry to $ORACLE_HOME/network/admin/sqlnet.ora.

Code

ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)(METHOD_DATA=
    (DIRECTORY=/u01/app/oracle/product/11.1.0/db_1/wallet)))

Then connect to the database as a user with appropriate privileges. The user must have the ALTER SYSTEM privilege.

Code

sqlplus / as sysdba

After connecting to the database, create the encrypted wallet file using this command.

Code

SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY password;

If no encrypted wallet is present in the directory defined in SQLNET.ORA, the command

1. creates an encrypted wallet (ewallet.p12)
2. opens the wallet, and
3. creates the database server master encryption key for TDE

If an encrypted wallet already exists, the command

1. opens the wallet
2. creates or re-creates the database server master encryption key for TDE, and
3. re-encrypts the table and tablespace keys

In other words, running the command a second time is a master rekey, not a no-op: the previous master keys stay in the wallet, but a new one becomes current.

Before encrypted columns can be viewed by a user, the wallet must be opened. A user with the ALTER SYSTEM privilege must issue this command, where welcome1 is the wallet password.

Code

ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY welcome1;

If the wallet is not open and a user attempts to access an encrypted column, an error message is generated.

Code

SQL> connect scott/tiger
Connected.
SQL> describe table_name
 Name                             Null?    Type
 -------------------------------- -------- ----------------------
 FIRST_NAME                                VARCHAR2(11)
 LAST_NAME                                 VARCHAR2(10)
 ORDER_NUMBER                              NUMBER(13)
 CREDIT_CARD_NUMBER                        VARCHAR2(20) ENCRYPT

SQL> select ... from table_name;
ORA-28365: wallet is not open

[The table name and the select list are not legible in the transcript.]
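The whole wallet life cycle described above, as an added example (this is not code from the course): it sets the master key, checks the wallet state in V$ENCRYPTION_WALLET, closes the wallet to reproduce ORA-28365, shows how an application can trap that error instead of treating it as missing data, and reopens the wallet. Assumptions, all placeholders: the wallet password is "wallet_password", the table OE.CUST_PAY_INFO exists with the columns shown in the DESCRIBE output, and the sqlnet.ora entry above is already in place. The OPEN/CLOSE statements use 11g Release 2 syntax.

```sql
-- Added example, not from the course. Placeholders: "wallet_password" and the
-- table OE.CUST_PAY_INFO (assumed to have the columns shown in the DESCRIBE above).
-- Run in SQL*Plus as a user with ALTER SYSTEM once ENCRYPTION_WALLET_LOCATION is
-- set in sqlnet.ora. Wallet OPEN/CLOSE syntax is that of 11g Release 2.

-- 1. First run: creates ewallet.p12 in the configured directory, opens it and
--    generates the master key. Every later run generates a NEW master key and
--    re-encrypts the table and tablespace keys, so it is a rekey, not a no-op.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet_password";

-- 2. Check the result. WRL_PARAMETER is the DIRECTORY from sqlnet.ora and STATUS
--    must be OPEN; CLOSED or OPEN_NO_MASTER_KEY means step 1 did not do its job.
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

-- 3. Reproduce the failure mode: close the wallet, then touch an encrypted
--    column. The query fails with ORA-28365 (wallet is not open).
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "wallet_password";
SELECT credit_card_number FROM oe.cust_pay_info WHERE ROWNUM = 1;

-- 4. Application side: map ORA-28365 to a named exception so a closed wallet is
--    reported as an operational fault rather than swallowed as "no data".
SET SERVEROUTPUT ON
DECLARE
  wallet_not_open EXCEPTION;
  PRAGMA EXCEPTION_INIT(wallet_not_open, -28365);
  v_card oe.cust_pay_info.credit_card_number%TYPE;
BEGIN
  SELECT credit_card_number INTO v_card
    FROM oe.cust_pay_info
   WHERE ROWNUM = 1;
  DBMS_OUTPUT.PUT_LINE('wallet is open: encrypted column read OK');
EXCEPTION
  WHEN wallet_not_open THEN
    DBMS_OUTPUT.PUT_LINE('wallet closed: ask the DBA to open it; do not retry blindly');
  WHEN NO_DATA_FOUND THEN
    DBMS_OUTPUT.PUT_LINE('wallet open, but the table is empty');
END;
/

-- 5. Reopen with the same password; encrypted columns are readable again.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet_password";
SELECT status FROM v$encryption_wallet;
```

In 11g Release 1 the close statement is ALTER SYSTEM SET WALLET CLOSE with no password. Whichever release you run, re-issuing SET ENCRYPTION KEY by mistake is the thing to guard against: it silently rotates the master key, and every copy of the wallet (standby hosts, backups) must then be refreshed.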

3. Using the auto login wallet

From Oracle Wallet Manager, open the wallet using the password. The Wallet menu contains options such as New, Open, and Download From The Directory Service.

Provide the wallet directory location if the wallet is not in the default location. (The default location of the wallet is /etc/ORACLE/WALLETS/oracle.) You provide the wallet directory location using the Select Directory dialog box.

From the Wallet menu, select the Auto Login checkbox. Other options in the Wallet menu include Save In System Default, Delete, Change Password, and Exit.

Exit Oracle Wallet Manager by selecting Exit from the Wallet menu.

Note

Do not delete the encryption wallet; otherwise, master rekey operations will no longer be possible. When using an auto login wallet, the new master key is generated in the encryption wallet and then replicated into the auto login wallet.

An auto login wallet (cwallet.sso) opens without a password, so its only protection is the file permissions on the wallet directory; treat the file as a credential.

The master keys are required to access encrypted data, and you must protect these keys with backups. Because master keys reside in the Oracle Wallet, the wallet should be periodically backed up to a secure location whenever the database data files are backed up. Keep the wallet backup apart from the datafile backup: whoever holds both, plus the wallet password, can read the data.


Option 3: This option is incorrect. Regenerating the master key does not cause column data to be re-encrypted.

Option 4: This option is correct. You need to regenerate the master key only if it has been compromised. Changing the master key periodically may be required by regulation.

Correct answer(s):

2. All past master keys are held in the wallet or HSM
4. A master key only needs to be regenerated if it has been compromised

In these two examples, a new table key is generated. The first statement generates a new key using the algorithm that was specified when the table columns were encrypted. The second statement generates a new key and changes the algorithm. Both statements cause all encrypted data in the table to be decrypted and rewritten with a new encrypted value.

Code

ALTER TABLE table_name REKEY;
ALTER TABLE table_name REKEY USING 'algorithm';

[The table name is not legible in the transcript; table_name is a placeholder.]

An HSM is more resistant to unauthorized access attempts, because it is a physical device and not an operating system file.

All encryption and decryption operations that use the master encryption key are performed inside the HSM. This means that the master encryption key is never exposed in insecure memory.

An HSM can be used for TDE tablespace encryption only when TDE tablespace encryption has not been used before with a wallet. An existing master key cannot be migrated from a wallet to an HSM.

If the master key is initially created in an HSM, it can be used for TDE tablespace encryption. Several vendors provide HSMs. The vendor must also supply the appropriate libraries.

Question

What are the features of an HSM?

Options:

1. It is a physical device that provides secure storage for encryption keys
2. It provides secure memory for performing encryption and decryption operations
3. It can be used for TDE Tablespace Encryption when TDE Tablespace Encryption has been used before with a wallet
4. If a master key is created in an HSM, it cannot be used for TDE Tablespace Encryption

Answer

Option 1: This option is correct. An HSM is a physical device that provides secure storage for encryption keys. Several vendors provide HSMs.

Option 2: This option is correct. An HSM provides secure computational space in which to perform encryption and decryption operations. An HSM is a more secure alternative to Oracle Wallet.

Option 3: This option is incorrect. An HSM can be used for TDE Tablespace Encryption only when TDE Tablespace Encryption has not been used before with a wallet. An existing master key cannot be migrated from a wallet to an HSM.

Option 4: This option is incorrect. If the master key is initially created in an HSM, it can be used for TDE Tablespace Encryption.

Correct answer(s):

1. It is a physical device that provides secure storage for encryption keys
2. It provides secure memory for performing encryption and decryption operations

The ENCRYPTION_WALLET_LOCATION parameter in the SQLNET.ORA file specifies the location of the Oracle Wallet. To use an HSM in place of a software wallet, set the METHOD attribute of the parameter to HSM.

If a DIRECTORY value is present in the ENCRYPTION_WALLET_LOCATION parameter, do not delete it. Although an HSM does not require a DIRECTORY value, the value is used to locate your old software wallet when migrating to HSM-based Transparent Data Encryption.

Also, the DIRECTORY value may be required by tools, such as RMAN, to locate the software wallet.

Code

ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=HSM))

The HSM vendor provides a PKCS11 library that you must copy to a specific directory so that the Oracle server can locate it. The location depends on the OS you are using.

UNIX and Linux

If it is for UNIX or Linux, copy it to this location:

/opt/oracle/extapi/[32,64]/hsm/{VENDOR}/{VERSION}/libapiname.ext

Windows

If it is for Windows, copy it to the corresponding location under:

%SYSTEM_DRIVE%

[The remainder of the Windows path is not preserved in the transcript.]

Code

ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "user_Id:password"
  MIGRATE USING "wallet_password";

In this example, user_Id is the user ID created using the HSM management interface; password is the password created using the HSM management interface; and wallet_password is the password required to open the existing Oracle Wallet on the file system.

The MIGRATE USING "wallet_password" clause is applicable if you are already using TDE. Existing column encryption keys are decrypted and then re-encrypted with the new HSM-based master encryption key.

Once the master key lives in the HSM, the wallet is opened with the HSM credentials rather than with the file wallet password.

Code

ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY "user_Id:password";

    Summary

In this topic, you've learned how TDE is set up.

Configuring Encrypted Columns

    Learning Objective

    After completing this topic, you should be able to

    configure encrypted columns

1. Creating encrypted columns

To create an encrypted column, use the ENCRYPT keyword when the table is created or altered.

In this example, the NO SALT keywords are used to allow an index to be created over the column. The default is SALT.

Code

CREATE TABLE table_name ( ... column_name datatype ENCRYPT NO SALT ... );

[The table definition is not preserved in the transcript; only the ENCRYPT NO SALT clause is certain.]


Question

Identify the characteristics of the ENCRYPT clause syntax.

Options:

1. It allows you to specify the algorithm to use
2. The IDENTIFIED BY password clause is required
3. The NOMAC parameter allows you to skip TDE integrity checks
4. The table creator determines the key length

Answer

Option 1: This option is correct. The ENCRYPT clause allows you to specify the encryption algorithm to use. Valid algorithm names are 3DES168, AES128, AES192 (the default), and AES256.

Option 2: This option is incorrect. The IDENTIFIED BY password clause is optional. Specifying a password means that the key used to protect the table will be derived from that password.

Option 3: This option is correct. In database versions 10.2.0.4 and 11.1.0.7, the NOMAC parameter enables you to skip the integrity check performed by TDE. This saves 20 bytes of disk space per encrypted value.

Option 4: This option is incorrect. The name of the algorithm implicitly determines the key length.

Correct answer(s):

1. It allows you to specify the algorithm to use
3. The NOMAC parameter allows you to skip TDE integrity checks

A B-tree index can be created on an encrypted column that uses NO SALT. A B-tree index cannot be created on a column with SALT. Equality lookup operations are supported on the index. Note that NO SALT makes the encryption deterministic: equal plaintext values produce equal ciphertext, so value frequencies are visible in the data file and in the index.

A bitmapped index cannot be created on encrypted columns. TDE column encryption is not supported on foreign keys, because each table has its own encryption key, so the same value is stored as different ciphertext in the parent and child tables. For this reason, do not use sensitive data items such as a credit card number or a national identity number as the primary key.

Index range-scan operations are supported only for equality lookups, because the lookup value is encrypted before it is compared with the stored values. WHERE clauses with BETWEEN...AND or LIKE comparison operators will use full-table scans.

Tablespace-level TDE supports all index types, all internal data types, and foreign keys.
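The column-level rules above (NO SALT for indexed columns, equality-only index use, NOMAC/algorithm choice, rekeying) as one added example; it is not code from the course. Assumptions: the wallet is open, the current schema can create tables and indexes, and the table name CUST_PAY_INFO and the rows inserted are made up here to match the DESCRIBE output shown earlier.

```sql
-- Added example, not from the course. Assumes an open wallet and CREATE TABLE /
-- CREATE INDEX privileges in the current schema; CUST_PAY_INFO and the sample
-- rows are constructed for the example.

-- NO SALT is mandatory for a column you intend to index. The MAC is kept, so
-- each stored value costs its padding to a 16-byte multiple plus 20 bytes of MAC.
CREATE TABLE cust_pay_info (
  first_name         VARCHAR2(11),
  last_name          VARCHAR2(10),
  order_number       NUMBER(13),
  credit_card_number VARCHAR2(20) ENCRYPT USING 'AES256' NO SALT
);

-- Allowed only because of NO SALT: the index stores ciphertext, and equality
-- predicates are answered by encrypting the search value and comparing.
CREATE INDEX cust_pay_info_cc_idx ON cust_pay_info (credit_card_number);

-- Constructed sample rows (test card numbers). Encryption happens on INSERT;
-- the application sees nothing of it.
INSERT INTO cust_pay_info VALUES ('Ana', 'Lopez', 1001, '4111111111111111');
INSERT INTO cust_pay_info VALUES ('Bo',  'Chen',  1002, '5500000000000004');
COMMIT;

-- Uses the index (equality). LIKE or BETWEEN on the same column cannot, and
-- degrade to a full scan that decrypts every row.
SELECT order_number
  FROM cust_pay_info
 WHERE credit_card_number = '4111111111111111';

-- What the dictionary records: algorithm, SALT flag and integrity algorithm.
SELECT column_name, encryption_alg, salt, integrity_alg
  FROM user_encrypted_columns
 WHERE table_name = 'CUST_PAY_INFO';

-- Failure mode: an indexed column cannot be switched to SALT (and a salted
-- column cannot be indexed). Oracle rejects this with ORA-28338.
ALTER TABLE cust_pay_info MODIFY (credit_card_number ENCRYPT SALT);

-- Rekey: a new table key, and every encrypted value in the table is rewritten.
-- The algorithm named here applies to all encrypted columns of the table.
ALTER TABLE cust_pay_info REKEY USING 'AES192';

-- After a rekey or algorithm change, confirm the index on the encrypted column
-- is still VALID, and rebuild it if it is reported UNUSABLE.
SELECT index_name, table_name, status
  FROM user_indexes
 WHERE table_name = 'CUST_PAY_INFO';
ALTER INDEX cust_pay_info_cc_idx REBUILD;
```

If you need NOMAC as well, it goes in the same clause, for example ENCRYPT USING 'AES256' 'NOMAC' NO SALT, and it then applies to every encrypted column of that table; the saving is 20 bytes per value at the cost of no longer detecting tampered ciphertext.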

Question

What are the considerations when creating an index on an encrypted column?

Options:

1. A B-tree index can be created on an encrypted column with NO SALT
2. A bitmapped index can be created on encrypted columns
3. TDE column encryption is not supported on foreign keys
4. Index range-scan operations are not supported for equality lookups

Answer

Option 1: This option is correct. A B-tree index can be created on an encrypted column with NO SALT. A B-tree index cannot be created on a column with SALT.

Option 2: This option is incorrect. A bitmapped index cannot be created on encrypted columns.

Option 3: This option is correct. TDE column encryption is not supported on foreign keys, because each table has its own encryption key.

Option 4: This option is incorrect. Index range-scan operations are supported for equality lookups, because the value is encrypted before the comparison with the stored values. WHERE clauses with BETWEEN...AND or LIKE comparison operators will use full-table scans.

Correct answer(s):

1. A B-tree index can be created on an encrypted column with NO SALT
3. TDE column encryption is not supported on foreign keys

2. Altering an encrypted column

All the encrypted columns in a single table must use the same algorithm. If two or more columns are encrypted, you change the encryption algorithm for the entire table with one command.

Code

ALTER TABLE table_name REKEY USING 'algorithm';

[The table name is not legible in the transcript; table_name is a placeholder.]

NCHAR, and
NUMBER

Other scalar data types supported by TDE column encryption are

NVARCHAR2
RAW
TIMESTAMP (including TIMESTAMP WITH TIME ZONE and TIMESTAMP WITH LOCAL TIME ZONE)
VARCHAR2 (must be less than or equal to 3,932 bytes)
Character large objects, commonly known as CLOB (SecureFiles), and
Binary large objects, also known as BLOB (SecureFiles)

TDE column encryption supports Oracle Data Guard in the physical standby configuration. To use TDE with Data Guard, both the primary and the standby database must be of the same version.

TDE column encryption also supports the Data Guard logical standby configuration. Logs may be mined either on the source or on the target database; thus, the wallet must be the same for both databases. Every time the master key is changed using the ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY wallet_password command, the wallet must be copied from the primary database to the standby database.

An error is raised if the DBA attempts to change the master key on the standby database. If an auto login wallet is not used, the wallet must be opened on the standby. Wallet open and close commands on the primary are not replicated on the standby.

A different password can be used to open the wallet on the standby. The wallet owner can change the password used for the copy of the wallet on the standby.

Storage overhead associated with TDE column encryption can be significant. When specified, SALT requires 16 bytes. Specifying NO SALT reduces the storage requirement and saves CPU cycles.

The Message Authentication Code, also known as MAC, an integrity check associated with each encrypted value, requires an additional 20 bytes. In addition, TDE pads encrypted values out to a multiple of 16 bytes. So if a credit card number required 9 bytes of storage, encrypting it would require an additional 7 bytes of storage. Encrypting a single column in a table with SALT will require between 37 and 52 bytes of additional storage per row.

SALT is not needed if the clear text values are unique, and SALT cannot be used with columns that will be indexed.

In database versions 10.2.0.4 and 11.1.0.7, the NOMAC parameter enables you to skip the integrity check performed by TDE. This saves 20 bytes of disk space per encrypted value. If the number of rows and encrypted columns in the table is large, this adds up to a significant amount of disk space. The price is that a modified ciphertext is no longer detected on decryption.

The NOMAC parameter also reduces the performance overhead. The NOMAC parameter applies to all columns of a table: if one column uses NOMAC, they all must use the NOMAC option.

A customer encrypting a single column using both the NO SALT and NOMAC parameters can reduce the encryption overhead to between 1 and 15 bytes of additional storage per row, instead of 37 to 52 bytes.

TDE column encryption cannot be used with foreign keys or with index types other than B-tree indexes. SYS schema objects cannot be encrypted.

In Oracle Database 11g, internal large object, also referred to as LOB, data types (such as BLOB and CLOB) can be encrypted, but external LOBs (such as binary large file objects, the BFILE data type) cannot be encrypted.

Applications that need to use these unsupported features can use TDE tablespace encryption. TDE tablespace encryption supports all data types, except external tables and BFILE. The SYSTEM tablespace cannot be encrypted.

Note

External tables can have encrypted columns when they use the ORACLE_DATAPUMP access driver.

3. Creating an encrypted tablespace

TDE tablespace encryption is performed at the I/O level on a per-block basis. The only encryption penalty is associated with I/O, so the performance overhead will show up in the I/O statistics.

When a table has a large number of columns to be encrypted, tablespace encryption may provide better performance than column encryption. SQL access paths are unchanged and all data types are supported. Because the data is not encrypted in memory, there is no difference in the handling of data once it has been read off the disk; the corollary is that blocks in the buffer cache are in clear text, so tablespace encryption protects storage, not the memory of a compromised host.

All data types, index types, and even LOBs are supported with tablespace encryption. Data retrieved from encrypted tablespaces is protected whenever it is written to disk, including temporary tablespaces, the undo tablespace, and redo logs.

During operations such as JOIN and SORT, data that is selected from an encrypted tablespace is encrypted when written to temporary tablespaces. Encrypted tablespaces are transportable if the platforms have the same endianness and the same wallet.

There is currently no mechanism to rekey a tablespace. Tablespace encryption does not require additional storage space.

The CREATE TABLESPACE command has an ENCRYPTION clause that sets the encryption properties, and an ENCRYPT storage parameter that causes the encryption to be used.

Code

ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY password;

CREATE TABLESPACE encrypt_ts
  DATAFILE '$ORACLE_HOME/dbs/encrypt.dat' SIZE 100M
  ENCRYPTION USING '3DES168'
  DEFAULT STORAGE (ENCRYPT);

Because tablespace encryption is performed at the I/O level, many of the restrictions that apply to TDE column encryption do not apply to tablespace encryption.

The following restrictions apply to tablespace encryption:

Temporary and undo tablespaces cannot be encrypted. But when a data buffer containing data from an encrypted tablespace is written to an undo or a temporary tablespace, that data block is encrypted.
The BFILE data type and external tables are not encrypted, because they are not stored in tablespaces.
Transportable tablespaces across platforms of different endianness are not supported.
The key of an encrypted tablespace cannot be changed. The workaround is to create a tablespace with the desired properties and move all objects to the new tablespace.
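The tablespace procedure above, including the "create a new tablespace and move everything" workaround for rekeying, as one added example (not code from the course). Placeholders, all assumed: the tablespace names ENCRYPT_TS and ENCRYPT_TS2, the datafile directory /u01/app/oracle/oradata/orcl, and the table OE.CUST_PAY_INFO with an index CUST_PAY_INFO_CC_IDX. The wallet must already be open.

```sql
-- Added example, not from the course. Placeholders: tablespace names, the
-- datafile directory, and OE.CUST_PAY_INFO with its index CUST_PAY_INFO_CC_IDX.
-- The wallet must be open before any of this runs.

-- 1. ENCRYPTION chooses the algorithm (AES128 when USING is omitted); the
--    DEFAULT STORAGE (ENCRYPT) clause is what actually turns encryption on.
CREATE TABLESPACE encrypt_ts
  DATAFILE '/u01/app/oracle/oradata/orcl/encrypt_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 2. Verify. A tablespace created with ENCRYPTION but without DEFAULT STORAGE
--    (ENCRYPT) shows ENCRYPTED = 'NO' here; that is the mistake to catch.
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'ENCRYPT_TS';
SELECT v.name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace v ON v.ts# = e.ts#;

-- 3. Move existing data in. MOVE rewrites the rows into encrypted blocks and
--    marks the table's indexes UNUSABLE, so rebuild them into the same
--    tablespace (otherwise the index blocks stay in clear text elsewhere).
--    The old tablespace keeps the clear-text blocks until its datafile is
--    dropped or overwritten; plan to drop it once everything has moved.
ALTER TABLE oe.cust_pay_info MOVE TABLESPACE encrypt_ts;
ALTER INDEX oe.cust_pay_info_cc_idx REBUILD TABLESPACE encrypt_ts;

-- 4. "Rekeying" a tablespace in 11g is the same move into a fresh encrypted
--    tablespace, which gets its own tablespace key, then dropping the old one.
CREATE TABLESPACE encrypt_ts2
  DATAFILE '/u01/app/oracle/oradata/orcl/encrypt_ts02.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);
ALTER TABLE oe.cust_pay_info MOVE TABLESPACE encrypt_ts2;
ALTER INDEX oe.cust_pay_info_cc_idx REBUILD TABLESPACE encrypt_ts2;
DROP TABLESPACE encrypt_ts INCLUDING CONTENTS AND DATAFILES;
```

Every object in the old tablespace has to be moved this way (tables, indexes, LOB segments); anything left behind goes with the DROP.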

The older export and import utilities, exp and imp, do not support TDE. An error message is raised when exp attempts to export a table with an encrypted column.

Code

EXP-00107: Feature (COLUMN ENCRYPTION) of column ORDER_NUMBER in table TABLE_A is not supported. The table will not be exported.

The Data Pump Export utility, expdp, can export the table. By default, the data is stored in the dump file in clear text, so an unprotected dump file undoes the protection TDE gave the column; supply an encryption password (the ENCRYPTION_PASSWORD parameter) when the dump file leaves the trust boundary of the database.

Note

If an encryption password is given to Data Pump Export, the same password must be used to import the dump file using Data Pump Import, impdp.

Oracle Database 11g introduces the SecureFiles implementation (of LOBs), which offers intelligent compression and transparent encryption. Encrypted data in SecureFiles is stored in place and is available for random reads and writes.

The encryption takes place at the block level. The LOB implementation from earlier versions is still supported for backward compatibility and is now referred to as BasicFiles.

Code

CREATE TABLE test1
  (doc CLOB ENCRYPT USING 'AES128')
  LOB(doc) STORE AS SECUREFILE (CACHE NOLOGGING);

If you add a LOB column to a table, you can specify how it should be created using the SECUREFILE or BASICFILE keyword. To ensure backward compatibility, the default LOB type is BASICFILE.

To enable encryption of LOBs, you must create the LOB with the SECUREFILE keyword, with encryption enabled (ENCRYPT) or disabled (DECRYPT, which is the default) on the LOB column. The current TDE syntax is used for extending encryption to LOB data types. There are multiple correct syntax possibilities.

Valid encryption algorithms are 3DES168, AES128, AES192, and AES256. The default is AES192.

Summary

In this topic, you've learned how to configure encrypted columns.

Implementing TDE

    Learning Objective


    After completing this topic, you should be able to

    implement Transparent Data Encryption

Exercise overview

Steps list

Instructions

4. Type SELECT ... FROM oe.table_name [the rest of the statement is not preserved in the transcript]

[Step text partly lost] ... query the index name, TABLE_NAME, and STATUS columns of the USER_INDEXES table for this table. Put the FROM and WHERE clauses on separate lines. Then rebuild the unusable index.

Steps list

Instructions

1. Type CONNECT oe and press Enter
2. Type oracle and press Enter
3. Type ALTER TABLE oe.table_name [the rest of the statement is not preserved in the transcript]

Steps list

Instructions

11. Click Submit Job
12. Click View Job Details

Task 4: Verifying transparent encryption


RMAN backup encryption is available only in the Enterprise Edition of the database, and the COMPATIBLE parameter must be set to 10.2.0 or higher.

Encrypted backup to disk does not require Oracle Advanced Security, commonly known as ASO, but the use of RMAN with a third-party media manager library does require ASO to provide the key infrastructure.

Encrypted backups to tape require Oracle Secure Backup, also referred to as OSB, to provide the key infrastructure. OSB includes the same technology as ASO.

OSB version 10.2 is available in both the Standard Edition and the Enterprise Edition of Oracle Database 11g. OSB includes the secure communications technology of ASO in the Enterprise Edition to provide secure communication between hosts (administrative, source, and target) in the OSB domain.

OSB encrypts the transmitted data and control messages with a default key of 1,024 bits generated for each session using Secure Sockets Layer, also known as SSL. OSB provides this key from an embedded wallet that is separate from the Oracle Wallet used by RMAN to encrypt backups.

If RMAN encryption is enabled, OSB does not encrypt the data again for transmission. But if RMAN encryption is disabled and the OSB host encryption policy is set to required, OSB encryption is used for the data; if the OSB encryption policy is set to allowed, in principle the decision is referred to the next lower level.

The obfuscated version of the wallet does not require a password.

The obfuscated wallet is created when the wallet is opened and destroyed when the wallet is closed. This wallet, which is scrambled but not encrypted, enables the OSB software to run without requiring a password during system startup.

The password for the password-protected wallet is generated by OSB and not made available to the user. The password-protected wallet is not normally used after the security credentials for the host have been established, because the OSB daemons use the obfuscated wallet.

To reduce the risk of unauthorized access to obfuscated wallets, OSB does not back them up.

The obfuscated version of a wallet is named cwallet.sso. On Linux and UNIX, the wallet is located in the following path:

/usr/etc/ob/wallet

On Windows, the wallet is located under the following path:

C:

[The remainder of the Windows path is not preserved in the transcript.]

OSB also secures your file-system backups over the network by using SSL.

RMAN can create encrypted backups on tape using OSB or a third-party media manager with ASO.

2. Creating RMAN-encrypted backups

For improved security, Recovery Manager, commonly known as RMAN, backups created as backup sets can be encrypted. Image copy backups cannot be encrypted.

Encrypted backups are decrypted automatically during restore and recover operations, as long as the required decryption keys are available, by means of either a user-supplied password or the Oracle Encryption Wallet.

RMAN supports three encryption modes:

transparent
password, and
dual

Transparent encryption does not require DBA intervention as long as the required Oracle key management infrastructure is available.

Transparent encryption is best suited for day-to-day backup operations, where backups will be restored on the same database that they were backed up from. A transparent-mode backup can be restored only where the same wallet is available, so the wallet must be backed up as carefully as the backup itself, and kept apart from it.

Transparent encryption is the default encryption mode.

Code

RMAN> CONFIGURE ENCRYPTION FOR DATABASE ON;
RMAN> CONFIGURE ENCRYPTION FOR TABLESPACE tablespace_name ON;
RMAN> SET ENCRYPTION ALGORITHM 'algorithm';

Create a wallet

The first step is to create a wallet using Oracle Wallet Manager. By default, an unencrypted wallet (cwallet.sso) is created when Oracle Database is installed. An encrypted wallet (ewallet.p12) is recommended for use with backup set encryption, because the auto-login wallet can be opened by anyone who can read the file. Place an entry in the SQLNET.ORA file.

Open the wallet

Before you can use backup set encryption, you need to make sure that the wallet is opened by your instance. The password specified with the ALTER SYSTEM command is the same password you specified when you created the wallet.

Set the master key

When the wallet is opened, you need to set the master key from within your instance.

Configure the RMAN encryption level, and

The CONFIGURE ENCRYPTION command is used to specify encryption settings for the database or tablespaces within the database, which apply unless overridden using the SET command.

Options specified for an individual tablespace take precedence over options specified for the whole database.

Set an encryption algorithm, if needed

Query V$RMAN_ENCRYPTION_ALGORITHMS to obtain a list of encryption algorithms supported by RMAN. The default encryption algorithm is 128-bit AES.

When you use password encryption, you must provide a password to create and restore encrypted backups. When you restore the password-encrypted backup, you must supply the same password that was used to create the backup.

Password encryption is most appropriate for backups that will be restored at remote locations, but which must remain secure in transit. To enable password encryption, use this command in your RMAN scripts.

Code

SET ENCRYPTION ON IDENTIFIED BY 'password' ONLY;

Password encryption cannot be persistently configured. The Enterprise Manager interface will place the proper command in the RMAN backup scripts that it generates.

Graphic

The Encryption section of the Enterprise Manager interface is open. You use this section to encrypt the backup using the Oracle Encryption Wallet, a user-supplied password, or both, to protect sensitive data. The section includes the Secure the backup using Recovery Manager encryption checkbox, which is selected, and the Encryption Algorithm drop-down list, in which AES128 is selected.

The Encryption Mode subsection contains two checkboxes: Backups will be encrypted using the Oracle Encryption Wallet and Backups will be encrypted using the following password, which is currently selected. This section also contains the Password and Confirm Password fields. Both fields are filled.

Note

For security reasons, it is not possible to permanently modify your existing backup environment so that RMAN backups are encrypted using password mode. You can enable password-encrypted backups only for the duration of an RMAN session.

Dual-mode encrypted backups can be restored transparently or by specifying a password.

Dual-mode encrypted backups are useful when you create backups that are normally restored using the Oracle Encryption Wallet, but which occasionally need to be restored where the Oracle Encryption Wallet is not available.

Graphic

In the Encryption Mode subsection, in this example, the Backups will be encrypted using the Oracle Encryption Wallet and Backups will be encrypted using the following password checkboxes are both selected.

To create dual-mode encrypted backup sets, specify this command in your RMAN scripts.

Code

SET ENCRYPTION ON IDENTIFIED BY 'password';

Use the SET DECRYPTION command to specify one or more decryption passwords to be used when reading dual-mode or password-encrypted backups.

When RMAN reads encrypted backup pieces, it tries each password in the list until it finds the correct one to decrypt that backup piece. An error is signaled if none of the specified keys are correct. If you lose the password for a password-encrypted backup, you cannot restore that backup.

Code

SET DECRYPTION IDENTIFIED BY 'password_1', 'password_2', ..., 'password_n';

Because the Oracle key management infrastructure archives all previous master keys in the wallet, changing or resetting the current database master key does not affect your ability to restore encrypted backups performed using an older master key.
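The whole procedure described above (open the wallet, set the master key, configure RMAN encryption, then take transparent, password-only and dual-mode backups and restore them with SET DECRYPTION where the wallet is unavailable) put together as one shell wrapper. This is an added example, not code from the course or from Oracle; it assumes a hypothetical setup with an ORACLE_SID of orcl, a tablespace named EXAMPLE, a wallet directory /etc/ORACLE/WALLETS/orcl, and the wallet and backup passwords supplied in the environment variables WALLET_PASSWORD and BACKUP_PASSWORD. The SQL and RMAN scripts are generated by functions and fed to SQL*Plus and RMAN on standard input, so neither password ever appears as a command-line argument.

```shell
#!/bin/sh
# Added example: RMAN backup-set encryption end to end (hypothetical names:
# ORACLE_SID orcl, tablespace EXAMPLE, wallet dir /etc/ORACLE/WALLETS/orcl).
# Secrets come from WALLET_PASSWORD / BACKUP_PASSWORD, never from argv.
#
# One-time sqlnet.ora entry pointing the instance at the wallet directory:
#   ENCRYPTION_WALLET_LOCATION=
#     (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/etc/ORACLE/WALLETS/orcl)))

# SQL that creates the wallet (if absent) and sets the TDE master key.
# Run once (sql_set_master_key | run_sql): each execution generates a new
# master key. Old keys stay archived in the wallet, so older backups remain
# restorable, but there is no reason to rekey on every backup.
sql_set_master_key() {
    printf 'ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "%s";\n' "$WALLET_PASSWORD"
}

# SQL that opens the wallet after each instance startup; the password is the
# one chosen when the wallet was created.
sql_open_wallet() {
    printf 'ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "%s";\n' "$WALLET_PASSWORD"
}

# Persistent RMAN settings: transparent (wallet) encryption for the whole
# database, overridable per tablespace, plus the algorithm. Valid names come
# from V$RMAN_ENCRYPTION_ALGORITHMS; AES128 is the RMAN default.
rman_configure() {
    algo=${1:-AES128}
    printf 'CONFIGURE ENCRYPTION FOR DATABASE ON;\n'
    printf "CONFIGURE ENCRYPTION ALGORITHM '%s';\n" "$algo"
}

# RMAN script for one backup of tablespace EXAMPLE. MODE is transparent
# (wallet only, the default), password (password only, no wallet needed on
# restore) or dual (either). Only backup sets can be encrypted, hence
# AS BACKUPSET; AS COPY (image copy) backups cannot be.
rman_backup() {
    mode=$1; tag=$2
    case "$mode" in
        transparent) ;;
        password) printf "SET ENCRYPTION ON IDENTIFIED BY '%s' ONLY;\n" "$BACKUP_PASSWORD" ;;
        dual)     printf "SET ENCRYPTION ON IDENTIFIED BY '%s';\n" "$BACKUP_PASSWORD" ;;
        *) echo "rman_backup: unknown mode '$mode'" >&2; return 1 ;;
    esac
    printf "BACKUP AS BACKUPSET TABLESPACE example\n"
    printf "  FORMAT '/home/oracle/backup/example_%%U.bck'\n"
    printf "  TAG '%s';\n" "$tag"
}

# RMAN script to restore the tablespace from a given tag. A transparent
# backup needs only an open wallet; for password or dual backups restored
# where the wallet is unavailable, SET DECRYPTION supplies the candidate
# password(s) RMAN tries in turn. If none match, the restore fails.
rman_restore() {
    mode=$1; tag=$2
    if [ "$mode" != transparent ]; then
        printf "SET DECRYPTION IDENTIFIED BY '%s';\n" "$BACKUP_PASSWORD"
    fi
    printf "SQL 'ALTER TABLESPACE example OFFLINE IMMEDIATE';\n"
    printf "RESTORE TABLESPACE example FROM TAG '%s';\n" "$tag"
    printf "RECOVER TABLESPACE example;\n"
    printf "SQL 'ALTER TABLESPACE example ONLINE';\n"
}

# Feed the generated scripts to the tools on stdin (no secrets in argv).
run_sql()  { sqlplus -S "/ as sysdba"; }
run_rman() { rman target / ; }

main() {
    : "${WALLET_PASSWORD:?set WALLET_PASSWORD}" "${BACKUP_PASSWORD:?set BACKUP_PASSWORD}"
    sql_open_wallet                     | run_sql
    rman_configure AES256               | run_rman
    rman_backup transparent TRANSPARENT | run_rman
    rman_backup dual DUAL               | run_rman
    rman_restore dual DUAL              | run_rman
}

# Only talks to a real instance when explicitly requested.
if [ "${RUN_RMAN_DEMO:-0}" = 1 ]; then
    main
fi
```

The restore in main uses the dual-mode backup with a password deliberately: that is the path you exercise when rehearsing an offsite restore with no wallet, and a rehearsal is the only way to find out that the password written down for a backup is the wrong one before you need it.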

Option 2: This option is incorrect. If you lose the password for a password-encrypted backup, you cannot restore that backup. Also, if you lose the wallet containing the key for a transparently encrypted backup, you cannot restore that backup.

Option 3: This option is incorrect. Because the Oracle key management infrastructure archives all previous master keys in the wallet, changing or resetting the current database master key does not affect your ability to restore encrypted backups performed using an older master key.

Option 4: This option is correct. When RMAN reads encrypted backup pieces, it tries each password in the list until it finds the correct one to decrypt that backup piece. An error is signaled if none of the specified keys are correct.

Correct answer(s):

1. The SET DECRYPTION command is used to specify decryption passwords

4. When RMAN reads encrypted backup pieces, it tries each password in the list until it finds the correct one

There are certain considerations for RMAN-encrypted backups.

Any RMAN backups created as backup sets can be encrypted. However, image copy backups cannot be encrypted.

The V$RMAN_ENCRYPTION_ALGORITHMS view contains a list of encryption algorithms supported by RMAN. If no encryption algorithm is specified, the default encryption algorithm is 128-bit AES.

    ". Data ump encryption

    Every file that could contain sensitive data should be protected in some wayC the dump

    file produced by Data $ump E'port is no e'ception! n Oracle Database &&g, Data $ump

    E'port can encrypt the dump file!

    Data $ump file encryption requires that Oracle Advanced Security, commonly known as

    ASO, be installed! The ##process receives the data unencrypted from the database,

    even if the data is encrypted in the database with Transparent Data Encryption,

    abbreviated as TDE!

    )ote

    The #process cannot decrpt data that has been encrpted with application

    encrption, such as D4MS_CRYPTOprocedures.

    Data may be e'ported across network connections! f the ##process connects to the

    database usin a service name, the data may be encrypted if ASO network encryption is

    specified between the client /where ##is e'ecutin0 and the server!

    The ##process may also connect usin a database link specified with the

    NETWORK_LINKparameter! The data will be sent across this link in clear te't unless the

    database link has been confiured to use network encryption!

    The ENCRYPTIONparameter determines the scope of the encryption ? that is, which data

    elements are encrypted! The ENCRYPTION_MODEparameter determines the type of

    encryption used ? that is, the type of key used! The ENCRYPTION_PASSWORDinteracts

    with both the other parameters!

    %rapic

    -n example o" a service name is hr0IIIIJH;$C.

Question

Identify the features of Data Pump encryption.

Options:

1. It requires that ASO be installed

2. The ENCRYPTION_MODE parameter determines the scope of the encryption

3. The expdp process receives the data unencrypted from the database

4. Data cannot be exported across network connections

The NONE setting is the default. If ENCRYPTION_PASSWORD is set and ENCRYPTION is not set, ENCRYPTION defaults to ALL.

The ENCRYPTION_PASSWORD parameter may be used by itself in the command line or the parameter file. ENCRYPTION_PASSWORD specifies a key for re-encrypting encrypted table columns so that they are not written as clear text in the dump file set.

If the export operation involves encrypted table columns, but an encryption password is not supplied, the encrypted columns will be written to the dump file set as clear text, and a warning will be issued.

There is no connection or dependency between the key specified with the Data Pump ENCRYPTION_PASSWORD parameter and the key specified with the ENCRYPT keyword when the table with encrypted columns was initially created. For example, suppose a table is created with an encrypted column whose key is xyz.

Code

CREATE TABLE emp (salary NUMBER(8,2) ENCRYPT IDENTIFIED BY "xyz");

When you export the EMP table, you can supply any arbitrary value for ENCRYPTION_PASSWORD. It does not have to be xyz. Passwords should never be used in a command line, where they are visible to other users through the process list and are kept in the shell history.

As a best practice, you should place the ENCRYPTION_PASSWORD parameter in a parameter file.

For network exports, the ENCRYPTION_PASSWORD parameter is not supported with user-defined external tables that have encrypted columns. The table will be skipped and an error message will be displayed, but the job will continue.

Question

Which statements most accurately describe the ENCRYPTION_PASSWORD parameter?

Options:

1. It may be used by itself in the command line

2. It specifies a key for re-encrypting encrypted table columns

3. It is supported with user-defined external tables that have encrypted columns

4. There is a dependency between the key specified with this parameter and the key specified with the ENCRYPT keyword at table creation

Answer

Option 1: This option is correct. The ENCRYPTION_PASSWORD parameter may be used by itself in the command line or the parameter file.

Option 2: This option is correct. ENCRYPTION_PASSWORD specifies a key for re-encrypting encrypted table columns so that they are not written as clear text in the dump file set.

Option 3: This option is incorrect. For network exports, the ENCRYPTION_PASSWORD parameter is not supported with user-defined external tables that have encrypted columns.

Option 4: This option is incorrect. There is no connection or dependency between the key specified with the Data Pump ENCRYPTION_PASSWORD parameter and the key specified with the ENCRYPT keyword when the table with encrypted columns was initially created.

Correct answer(s):

1. It may be used by itself in the command line

2. It specifies a key for re-encrypting encrypted table columns

The ENCRYPTION_MODE parameter sets the method of obtaining the key for encrypting the dump file. The ENCRYPTION or ENCRYPTION_PASSWORD parameter must also be set when specifying the ENCRYPTION_MODE parameter.

If the encryption wallet is configured and TRANSPARENT is specified, the dump file is encrypted with no intervention by the DBA required. The ENCRYPTION_PASSWORD parameter is not needed, and the expdp process will return an error if ENCRYPTION_PASSWORD is specified.

A dump file exported in transparent mode may be imported transparently if the encryption wallet is available. These dump files should be imported to the same database that they were exported from.

When PASSWORD mode is specified, the password is not stored, but must be specified on import. Dump files created in password mode are best suited for cases where the file will be imported offsite where the encryption wallet is not available.

ENCRYPTION_PASSWORD must be specified when using this mode. To import the dump file, the same password must be specified, and the target table must have the same encryption attributes as the source table (the same columns must be declared as ENCRYPT or NOENCRYPT).

Dual mode allows the dump file to be imported transparently where the encryption wallet is available, or with a password where the wallet is not available.

TDE allows you to protect your database data files and image backups by encrypting the data of sensitive columns.

Data Pump Export allows you to export that data into a dump file or an external table that is created in XML format. By default, the data in the dump file is in clear text. In the example, you can encrypt only the data, or you can encrypt the entire dump file. This example uses transparent mode.

Code

expdp hr TABLES=employees DIRECTORY=data_pump_dir DUMPFILE=hr_emp.dmp ENCRYPTION_MODE=TRANSPARENT ENCRYPTION=DATA_ONLY

When you want to encrypt in the dump file only the columns that are encrypted in the database, use ENCRYPTION=ENCRYPTED_COLUMNS_ONLY. ENCRYPTION_PASSWORD must be specified. Therefore, ENCRYPTION_MODE must be PASSWORD.

This example uses password mode to generate the key. It also uses the encryption password on the command line. Passwords should never be placed on the command line. Use PARFILE with expdp or impdp to specify ENCRYPTION_PASSWORD.

Code

expdp oe TABLES=cust_payment_info
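The parameter-file practice recommended above (ENCRYPTION_PASSWORD in a PARFILE rather than on the command line), with a password-mode export and the matching import, as an added example that is not part of the course and not an Oracle script. It assumes a hypothetical HR.CUST_PAYMENT_INFO table, the DATA_PUMP_DIR directory object, and the encryption password supplied in the environment variable DP_ENC_PASSWORD. The parfile is created under umask 077 so only its owner can read it, expdp and impdp are invoked with PARFILE= so the password is absent from the process argument list, and the file is removed once the job ends.

```shell
#!/bin/sh
# Added example: keep the Data Pump ENCRYPTION_PASSWORD out of argv.
# Hypothetical names: table HR.CUST_PAYMENT_INFO, directory object
# DATA_PUMP_DIR, password in $DP_ENC_PASSWORD (for interactive use, read it
# with stty -echo instead of exporting it).

# write_dp_parfile OUTFILE TOOL TABLES DUMPFILE
#   TOOL is expdp or impdp. Writes a mode-0600 parameter file and prints its
#   path. Export uses PASSWORD mode, which needs no wallet at the importing
#   site; the same password must then be given to impdp.
write_dp_parfile() {
    out=$1; tool=$2; tables=$3; dumpfile=$4
    if [ -z "${DP_ENC_PASSWORD:-}" ]; then
        echo "write_dp_parfile: DP_ENC_PASSWORD is not set" >&2
        return 1
    fi
    case "$tool" in
        expdp|impdp) ;;
        *) echo "write_dp_parfile: unknown tool '$tool'" >&2; return 1 ;;
    esac
    old_umask=$(umask)
    umask 077                       # parfile readable by its owner only
    {
        printf 'TABLES=%s\n'   "$tables"
        printf 'DIRECTORY=DATA_PUMP_DIR\n'
        printf 'DUMPFILE=%s\n' "$dumpfile"
        if [ "$tool" = expdp ]; then
            # ENCRYPTION=ALL covers data and metadata; ENCRYPTED_COLUMNS_ONLY
            # would re-encrypt just the TDE columns.
            printf 'ENCRYPTION=ALL\n'
            printf 'ENCRYPTION_MODE=PASSWORD\n'
            printf 'ENCRYPTION_ALGORITHM=AES256\n'
        fi
        # Not stored in the dump file; required again on import.
        printf 'ENCRYPTION_PASSWORD=%s\n' "$DP_ENC_PASSWORD"
    } > "$out"
    umask "$old_umask"
    echo "$out"
}

# parfile_is_private FILE: succeed only if the mode is exactly rw-------.
# (ls is used because stat's flags differ between GNU and BSD.)
parfile_is_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# dp_argv TOOL CONNECT PARFILE: the command line that will be executed.
# Passing only the user name makes the tool prompt for the database
# password, so that secret stays off the command line as well.
dp_argv() {
    printf '%s %s PARFILE=%s\n' "$1" "$2" "$3"
}

# run_dp TOOL CONNECT PARFILE: refuse a readable parfile, run the job, and
# remove the parfile afterwards, including on interrupt.
run_dp() {
    tool=$1; connect=$2; parfile=$3
    parfile_is_private "$parfile" || { echo "refusing: $parfile is not mode 0600" >&2; return 1; }
    if ! command -v "$tool" >/dev/null 2>&1; then
        echo "$tool not found; would run: $(dp_argv "$tool" "$connect" "$parfile")" >&2
        return 2
    fi
    trap 'rm -f "$parfile"; exit 130' INT TERM
    "$tool" "$connect" PARFILE="$parfile"; rc=$?
    rm -f "$parfile"
    trap - INT TERM
    return $rc
}

# Export at the source site, then import at a site without the wallet.
# Only runs the real tools when explicitly requested.
if [ "${RUN_DP_DEMO:-0}" = 1 ]; then
    pf=$(write_dp_parfile "$HOME/exp_cust.par" expdp HR.CUST_PAYMENT_INFO cust_pay.dmp)
    run_dp expdp hr "$pf"
    pf=$(write_dp_parfile "$HOME/imp_cust.par" impdp HR.CUST_PAYMENT_INFO cust_pay.dmp)
    run_dp impdp hr "$pf"
fi
```

The same parfile shape works for a dual-mode export by changing ENCRYPTION_MODE to DUAL; the import side is unchanged, because impdp only ever needs ENCRYPTION_PASSWORD (or an open wallet).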

Using RMAN Backup File Encryption

Learning Objective

After completing this topic, you should be able to

create and recover backups

Exercise overview

EXAMPLE tablespace to /home/oracle/backup/example001.bck. Set TAG = TRANSPARENT so that it can be specified in the restore command. Include the format and tag clauses on separate lines.

Steps list

Instructions

1. Type BACKUP TABLESPACE example and press Enter

2. Type

Steps list

Instructions

1. Type RESTORE TABLESPACE example FROM TAG transparent; and press Enter

2. Type SET DECRYPTION IDENTIFIED BY 'password1'; and press Enter

3. Type RESTORE TABLESPACE example FROM TAG password; and press Enter