In 10g it is only possible to enable TDE for individual columns of tables. This made it difficult to analyze an application and keep an overview of all the relevant columns that hold sensitive personal data.
Note: Transparent (Tablespace) Encryption is part of the extra-cost Advanced Security Option.
Starting with Oracle Database 11g it is possible to encrypt entire tablespaces. This makes it much easier to make sure that all relevant data is encrypted, because everything you put into such a tablespace is encrypted automatically, without any per-column decision.
In order to use encrypted tablespaces you need to create a master encryption key for tablespaces. This is a different master key from the one used for TDE column encryption. The syntax to create the master key for tablespace encryption is the same as for the creation of the TDE column master key; the password given is the wallet password that protects the key, not the key itself:
LUTZ AS SYSDBA @ orcl
SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<wallet_password>";
This command creates a master key for column encryption with TDE as well as a master key for tablespace encryption in an external encrypted wallet (creating the wallet if it does not exist yet). This is the same wallet that is used for the TDE column master keys.
The status of the wallet can be viewed using the view v$encryption_wallet:
LUTZ AS SYSDBA @ orcl
SQL> SELECT * FROM v$encryption_wallet;
WRL_TYPE  WRL_PARAMETER                STATUS
--------  ---------------------------  ---------
file      /etc/ORACLE/WALLETS/oracle/  OPEN
If you have upgraded a 10g database which used TDE to 11g and you want to use tablespace encryption after the upgrade, you must reissue this command after setting the COMPATIBLE parameter to 11.1.0 or higher. This re-keys the TDE column master key and adds the tablespace master key to the wallet.
For the use of a Hardware Security Module, the tablespace encryption master key must have been created first, before the HSM is configured (see the HSM section above).
Let’s have a
look at the syntax for encrypted tablespaces:
SQL> CREATE TABLESPACE encr_ts
DATAFILE '/u01/app/oracle/oradata/orcl/encr_ts_01.dbf' SIZE 100M
ENCRYPTION USING '3DES168'
DEFAULT STORAGE (ENCRYPT);
In the ENCRYPTION clause the algorithm to use is specified. Valid values for the algorithm are 3DES168, AES128, AES192 and AES256. The default is AES128.
The view V$ENCRYPTED_TABLESPACES shows the encryption properties of each encrypted tablespace (join it to v$tablespace on TS# to get the tablespace name):
LUTZ AS SYSDBA @ orcl
SQL> DESC v$encrypted_tablespaces;
Name            Null?    Type
--------------- -------- -----------------
TS#                      NUMBER
ENCRYPTIONALG            VARCHAR2(7)
ENCRYPTEDTS              VARCHAR2(3)
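The complete procedure from the paragraphs above, from master key creation to checking which application objects actually sit in an encrypted tablespace, as an added example (this is not code from the original page). It assumes sqlnet.ora already points ENCRYPTION_WALLET_LOCATION at /etc/ORACLE/WALLETS/oracle as shown in the v$encryption_wallet output above; the wallet password, the APP schema and the table and file names are placeholders.

```sql
-- Added example, not from the original page. Run as SYSDBA in SQL*Plus on 11g.
-- Assumption: sqlnet.ora has ENCRYPTION_WALLET_LOCATION set to
-- /etc/ORACLE/WALLETS/oracle; password, schema and paths are placeholders.

-- 1. Create the master keys (column TDE key and tablespace key) in the wallet.
--    If the wallet does not exist yet, this also creates and opens it.
--    The password protects the wallet; the key itself is generated randomly.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Wallet-Pw-ChangeMe";

-- 2. Confirm the wallet is open. STATUS must be OPEN. CLOSED means the wallet
--    exists but has not been opened since instance startup; NOT_AVAILABLE
--    means no wallet was found at the configured location.
SELECT wrl_type, wrl_parameter, status
  FROM v$encryption_wallet;

-- After a restart the wallet is closed again (unless it is an auto-login
-- wallet). Open it explicitly before touching encrypted tablespaces:
-- ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Wallet-Pw-ChangeMe";

-- 3. Create the encrypted tablespace. AES256 is chosen here; 3DES168, AES128
--    and AES192 are the other valid values, AES128 is the default.
CREATE TABLESPACE encr_ts
  DATAFILE '/u01/app/oracle/oradata/orcl/encr_ts_01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 4. Verify: v$encrypted_tablespaces only carries TS#, so join v$tablespace
--    to see the name.
SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;

-- 5. Put data in it. Nothing column-level is needed: the segment inherits
--    encryption from the tablespace. Note the USING INDEX clause: without it
--    the primary key index would land in the user's default tablespace and
--    the indexed values would be stored in clear.
CREATE TABLE app.customers (
  cust_id   NUMBER PRIMARY KEY USING INDEX TABLESPACE encr_ts,
  ssn       VARCHAR2(11),
  full_name VARCHAR2(100)
) TABLESPACE encr_ts;

-- 6. Audit check: list every table of the application schema whose data
--    lives OUTSIDE an encrypted tablespace. An empty result is the goal.
--    (Partitioned tables have NULL tablespace_name here; check
--    dba_tab_partitions for those.)
SELECT owner, table_name, tablespace_name
  FROM dba_tables
 WHERE owner = 'APP'
   AND tablespace_name NOT IN (
         SELECT t.name
           FROM v$encrypted_tablespaces e
           JOIN v$tablespace t ON t.ts# = e.ts#
          WHERE e.encryptedts = 'YES');

-- Indexes (and LOB segments in dba_lobs) can live in a different tablespace
-- than their table, so check them the same way.
SELECT owner, index_name, table_name, tablespace_name
  FROM dba_indexes
 WHERE owner = 'APP'
   AND tablespace_name NOT IN (
         SELECT t.name
           FROM v$encrypted_tablespaces e
           JOIN v$tablespace t ON t.ts# = e.ts#
          WHERE e.encryptedts = 'YES');
```

The two audit queries at the end are the part worth keeping around: the whole point of tablespace encryption is that you no longer have to reason per column, but that only holds if every segment of the application, indexes and LOBs included, actually lands in an encrypted tablespace.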
Data from encrypted tablespaces remains protected in the temporary tablespace during sort and join operations. This also applies to the undo and redo information generated for encrypted data.
- It is not possible to transport an encrypted tablespace cross-platform.
- Re-keying is not supported for encrypted tablespaces.
- Only permanent tablespaces can be encrypted.
- Data stored outside the database, namely BFILEs and external tables, cannot be encrypted.
- Index range scans can be performed on data in encrypted tablespaces.
- Encryption for tablespaces is always "salted".
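To see what the index range scan point above means in practice, here is an added example (not from the original page) that contrasts a column encrypted with TDE against the same column in a table stored in an encrypted tablespace. It assumes the encrypted tablespace encr_ts from above exists and the wallet is open; the APP schema, the table names, the row counts and the plan shapes described in the comments are illustrative.

```sql
-- Added example, not from the original page. Assumes encr_ts exists and the
-- wallet is open; APP schema and table names are placeholders.

-- Column TDE: a column encrypted with SALT (the default) cannot be indexed
-- at all. NO SALT allows an index, but the index is ordered by ciphertext,
-- which has nothing to do with plaintext order, so it serves equality
-- lookups only.
CREATE TABLE app.payments_col (
  pay_id  NUMBER PRIMARY KEY,
  amount  NUMBER(12,2) ENCRYPT NO SALT,
  paid_on DATE
);
CREATE INDEX app.payments_col_amt_ix ON app.payments_col (amount);

-- Tablespace encryption: to the optimizer this is an ordinary table with an
-- ordinary B-tree; blocks are encrypted on the way to disk, below the cache.
CREATE TABLE app.payments_ts (
  pay_id  NUMBER PRIMARY KEY USING INDEX TABLESPACE encr_ts,
  amount  NUMBER(12,2),
  paid_on DATE
) TABLESPACE encr_ts;
CREATE INDEX app.payments_ts_amt_ix ON app.payments_ts (amount)
  TABLESPACE encr_ts;

-- Constructed sample data (10,000 rows per table) and fresh statistics, so
-- the optimizer has real numbers to base its choice on.
INSERT INTO app.payments_col
  SELECT level, level * 7, SYSDATE - level FROM dual CONNECT BY level <= 10000;
INSERT INTO app.payments_ts
  SELECT level, level * 7, SYSDATE - level FROM dual CONNECT BY level <= 10000;
COMMIT;
EXEC DBMS_STATS.GATHER_TABLE_STATS('APP', 'PAYMENTS_COL', cascade => TRUE);
EXEC DBMS_STATS.GATHER_TABLE_STATS('APP', 'PAYMENTS_TS',  cascade => TRUE);

-- The same range predicate against both tables (roughly 15 of 10,000 rows).
EXPLAIN PLAN SET STATEMENT_ID = 'col' FOR
  SELECT pay_id FROM app.payments_col WHERE amount BETWEEN 100 AND 200;
EXPLAIN PLAN SET STATEMENT_ID = 'ts' FOR
  SELECT pay_id FROM app.payments_ts  WHERE amount BETWEEN 100 AND 200;

-- Expected: 'col' cannot use PAYMENTS_COL_AMT_IX for a range and falls back
-- to TABLE ACCESS FULL, decrypting every row to evaluate the filter;
-- 'ts' shows INDEX RANGE SCAN on PAYMENTS_TS_AMT_IX followed by
-- TABLE ACCESS BY INDEX ROWID, exactly as for an unencrypted table.
SELECT * FROM TABLE(DBMS_XPLAN.DISPLAY('PLAN_TABLE', 'col'));
SELECT * FROM TABLE(DBMS_XPLAN.DISPLAY('PLAN_TABLE', 'ts'));
```

The same reasoning explains the "salted" bullet: tablespace encryption can always salt, because nothing above the block layer ever sees ciphertext and so nothing needs ciphertext to be deterministic, whereas column TDE has to give up the salt before a column can be indexed at all.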
Transparent Data Encryption with Enterprise Manager
TDE is now fully integrated into Oracle Enterprise Manager (OEM). You find the interface to TDE in the Server pane. There it is possible to change the wallet location and to recreate the master key. At the bottom of the TDE page you find links to all related functionality, such as Export/Import, Tables and Tablespaces.