Oracle Transparent Data Encryption (TDE) 12c

This presentation provides an introduction to Oracle Transparent Data Encryption technology in 12c. It is provided as part of Oracle Advanced Security.

Oracle Transparent Data Encryption (TDE) 12c
Prepared by @nabeelxy
8/30/2014

Typical Deployment of Databases
[Diagram: Users, Applications, DBA, DB server, DB files]

Attack Surface
[Diagram: Users, Applications, DBA, DB server, DB files, with the attack surface highlighted]

Direct Access to Data
[Diagram: Users, Applications, DBA, DB server, DB files, showing direct access to the DB files]
What is TDE?
• An Oracle Advanced Security feature that encrypts data at rest completely transparently to applications
• It is not an access control mechanism for Oracle database users
• Notice that the data is encrypted only at rest – when the database server processes the data in the SQL layer, data records are decrypted and processed

Why TDE/Encryption?
• If attackers can gain access to the operating system as a powerful user (e.g. root or oracle), they can bypass the database and have direct access to the data. Encryption can protect database files stored on disk
• Also, many regulatory compliance regimes require encrypting data at rest

Encryption Options Available
• DBMS_CRYPTO – client-side encryption
• TDE
  – Column encryption (10gR2 onwards)
  – Tablespace encryption (11gR1 onwards)
• In this presentation, we only look at TDE

TDE Setup
[Diagram: the emp table with its Name and Salary columns stored as ciphertext and Position in clear, inside the hr tablespace (emp table, table1, table2, index 1, seq1) of the Oracle database; the master key is held in the Oracle Wallet, with the Oracle Data Dictionary shown alongside]

TDE Workflow
1. Set up the wallet and master key
2. Identify
   – Tables with sensitive columns
   – Tablespaces with sensitive tables
3. Open the wallet
4. Encrypt
   – The identified columns
   – The identified tablespaces
5. Close the wallet

Oracle Wallet
• A PKCS#12 formatted file residing outside of the database (in the file system)
• Encrypted using password-based encryption as defined in PKCS#5
• Holds the TDE master key
• It is good practice to set up the wallet outside of $ORACLE_BASE and grant minimal privileges on the wallet folder

Setting up Oracle Wallet
• Specify the wallet location using the sqlnet.ora parameter ENCRYPTION_WALLET_LOCATION:
    ENCRYPTION_WALLET_LOCATION=
      (SOURCE=(METHOD=FILE)(METHOD_DATA=
        (DIRECTORY=/etc/orcl/keystore)))
• Initialize and create the master key in SQL*Plus in CDB$ROOT:
    ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/orcl/keystore' IDENTIFIED BY password;
• This creates a file called ewallet.p12 in the wallet folder

Opening the Wallet
• Once the wallet is open, the master key becomes available to the database:
    ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY chia_123 CONTAINER = ALL;
• Once the wallet is open, you can perform TDE operations
  – Column encryption
  – Tablespace encryption
• The v$encryption_wallet view shows the wallet status

Opening the Wallet
• select wrl_parameter, status, con_id from v$encryption_wallet;
    WRL_PARAMETER       STATUS     CON_ID
    ------------------  ---------- ------
    /etc/orcl/keystore  OPEN            0
• In order to exercise least privilege and separation of duty, it is recommended to use a SYSKM user instead of SYSDBA to perform wallet management

Two-Tier Key Architecture
• The master key is stored in an Oracle Wallet (keystore)
• Tablespace or table (column) keys are stored in the database itself, in the Oracle data dictionary – they are encrypted using the master key
• If an HSM is used as the Oracle Wallet, the master key is not fetched into the database to decrypt the tablespace/table keys

TDE Column Encryption
• Allows encrypting one or more columns of a table
• Each column is assigned a unique symmetric key
• The symmetric keys are stored encrypted under the master key in the Oracle data dictionary (in the sys.enc$ table)

TDE Column Encryption
• Create the encemp table with two encrypted columns:
    create table encemp (
      name varchar2(128) encrypt,
      salary number(6) encrypt,
      position varchar2(32)
    );
• The user_encrypted_columns view shows the encrypted columns:
    TABLE_NAME       COLUMN_NAME      ENCRYPTION_ALG
    ---------------  ---------------  ------------------
    ENCEMP           NAME             AES 192 bits key
    ENCEMP           SALARY           AES 192 bits key

TDE Column Encryption
• Encryption parameters can be changed, and table columns encrypted or decrypted, later using the ALTER TABLE statement
• Both the master key and the table keys can be changed
  – If the master key is changed, the encrypted columns are not changed
  – If table keys are changed, the encrypted columns are re-encrypted with the new keys
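The following Python model is an added illustration of the two-tier key architecture and of the re-key behaviour described on this slide; it is not code from the deck or from Oracle. A master key held in the "wallet" wraps one key per encrypted column, the wrapped column keys live in the "data dictionary", and the column key encrypts the stored values, so rekeying the master only re-wraps the column keys while rekeying a column re-encrypts its data. The cipher is a constructed HMAC-SHA256 counter-mode stand-in for AES so the example runs on the standard library alone, and the class and function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Toy counter-mode stream cipher from HMAC-SHA256: a stand-in for the AES used by
# real TDE so this runs on the standard library alone; not a production cipher.
def _keystream_xor(key, nonce, data):
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)  # fresh nonce, prepended to the ciphertext
    return nonce + _keystream_xor(key, nonce, plaintext)

def decrypt(key, blob):
    return _keystream_xor(key, blob[:16], blob[16:])

# Master key in the wallet (outside the DB); one key per encrypted column, stored
# wrapped under the master key in the data dictionary (sys.enc$ in Oracle).
class TdeDatabase:
    def __init__(self):
        self.wallet_master_key = secrets.token_bytes(32)
        self.dictionary = {}  # column -> column key wrapped with the master key
        self.datafile = {}    # column -> ciphertexts as they sit in the data file
    def _column_key(self, column):
        return decrypt(self.wallet_master_key, self.dictionary[column])
    def encrypt_column(self, column, values):
        column_key = secrets.token_bytes(32)
        self.dictionary[column] = encrypt(self.wallet_master_key, column_key)
        self.datafile[column] = [encrypt(column_key, v.encode()) for v in values]
    def read_column(self, column):
        key = self._column_key(column)
        return [decrypt(key, c).decode() for c in self.datafile[column]]
    def rekey_master(self):  # re-wraps column keys only; on-disk data untouched
        new_master = secrets.token_bytes(32)
        self.dictionary = {c: encrypt(new_master, self._column_key(c)) for c in self.dictionary}
        self.wallet_master_key = new_master
    def rekey_column(self, column):  # new column key: stored data is re-encrypted
        self.encrypt_column(column, self.read_column(column))

def demo():
    db = TdeDatabase()
    db.encrypt_column("SALARY", ["4500", "7200"])  # constructed sample values
    before = list(db.datafile["SALARY"])
    db.rekey_master()
    same_after_master_rekey = db.datafile["SALARY"] == before
    db.rekey_column("SALARY")
    return db.read_column("SALARY"), same_after_master_rekey, db.datafile["SALARY"] != before
```

demo() returns the readable column plus two flags: the ciphertexts are identical after the master re-key and different after the column re-key, mirroring the two bullets above.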
Limitations of Column Encryption
• Higher overhead than tablespace encryption
• Supports only B-tree indexes
• Foreign key columns cannot be encrypted
• Cannot perform range scans over encrypted data
• Requires more storage

Tablespace Encryption
• Every object in the tablespace is encrypted
• Specify encryption parameters at the time of tablespace creation:
    create tablespace encts
      logging
      datafile '?/dbs/encts.dbf' size 32m autoextend on next 32m maxsize 2048m
      default storage(encrypt)
• Note that you cannot encrypt existing tablespaces

Tablespace Encryption
• You can view the encrypted tablespaces using the dba_tablespaces view:
    TABLESPACE_NAME  ENCRYPTED
    ---------------  ---------
    SYSTEM           NO
    SYSAUX           NO
    TEMP             NO
    SYSEXT           NO
    ENCTS            YES
• Use the v$encrypted_tablespaces view to see the encryption options set for encrypted tablespaces

Re-Key Support
             Column Encryption          Tablespace Encryption
Release      Master key   Table keys    Master key   Table keys
10gR2        Yes          Yes           N/A          N/A
11gR1        Yes          Yes           No           No
11gR2        Yes*         Yes           Yes*         No
12cR1        Yes*         Yes           Yes*         No
* Unified master key: both column and tablespace encryption use the same master key

Column vs. Tablespace Encryption
Column Encryption                                                                   Tablespace Encryption
Column encryption is expensive, so use it only if less than 5% of the application   Use when most of the application data is sensitive
tables need encryption
Does not support hardware crypto acceleration                                       Supports hardware crypto acceleration
Supports only B-tree indexes                                                        Does not have such a restriction
Supports rekeying of data                                                           Does not support rekeying of data
Can encrypt existing tables                                                         Cannot encrypt existing tablespaces

References
• http://docs.oracle.com/database/121/ASOAG/asotrans.htm
