Slide 6
Transparent Data Encryption
How to install TDE on a database
sqlnet.ora needs the following entry:
ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA =
(DIRECTORY = /u01/app/oracle/admin/$ORACLE_UNQNAME/tde_wallet)))
Only the oracle user may have access to the wallet directory and the wallet file:
chmod 600 ewallet.p12
Avoid accidental deletion of the TDE wallet files (make them immutable):
chattr +i ewallet.p12
chattr +i cwallet.sso
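The three hardening steps on this slide are easy to get wrong silently (a restore, a copy from another node or a new auto-login wallet can reset the mode or drop the immutable flag). The following script is an added example, not part of the original slides: it audits a wallet directory for exactly those properties (owner-only directory, wallet files owned by the software owner with mode 600, immutable attribute set). It assumes Linux with GNU or BusyBox stat(1); lsattr(1) is optional, and the wallet path in the usage comment is the one from the slide.

```shell
#!/bin/sh
# Added example, not part of the original slides: audit a TDE wallet directory
# for the hardening the slide describes (only the oracle user can reach the
# directory, wallet files are mode 600, ewallet.p12/cwallet.sso are immutable).
# Assumptions: Linux with GNU or BusyBox stat(1); lsattr(1) is optional.

WALLET_FILES="ewallet.p12 cwallet.sso"

# check_wallet_perms DIR OWNER
# Prints one line per finding. Returns 0 only when DIR is owned by OWNER with
# no group/other permission bits and every wallet file present is OWNER, 600.
check_wallet_perms() {
    dir=$1; owner=$2; rc=0
    dmode=$(stat -c '%a' "$dir") || return 1
    downer=$(stat -c '%U' "$dir")
    case $dmode in
        *00) ;;
        *) echo "$dir: mode $dmode grants group/other access"; rc=1 ;;
    esac
    [ "$downer" = "$owner" ] || { echo "$dir: owned by $downer, expected $owner"; rc=1; }
    for name in $WALLET_FILES; do
        f=$dir/$name
        [ -e "$f" ] || continue            # the auto-login wallet may not exist yet
        fmode=$(stat -c '%a' "$f"); fowner=$(stat -c '%U' "$f")
        [ "$fmode" = "600" ] || { echo "$f: mode $fmode, expected 600"; rc=1; }
        [ "$fowner" = "$owner" ] || { echo "$f: owned by $fowner, expected $owner"; rc=1; }
    done
    return $rc
}

# check_wallet_immutable FILE
# Returns 0 if the immutable attribute (chattr +i) is set, 1 if it is not,
# 2 if lsattr is missing or the filesystem does not support attributes.
check_wallet_immutable() {
    attrs=$(lsattr "$1" 2>/dev/null) || return 2
    case ${attrs%% *} in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Demo on a constructed directory (not a real wallet). Real use:
#   check_wallet_perms /u01/app/oracle/admin/$ORACLE_UNQNAME/tde_wallet oracle
demo=$(mktemp -d)
printf 'placeholder' > "$demo/ewallet.p12"
chmod 700 "$demo"; chmod 644 "$demo/ewallet.p12"     # deliberately too open
check_wallet_perms "$demo" "$(id -un)" || echo "fix with: chmod 600 $demo/ewallet.p12"
if check_wallet_immutable "$demo/ewallet.p12"; then
    echo "$demo/ewallet.p12 is immutable"
else
    echo "$demo/ewallet.p12 is not immutable (or cannot be checked); fix with: chattr +i"
fi
rm -rf "$demo"
```

Run it from cron as the oracle user on every node that holds a wallet copy; a non-zero exit from check_wallet_perms is the signal that someone or something has loosened the protection the slide sets up.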
Slide 7
Transparent Data Encryption
How to install TDE on a database
Auto-login versus local auto-login wallet
Without an auto-login wallet, opening the wallet is a manual operation that must be
performed after every startup to make the master encryption key available to the database.
$ orapki wallet create -wallet <wallet location> -auto_login
Creates the file cwallet.sso (the auto-login wallet).
$ orapki wallet create -wallet <wallet location> -auto_login_local
A local auto-login wallet can be created starting with Oracle Database 11.1.0.7; it
does not open on any machine other than the one it was created on.
Slide 9
Transparent Data Encryption
HOW?
• The encryption is done at the operating-system level, where the data is stored.
Unencrypted tablespace: the customer name is readable in the datafile.
OWNER_EVL@TEST1_1 SQL> select * from SECURE_CUSTOMER_INFO;
NAME ACCOUNT_NR
------------------------------ ----------
Semira 123456789
Mehrdad 223456789
Geert 323456789
$ strings testelvd | grep -i Geert
Geert
Slide 10
Transparent Data Encryption
HOW?
• The encryption is done at the operating-system level, where the data is stored.
Encrypted tablespace: the customer name is no longer readable in the datafile.
OWNER_ABC@TEST1_1 SQL> select * from SECURE_CUSTOMER_INFO;
NAME ACCOUNT_NR
------------------------------ ----------
Semira 123456789
Mehrdad 223456789
Geert 323456789
NewCstmer 123456777
$ strings testtablespaceABCD | grep -i Geert
(no output: the encrypted datafile contains no readable customer names)
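The strings-and-grep test on these two slides is the simplest evidence that a tablespace is really encrypted, and it is worth running over every datafile rather than one. The script below is an added example, not part of the original slides: it sweeps a datafile directory for a list of known sensitive values and reports which files still contain them in clear. A binary-safe grep (grep -a) stands in for the strings|grep pipeline so it needs nothing beyond grep and coreutils; the directory layout, the sample rows and the random-byte file standing in for an encrypted datafile are all constructed.

```shell
#!/bin/sh
# Added example, not part of the original slides: sweep a datafile directory
# for sensitive values that must only exist encrypted, the same test the slides
# run by hand with `strings <datafile> | grep -i <name>`. A binary-safe grep
# (grep -a) stands in for the strings|grep pipeline so the check needs nothing
# beyond grep and coreutils. Directory layout and sample values are constructed.

# find_plaintext DATAFILE_DIR VALUE
# Prints every file under DATAFILE_DIR in which VALUE appears as readable text
# (case-insensitive). Returns 0 when at least one file leaks, 1 when clean.
find_plaintext() {
    LC_ALL=C grep -rail -- "$2" "$1"
}

# audit_plaintext DATAFILE_DIR VALUES_FILE
# Runs find_plaintext for each non-empty line of VALUES_FILE and prints
# "value<TAB>file" per hit. Returns 0 when no value was found, 1 otherwise.
audit_plaintext() {
    dir=$1; hits=0
    while IFS= read -r value; do
        [ -n "$value" ] || continue
        for f in $(find_plaintext "$dir" "$value"); do
            printf '%s\t%s\n' "$value" "$f"
            hits=$((hits + 1))
        done
    done < "$2"
    [ "$hits" -eq 0 ]
}

# Demo on constructed files. Real use (path is an assumption):
#   audit_plaintext /u01/app/oracle/oradata/$ORACLE_UNQNAME sensitive-values.txt
demo=$(mktemp -d)
mkdir "$demo/oradata"
# users01.dbf: stands in for a datafile of an unencrypted tablespace
printf 'NAME ACCOUNT_NR\nSemira 123456789\nMehrdad 223456789\nGeert 323456789\n' \
    > "$demo/oradata/users01.dbf"
# secure01.dbf: random bytes stand in for a datafile of an encrypted tablespace
head -c 4096 /dev/urandom > "$demo/oradata/secure01.dbf"
printf 'Geert\n323456789\n' > "$demo/sensitive-values.txt"
audit_plaintext "$demo/oradata" "$demo/sensitive-values.txt" \
    || echo "plaintext residue found; move these tablespaces to encrypted storage"
rm -rf "$demo"
```

Keep the values file itself outside the directory being scanned (and protected like the wallet), otherwise the scan reports its own input. Remember also that this only checks data at rest, which is exactly the scope TDE covers; it says nothing about redo shipped in clear or data in transit.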
Slide 11
Transparent Data Encryption
The way to encrypt
• Tablespace level. Reasons to choose it over column encryption:
  Better performance
  You can't find all columns with sensitive data
  Data type/data length not supported by column encryption
  The sensitive column is a foreign key
  The index type is other than B-tree
  Range scans are done through an index
Slide 12
Transparent Data Encryption
Migration to tablespace-level encryption
• Existing data must be moved to an encrypted tablespace.
• This can be done online or offline.
• Using a Data Guard transient logical standby, downtime is < 5 minutes; this is the
best way.
Slide 14
Transparent Data Encryption
RESTRICTIONS of TDE
• Only protects data stored on disk/media, not data in transit
• Performance decrease (column encryption only)
• TDE can't be enabled on a SYS-owned table
• RMAN backups: not with image copies
Slide 18
Risk when using Transparent Data Encryption
LOSS OF THE AUTO-LOGIN WALLET
Deleted the file cwallet.sso (the auto-login wallet) at the OS level.
Result:
SQL> select * from emp; --> no problem reading the data, as expected; it is just
the auto-login wallet that is gone.
- Shutdown, startup database: no problem starting the database
- SQL> select * from emp; --> ORA-28365: wallet is not open.
- SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<password>";
- SQL> select * from emp; --> works again.
Slide 19
Risk when using Transparent Data Encryption
LOSS OF THE WALLET WITH THE MASTER KEY
Deleted ewallet.p12 too.
Result:
SQL> select * from emp; --> no problem reading the data, the key is read from
the database (but when will I find out I've lost my wallet?).
- Shutdown, startup database: --> no problem to start up, and no errors in the
alert log either.
- SQL> select * from emp; --> this gives ORA-28365: wallet is not open
Slide 20
Risk when using Transparent Data Encryption
LOSS OF THE WALLET WITH THE MASTER KEY
ewallet.p12 is backed up by the OS backup.
The backup runs every day.
So a restore can be done.
cwallet.sso is backed up as well,
separately from ewallet.p12.
So a restore can be done.
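The two previous slides show that a lost wallet goes unnoticed until the next restart, so the backup this slide relies on must be verified rather than assumed. The script below is an added example, not part of the original slides: it checks that ewallet.p12 and cwallet.sso each have a copy outside the wallet directory, in two separate locations as the slide recommends, that the copy is byte-identical to the live file (a copy taken before a re-key cannot open data encrypted afterwards) and that it is no older than the daily backup window. The backup paths, the one-day default window and the sample files are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original slides: verify that the TDE wallet
# backups the slide relies on actually exist and are usable. ewallet.p12
# (master key) and cwallet.sso (auto-login) must each have a copy outside the
# wallet directory, in two separate locations as the slide recommends; the copy
# must be byte-identical to the live file (a copy taken before a re-key cannot
# open today's data) and no older than the daily backup window.
# The paths, the 1-day default window and the sample files are assumptions.

# check_file_backup LIVE COPY MAX_AGE_DAYS
# Returns 0 when COPY exists, matches LIVE and is younger than MAX_AGE_DAYS;
# otherwise prints the reason and returns 1.
check_file_backup() {
    live=$1; copy=$2; maxdays=$3
    [ -f "$live" ] || { echo "$live: live wallet file missing"; return 1; }
    [ -f "$copy" ] || { echo "$copy: no backup copy"; return 1; }
    [ "$(cksum < "$live")" = "$(cksum < "$copy")" ] \
        || { echo "$copy: differs from $live (wallet re-keyed since last backup?)"; return 1; }
    # find -mtime +N lists the file only if it was modified more than N days ago
    [ -z "$(find "$copy" -mtime +$((maxdays - 1)))" ] \
        || { echo "$copy: older than $maxdays day(s)"; return 1; }
    return 0
}

# check_wallet_backups WALLET_DIR EWALLET_BACKUP_DIR CWALLET_BACKUP_DIR [MAX_AGE_DAYS]
# Returns 0 only when both wallet files pass check_file_backup and the backup
# locations are distinct from the wallet directory and from each other.
check_wallet_backups() {
    wdir=$1; ebak=$2; cbak=$3; maxdays=${4:-1}; rc=0
    for d in "$ebak" "$cbak"; do
        [ "$d" != "$wdir" ] || { echo "$d: a backup inside the wallet directory is no backup"; rc=1; }
    done
    [ "$ebak" != "$cbak" ] || { echo "keep the ewallet.p12 and cwallet.sso backups apart"; rc=1; }
    check_file_backup "$wdir/ewallet.p12" "$ebak/ewallet.p12" "$maxdays" || rc=1
    check_file_backup "$wdir/cwallet.sso" "$cbak/cwallet.sso" "$maxdays" || rc=1
    return $rc
}

# Demo on constructed files. Real use (paths are assumptions):
#   check_wallet_backups /u01/app/oracle/admin/$ORACLE_UNQNAME/tde_wallet \
#       /backup/tde/ewallet /backup/tde/cwallet
demo=$(mktemp -d)
mkdir "$demo/wallet" "$demo/bak_ewallet" "$demo/bak_cwallet"
printf 'constructed master-key wallet' > "$demo/wallet/ewallet.p12"
printf 'constructed auto-login wallet' > "$demo/wallet/cwallet.sso"
cp "$demo/wallet/ewallet.p12" "$demo/bak_ewallet/"
cp "$demo/wallet/cwallet.sso" "$demo/bak_cwallet/"
check_wallet_backups "$demo/wallet" "$demo/bak_ewallet" "$demo/bak_cwallet" && echo "backups OK"
printf 'constructed wallet after re-key' > "$demo/wallet/ewallet.p12"   # re-key, no new backup
check_wallet_backups "$demo/wallet" "$demo/bak_ewallet" "$demo/bak_cwallet" || echo "backup stale"
rm -rf "$demo"
```

The checksum comparison is what turns this from a "file exists" check into a useful one: it fails the moment the master key is re-keyed (Appendix B) without a fresh copy being taken, which is the case in which a restore from the daily backup would not help.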
Slide 21
Appendix A
Physical standby database
• Yes, it works
• as long as the wallet is available on the standby site. After creating the wallet for the
primary database, redo apply on the standby stops immediately. You see the following in
the alert log of the standby database:
Apply redo for database master key re-key failed: new master key does not exist in the keystore
MRP0: Background Media Recovery terminated with error 28374
Errors in file /u01/app/oracle/diag/rdbms/test1_01/TEST1_1/trace/TEST1_1_pr00_8912.trc:
ORA-28374: typed master key not found in wallet
Mon May 09 16:32:17 2016
Managed Standby Recovery not using Real Time Apply
Recovery interrupted!
Solution: copy the wallet to the standby site.
Slide 22
Appendix B
Rekey Wallet
-- How do I change (rotate, re-key) the encryption keys?
• First copy the current wallet files to a backup directory.
• Change the wallet password:
$ orapki wallet change_pwd -wallet /u01/app/oracle/admin/TEST1_02/tde_wallet
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
New password:
• Now change the master key:
SYS@TEST1_1 SQL> alter system set encryption key identified by "Secret";
System altered.
• Now copy the wallet files to the other nodes (RAC) or to the candidate servers (RAC One Node).
Slide 23
Appendix B
Rekey Wallet
-- How do I change (rotate, re-key) the encryption keys?
• Now use orapki wallet display -wallet to validate the new password:
$ orapki wallet display -wallet /u01/app/oracle/admin/ADBA1_02/tde_wallet
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
Subject: CN=oracle
User Certificates:
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.ARdWiPlpNk//v21yGHOQSCIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.ASI051MIg0+tv2umfj9rUiMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.ATWs+inFQ09Fv7JneP6xBrwAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.TS.ENCRYPTION.BTks5HXDwpxFD/olKnblkckCAwAAAAAAAAAAAAAAAAAAAAAAAAAA
Trusted Certificates:
The line highlighted in red on the original slide (highlighting not preserved here) is the new password entry for the wallet.
Slide 24
Appendix B
Rekey Wallet
-- How do I change (rotate, re-key) the encryption keys?
Physical standby database
After re-keying the wallet for the primary database, redo apply on the standby stops
immediately. You see the following in the alert log of the standby database:
Apply redo for database master key re-key failed: new master key does not exist in the keystore
MRP0: Background Media Recovery terminated with error 28374
Errors in file /u01/app/oracle/diag/rdbms/test1_01/TEST1_1/trace/TEST1_1_pr00_8912.trc:
ORA-28374: typed master key not found in wallet
Mon May 09 16:32:17 2016
Managed Standby Recovery not using Real Time Apply
Recovery interrupted!
Solution: copy the wallet to the standby site.
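Appendix A and this slide show the same failure twice: a wallet on the standby that lacks a key the primary already uses, discovered only when MRP0 terminates with ORA-28374. The script below is an added example, not part of the original slides: it parses the text of orapki wallet display captured on each site and lists the key entries the standby is missing, so the wallet copy can be verified before redo apply is restarted. The two listings it embeds are constructed: the primary one repeats the display output from slide 23, the standby one leaves out a single key entry.

```shell
#!/bin/sh
# Added example, not part of the original slides: compare the key entries of
# the primary and standby wallets before (re)starting redo apply, so a wallet
# that was never copied after a re-key is caught by the DBA instead of by
# ORA-28374. Input is the text of `orapki wallet display -wallet <dir>` saved
# on each site. The listings below are constructed: the primary one repeats the
# slide's output, the standby one leaves out one key entry.

# wallet_key_ids DISPLAY_FILE
# Prints the ORACLE.SECURITY.{DB,TS}.ENCRYPTION.<id> entries, one per line,
# sorted; the MASTERKEY pointer entry is skipped.
wallet_key_ids() {
    grep -oE 'ORACLE\.SECURITY\.(DB|TS)\.ENCRYPTION\.[A-Za-z0-9+/=]+' "$1" \
        | grep -v 'MASTERKEY$' | sort -u
}

# missing_on_standby PRIMARY_DISPLAY STANDBY_DISPLAY
# Prints each key id the primary holds and the standby lacks.
# Returns 0 when the standby has every primary key, 1 otherwise.
missing_on_standby() {
    rc=0
    for id in $(wallet_key_ids "$1"); do
        wallet_key_ids "$2" | grep -qxF -- "$id" || { echo "$id"; rc=1; }
    done
    return $rc
}

# write_samples DIR: writes the constructed primary.txt and standby.txt listings
write_samples() {
    cat > "$1/primary.txt" <<'EOF'
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
Subject: CN=oracle
User Certificates:
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.ARdWiPlpNk//v21yGHOQSCIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.ASI051MIg0+tv2umfj9rUiMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.ATWs+inFQ09Fv7JneP6xBrwAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.TS.ENCRYPTION.BTks5HXDwpxFD/olKnblkckCAwAAAAAAAAAAAAAAAAAAAAAAAAAA
Trusted Certificates:
EOF
    # Standby copy that predates the re-key: one DB key entry is absent.
    grep -v 'ATWs+inFQ09Fv7JneP6xBrw' "$1/primary.txt" > "$1/standby.txt"
}

# Demo. Real use: save `orapki wallet display -wallet <dir>` output on both
# sites, then: missing_on_standby primary.txt standby.txt
demo=$(mktemp -d)
write_samples "$demo"
missing_on_standby "$demo/primary.txt" "$demo/standby.txt" \
    || echo "keys above are missing on the standby: copy the wallet before restarting apply"
rm -rf "$demo"
```

Running this as the last step of the re-key procedure in Appendix B (after the copy to the other RAC nodes and to the standby site) turns "solution: copy the wallet" into something that can be confirmed rather than remembered.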