Transparent Data Encryption (TDE) relays on the database kernel mechanism and does not require additional programming. The key management is performed automatically by the database. From an architectural point of view, it was designed to protect the data from physical theft and it does not provide data access protection. The encryption is performed at storage level, and the column decryption occurs at data access. Therefore, the data will be visible for anyone with select privileges on tables containing encrypted columns with TDE. Being a feature provided by Oracle Advanced Security (OAS), you must purchase the OAS pack license to use this capability.
In this recipe, we will encrypt the employees
table's columns, salary
and commission_pct
, using various options available for TDE column encryption.
oracle
user, create a directory for the encryption wallet (be sure to secure the filesystem permissions as described in Chapter 1, Operating System Security):mkdir –p /security/wallets/tde chmod 600 /security/wallets/tde
ENCRYPTION_WALLET_PARAMETER
. Backup sqlnet.ora and add the path to directory created in the previous step to ENCRYPTION_WALLET_LOCATION
parameter as follows:ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /security/wallets/tde) ) )
system
user and create the encryption wallet by executing the following statement:SQL> conn system Enter password: Connected. SQL>SQL> alter system set encryption key identified by "UYio71+^ZaPO";
HR
and modify the employees
table's salary
and commission_pct
columns, and encrypt the employees
table's fields by executing the following statements:SQL> conn HR Enter password: Connected. Table altered. SQL> alter table hr.employees modify (salary encrypt ); Table altered. SQL> alter table employees modify (commission_pct encrypt ); Table altered.
USER_ENCRYPTED_COLUMNS
dictionary view at user-level and in the DBA_ENCRYPTED_COLUMNS
system dictionary view at database-level:AES192
. If you want to change the encryption algorithm, for example to AES256
, issue the following command:SQL> alter table hr.employees rekey using 'AES256'; Table altered.
SQL> alter table hr.employees rekey; Table altered
SQL> alter table hr.employees modify (salary encrypt no salt ); Table altered. SQL> alter table hr.employees modify (commission_pct encrypt no salt); Table altered.
SQL> alter table hr.employees modify (salary decrypt); Table altered. SQL> alter table hr.employees modify (commission_pct decrypt); Table altered. SQL>
The data is encrypted at storage level. This means that the transactions from redo logs, undo, and temp segments will contain these columns in encrypted format. The column data is encrypted also at buffer cache level being protected in this way against different memory read techniques. The columns' encryption keys are stored in the ENC$
dictionary table in encrypted form. The column-level keys are encrypted using the master key that has an external placement configured in sqlnet.ora
, using the ENCRYPTION_WALLET_LOCATION
or WALLET_LOCATION
parameter. The master key value is generated randomly at its definition by TDE. Using the salt default option, the column will be prefixed with randomly generated strings. This method makes statistical attacks and hash matching difficult.
By default, the columns are encrypted using salt and MAC options. The default algorithm used is AES192
and the MAC is implemented using SHA1.
Information about encrypted columns can be found in the following dictionary views:
ALL_ENCRYPTED_COLUMNS
USER_ENCRYPTED_COLUMNS
DBA_ENCRYPTED_COLUMNS
There are some limitations regarding column encryption, recommendations to be made, and some performance implications by using column encryption.
The following are performance implications caused by using the column encryption:
The following are the limitations caused by using the column encryption:
The datatypes that can be encrypted with TDE column encryption are:
BINARY_DOUBLE
BINARY_FLOAT
CHAR
DATE
INTERVAL DAY TO SECOND
INTERVAL YEAR TO MONTH
LOBs
(Internal LOBs and SECUREFILE LOBs Only)NCHAR
NUMBER
NVARCHAR2
RAW
TIMESTAMP
(includes TIMESTAMP WITH TIME ZONE
and TIMESTAMP WITH LOCAL TIME ZONE
)VARCHAR2
Do not encrypt columns used in index range scans, the optimizer will not take into consideration the index anymore. The default MAC option will add an additional 20 bytes overhead per encrypted value. Also MAC induces performance overhead due to integrity checking performed at data access. Using NOMAC option will reduce space and performance penalties considerably. Also by using salt there will be an additional 16 bytes overhead per encrypted data. Consider using nosalt option to reduce storage space. The downside of suppressing MAC and salt is that you will end up with weaker security per encrypted column. To save space you can use the NOMAC
option. After the columns are encrypted, there can remain portions of data in cleartext format that belonged to columns before encryption. Therefore, it is recommended to move the tables containing encrypted columns to other tablespaces.
Also, there could be situations when the unencrypted data chunks may remain in the swap area, and it is possible to be read by unauthorized users. A solution for this phenomenon may be to use a large page allocation for the database and sessions, or use encrypted swap filesystems. For example, eCryptfs
provides encryption at filesystem-level for swap, and can be used on Linux.
18.220.174.191