Oracle 11g Transparent Data Encryption security characteristics analysis

Source: Internet
Author: User

A key reason for upgrading large object (LOB) storage capabilities in Oracle 11g is the increasing demand for data security. This article focuses on the extension of transparent data encryption (TDE) to LOBs and tablespaces to improve data security, and explains how these features protect complex, unstructured data such as Digital Imaging and Communications in Medicine (DICOM) objects.

The new SecureFile features in Oracle 11g focus primarily on data compression and data deduplication, mainly to conserve space for LOB objects. Oracle 11g's features are not limited to these two, however: its security features are also very much in line with the agenda of recently elected President Barack Obama, and the White House's technology agenda clearly sets out the new administration's plan:

Increase investment in electronic health information technology systems to reduce the cost of health care: invest $10 billion a year and, five years later, expand the health care system in the United States into standards-based electronic health information systems, including electronic health records.

Encrypted LOBs: putting security into SecureFile

Oracle 11g now treats sensitive information stored in SecureFile LOBs as strategically important, and extends the role of transparent data encryption (TDE) to cover it. In Oracle 10g R2, TDE provides automatic column-level encryption with industry-standard algorithms (such as 3DES168, AES128, AES192 and AES256).

1. Enabling transparent data encryption

Before you start using transparent data encryption, you must enable it in the database. Fortunately, this is very simple in Oracle 11g: you only need to add the appropriate directory setting to the database's network configuration file. In previous Oracle versions, the easiest way to do this was to set up the "wallet" file through the Oracle Wallet Manager utility. To see how earlier versions enabled transparent data encryption, refer to my previous article "How to implement transparent data encryption in Oracle 10g R2."

Listing 1 shows what I added to the sqlnet.ora network configuration file so that the default TDE PKI key file, ewallet.p12, is created in the directory I specified. I then use the ALTER SYSTEM SET ENCRYPTION KEY command to open the wallet and turn on the encryption feature.

Listing 1: Enabling transparent data encryption

Add the following parameter to the sqlnet.ora network configuration file to enable transparent data encryption for an Oracle 11g database:

ENCRYPTION_WALLET_LOCATION =
  (SOURCE=
    (METHOD=FILE)
    (METHOD_DATA=
      (DIRECTORY=/u01/app/oracle/admin/orcl/wallet)))

Then open the wallet and set the encryption key password to activate Oracle 11g's encryption capabilities:

SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "r3aL1y!T16ht";

SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "r3aL1y!T16ht";

2. Controlling SecureFile encryption

Once TDE is set up, turning on SecureFile LOB encryption is relatively easy and works much like enabling other kinds of encryption on an Oracle table. ENCRYPT tells Oracle to apply TDE encryption to an existing SecureFile LOB, and DECRYPT tells Oracle to remove the encryption attribute from the SecureFile LOB.

3. Changing the SecureFile encryption algorithm or encryption key

As with other Oracle data types, the ALTER TABLE REKEY command can be used to change the current encryption algorithm (for example, from the default AES192 to AES256) or to change the TDE PKI key. The REKEY command can also be used to encrypt an existing SecureFile LOB. Oracle encrypts at the block level so that the encryption is performed more efficiently.

Note, however, that for SecureFile LOB segments within the same partition, encryption can only be enabled or disabled. An individual LOB segment cannot be rekeyed, because Oracle 11g uses the same encryption algorithm for all SecureFile LOBs within the same LOB partition.
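The ENCRYPT, DECRYPT and REKEY operations from sections 2 and 3, shown as an added SQL example that is not part of the original article. The table patient_scans, its columns and the chosen algorithms are hypothetical; the example assumes the wallet from Listing 1 is open and that the table is created in an ASSM tablespace, which SecureFile LOBs require.

```sql
-- Added example; table and column names are hypothetical.

-- Precondition: the wallet configured in Listing 1 must be open,
-- otherwise the encryption statements below fail.
SELECT wrl_type, wrl_parameter, status
FROM   v$encryption_wallet;

-- Create a SecureFile LOB that is encrypted from the start.
CREATE TABLE patient_scans (
  scan_id    NUMBER PRIMARY KEY,
  dicom_data BLOB ENCRYPT USING 'AES192'
)
LOB (dicom_data) STORE AS SECUREFILE (CACHE);

-- Section 2: remove encryption from the existing SecureFile LOB,
-- then apply it again.
ALTER TABLE patient_scans MODIFY (dicom_data BLOB DECRYPT);
ALTER TABLE patient_scans MODIFY (dicom_data BLOB ENCRYPT USING 'AES192');

-- Section 3: rekey the table, moving from AES192 to AES256.
-- The rekey applies to the whole column, not to a single LOB segment.
ALTER TABLE patient_scans REKEY USING 'AES256';

-- Check which algorithm the dictionary records for the column.
SELECT table_name, column_name, encryption_alg
FROM   user_encrypted_columns
WHERE  table_name = 'PATIENT_SCANS';

-- Check that the LOB is stored as a SecureFile and flagged as encrypted.
SELECT column_name, securefile, encrypt
FROM   user_lobs
WHERE  table_name = 'PATIENT_SCANS';
```

Running the two dictionary queries after every ENCRYPT, DECRYPT or REKEY gives an auditable record that the column is in the state the change was meant to produce.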
