Oracle 10g: Transparent Data Encryption Technology (TDE)

Source: Internet
Author: User
Tags: oracle database

In Oracle 10g R2, Oracle's latest release, the most timely new technology is probably Transparent Data Encryption (TDE).

TDE encrypts data, and the application logic executed through SQL usually does not need to change in order to keep working. In other words, the application can use the same syntax to insert data into an application table, and the Oracle database automatically encrypts the data before it is written to disk. Subsequent SELECT statements transparently decrypt the data, so the application continues to function normally. This matters because existing applications typically expect unencrypted application data. Displaying encrypted data would, at the least, confuse application users, and it could even break existing applications.

To set the encryption key:

Oracle Transparent Data Encryption provides the key management infrastructure necessary to implement encryption. Encryption works by passing plaintext data and a secret (called the key) to an encryption program. The encryption program encrypts the plaintext data using the provided key and returns the encrypted data. In the past, the task of creating and maintaining the key fell to the application. Oracle Transparent Data Encryption solves this problem by automatically generating a master key for the entire database. When the Oracle database is started, an administrator must open an Oracle Wallet using a password that is different from the system password or the DBA password. The administrator then initializes the database master key. The master key is generated automatically.

Performance:

Encryption typically causes problems for existing application indexes, because the index data is not encrypted. Oracle Transparent Data Encryption encrypts the index values associated with a given application table as well. This means that an equality search in an application sees little or no performance impact. For example, suppose an index exists on card_id, and the application executes the following statement:

SQL> SELECT cash FROM credit_card WHERE card_id = '1025023590';

The Oracle database will use the existing application index, even though the card_id information is encrypted in the database.

To prepare a database for encryption:

In this section, you will update sqlnet.ora, create an encrypted wallet (ewallet.p12), open this wallet, and create a master key for TDE. Perform the following actions:

1. You need to update the sqlnet.ora file to include an ENCRYPTION_WALLET_LOCATION entry. Open a terminal window and enter the following commands:

cd $ORACLE_HOME/network/admin

gedit sqlnet.ora

Add the following entries to the end of the file:

ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/opt/oracle/admin/test97/wallet/)))

If you do not add this entry, the following error is raised:

SQL> alter system set key identified by "hurray"
   2 ;
   alter system set key identified by "hurray"
   *
   ERROR at line 1:
   ORA-28368: cannot auto-create wallet

The /opt/oracle/admin/test97/wallet/ directory is used to store the generated wallet.

You can select any directory for the encrypted wallet, but the path should not point to the standard obfuscated wallet (cwallet.sso) that was created during the database installation process.
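
A pre-flight check for the step above, as an added example that is not part of the original article: the shell function reads sqlnet.ora and confirms that the ENCRYPTION_WALLET_LOCATION entry is present, that its parentheses balance, and that its directory exists and does not hold cwallet.sso. The function name, return codes and demo paths are assumptions made for this example; paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example: pre-flight check of the TDE wallet entry in sqlnet.ora.
# Return codes (chosen for this example): 0 ok, 1 entry missing,
# 2 unbalanced parentheses, 3 directory missing, 4 cwallet.sso in directory.
check_tde_wallet_location() {
    file=$1
    # Collect the entry plus its indented continuation lines, drop whitespace.
    entry=$(awk '
        /^[ \t]*#/ { next }
        toupper($0) ~ /^ENCRYPTION_WALLET_LOCATION[ \t]*=/ { grab = 1; print; next }
        grab && /^[ \t]+[^ \t]/ { print; next }
        { grab = 0 }' "$file" | tr -d ' \t\r\n')
    if [ -z "$entry" ]; then
        echo "no ENCRYPTION_WALLET_LOCATION entry (expect ORA-28368)"; return 1
    fi
    # Every "(" needs a matching ")".
    opens=$(($(printf '%s' "$entry" | tr -cd '(' | wc -c)))
    closes=$(($(printf '%s' "$entry" | tr -cd ')' | wc -c)))
    if [ "$opens" -ne "$closes" ]; then
        echo "unbalanced parentheses: $opens '(' vs $closes ')'"; return 2
    fi
    # Pull out the DIRECTORY value (the keyword is case-insensitive).
    dir=$(printf '%s\n' "$entry" |
        sed -n 's/.*([Dd][Ii][Rr][Ee][Cc][Tt][Oo][Rr][Yy]=\([^()]*\)).*/\1/p')
    if [ -z "$dir" ] || [ ! -d "$dir" ]; then
        echo "wallet directory missing: ${dir:-<none>}"; return 3
    fi
    if [ -e "$dir/cwallet.sso" ]; then
        echo "directory holds cwallet.sso; pick another directory"; return 4
    fi
    echo "ok: $dir"; return 0
}

# Constructed demo input (temporary files, not from a real system).
demo() {
    tmp=$(mktemp -d) && mkdir "$tmp/wallet"
    printf 'ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)\n  (METHOD_DATA=(DIRECTORY=%s/wallet/)))\n' \
        "$tmp" > "$tmp/sqlnet.ora"
    check_tde_wallet_location "$tmp/sqlnet.ora"
    rm -rf "$tmp"
}
demo
```

Against a real installation, call it as check_tde_wallet_location "$ORACLE_HOME/network/admin/sqlnet.ora" before creating the master key.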
