Oracle TDE transparent data encryption technology

Source: Internet
Author: User

Transparent Data Encryption (TDE) was introduced in Oracle 10gR2.

TDE is used to encrypt data. In general, the application logic that issues SQL statements does not need to change and continues to run normally. In other words, an application can insert data into an application table using the same syntax, and the Oracle database automatically encrypts the data before writing it to disk. Subsequent SELECT operations transparently decrypt the data, so the application continues to run normally. This matters because existing applications typically expect unencrypted application data. Displaying encrypted data would at best confuse application users and could even break existing applications.

Set the encryption key:
 
Oracle transparent data encryption provides the key management infrastructure necessary for encryption. Encryption works by passing plaintext data and a secret (called the key) to an encryption program. The encryption program uses the supplied key to encrypt the plaintext and returns the encrypted data. In the past, creating and maintaining keys was the application's job. Oracle transparent data encryption solves this problem by automatically generating a master key for the entire database. When starting an Oracle database, the administrator must open an Oracle Wallet object using a password that is different from the system password or DBA password. The administrator then initializes the database master key. The master key is generated automatically.
 
Prepare the database for encryption

Add an ENCRYPTION_WALLET_LOCATION entry to sqlnet.ora in $ORACLE_HOME/network/admin:
ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /u01/oracle/product/11.2.0.1.0/wallet/)))
Connect to the database and execute the following statement:
alter system set key identified by "welcome";
If the following error is returned, the wallet was not created automatically, probably because the wallet directory must be created manually:
ORA-28368: cannot auto-create wallet
 
Manually create the wallet directory, give the oracle user access to it, and run the statement again:
alter system set key identified by "welcome";
SQL> conn hr/hr
SQL> create table test (id number, credit_card_number varchar2(16) ENCRYPT NO SALT);
SQL> insert into test values (1, '20140901');
1 row created.
SQL> insert into test values (2, '20140901');
SQL> commit;
Commit complete.
SQL> select * from test;

At this point the query returns the data from the encrypted column. After the database is restarted, the wallet is closed and must be opened, with the password used when the key was set, before the encrypted data can be queried again:
alter system set wallet open identified by "welcome";

Tables owned by the SYS user cannot be encrypted.
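
A preflight check for the ORA-28368 case above, as an added example that is not part of the original article: it reads the wallet DIRECTORY from sqlnet.ora and verifies that the directory exists, is owned by the current OS user, and is closed to group and others. The script name, the function names and the owner-only (700) permission requirement are assumptions of this example; the article only says the oracle user needs access.

```shell
#!/bin/sh
# Added example (not from the original page): preflight check of the TDE
# wallet directory before ALTER SYSTEM SET KEY is run.

# Print the DIRECTORY of ENCRYPTION_WALLET_LOCATION from a sqlnet.ora file.
# Assumes an upper-case parameter name and a path without whitespace.
wallet_dir_from_sqlnet() {
    # Drop comment lines and all whitespace so a wrapped entry is one string.
    flat=$(grep -v '^[[:space:]]*#' "$1" | tr -d ' \t\r\n')
    case $flat in
        *ENCRYPTION_WALLET_LOCATION=*DIRECTORY=*\)*) ;;
        *) return 1 ;;
    esac
    flat=${flat#*ENCRYPTION_WALLET_LOCATION=}   # text after the parameter name
    flat=${flat#*DIRECTORY=}                    # text after the first DIRECTORY=
    printf '%s\n' "${flat%%)*}"                 # value up to the closing paren
}

# Return 0 if $1 exists, is owned by numeric uid $2 and grants nothing to
# group or others; 2 = missing, 3 = wrong owner, 4 = too permissive.
check_wallet_dir() {
    [ -d "$1" ] || { echo "wallet directory missing: $1" >&2; return 2; }
    info=$(ls -ldn "$1")                        # e.g. drwx------ 2 1001 1001 ...
    uid=$(printf '%s\n' "$info" | awk '{print $3}')
    perms=$(printf '%s\n' "$info" | cut -c5-10) # group and other permission bits
    [ "$uid" = "$2" ] || { echo "owner uid $uid, expected $2" >&2; return 3; }
    [ "$perms" = "------" ] || { echo "group/other access: $perms" >&2; return 4; }
}

# Usage: sh wallet_check.sh [sqlnet.ora]   (run as the oracle OS user)
# Without an argument it checks a constructed sqlnet.ora in a temp directory.
main() {
    ora=${1:-}; tmp=
    if [ -z "$ora" ]; then
        tmp=$(mktemp -d); mkdir -m 700 "$tmp/wallet"; ora=$tmp/sqlnet.ora
        printf 'ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE)\n' > "$ora"
        printf ' (METHOD_DATA = (DIRECTORY = %s/wallet/)))\n' "$tmp" >> "$ora"
    fi
    rc=0
    dir=$(wallet_dir_from_sqlnet "$ora") && check_wallet_dir "$dir" "$(id -u)" || rc=$?
    [ "$rc" -eq 0 ] && echo "wallet directory OK: $dir"
    [ -n "$tmp" ] && rm -rf "$tmp"
    return "$rc"
}
main "$@"
```

A non-zero exit status identifies the failed check: 1 for no wallet entry in sqlnet.ora, 2 for a missing directory, 3 for the wrong owner, 4 for group or other access.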
