New Features of Oracle 10g R2 TDE

Source: Internet
Author: User

In Oracle 10g Release 2, the most timely new technology is Transparent Data Encryption (TDE). It is part of the Oracle Advanced Security Option, licensed at USD 10,000 per processor and available only to Enterprise Edition users.

Compared with the encryption toolkit Oracle released earlier, TDE is a huge leap. Although that toolkit is free, it falls far short of what users need: not only do you have to write the encryption logic yourself, you also have to modify the application code to call the encryption API.

Transparent Data Encryption

Many users are ambivalent about encryption: they are interested, but wary of the complexity of key management, which, if handled badly, leads to poor configurations. Encrypting and decrypting values also costs performance, which makes most application architects reluctant to adopt it. As a result, many systems are designed without any encryption at all, relying instead on strong perimeter protection such as strong passwords and appropriate authorization schemes.

However, imagine that an entire server, or even a single disk, is stolen: the disks can be mounted in a server running the same operating system and the data read. Or consider a DBA of bad character who, in the course of day-to-day business, deliberately bypasses the perimeter protection and leaks all of your important customer information. In either case, if the business is located in the state of California (and probably, later, in other US states), it is legally required to notify every affected customer of the breach.

In the rare (but real) situations above, an authentication scheme is of no practical use. This is why transparent data encryption (TDE) is such a useful feature for those who place security first: it provides encryption while handing the complexity of key management to the database engine, and it allows DBAs to manage database tables without actually seeing the data.

 

When TDE is used in Oracle Database 10g Release 2, you can encrypt one or more columns of a table at any time: you simply define the column as encrypted, without writing any code. The input values are encrypted with a key and an algorithm. TDE generates a separate key for each table. This makes key management easier, but a table key kept with the data would be vulnerable to theft, so the database provides another key, the master key, which is set at the database level. Each table key is encrypted with the master key, so the master key is needed to obtain a table key, and therefore both the master key and the table key are required to decrypt a column. (For more on encryption in general and on the use of the supplied packages in Oracle, see the Oracle Magazine column "Encrypt Your Data Assets".)

The master key is stored outside the database, in a place called a wallet. The default location is $ORACLE_BASE/admin/$ORACLE_SID/wallet. It is similar in concept.

After TDE is configured, or more specifically after a wallet and a master key are configured, you can use it to protect data values. To encrypt columns of a table, use SQL such as:

create table accounts (
  acc_no       number       not null,
  first_name   varchar2(30) not null,
  last_name    varchar2(30) not null,
  SSN          varchar2(9)           ENCRYPT USING 'AES128',
  acc_type     varchar2(1)  not null,
  folio_id     number                ENCRYPT USING 'AES128',
  sub_acc_type varchar2(30),
  acc_open_dt  date         not null,
  acc_mod_dt   date,
  acc_mgr_id   number
);

Here TDE is applied to the columns SSN and folio_id, which are stored in the table in encrypted form. When you select from the table, however, you see the data in plaintext, because decryption has already been done during the query. If the disk is stolen, the information in the table segment is still encrypted: an attacker needs the table key to view the encrypted values, and to obtain the table key needs the master key, which is stored outside the database and is therefore not available.

Note that the clause after the SSN and folio_id columns, ENCRYPT USING 'AES128', specifies encryption with the 128-bit Advanced Encryption Standard.

The database has a pre-configured wallet. To set the wallet password, run:

alter system set encryption key identified by "topSecret";

If no wallet exists yet, this command first creates one and then sets its password to "topSecret" (case sensitive). From then on you can use ENCRYPT in column definitions when creating or altering tables.
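The following SQL*Plus session is an added illustration, not part of the original article, of how column data depends on the wallet that holds the master key, and of the column-level operations a DBA can perform without ever seeing plaintext. It assumes the accounts table and the "topSecret" password from the article, a DBA session, and a hypothetical wallet directory /u01/app/oracle/admin/orcl/wallet.

```sql
-- Added example (not from the original article). Assumes the ACCOUNTS table
-- and the wallet password "topSecret" defined above, run as a DBA in SQL*Plus.

-- 1. Where the wallet lives. With nothing set in sqlnet.ora the default is
--    $ORACLE_BASE/admin/$ORACLE_SID/wallet; an explicit (hypothetical) location:
--    ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)
--      (METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/orcl/wallet)))

-- 2. Create the wallet and master key on first use (or just open the wallet).
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "topSecret";
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;
-- STATUS is OPEN; the master key itself is never shown or queryable.

-- 3. The dictionary lists which columns are encrypted and with what
--    algorithm, but never the table keys.
SELECT table_name, column_name, encryption_alg
  FROM dba_encrypted_columns
 WHERE table_name = 'ACCOUNTS';

-- 4. Decryption is transparent while the wallet is open.
SELECT acc_no, ssn FROM accounts WHERE rownum <= 1;

-- 5. Close the wallet: the table key can no longer be unwrapped, so the
--    same query fails with ORA-28365 (wallet is not open). Unencrypted
--    columns stay readable, which is also all a stolen disk yields.
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;
SELECT acc_no, ssn       FROM accounts WHERE rownum <= 1;  -- ORA-28365
SELECT acc_no, last_name FROM accounts WHERE rownum <= 1;  -- still works

-- 6. Re-open the wallet for normal operation.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "topSecret";

-- 7. Encryption can be added to or removed from an existing column, and the
--    table key rotated, with no change to application code. All encrypted
--    columns of one table share the table key and algorithm, so the new
--    column inherits AES128 and REKEY switches the whole table at once.
ALTER TABLE accounts MODIFY (acc_type ENCRYPT);
ALTER TABLE accounts REKEY USING 'AES256';
ALTER TABLE accounts MODIFY (acc_type DECRYPT);
```

Step 5 is the check worth repeating after any wallet or key change: a query on an encrypted column must fail while the wallet is closed, otherwise the master key is not where you think it is.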

Encrypting External Tables

In the preceding example, TDE encrypted the columns of a regular table. You can also use TDE on external tables. For example, if you want to produce a dump file containing the accounts data so that it can be shipped to other locations, you can use the simple ENCRYPT clause:

create table account_ext
organization external (
  type oracle_datapump
  default directory dump_dir
  location ('accounts_1_ext.dmp', 'accounts_2_ext.dmp',
            'accounts_3_ext.dmp', 'accounts_4_ext.dmp')
)
parallel 4
as
select ACC_NO,
       FIRST_NAME,
       LAST_NAME,
       SSN          ENCRYPT IDENTIFIED BY "topSecret",
       ACC_TYPE,
       FOLIO_ID     ENCRYPT IDENTIFIED BY "topSecret",
       SUB_ACC_TYPE,
       ACC_OPEN_DT,
       ACC_MOD_DT
from   accounts;

In the files accounts_*_ext.dmp, the values of SSN and folio_id are not in plain text but in encrypted form. To use these files as an external table, you must supply "topSecret" as the password to read them.

As you can see, TDE is an ideal complement to access control, not a replacement for it.
