Use of oracle Wallet

 

Use of oracle Wallet (that is, internal Encryption technology TDE (Transparent Data Encryption ))

1. TDE is a new feature introduced in Oracle10gR2. Ensure that the Oracle version is 10gR2 or later.

-- View the oracle version:

Select * from v $ version;

2. Create a new directory and define it as the Wallet directory

D: \ oracle \ product \ 10.2.0 \ admin \ ora10 \ ora_wallet

3. Set the wallet directory. In the parameter file sqlnet. ora, add information in the following format:

ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE)

(METHOD_DATA = (DIRECTORY = D: \ oracle \ product \ 10.2.0 \ admin \ ora10 \ ora_wallet )))

4. Create a master key file, specify the wallet password, log on to the system using the SYS user, and create an encrypted file.

SQL> alter system set encryption key identified by "wallet ";

System altered

-- When the password "wallet" is not enclosed in quotation marks, no quotation marks are required for subsequent use.

In this case, an additional file of the Personal Information Exchange type is stored in the Set Directory, which is equivalent to the master key file we generated. D: \ oracle \ product \ 10.2.0 \ admin \ ora10 \ ora_wallet \ ewallet. p12

5. Start and close Wallet

SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet ";

Alter system set encryption wallet open identified by "wallet"

ORA-28354: wallet opened

 

SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE; -- CLOSE

System altered

 

SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet"; -- OPEN

System altered

At this point, the Wallet is successfully configured and the master key is created.

The following describes how to use TDE for data encryption:

Encrypted data column:

Data column encryption is a common feature of TDE. It is often necessary to encrypt a sensitive data of a table in the database to leak information.

First, ENCRYPT is used to label data columns (or modify data columns) in a data table. Indicates that this field is an important dictionary protected by encryption.

-- Create a temporary table:

Create table t_tmp_emplorey

As

Select * from emplorey t

-- ENCRYPT the data column. The ENCRYPT flag is used to ENCRYPT the field and the default encryption configuration is used.

Alter table scott. t_tmp_emplorey modify (sal encrypt );

Note: If this parameter is not specified by default, Oracle performs salt on the plaintext before encryption. The so-called salt processing is a method to strengthen data encryption. Add a random string in the encryption text to enhance the encryption level to prevent dictionary attacks and other types of cracking operations. If you do not need to perform salt processing, add No Salt to ENCRYPT.

-- Example: alter table scott. t_tmp_emplorey modify (sal encrypt no salt );

 

-- Specify the encryption algorithm

Alter table scott. t_tmp_emplorey modify (sal encrypt using '3des168 ');

-- If you want To unencrypt a data column that has been encrypted, use alter table... And DECRYPT keywords.

SQL> alter table scott. t_tmp_emplorey modify (sal DECRYPT );

Table altered

-- After encryption is disabled and Wallet is disabled, the queried data is not affected.

6. Impact on queries and indexes:

The query results seem to be the same as the general query results, but what if the decryption Wallet is disabled?

SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;

System altered

-- An error is returned when the query is performed again.

Select * from scott. t_tmp_emplorey t;

ORA-28365: Wallet not open

-- The number can be found.

Select count (1) from scott. t_tmp_emplorey t;

-- Impact on the index. If salt is used for column encryption, an error is returned when this column is indexed. :

SQL> create index ind_t_tmp_emplorey on t_tmp_emplorey (sal );

Create index ind_t_tmp_emplorey on t_tmp_emplorey (sal );

ORA-28338: failed to encrypt index columns with salt value

SQL> create index ind_t_tmp_emplorey on t_tmp_emplorey (EMPNO );

Index created

-- Indexes can be created for columns without encryption.

 

This article is from the "srsunbing" blog