allen-bell
DEMO: Transparent Data Encryption
Demo For TDE
◦Column Encryption (Oracle 10g, 11g)
◦Tablespace Encryption (Oracle 11g)
Column Encryption
Create a Wallet:
Open the sqlnet.ora file in: …\product\11.2.0\dbhome_1\NETWORK\ADMIN
Add this code to the sqlnet.ora file:
ENCRYPTION_WALLET_LOCATION =
  (SOURCE =
    (METHOD = file)
    (METHOD_DATA =
      (DIRECTORY = C:\oracle\product\10.2.0\db_1\NETWORK\ADMIN\tde_wallet)))
SQLNET.ORA
Edit File sqlnet.ora
Create A Master Key
Run this script in isqlplus:
alter system set encryption key authenticated by "ImOracle";
This command creates a wallet at the location defined in sqlnet.ora and sets the password for it. TDE automatically generates a Master Key and stores it in the wallet, secured by the password. TDE uses this Master Key to encrypt the column key of each table.
Set Password To Wallet
TDE In Oracle 11g
In Oracle 11g, after logging in as a DBA, you can click the Transparent Data Encryption link on the Server tab to view the wallet status:
Wallet Status
Wallet Manager
You can use Wallet Manager to manage the Oracle Wallet.
Open Wallet Manager
Set Auto Login for the Wallet:
You can set auto login on the wallet (after creating a password for it) so that Oracle opens the wallet automatically when starting. You must use Wallet Manager to do this.
Set Auto Login To Wallet
Column Encryption
Create a tablespace for encrypted tables:
CREATE TABLESPACE ts_tde
  DATAFILE 'C:\ts_tde.dbf'
  SIZE 20m AUTOEXTEND ON NEXT 5m
  EXTENT MANAGEMENT LOCAL
  SEGMENT SPACE MANAGEMENT AUTO;
CREATE USER tde_test IDENTIFIED BY test
  DEFAULT TABLESPACE ts_tde
  QUOTA UNLIMITED ON ts_tde;
GRANT connect, resource TO tde_test;
Go to the folder specified and you will see the created tablespace file.
Column Encryption
Create an unencrypted table and insert data:
CREATE TABLE tde_test (
  id NUMBER(10),
  data VARCHAR2(50)
) TABLESPACE ts_tde;
INSERT INTO tde_test (id, data) VALUES (1, 'This is a secret!');
COMMIT;
Column Encryption
Open ts_tde.dbf with Notepad and search for the data.
Search Data In Clear Text Form
It can be seen that the sensitive data is written to the data files as clear text.
Because the data is in clear text in the datafile, it is also in clear text in the archived redo log files, backup sets, etc.
Anyone who has access to your backup tapes can easily steal your backups, restore them somewhere and see all of your data.
Create An Encrypted Table
Create an encrypted table and insert data:
-- The unencrypted tde_test table from the previous step has the same name,
-- so it must be dropped before this CREATE TABLE can succeed.
DROP TABLE tde_test;
CREATE TABLE tde_test (
  id NUMBER(10),
  data VARCHAR2(50) ENCRYPT
) TABLESPACE ts_tde;
INSERT INTO tde_test (id, data) VALUES (1, 'This is a secret!');
You can use a SELECT command to view which columns are encrypted:
SELECT table_name, column_name, encryption_alg, salt FROM user_encrypted_columns;
View Encrypted Columns
View Encrypted Data
The data also can no longer be found by searching for it in clear text:
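Added example (not part of the original slides): the Notepad search above done as a script, reading the datafile in chunks and reporting every byte offset where the clear-text value occurs, including a value that straddles a chunk boundary. The name find_plaintext and the two sample files are constructed for illustration, and the value is assumed to be stored in a single-byte character set.

```python
import os
import tempfile


def find_plaintext(path, marker, chunk_size=1024 * 1024):
    """Return every byte offset at which `marker` occurs in the file."""
    if not marker:
        raise ValueError("marker must not be empty")
    keep = len(marker) - 1   # bytes carried over so boundary matches are seen
    offsets, tail, base = [], b"", 0   # base = file offset of tail[0]
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return offsets
            window = tail + chunk
            pos = window.find(marker)
            while pos != -1:
                offsets.append(base + pos)
                pos = window.find(marker, pos + 1)
            tail = window[-keep:] if keep else b""
            base += len(window) - len(tail)


def demo():
    """Run the check on two constructed stand-in files (not real datafiles)."""
    secret = b"This is a secret!"          # the value inserted in the slides
    with tempfile.TemporaryDirectory() as tmp:
        clear = os.path.join(tmp, "clear.dbf")
        with open(clear, "wb") as fh:      # marker straddles the 4096 boundary
            fh.write(b"\x00" * 4090 + secret + b"\x00" * 2000)
        masked = os.path.join(tmp, "masked.dbf")
        with open(masked, "wb") as fh:     # stand-in for an encrypted column
            fh.write(bytes(range(256)) * 24)
        return (find_plaintext(clear, secret, chunk_size=4096),
                find_plaintext(masked, secret, chunk_size=4096))


if __name__ == "__main__":
    hits_clear, hits_masked = demo()
    print("clear-text file offsets:", hits_clear)
    print("encrypted stand-in offsets:", hits_masked)
```

A freshly inserted row may still be only in the buffer cache, so the datafile shows it after the database has written the block out (for example after a checkpoint). The same scan can be pointed at archived redo logs and backup pieces, which the slides note also carry the clear text.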
Tablespace Encryption
Create a wallet and set its password as in column encryption.
After opening the wallet, we create an encrypted tablespace:
CREATE TABLESPACE secure_space
  DATAFILE 'c:/secure_space.dbf' SIZE 150M
  ENCRYPTION USING '3DES168'
  DEFAULT STORAGE(ENCRYPT);
◦Algorithm used: '3DES168'
Create an Encrypted Tablespace
Tablespace Encryption
Create another encrypted tablespace:
CREATE TABLESPACE secure_space3
  DATAFILE 'c:/secure_space3.dbf' SIZE 150M
  ENCRYPTION
  DEFAULT STORAGE(ENCRYPT);
◦Default encryption algorithm is: AES128
Create an Encrypted Tablespace
Thanks For Your Attention