Oracle Transparent Data Encryption (TDE) 12c
Prepared by @nabeelxy
8/30/2014
Typical Deployment of Databases
[Diagram: Users, Applications, DBA, DB server, DB files]
Attack Surface
[Diagram: the same deployment (Users, Applications, DBA, DB server, DB files)]
Direct Access to Data
[Diagram: the same deployment (Users, Applications, DBA, DB server, DB files)]
What is TDE?
• An Oracle Advanced Security feature that encrypts data at rest, completely transparently to applications
• It is not an access control mechanism for Oracle database users
• Notice that the data is encrypted only at rest – when the database server processes the data in the SQL layer, data records are decrypted and processed in the clear
Why TDE/Encryption?
• If attackers gain access to the operating system as a powerful user (e.g. root or oracle), they can bypass the database and read the data files directly. Encryption protects the database files stored on disk
• Also, many regulatory compliance regimes require encrypting data at rest
Encryption Options Available
• DBMS_CRYPTO – client side encryption
• TDE
  – Column encryption (10gR2 onwards)
  – Tablespace encryption (11gR1 onwards)
• In this presentation, we only look at TDE
TDE Setup
[Diagram: the emp table in the hr tablespace of the Oracle database, with the Name and Salary columns stored encrypted and Position stored in the clear:]
  Name        Salary   Position
  #$%34dfa*(a x9@#!3   Manager
  *#%!@sx*da  A#&2uz   Engineer
  $23%&T&df   %x!9zTu  Analyst
  ^31%&T*z9a  Xy&*x90  Engineer
[Other labelled components: Master key, Oracle Wallet, Oracle Data Dictionary; the hr tablespace also contains table1, table2, index1 and seq1]
TDE Workflow
1. Set up the wallet and master key
2. Identify
   – Tables with sensitive columns
   – Tablespaces with sensitive tables
3. Open the wallet
4. Encrypt
   – The identified columns
   – The identified tablespaces
5. Close the wallet
Oracle Wallet
• A PKCS#12 formatted file residing outside of the database (in the file system)
• Encrypted using password-based encryption as defined in PKCS#5
• Holds the TDE master key
• It is good practice to set up the wallet outside of $ORACLE_BASE and to grant minimal privileges on the wallet folder
Setting up Oracle Wallet
• Specify the wallet location using the sqlnet.ora parameter ENCRYPTION_WALLET_LOCATION:
  ENCRYPTION_WALLET_LOCATION=
    (SOURCE=(METHOD=FILE)(METHOD_DATA=
      (DIRECTORY=/etc/orcl/keystore)))
• Initialize and create the master key in SQL*Plus in CDB$ROOT:
  ADMINISTER KEY MANAGEMENT CREATE KEYSTORE
    '/etc/orcl/keystore' IDENTIFIED BY password;
• This creates a file called ewallet.p12 in the wallet folder
Opening the Wallet
• Once the wallet is open, the master key becomes available to the database:
  ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
    IDENTIFIED BY chia_123 CONTAINER = ALL;
• Once the wallet is open, you can perform TDE operations
  – Column encryption
  – Tablespace encryption
• The v$encryption_wallet view shows the wallet status:
  select wrl_parameter, status, con_id from v$encryption_wallet;

  WRL_PARAMETER      STATUS     CON_ID
  ------------------ ---------- ------
  /etc/orcl/keystore OPEN            0
• In order to enforce least privilege and separation of duty, it is recommended to use a SYSKM user instead of SYSDBA to perform wallet management
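The complete wallet lifecycle (workflow steps 1, 3 and 5), as an added example that is not part of the original slides. It runs in SQL*Plus against CDB$ROOT, uses the keystore directory from the sqlnet.ora example above, and assumes a common user named c##tde_admin (an assumed name) is created as the dedicated SYSKM key administrator; the passwords in angle brackets are placeholders. Beyond the slides it adds the SET KEY step, which is what actually creates the master key after CREATE KEYSTORE, and the status checks a practitioner runs between the steps.

```sql
-- Added example (not from the slides). Run in SQL*Plus against CDB$ROOT.
-- Assumptions: /etc/orcl/keystore exists, is owned by the oracle OS user
-- with mode 0700 and matches ENCRYPTION_WALLET_LOCATION in sqlnet.ora;
-- c##tde_admin and the <...> passwords are placeholders.

-- One-time, as SYSDBA: a dedicated key administrator, so that wallet
-- management is separated from the SYSDBA role (least privilege).
CONNECT / AS SYSDBA
CREATE USER c##tde_admin IDENTIFIED BY "<tde_admin_password>";
GRANT SYSKM TO c##tde_admin;

-- Everything below runs as SYSKM, which carries key-management rights only.
CONNECT c##tde_admin/"<tde_admin_password>" AS SYSKM

-- Step 1a: create the password-protected keystore (writes ewallet.p12).
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/orcl/keystore'
  IDENTIFIED BY "<keystore_password>";

-- Step 3: open it for all containers. With no master key yet, STATUS reads
-- OPEN_NO_MASTER_KEY and TDE-protected data cannot be used.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "<keystore_password>" CONTAINER = ALL;

SELECT wrl_parameter, status, wallet_type, con_id
FROM   v$encryption_wallet;

-- Step 1b: create and activate the TDE master key. WITH BACKUP copies the
-- keystore before it is modified: a lost master key makes every encrypted
-- column and tablespace unrecoverable.
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "<keystore_password>" WITH BACKUP USING 'initial_key'
  CONTAINER = ALL;

-- Expect STATUS = OPEN and FULLY_BACKED_UP = YES for every container.
SELECT wrl_parameter, status, wallet_type, fully_backed_up, con_id
FROM   v$encryption_wallet;

-- The active master key, carrying the tag given above.
SELECT key_id, tag, creation_time, activation_time, backed_up, con_id
FROM   v$encryption_keys;

-- Step 5: close the keystore once key operations are done. While it is
-- closed, access to TDE-protected data fails with ORA-28365 (wallet is not
-- open); that is the intended fail-closed behaviour, not a fault.
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE
  IDENTIFIED BY "<keystore_password>" CONTAINER = ALL;

SELECT wrl_parameter, status, con_id FROM v$encryption_wallet;
```

Because this keystore is password-protected, someone has to open it after every instance restart. An auto-login keystore (ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE ...) removes that step, but it also lets anyone who can read the wallet directory as the oracle OS user open it, which weakens exactly the protection against a powerful OS user that the "Why TDE" slide relies on; if it is used, the wallet directory needs tighter permissions than the data files and should not sit under $ORACLE_BASE.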
Two-Tier Key Architecture
• The master key is stored in an Oracle Wallet (keystore)
• Tablespace or table (column) keys are stored in the database itself, in the Oracle data dictionary – they are encrypted using the master key
• If an HSM is used as the Oracle Wallet, the master key is not fetched into the database to decrypt the tablespace/table keys
TDE Column Encryption
• Allows encrypting one or more columns of a table
• Each column is assigned a unique symmetric key
• The symmetric keys are stored in the Oracle data dictionary (in the sys.enc$ table), encrypted using the master key
TDE Column Encryption
• Create the encemp table with two encrypted columns:
  create table encemp (
    name     varchar2(128) encrypt,
    salary   number(6)     encrypt,
    position varchar2(32)
  );
• The user_encrypted_columns view shows the encrypted columns:
  TABLE_NAME      COLUMN_NAME     ENCRYPTION_ALG
  --------------- --------------- ------------------
  ENCEMP          NAME            AES 192 bits key
  ENCEMP          SALARY          AES 192 bits key
TDE Column Encryption
• Encryption parameters can be changed, and table columns encrypted or decrypted, later using the ALTER TABLE statement
• Both the master key and the table keys can be changed
  – If the master key is changed, the encrypted columns are not touched
  – If the table keys are changed, the encrypted columns are re-encrypted with the new keys
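The two re-key operations the slide distinguishes, carried out on the encemp table from the earlier slide, as an added example that is not from the original presentation. It assumes encemp exists in the connected schema, the keystore is open, and the passwords are placeholders; the SET KEY statement runs as SYSKM in CDB$ROOT, the ALTER TABLE statements as the table owner. The index name encemp_position_ix and the backup tag are assumed.

```sql
-- Added example (not from the slides). Assumes: encemp exists in the current
-- schema, the keystore is open, the <...> password is a placeholder.

-- (a) Master key rotation, as SYSKM in CDB$ROOT. Only the table keys held
--     wrapped in the data dictionary are re-encrypted under the new master
--     key; the ciphertext in encemp is not rewritten, so this is fast and
--     can be done routinely (staff changes, suspected exposure, policy).
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "<keystore_password>" WITH BACKUP USING 'rotation_2014_08'
  CONTAINER = ALL;

-- Old and new keys stay in the keystore: the newest ACTIVATION_TIME is the
-- one in use, the older ones are still needed to restore older backups.
SELECT key_id, tag, activation_time, backed_up
FROM   v$encryption_keys
ORDER  BY activation_time;

-- (b) Table key rotation, as the table owner. A new table key is generated
--     and every encrypted column is decrypted and re-encrypted, here while
--     also moving from the default AES192 to AES256. This rewrites the table.
ALTER TABLE encemp REKEY USING 'AES256';

-- (c) Changing encryption parameters later. All encrypted columns of a table
--     share one key and algorithm, so position inherits AES256; NO SALT is
--     what makes a B-tree index on an encrypted column possible.
ALTER TABLE encemp MODIFY (position ENCRYPT NO SALT);
CREATE INDEX encemp_position_ix ON encemp (position);

-- Verify: ENCRYPTION_ALG should now read "AES 256 bits key" for every column.
SELECT table_name, column_name, encryption_alg, salt, integrity_alg
FROM   user_encrypted_columns
ORDER  BY column_name;
```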
Limitations of Column Encryption
• Higher overhead than tablespace encryption
• Supports only B-tree indexes
• Foreign key columns cannot be encrypted
• Cannot perform range scans over encrypted data
• Requires more storage
Tablespace Encryption
• Every object in the tablespace is encrypted
• Specify encryption parameters at the time of tablespace creation:
  create tablespace encts
    logging
    datafile '?/dbs/encts.dbf'
    size 32m
    autoextend on
    next 32m maxsize 2048m
    default storage(encrypt);
• Note that you cannot encrypt existing tablespaces
Tablespace Encryption
• You can view the encrypted tablespaces using the dba_tablespaces view:
  TABLESPACE_NAME ENCRYPTED
  --------------- ---------
  SYSTEM          NO
  SYSAUX          NO
  TEMP            NO
  SYSEXT          NO
  ENCTS           YES
• Use the v$encrypted_tablespaces view to see the encryption options set for encrypted tablespaces
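Workflow steps 2 and 4 for tablespace encryption end to end, as an added example that is not from the slides: a data-dictionary query to find likely-sensitive columns not yet covered by either column or tablespace encryption, the encts tablespace from the slide with an explicit algorithm, the usual way to get existing data into it given that existing tablespaces cannot be encrypted in 12cR1, and the verification queries. Assumptions: an application schema hr with a table emp and an index emp_pk (all assumed names), an open keystore, DBA privileges for the dictionary queries, and column-name patterns that stand in for a real data classification.

```sql
-- Added example (not from the slides). Assumes an open keystore, an
-- application schema hr with table emp and index emp_pk (assumed names),
-- and DBA privileges for the dictionary queries.

-- Step 2: likely-sensitive columns that neither column encryption nor an
-- encrypted tablespace protects. Oracle-maintained schemas are skipped;
-- the name patterns are a stand-in for a real data classification.
SELECT c.owner, c.table_name, c.column_name, t.tablespace_name
FROM   dba_tab_columns c
JOIN   dba_tables t
       ON  t.owner = c.owner
       AND t.table_name = c.table_name
LEFT JOIN dba_encrypted_columns e
       ON  e.owner = c.owner
       AND e.table_name = c.table_name
       AND e.column_name = c.column_name
LEFT JOIN dba_tablespaces ts
       ON  ts.tablespace_name = t.tablespace_name
WHERE  c.owner IN (SELECT username FROM dba_users WHERE oracle_maintained = 'N')
AND    REGEXP_LIKE(c.column_name, 'SALARY|SSN|CARD|PASSW|SECRET', 'i')
AND    e.column_name IS NULL
AND    NVL(ts.encrypted, 'NO') = 'NO'
ORDER  BY c.owner, c.table_name, c.column_name;

-- Step 4: encrypted tablespace for a schema where most data is sensitive.
-- Unlike the slide's version the algorithm is given explicitly; it cannot
-- be changed afterwards, since this release has no tablespace re-key.
CREATE TABLESPACE encts
  DATAFILE '?/dbs/encts.dbf' SIZE 32M AUTOEXTEND ON NEXT 32M MAXSIZE 2048M
  LOGGING
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- Existing tablespaces cannot be encrypted in place, but their segments can
-- be moved; each move rewrites the rows under the encrypted tablespace key.
-- Caveat: the source datafile still holds cleartext blocks until the old
-- tablespace is dropped and its files are securely erased.
ALTER TABLE hr.emp MOVE TABLESPACE encts;
ALTER INDEX hr.emp_pk REBUILD TABLESPACE encts;  -- indexes are unusable after a move

-- Verification: which tablespaces are encrypted, and with what algorithm.
SELECT t.name AS tablespace_name, e.encryptionalg, e.encryptedts
FROM   v$encrypted_tablespaces e
JOIN   v$tablespace t ON t.ts# = e.ts#;

-- And which of hr's segments still live outside an encrypted tablespace.
SELECT s.segment_name, s.segment_type, s.tablespace_name
FROM   dba_segments s
JOIN   dba_tablespaces ts ON ts.tablespace_name = s.tablespace_name
WHERE  s.owner = 'HR'
AND    ts.encrypted = 'NO';
```

The last query is the check to keep in a periodic review: a new table or index created without an explicit TABLESPACE clause lands in the schema's default tablespace, so unless that default is changed to encts (ALTER USER hr DEFAULT TABLESPACE encts) new objects silently end up unencrypted.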
Re-Key Support
  Release   Column encryption          Tablespace encryption
            Master key   Table keys    Master key   Table keys
  10gR2     Yes          Yes           N/A          N/A
  11gR1     Yes          Yes           No           No
  11gR2     Yes*         Yes           Yes*         No
  12cR1     Yes*         Yes           Yes*         No
* Unified master key: column and tablespace encryption use the same master key
Column vs. Tablespace Encryption
  Column encryption                                  | Tablespace encryption
  ---------------------------------------------------|------------------------------------------------
  Expensive, so use it only if less than 5% of all   | Use when most of the application data is
  application tables need encryption                 | sensitive
  Does not support hardware crypto acceleration      | Supports hardware crypto acceleration
  Supports only B-tree indexes                       | Has no such restriction
  Supports rekeying of data                          | Does not support rekeying of data
  Can encrypt existing tables                        | Cannot encrypt existing tablespaces
References
• http://docs.oracle.com/database/121/ASOAG/asotrans.htm

Contenu connexe

Tendances

The Oracle RAC Family of Solutions - Presentation
The Oracle RAC Family of Solutions - PresentationThe Oracle RAC Family of Solutions - Presentation
The Oracle RAC Family of Solutions - PresentationMarkus Michalewicz
 
Oracle data guard for beginners
Oracle data guard for beginnersOracle data guard for beginners
Oracle data guard for beginnersPini Dibask
 
Oracle_Multitenant_19c_-_All_About_Pluggable_D.pdf
Oracle_Multitenant_19c_-_All_About_Pluggable_D.pdfOracle_Multitenant_19c_-_All_About_Pluggable_D.pdf
Oracle_Multitenant_19c_-_All_About_Pluggable_D.pdfSrirakshaSrinivasan2
 
What to Expect From Oracle database 19c
What to Expect From Oracle database 19cWhat to Expect From Oracle database 19c
What to Expect From Oracle database 19cMaria Colgan
 
What's new in Oracle 19c & 18c Recovery Manager (RMAN)
What's new in Oracle 19c & 18c Recovery Manager (RMAN)What's new in Oracle 19c & 18c Recovery Manager (RMAN)
What's new in Oracle 19c & 18c Recovery Manager (RMAN)Satishbabu Gunukula
 
Dataguard presentation
Dataguard presentationDataguard presentation
Dataguard presentationVimlendu Kumar
 
Oracle Security Presentation
Oracle Security PresentationOracle Security Presentation
Oracle Security PresentationFrancisco Alvarez
 
Oracle RAC 19c: Best Practices and Secret Internals
Oracle RAC 19c: Best Practices and Secret InternalsOracle RAC 19c: Best Practices and Secret Internals
Oracle RAC 19c: Best Practices and Secret InternalsAnil Nair
 
Oracle Database: Checklist Connection Issues
Oracle Database: Checklist Connection IssuesOracle Database: Checklist Connection Issues
Oracle Database: Checklist Connection IssuesMarkus Flechtner
 
Oracle Client Failover - Under The Hood
Oracle Client Failover - Under The HoodOracle Client Failover - Under The Hood
Oracle Client Failover - Under The HoodLudovico Caldara
 
Why oracle data guard new features in oracle 18c, 19c
Why oracle data guard new features in oracle 18c, 19cWhy oracle data guard new features in oracle 18c, 19c
Why oracle data guard new features in oracle 18c, 19cSatishbabu Gunukula
 
Exploring Oracle Multitenant in Oracle Database 12c
Exploring Oracle Multitenant in Oracle Database 12cExploring Oracle Multitenant in Oracle Database 12c
Exploring Oracle Multitenant in Oracle Database 12cZohar Elkayam
 
Oracle Key Vault Overview
Oracle Key Vault OverviewOracle Key Vault Overview
Oracle Key Vault OverviewTroy Kitch
 
Step by Step Restore rman to different host
Step by Step Restore rman to different hostStep by Step Restore rman to different host
Step by Step Restore rman to different hostOsama Mustafa
 
Oracle ACFS High Availability NFS Services (HANFS)
Oracle ACFS High Availability NFS Services (HANFS)Oracle ACFS High Availability NFS Services (HANFS)
Oracle ACFS High Availability NFS Services (HANFS)Anju Garg
 
Introducing Oracle Audit Vault and Database Firewall
Introducing Oracle Audit Vault and Database FirewallIntroducing Oracle Audit Vault and Database Firewall
Introducing Oracle Audit Vault and Database FirewallTroy Kitch
 
Oracle Data Guard for Beginners
Oracle Data Guard for BeginnersOracle Data Guard for Beginners
Oracle Data Guard for BeginnersPini Dibask
 
Oracle Data Redaction
Oracle Data RedactionOracle Data Redaction
Oracle Data RedactionIvica Arsov
 

Tendances (20)

The Oracle RAC Family of Solutions - Presentation
The Oracle RAC Family of Solutions - PresentationThe Oracle RAC Family of Solutions - Presentation
The Oracle RAC Family of Solutions - Presentation
 
Oracle data guard for beginners
Oracle data guard for beginnersOracle data guard for beginners
Oracle data guard for beginners
 
01 oracle architecture
01 oracle architecture01 oracle architecture
01 oracle architecture
 
Oracle_Multitenant_19c_-_All_About_Pluggable_D.pdf
Oracle_Multitenant_19c_-_All_About_Pluggable_D.pdfOracle_Multitenant_19c_-_All_About_Pluggable_D.pdf
Oracle_Multitenant_19c_-_All_About_Pluggable_D.pdf
 
What to Expect From Oracle database 19c
What to Expect From Oracle database 19cWhat to Expect From Oracle database 19c
What to Expect From Oracle database 19c
 
What's new in Oracle 19c & 18c Recovery Manager (RMAN)
What's new in Oracle 19c & 18c Recovery Manager (RMAN)What's new in Oracle 19c & 18c Recovery Manager (RMAN)
What's new in Oracle 19c & 18c Recovery Manager (RMAN)
 
Dataguard presentation
Dataguard presentationDataguard presentation
Dataguard presentation
 
Oracle Security Presentation
Oracle Security PresentationOracle Security Presentation
Oracle Security Presentation
 
Oracle RAC 19c: Best Practices and Secret Internals
Oracle RAC 19c: Best Practices and Secret InternalsOracle RAC 19c: Best Practices and Secret Internals
Oracle RAC 19c: Best Practices and Secret Internals
 
Rac questions
Rac questionsRac questions
Rac questions
 
Oracle Database: Checklist Connection Issues
Oracle Database: Checklist Connection IssuesOracle Database: Checklist Connection Issues
Oracle Database: Checklist Connection Issues
 
Oracle Client Failover - Under The Hood
Oracle Client Failover - Under The HoodOracle Client Failover - Under The Hood
Oracle Client Failover - Under The Hood
 
Why oracle data guard new features in oracle 18c, 19c
Why oracle data guard new features in oracle 18c, 19cWhy oracle data guard new features in oracle 18c, 19c
Why oracle data guard new features in oracle 18c, 19c
 
Exploring Oracle Multitenant in Oracle Database 12c
Exploring Oracle Multitenant in Oracle Database 12cExploring Oracle Multitenant in Oracle Database 12c
Exploring Oracle Multitenant in Oracle Database 12c
 
Oracle Key Vault Overview
Oracle Key Vault OverviewOracle Key Vault Overview
Oracle Key Vault Overview
 
Step by Step Restore rman to different host
Step by Step Restore rman to different hostStep by Step Restore rman to different host
Step by Step Restore rman to different host
 
Oracle ACFS High Availability NFS Services (HANFS)
Oracle ACFS High Availability NFS Services (HANFS)Oracle ACFS High Availability NFS Services (HANFS)
Oracle ACFS High Availability NFS Services (HANFS)
 
Introducing Oracle Audit Vault and Database Firewall
Introducing Oracle Audit Vault and Database FirewallIntroducing Oracle Audit Vault and Database Firewall
Introducing Oracle Audit Vault and Database Firewall
 
Oracle Data Guard for Beginners
Oracle Data Guard for BeginnersOracle Data Guard for Beginners
Oracle Data Guard for Beginners
 
Oracle Data Redaction
Oracle Data RedactionOracle Data Redaction
Oracle Data Redaction
 

Similaire à Oracle Transparent Data Encryption (TDE) 12c

xjtrutdctrd5454drxxresersestryugyufy6rythgfytfyt
xjtrutdctrd5454drxxresersestryugyufy6rythgfytfytxjtrutdctrd5454drxxresersestryugyufy6rythgfytfyt
xjtrutdctrd5454drxxresersestryugyufy6rythgfytfytWrushabhShirsat3
 
Aioug vizag oracle12c_new_features
Aioug vizag oracle12c_new_featuresAioug vizag oracle12c_new_features
Aioug vizag oracle12c_new_featuresAiougVizagChapter
 
Scaling MySQL Strategies for Developers
Scaling MySQL Strategies for DevelopersScaling MySQL Strategies for Developers
Scaling MySQL Strategies for DevelopersJonathan Levin
 
Geek Sync I Need for Speed: In-Memory Databases in Oracle and SQL Server
Geek Sync I Need for Speed: In-Memory Databases in Oracle and SQL ServerGeek Sync I Need for Speed: In-Memory Databases in Oracle and SQL Server
Geek Sync I Need for Speed: In-Memory Databases in Oracle and SQL ServerIDERA Software
 
An Introduction To Oracle Database
An Introduction To Oracle DatabaseAn Introduction To Oracle Database
An Introduction To Oracle DatabaseMeysam Javadi
 
Steve Jones - Encrypting Data
Steve Jones - Encrypting DataSteve Jones - Encrypting Data
Steve Jones - Encrypting DataRed Gate Software
 
Data Warehousing with Amazon Redshift
Data Warehousing with Amazon RedshiftData Warehousing with Amazon Redshift
Data Warehousing with Amazon RedshiftAmazon Web Services
 
data loading and unloading in IBM Netezza by www.etraining.guru
data loading and unloading in IBM Netezza by www.etraining.gurudata loading and unloading in IBM Netezza by www.etraining.guru
data loading and unloading in IBM Netezza by www.etraining.guruRavikumar Nandigam
 
MySQL Data Encryption at Rest
MySQL Data Encryption at RestMySQL Data Encryption at Rest
MySQL Data Encryption at RestMydbops
 
Oracle forensics 101
Oracle forensics 101Oracle forensics 101
Oracle forensics 101fangjiafu
 
An overview of snowflake
An overview of snowflakeAn overview of snowflake
An overview of snowflakeSivakumar Ramar
 
Data Warehousing in the Era of Big Data
Data Warehousing in the Era of Big DataData Warehousing in the Era of Big Data
Data Warehousing in the Era of Big DataAmazon Web Services
 
database-stucture-and-space-managment.ppt
database-stucture-and-space-managment.pptdatabase-stucture-and-space-managment.ppt
database-stucture-and-space-managment.pptsubbu998029
 
database-stucture-and-space-managment.ppt
database-stucture-and-space-managment.pptdatabase-stucture-and-space-managment.ppt
database-stucture-and-space-managment.pptIftikhar70
 

Similaire à Oracle Transparent Data Encryption (TDE) 12c (20)

unit-ii.pptx
unit-ii.pptxunit-ii.pptx
unit-ii.pptx
 
xjtrutdctrd5454drxxresersestryugyufy6rythgfytfyt
xjtrutdctrd5454drxxresersestryugyufy6rythgfytfytxjtrutdctrd5454drxxresersestryugyufy6rythgfytfyt
xjtrutdctrd5454drxxresersestryugyufy6rythgfytfyt
 
Aioug vizag oracle12c_new_features
Aioug vizag oracle12c_new_featuresAioug vizag oracle12c_new_features
Aioug vizag oracle12c_new_features
 
Scaling MySQL Strategies for Developers
Scaling MySQL Strategies for DevelopersScaling MySQL Strategies for Developers
Scaling MySQL Strategies for Developers
 
Geek Sync I Need for Speed: In-Memory Databases in Oracle and SQL Server
Geek Sync I Need for Speed: In-Memory Databases in Oracle and SQL ServerGeek Sync I Need for Speed: In-Memory Databases in Oracle and SQL Server
Geek Sync I Need for Speed: In-Memory Databases in Oracle and SQL Server
 
Database.pptx
Database.pptxDatabase.pptx
Database.pptx
 
An Introduction To Oracle Database
An Introduction To Oracle DatabaseAn Introduction To Oracle Database
An Introduction To Oracle Database
 
Steve Jones - Encrypting Data
Steve Jones - Encrypting DataSteve Jones - Encrypting Data
Steve Jones - Encrypting Data
 
Data Warehousing with Amazon Redshift
Data Warehousing with Amazon RedshiftData Warehousing with Amazon Redshift
Data Warehousing with Amazon Redshift
 
data loading and unloading in IBM Netezza by www.etraining.guru
data loading and unloading in IBM Netezza by www.etraining.gurudata loading and unloading in IBM Netezza by www.etraining.guru
data loading and unloading in IBM Netezza by www.etraining.guru
 
Deep Dive on Amazon Redshift
Deep Dive on Amazon RedshiftDeep Dive on Amazon Redshift
Deep Dive on Amazon Redshift
 
MySQL Data Encryption at Rest
MySQL Data Encryption at RestMySQL Data Encryption at Rest
MySQL Data Encryption at Rest
 
Oracle forensics 101
Oracle forensics 101Oracle forensics 101
Oracle forensics 101
 
An overview of snowflake
An overview of snowflakeAn overview of snowflake
An overview of snowflake
 
Fudcon talk.ppt
Fudcon talk.pptFudcon talk.ppt
Fudcon talk.ppt
 
Data Warehousing in the Era of Big Data
Data Warehousing in the Era of Big DataData Warehousing in the Era of Big Data
Data Warehousing in the Era of Big Data
 
database-stucture-and-space-managment.ppt
database-stucture-and-space-managment.pptdatabase-stucture-and-space-managment.ppt
database-stucture-and-space-managment.ppt
 
database-stucture-and-space-managment.ppt
database-stucture-and-space-managment.pptdatabase-stucture-and-space-managment.ppt
database-stucture-and-space-managment.ppt
 
Deep Dive on Amazon Redshift
Deep Dive on Amazon RedshiftDeep Dive on Amazon Redshift
Deep Dive on Amazon Redshift
 
Deep Dive on Amazon Redshift
Deep Dive on Amazon RedshiftDeep Dive on Amazon Redshift
Deep Dive on Amazon Redshift
 

Plus de Nabeel Yoosuf

Building RESTful Applications
Building RESTful ApplicationsBuilding RESTful Applications
Building RESTful ApplicationsNabeel Yoosuf
 
Introduction to OAuth 2.0 - Part 2
Introduction to OAuth 2.0 - Part 2Introduction to OAuth 2.0 - Part 2
Introduction to OAuth 2.0 - Part 2Nabeel Yoosuf
 
Introduction to OAuth 2.0 - Part 1
Introduction to OAuth 2.0 - Part 1Introduction to OAuth 2.0 - Part 1
Introduction to OAuth 2.0 - Part 1Nabeel Yoosuf
 
Introduction to OAuth 2.0 - Part 1
Introduction to OAuth 2.0  - Part 1Introduction to OAuth 2.0  - Part 1
Introduction to OAuth 2.0 - Part 1Nabeel Yoosuf
 
Introduction to Tokenization
Introduction to TokenizationIntroduction to Tokenization
Introduction to TokenizationNabeel Yoosuf
 
Privacy Preserving Access Control for Third Party Data Management Systems
Privacy Preserving Access Control for Third Party Data Management SystemsPrivacy Preserving Access Control for Third Party Data Management Systems
Privacy Preserving Access Control for Third Party Data Management SystemsNabeel Yoosuf
 
Efficient privacy preserving publish subscribe systems
Efficient privacy preserving publish subscribe systemsEfficient privacy preserving publish subscribe systems
Efficient privacy preserving publish subscribe systemsNabeel Yoosuf
 
Access Control: Principles and Practice
Access Control: Principles and PracticeAccess Control: Principles and Practice
Access Control: Principles and PracticeNabeel Yoosuf
 
Efficient Filtering in Pub-Sub Systems using BDD
Efficient Filtering in Pub-Sub Systems using BDDEfficient Filtering in Pub-Sub Systems using BDD
Efficient Filtering in Pub-Sub Systems using BDDNabeel Yoosuf
 
Pub-Sub Systems and Confidentiality/Privacy
Pub-Sub Systems and Confidentiality/PrivacyPub-Sub Systems and Confidentiality/Privacy
Pub-Sub Systems and Confidentiality/PrivacyNabeel Yoosuf
 
A Structure Preserving Approach for Securing XML Documents
A Structure Preserving Approach for Securing XML DocumentsA Structure Preserving Approach for Securing XML Documents
A Structure Preserving Approach for Securing XML DocumentsNabeel Yoosuf
 

Plus de Nabeel Yoosuf (12)

Building RESTful Applications
Building RESTful ApplicationsBuilding RESTful Applications
Building RESTful Applications
 
Introduction to OAuth 2.0 - Part 2
Introduction to OAuth 2.0 - Part 2Introduction to OAuth 2.0 - Part 2
Introduction to OAuth 2.0 - Part 2
 
Introduction to OAuth 2.0 - Part 1
Introduction to OAuth 2.0 - Part 1Introduction to OAuth 2.0 - Part 1
Introduction to OAuth 2.0 - Part 1
 
Introduction to OAuth 2.0 - Part 1
Introduction to OAuth 2.0  - Part 1Introduction to OAuth 2.0  - Part 1
Introduction to OAuth 2.0 - Part 1
 
API Façade Pattern
API Façade PatternAPI Façade Pattern
API Façade Pattern
 
Introduction to Tokenization
Introduction to TokenizationIntroduction to Tokenization
Introduction to Tokenization
 
Privacy Preserving Access Control for Third Party Data Management Systems
Privacy Preserving Access Control for Third Party Data Management SystemsPrivacy Preserving Access Control for Third Party Data Management Systems
Privacy Preserving Access Control for Third Party Data Management Systems
 
Efficient privacy preserving publish subscribe systems
Efficient privacy preserving publish subscribe systemsEfficient privacy preserving publish subscribe systems
Efficient privacy preserving publish subscribe systems
 
Access Control: Principles and Practice
Access Control: Principles and PracticeAccess Control: Principles and Practice
Access Control: Principles and Practice
 
Efficient Filtering in Pub-Sub Systems using BDD
Efficient Filtering in Pub-Sub Systems using BDDEfficient Filtering in Pub-Sub Systems using BDD
Efficient Filtering in Pub-Sub Systems using BDD
 
Pub-Sub Systems and Confidentiality/Privacy
Pub-Sub Systems and Confidentiality/PrivacyPub-Sub Systems and Confidentiality/Privacy
Pub-Sub Systems and Confidentiality/Privacy
 
A Structure Preserving Approach for Securing XML Documents
A Structure Preserving Approach for Securing XML DocumentsA Structure Preserving Approach for Securing XML Documents
A Structure Preserving Approach for Securing XML Documents
 

Dernier

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 

Dernier (20)

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 

Oracle Transparent Data Encryption (TDE) 12c

11. Setting up Oracle Wallet
• Specify the wallet location using the sqlnet.ora parameter ENCRYPTION_WALLET_LOCATION:
    ENCRYPTION_WALLET_LOCATION=
      (SOURCE=(METHOD=FILE)(METHOD_DATA=
        (DIRECTORY=/etc/orcl/keystore)))
• Initialize the keystore and create the master key in SQL*Plus, connected to CDB$ROOT:
    ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/orcl/keystore' IDENTIFIED BY password;
• This creates a file called ewallet.p12 in the wallet folder
12. Opening the Wallet
• Once the wallet is open, the master key becomes available to the database:
    ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY chia_123 CONTAINER = ALL;
• Once the wallet is open, you can perform TDE operations
  – Column encryption
  – Tablespace encryption
• The v$encryption_wallet view shows the wallet status
13. Opening the Wallet
• select wrl_parameter, status, con_id from v$encryption_wallet;
    WRL_PARAMETER      STATUS     CON_ID
    ------------------ ---------- ------
    /etc/orcl/keystore OPEN            0
• In order to exercise least privilege and separation of duty, it is recommended to use a SYSKM user instead of SYSDBA to perform wallet management
14. Two-Tier Key Architecture
• The master key is stored in an Oracle Wallet (keystore)
• Tablespace or table (column) keys are stored in the database itself, in the Oracle data dictionary – they are encrypted using the master key
• If an HSM is used for the Oracle Wallet, the master key is not fetched into the database to decrypt the tablespace/table keys
15. TDE Column Encryption
• Allows encrypting one or more columns of a table
• Each column is assigned a unique symmetric key
• The symmetric keys are stored encrypted under the master key in the Oracle data dictionary (in the sys.enc$ table)
16. TDE Column Encryption
• Create the encemp table with two encrypted columns:
    create table encemp (
      name     varchar2(128) encrypt,
      salary   number(6) encrypt,
      position varchar2(32)
    );
• The user_encrypted_columns view shows the encrypted columns:
    TABLE_NAME      COLUMN_NAME     ENCRYPTION_ALG
    --------------- --------------- ------------------
    ENCEMP          NAME            AES 192 bits key
    ENCEMP          SALARY          AES 192 bits key
17. TDE Column Encryption
• Encryption parameters can be changed, and columns encrypted or decrypted, later using the ALTER TABLE statement
• Both the master key and the table keys can be changed
  – If the master key is changed, the encrypted columns are not touched
  – If table keys are changed, the encrypted columns are re-encrypted with the new keys
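The key hierarchy of slides 14 and 15 and the re-key rule of slide 17, as an added self-contained model (not code from the presentation or from Oracle): a constructed HMAC-based stream cipher stands in for AES, the wallet object holds the master key, the dictionary holds per-table keys wrapped under it, and rotating the master key rewraps only the dictionary entries while rotating a table key rewrites the rows; a closed wallet makes the rows unreadable.

```python
import hashlib
import hmac
import os

# Constructed stand-in for AES (HMAC-SHA256 keystream XOR); XOR, so one call encrypts and decrypts.
def toy_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

class TdeModel:
    """Two-tier keys: master key in the wallet, table keys in the dictionary wrapped under it."""
    def __init__(self):
        self.master_key = os.urandom(32)  # wallet (ewallet.p12), outside the DB
        self.wallet_open = True
        self.dictionary = {}  # table -> (nonce, wrapped table key), cf. sys.enc$
        self.datafile = {}    # table -> (nonce, ciphertext) as stored on disk
    def _table_key(self, table):
        if not self.wallet_open:
            raise RuntimeError("wallet closed: master key unavailable")
        nonce, wrapped = self.dictionary[table]
        return toy_crypt(self.master_key, nonce, wrapped)
    def create_encrypted_table(self, table, plaintext):
        tkey, n1, n2 = os.urandom(32), os.urandom(12), os.urandom(12)
        self.dictionary[table] = (n1, toy_crypt(self.master_key, n1, tkey))
        self.datafile[table] = (n2, toy_crypt(tkey, n2, plaintext))
    def read(self, table):
        nonce, ct = self.datafile[table]
        return toy_crypt(self._table_key(table), nonce, ct)
    def rekey_master(self):
        """Rotate master key: rewrap table keys only; datafiles are untouched."""
        tkeys = {t: self._table_key(t) for t in self.dictionary}
        self.master_key = os.urandom(32)
        for table, tkey in tkeys.items():
            n = os.urandom(12)
            self.dictionary[table] = (n, toy_crypt(self.master_key, n, tkey))
    def rekey_table(self, table):
        """Rotate a table key: rows are decrypted and re-encrypted on disk."""
        self.create_encrypted_table(table, self.read(table))

def demo():
    db = TdeModel()
    db.create_encrypted_table("ENCEMP", b"Alice,90000,Manager")  # constructed row
    data0, dict0 = db.datafile["ENCEMP"], db.dictionary["ENCEMP"]
    db.rekey_master()
    master_only = db.datafile["ENCEMP"] == data0 and db.dictionary["ENCEMP"] != dict0
    db.rekey_table("ENCEMP")
    return db.read("ENCEMP"), master_only, db.datafile["ENCEMP"] != data0
```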
18. Limitations of Column Encryption
• Higher overhead than tablespace encryption
• Supports only B-tree indexes
• Foreign key columns cannot be encrypted
• Cannot perform range scans over encrypted data
• Requires more storage
19. Tablespace Encryption
• Every object in the tablespace is encrypted
• Specify the encryption parameters at the time of tablespace creation:
    create tablespace encts
      logging
      datafile '?/dbs/encts.dbf' size 32m autoextend on next 32m maxsize 2048m
      default storage(encrypt)
• Note that you cannot encrypt existing tablespaces
20. Tablespace Encryption
• You can view the encrypted tablespaces using the dba_tablespaces view:
    TABLESPACE_NAME ENCRYPTED
    --------------- ---------
    SYSTEM          NO
    SYSAUX          NO
    TEMP            NO
    SYSEXT          NO
    ENCTS           YES
• Use the v$encrypted_tablespaces view to see the encryption options set for encrypted tablespaces
21. Re-Key Support
    Release   Column Encryption          Tablespace Encryption
              Master key   Table keys    Master key   Table keys
    10gR2     Yes          Yes           N/A          N/A
    11gR1     Yes          Yes           No           No
    11gR2     Yes*         Yes           Yes*         No
    12cR1     Yes*         Yes           Yes*         No
    * Unified master key: both column and tablespace encryption use the same master key
22. Column vs. Tablespace Encryption
    Column Encryption                                     | Tablespace Encryption
    ------------------------------------------------------|---------------------------------------------
    Column encryption is expensive; use it only if less   | Use when most of the application data are
    than 5% of all the application tables need encryption | sensitive
    Does not support hardware crypto acceleration         | Supports hardware crypto acceleration
    Supports only B-tree indexes                          | Does not have such a restriction
    Supports rekeying of data                             | Does not support rekeying of data
    Can encrypt existing tables                           | Cannot encrypt existing tablespaces

Editor's Notes

  1. The database ecosystem involves more than the database server itself. When you consider security you have to look at all access points. Your database server may be hardened but the access points may not be. Attackers won't break a bolted front door; they will go through an open window. Security is only as good as the weakest link in the system.
  2. An attacker could launch an attack from any of the attack surface above.
  3. The highlighted attackers have direct access to data bypassing database access controls.
  4. Make sure you harden the OS where the DB is running. Hardening the DB alone is not sufficient.
  5. The Oracle wallet is called a keystore in 12c. The keystore can be software or hardware (HSM). In this presentation we look only at the software keystore.
  6. The underlying view is v$encrypted_tablespaces