This presentation provides an introduction to Oracle Transparent Data Encryption technology in 12c. It is provided as part of Oracle Advanced Security.
5. What is TDE?
• An Oracle Advanced Security feature that
encrypts data at rest completely
transparently to applications
• It is not an access control mechanism for
Oracle database users
• Notice that the data is encrypted only at rest –
when the database server processes the data
in the SQL layer, data records are decrypted
and processed
6. Why TDE/Encryption?
• If attackers gain access to the operating
system as a powerful user (e.g. root or oracle),
they can bypass the database and read the
data files directly. Encryption protects
database files stored on disk
• Also, many regulatory compliance regimes
require encrypting data at rest
7. Encryption Options Available
• DBMS_CRYPTO – client side encryption
• TDE
– Column encryption (10gR2 onwards)
– Tablespace encryption (11gR1 onwards)
• In this presentation, we only look at TDE
8. TDE Setup
[Diagram: an encrypted emp table (Name and Salary columns stored as ciphertext, Position in clear) in the hr tablespace of the Oracle database alongside table1, table2, index1 and seq1; the master key lives in the Oracle Wallet, the table keys in the Oracle Data Dictionary]
9. TDE Workflow
1. Setup wallet and master key
2. Identify
– Tables with sensitive columns
– Tablespaces with sensitive tables
3. Open wallet
4. Encrypt
– The identified columns
– The identified tablespaces
5. Close wallet
10. Oracle Wallet
• A PKCS#12 formatted file residing outside of
the database (in the file system)
• Encrypted using password based encryption
as defined in PKCS#5
• Holds the TDE master key
• It is good practice to set up the wallet
outside of $ORACLE_BASE and grant
minimal privileges on the wallet folder
11. Setting up Oracle Wallet
• Specify the wallet location with the
ENCRYPTION_WALLET_LOCATION parameter in sqlnet.ora:
ENCRYPTION_WALLET_LOCATION=
(SOURCE=(METHOD=FILE)(METHOD_DATA=
(DIRECTORY=/etc/orcl/keystore)))
• Initialize the keystore and create the master key
in SQL*Plus in CDB$ROOT:
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE
'/etc/orcl/keystore' IDENTIFIED BY password;
• This creates a file called ewallet.p12 in the wallet
folder
12. Opening the Wallet
• Once the wallet is open, the master key
becomes available to the database
ADMINISTER KEY MANAGEMENT
SET KEYSTORE OPEN IDENTIFIED BY chia_123
CONTAINER = ALL;
• Once the wallet is open, you can perform TDE
operations
– Column encryption
– Tablespace encryption
• v$encryption_wallet view shows the wallet
status
13. Opening the Wallet
• select wrl_parameter, status, con_id from
v$encryption_wallet;
WRL_PARAMETER STATUS CON_ID
------------------ ---------- ------
/etc/orcl/keystore OPEN 0
• In order to exercise least privilege and separation
of duty constraints, it is recommended to use a
SYSKM user instead of a SYSDBA to perform
wallet management
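The keystore lifecycle from slides 9, 11, 12 and 13 as one script, added here as an example (not the presentation's own code). It assumes a user granted SYSKM connected to CDB$ROOT, the /etc/orcl/keystore path from sqlnet.ora above, and keystore_password as a placeholder; it adds the SET KEY step, which is what actually generates the master key after CREATE KEYSTORE has produced the empty ewallet.p12.

```sql
-- Run in CDB$ROOT as a SYSKM user (separation of duty: not SYSDBA).
-- keystore_password is a placeholder; /etc/orcl/keystore is the
-- directory configured in sqlnet.ora ENCRYPTION_WALLET_LOCATION.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/orcl/keystore'
  IDENTIFIED BY keystore_password;

-- Step 3 of the workflow: open the keystore in the root and every PDB.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY keystore_password CONTAINER = ALL;

-- CREATE KEYSTORE only writes ewallet.p12; SET KEY generates and
-- activates the TDE master key. WITH BACKUP copies the keystore first,
-- so a failed key operation never leaves you without a usable wallet.
ADMINISTER KEY MANAGEMENT SET KEY
  USING TAG 'initial master key'
  IDENTIFIED BY keystore_password
  WITH BACKUP USING 'before_first_key' CONTAINER = ALL;

-- Checks: status must be OPEN and exactly one key should be active.
SELECT wrl_parameter, status, wallet_type, con_id
  FROM v$encryption_wallet;
SELECT key_id, tag, activation_time, con_id
  FROM v$encryption_keys;

-- Step 5: close the keystore once encryption work is finished.
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE
  IDENTIFIED BY keystore_password CONTAINER = ALL;
```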
14. Two-Tier Key Architecture
• The master key is stored in an Oracle Wallet
(keystore)
• Tablespace or table (column) keys are stored
in the database itself, in the Oracle data
dictionary – they are encrypted using the
master key
• If an HSM is used as the Oracle Wallet, the master
key is not fetched into the database to decrypt
the tablespace/table keys
15. TDE Column Encryption
• Encrypts one or more columns of a
table
• Each column is assigned a unique symmetric
key
• The symmetric keys are stored encrypted
under the master key in the Oracle data
dictionary (in the sys.enc$ table)
16. TDE Column Encryption
• Create encemp table with two encrypted
columns
create table encemp (
name varchar2(128) encrypt,
salary number(6) encrypt,
position varchar2(32)
);
• user_encrypted_columns view shows
the encrypted columns
TABLE_NAME COLUMN_NAME ENCRYPTION_ALG
--------------- --------------- ------------------
ENCEMP NAME AES 192 bits key
ENCEMP SALARY AES 192 bits key
17. TDE Column Encryption
• Can change encryption parameters, encrypt,
or decrypt table columns later using ALTER
TABLE statement.
• Can change both master key and table keys
– If master key is changed, no change to the
encrypted columns
– If table keys are changed, encrypted columns are
re-encrypted with the new keys
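The ALTER TABLE operations and the two kinds of re-key described on this slide, as an added example (not from the presentation). It assumes the encemp table from slide 16 and an open keystore; keystore_password is a placeholder. The statements are ordered so that the table algorithm is changed before a further column is added, because all encrypted columns of one table must use the same algorithm.

```sql
-- Re-key the table: a new table key is generated and every encrypted
-- column is rewritten with it, here also moving from AES192 to AES256.
-- This is the "table keys changed" case: data IS re-encrypted.
ALTER TABLE encemp REKEY USING 'AES256';

-- Encrypt an additional column later. NO SALT is required if the column
-- is to carry a (B-tree) index; the algorithm is inherited from the table.
ALTER TABLE encemp MODIFY (position ENCRYPT NO SALT);

-- Decrypt a column again: its data is rewritten in clear text.
ALTER TABLE encemp MODIFY (name DECRYPT);

-- Check the result: algorithm and salt setting per encrypted column.
SELECT table_name, column_name, encryption_alg, salt
  FROM user_encrypted_columns
 WHERE table_name = 'ENCEMP';

-- Rotate the master key (SYSKM in CDB$ROOT). This is the "master key
-- changed" case: column data is untouched, only the table keys held
-- in the data dictionary are re-wrapped under the new master key.
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY keystore_password
  WITH BACKUP USING 'before_master_rekey' CONTAINER = ALL;
```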
18. Limitations of Column Encryption
• Higher overhead than tablespace encryption
• Supports only B-tree indexes
• Foreign key columns cannot be encrypted
• Cannot perform range scans over encrypted
data
• Requires more storage
19. Tablespace Encryption
• Every object in the tablespace is encrypted
• Specify encryption parameters at the time of
tablespace creation
create tablespace encts
logging
datafile '?/dbs/encts.dbf'
size 32m
autoextend on
next 32m maxsize 2048m
encryption using 'AES192' -- algorithm clause; AES128 is used if USING is omitted
default storage(encrypt);
• Note that you cannot encrypt existing
tablespaces
20. Tablespace Encryption
• You can view the encrypted tablespaces using
the dba_tablespaces view
TABLESPACE_NAME ENCRYPTED
--------------- ---------
SYSTEM NO
SYSAUX NO
TEMP NO
SYSEXT NO
ENCTS YES
• Use the v$encrypted_tablespaces view to see the
encryption options set for encrypted
tablespaces
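Since an existing tablespace cannot be encrypted in place (slide 19), the practical route is to move the sensitive segments into a new encrypted tablespace. This is an added example, not from the presentation; it assumes an open keystore, an existing clear-text table hr.emp with an index hr.emp_name_ix, and the encts tablespace definition from slide 19.

```sql
-- New encrypted tablespace (same definition as slide 19, with the
-- algorithm stated explicitly).
CREATE TABLESPACE encts
  DATAFILE '?/dbs/encts.dbf' SIZE 32M AUTOEXTEND ON NEXT 32M MAXSIZE 2048M
  ENCRYPTION USING 'AES192'
  DEFAULT STORAGE (ENCRYPT);

-- Relocate the table; MOVE rewrites its blocks into encts, so they are
-- encrypted on the way in. Indexes are left UNUSABLE by MOVE and must be
-- rebuilt (and should land in encts too, or the index leaks clear text).
ALTER TABLE hr.emp MOVE TABLESPACE encts;
ALTER INDEX hr.emp_name_ix REBUILD TABLESPACE encts;

-- Check that no segment of emp still lives in a clear-text tablespace.
SELECT segment_name, segment_type, tablespace_name
  FROM dba_segments
 WHERE owner = 'HR' AND segment_name IN ('EMP', 'EMP_NAME_IX');

-- Encrypted tablespaces and the algorithm each one uses
-- (dba_tablespaces gives the flag, v$encrypted_tablespaces the options).
SELECT t.tablespace_name, t.encrypted, e.encryptionalg, e.encryptedts
  FROM dba_tablespaces t
  JOIN v$tablespace v ON v.name = t.tablespace_name
  JOIN v$encrypted_tablespaces e ON e.ts# = v.ts#;

-- Caveat: the old blocks in the source datafile still hold clear text
-- until they are reused or the old tablespace is dropped and the file
-- securely removed; plan that step as part of the migration.
```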
21. Re-Key Support
Release   Column Encryption          Tablespace Encryption
          Master key   Table keys    Master key   Table keys
10gR2     Yes          Yes           N/A          N/A
11gR1     Yes          Yes           No           No
11gR2     Yes*         Yes           Yes*         No
12cR1     Yes*         Yes           Yes*         No
* Unified master key: both column and tablespace encryption
use the same master key
22. Column vs. Tablespace Encryption
Column Encryption                                    | Tablespace Encryption
Column encryption is expensive; so, use it only if   | Use when most of the application data
less than 5% of all the application tables need      | are sensitive
encryption                                           |
Does not support hardware crypto acceleration        | Supports hardware crypto acceleration
Supports only B-tree indexes                         | Does not have such a restriction
Supports rekeying of data                            | Does not support rekeying of data
Can encrypt existing tables                          | Cannot encrypt existing tablespaces
The database ecosystem involves more than the database server itself. When you consider security you have to look at all access points. Your database server may be hardened but the access points may not be. Attackers won't break down a bolted front door; they will go through an open window. Security is only as good as the weakest link in the system.
An attacker could launch an attack from any point on the attack surface above.
The highlighted attackers have direct access to data, bypassing database access controls.
Make sure you harden the OS where the DB is running. Hardening the DB alone is not sufficient.
The Oracle wallet is called a keystore in 12c. The keystore can be software or hardware (HSM). In this presentation we look only at the software keystore.