http://www.oracle.com/webfolder/technetwork/tutorials/obe/db/11g/r1/prod/security/tde/tde.htm
Using Transparent Database Encryption in Oracle Database 11g
Purpose
This tutorial describes how you can use Transparent Database Encryption to encrypt data stored on disk using Enterprise Manager Database Control in Oracle Database 11g.
Note: This OBE was tested on production software however some of the screenshots may still refer to the beta software.
Time to Complete
30 minutes
Topics
This tutorial covers the following topics:
Viewing Screenshots
Place the cursor over this icon to load and view all the screenshots for this tutorial. (Caution: This action loads all screenshots simultaneously, so response time may be slow depending on your Internet connection.)
Note: Alternatively, you can place the cursor over each individual icon in the following steps to load and view only the screenshot associated with that step.
Overview
Transparent data encryption enables you to encrypt individual table columns or an entire tablespace. When a user inserts data into an encrypted column, transparent data encryption automatically encrypts the data. When users select the column, the data is automatically decrypted. After the selection, the data is reencrypted.
Transparent data encryption helps protect data stored on media in the event that the storage media or data file gets stolen, because it stores the encryption keys in a security module (that is, a wallet) external to the database. Protecting data from this type of theft is required for most compliance regulations. The benefit to using transparent data encryption is that it requires little coding and is quick and easy to implement.
In Oracle Database 11g, you can use Enterprise Manager to manage transparent data encryption.
Before starting this tutorial, you should:
1. | Install Oracle Database 11g |
Preparing the Database for Encryption
In this section, you change the location of the wallet and open it with Enterprise Manager Database Control. Perform the following steps:
1. | Open your browser and enter the following URL. https://<hostname>:1158/em Login as the system user.
|
|
2. | Select the Server tab.
|
|
3. | Under Security, click Transparent Data Encryption.
|
|
4. | To change the wallet location to a location outside of the Oracle installation (to avoid that it ends up on a backup tape together with encrypted data), click Change.
|
|
5. | Since the directory that you want to change to doesn't exist yet, you need to create it. Open a terminal window and execute the following commands to create the directory and change the owner to the oracle user: cd /etc su <root> mkdir ORACLE cd ORACLE mkdir WALLETS cd WALLETS mkdir oracle chown oracle:oinstall /etc/ORACLE/WALLETS/oracle
|
|
6. | Now that the directory is created, switch back to Enterprise Manager. Select Network Profile from the list under Administer and click Go.
|
|
7. | Login with your Oracle software owner Username and Password and click Login.
|
|
8. | Expand Advanced Security Options.
|
|
9. | Select Wallet Location.
|
|
10. | Copy and paste the default /etc/ORACLE/WALLETS/oracle location into the Encryption Wallet Location field and click OK.
|
|
12. | It takes some time for the system to pick up the change; to force the update, logout and log back in. Click Logout.
|
|
13. | Click Login.
|
|
14. | Login as system again.
|
|
15. | Select the Server tab.
|
|
16. | Under Security, click Transparent Data Encryption.
|
|
17. | Notice that the directory name has changed. Enter a strong password that protects the Wallet and click OK. Optionally, this password can be known only to a Security DBA, enforcing separation of duty. The password is not stored anywhere, so it can under no circumstances be recovered.
|
|
18. | Your wallet is now open.
|
Encrypting a Column in an Existing Table
In this tutorial, you encrypt a column in the OE.CUSTOMERS table. Perform the following steps:
1. | Under Related Links, click Tables.
|
|
2. | Enter OE in the Schema field and click Go.
|
|
3. | Select the radio button in front of CUSTOMERS and click Edit.
|
|
4. | You can specify a different encryption algorithm and the key seed to be used for all encrypted columns in this table. Click Encryption Options.
|
|
5. | Review the options and click Continue.
|
|
6. | Select the checkbox in the Encryption column for CREDIT_LIMIT and click Apply.
|
|
7. | A job was submitted to encrypt the column. Click the link to the job.
|
|
8. | The job succeeded. Click the Database breadcrumb.
|
Creating an Encrypted Tablespace
In this section, you create a tablespace that is encrypted. Perform the following steps:
1. | From the Server tab in Enterprise Manager Database Control, under Storage, select Tablespaces.
|
|
2. | Click Create.
|
|
3. | Enter OBE for the name of the tablespace and click Add under Datafiles.
|
|
4. | Enter OBE for the File Name and click Continue.
|
|
5. | Tablespace encryption protects all the objects in a tablespace by storing data in encrypted format on disk. An Oracle wallet must exist and needs to be in open state. Click Encryption Options.
|
|
6. | Review the options and click Continue.
|
|
7. | Select the Encryption checkbox and click OK.
|
|
8. | Your tablespace was created successfully. Select the OBE link from the list of Tablespaces.
Note: If you receive an error, switch to a terminal window, login to sqlplus as system and execute the following command: CREATE TABLESPACE OBE DATAFILE '/u01/app/oracle/oradata/orcl/obe' SIZE 100M ENCRYPTION DEFAULT STORAGE (ENCRYPT);
|
|
9. | Notice that the Encryption option is set to YES. Click the Database breadcrumb.
|
Accessing Data Using an Index From an Encrypted Tablespace
In this section, you create a table in the encrypted tablespace, create an index on one of the columns in the table and then access the data in that column to see what execution plan is used. Perform the following steps:
1. | Open SQLDeveloper. On Linux, open a terminal window and execute the following commands: cd $ORACLE_HOME/sqldeveloper/sqldeveloper/bin ./sqldeveloper If you receive a message asking you if you want to migrate your previous connections, click No.
|
|
2. | Create a Connection. Right-click Connections and select New Connection.
|
|
3. | Enter OE for the Connection Name, Username and Password. Enter orcl for the SID and click Test.
|
|
4. | Your test was successful. Click Connect.
|
|
5. | You first want to create a copy of the CUSTOMERS table. From the SQL Worksheet, enter the following command and click Execute. CREATE TABLE customers_obe AS SELECT * FROM customers
|
|
6. | Now you can move the table into the OBE tablespace (that is encrypted). Expand Tables and right-clickCUSTOMERS_OBE and select Storage then Move Tablespace.
|
|
7. | Select the OBE tablespace from the list and click Apply.
|
|
8. | The table was moved to the OBE tablespace successfully. Click OK.
|
|
9. | Now you can create an index on the DATE_OF_BIRTH column. Enter the following command in the SQL Worksheet area and click Execute. CREATE INDEX customers_obe_idx ON customers_obe(date_of_birth)
|
|
10. | You can now select some data from the DATE_OF_BIRTH column. Enter the following command in the SQL Worksheet area and click Execute. SELECT cust_last_name, date_of_birth FROM customers_obe WHERE date_of_birth > '04-FEB-59' AND date_of_birth < '06-FEB-59'
The data is selected. So what explain plan did it use. Click the Explain Plan icon.
|
|
11. | Notice that it used the index and did an index(range scan) to retrieve the data rather than a full table scan.
|
Regenerating the Database Master Key
The database master key can be regenerated if it has been compromised. This procedure only regenerates the master keys used for encrypted columns; master keys for encrypted tablespaces cannot be re-keyed. If you need to regenerate the master key for an encrypted tablespace, you need to create a new encrypted tablespace and move all the content from the original encrypted tablespace to the new encrypted tablespace. Perform the following steps:
1. | From the Server tab in Enterprise Manager Database Control, under Security, select Transparent Data Encryption. .
|
|
2. | Click the + in front of Advanced Options.
|
|
3. | Under Regenerate Master Database Key, click Regenerate. Enter the same strong password you used when initially creating the wallet; both the old and new master keys are not related to the wallet password at all; click OK.
|
|
4. | Your Master Database Key was regenerated.
|
Summary
In this tutorial, you learned how to:
Prepare the database for encryption | ||
Encrypt a column in an existing table | ||
Create an encrypted tablespace | ||
Regenerate the database master key |