Data encryption with Oracle Advanced Security Option
• Oracle TDE (Transparent Data Encryption)
• Oracle ASO features
• Advanced Security offers the following 3 main options:
◦ Transparent Data Encryption
◦ Network Encryption
◦ Strong authentication
• Risks
• Datafile data is viewable with a hex editor
• strings users.dbf | grep SSN
• Access to a memory dump
• Lost or stolen backups: privacy data cannot be viewed without the master key
• Lack of compliance from an auditing perspective
• Why TDE?
• To protect data files, Oracle Database provides transparent data encryption. Transparent data encryption encrypts sensitive table data stored in data files. To prevent unauthorized decryption, transparent data encryption stores the encryption keys in a security module external to the database.
• No application changes required
• TDE Overview
• Key-based access control system
• The wallet file resides outside the DB and is protected by a password
• The wallet file holds the master key; the master key has no relationship to the wallet password
• Table keys are stored in the data dictionary
• TDE is not used for access control
• Encryption Algorithms
• 3DES168 (DES – Data Encryption Standard)
• AES128 (AES – Advanced Encryption Standard)
• AES192 – Default
• AES256
• Encryption Levels
• Tablespace level
◦ CREATE TABLESPACE … ENCRYPTION USING …
◦ Better performance
• Column level
◦ ALTER TABLE employees MODIFY (salary ENCRYPT);
◦ ALTER TABLE employees MODIFY (salary ENCRYPT USING 'AES256');
◦ ALTER TABLE employees MODIFY (salary DECRYPT);
• Key Management ways
• HSM (Hardware Security Module)
◦ The HSM provides storage for the master key
◦ Avoids using server memory for cryptographic operations
◦ The Advanced Security Network Encryption option is recommended to encrypt the traffic between the database server and the HSM
◦ A Hardware Security Module cannot be used for tablespace encryption, encrypted exports or encrypted RMAN backups
• Filesystem
◦ Regular filesystem or ACFS for key management
• What is SALT?
• TDE applies a salt by default.
• The salt is random data added to the value before encryption, so the encrypted value differs even when the input data is the same.
• Adding Salt to an Encrypted Column
◦ ALTER TABLE employees MODIFY (salary ENCRYPT SALT);
• Performance Considerations
• Performance is affected only when selecting from or inserting into an encrypted column; operations on other columns are not slowed, even in a table that contains encrypted columns.
• If an index is used on an encrypted column, only exact-match searches benefit from the index; a query that uses a LIKE predicate instead causes a full table scan.
• The redo log impact of a full table update on a large table should also be kept in mind. If transparent data encryption is being enabled on a very large table, then the redo log size might need to be increased to accommodate the operation.
• Using Data Pump
• A user who wants to create or read an export dump in the Data Pump directory needs read/write permissions on that directory.
• ORA-39173: Encrypted data has been stored unencrypted in dump file set.
• strings export.dmp | grep sensitive
• Use the ENCRYPTION_PASSWORD parameter on export so the data stays encrypted in the dump file.
• Use the same parameter when importing
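The two checks above (strings users.dbf | grep SSN against a datafile, and strings export.dmp | grep sensitive against a dump written without ENCRYPTION_PASSWORD) can be scripted as a post-encryption verification. The following is an added example, not code from the original post; the sample blocks, the sensitive-value patterns and the column names are constructed for illustration.

```python
import re
from typing import List, Tuple

# Behaves like `strings`: printable ASCII runs of at least 4 bytes.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

# Constructed patterns a reviewer might grep for: SSN-shaped values and
# column tags. Adjust to the data classes that matter in your own schema.
SENSITIVE = {
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "marker": re.compile(rb"SSN|SALARY", re.IGNORECASE),
}


def extract_strings(blob: bytes) -> List[bytes]:
    """Return the printable runs found in raw datafile/dump bytes."""
    return PRINTABLE_RUN.findall(blob)


def scan_for_plaintext(blob: bytes) -> List[Tuple[str, bytes]]:
    """Return (pattern_name, matching_run) pairs; empty means nothing leaked."""
    hits = []
    for run in extract_strings(blob):
        for name, pattern in SENSITIVE.items():
            if pattern.search(run):
                hits.append((name, run))
    return hits


def scan_file(path: str) -> List[Tuple[str, bytes]]:
    """Run the scan over a whole datafile or Data Pump dump on disk."""
    with open(path, "rb") as fh:
        return scan_for_plaintext(fh.read())


# Constructed samples. In both, the table name stays readable because TDE
# encrypts column data, not dictionary metadata; only the second block has
# the column values encrypted (bytes >= 0x80 stand in for AES ciphertext).
PLAINTEXT_BLOCK = (b"\x00\x01\x06\x00EMPLOYEES\x00"
                   b"SSN=123-45-6789\x00SALARY=98000\x00")
ENCRYPTED_BLOCK = b"\x00\x01\x06\x00EMPLOYEES\x00" + bytes(range(0x80, 0xA0))

if __name__ == "__main__":
    for label, block in (("plain", PLAINTEXT_BLOCK), ("tde", ENCRYPTED_BLOCK)):
        hits = scan_for_plaintext(block)
        print(f"{label}: {'LEAK' if hits else 'clean'} {hits}")
```

A non-empty result after enabling TDE, or after an export that reported ORA-39173, means the column or dump is not actually protected.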
• Backups
• Use "set encryption on" in RMAN to encrypt backups as well
• With encryption: datafiles of encrypted tablespaces are passed on without change
• Without encryption: backups are decrypted, compressed and re-encrypted
• Tablespace encryption:
• Encrypted columns are treated as if they were not encrypted, so double encryption happens
• Oracle Virtual Private Database
• Enables us to create security policies that control database access
• Fine level of granularity directly on database objects
• Brings security, simplicity and flexibility
• Columns and rows display NULL values where the data is not to be seen
• Create policies and attach them to objects – Done!