Security Basics

Brian Washington

Transparent Data Encryption deploys quickly and encrypts individual application table columns, application tablespaces, or entire databases. TDE is transparent to applications because the encryption and decryption processes do not require any application changes, and application users do not have to directly deal with encrypted data. TDE’s built-in two-tier encryption key management provides full key lifecycle management, tracking the keys across their lifetime with helpful metadata attributes, and assisted encryption key rotation, switching to a new master key with no downtime. 

TDE is integrated with complementary technologies such as Oracle Advanced Compression, Oracle Real Application Clusters (RAC), Oracle Recovery Manager (RMAN), Oracle Multitenant, Oracle GoldenGate, and Oracle Active Data Guard.

TDE column encryption can be used to encrypt specific data in application tables such as credit card numbers and US Social Security numbers. This approach is useful when the database tables are large, only a small number of columns must be encrypted, and the columns are known.

TDE tablespace encryption protects entire application tables by encrypting the underlying tablespaces. It encrypts application tablespaces regardless of the data sensitivity and irrespective of the data type. Tablespace encryption simplifies the encryption process because there is no need to identify specific database columns. This approach is useful when the database contains a large amount of sensitive data to be encrypted and the columns are in many different locations.

The protection provided by TDE follows common standards for strong encryption. 

Encryption algorithms:

  • Advanced Encryption Standard (AES), key length: 128, 192, or 256 bits

  • Triple Data Encryption Standard (TDES), key length: 168 bits

Hashing algorithms (optional):

  • Secure Hash Algorithm 1 (SHA-1), digest length: 160 bits

The high-level steps for enabling TDE in an Oracle database:

  • Create the encryption keystore location

  • Edit the sqlnet.ora file with the location of the encryption keystore

  • Create the keystore

  • Set the encryption key

  • (optional) Create an auto-login wallet
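The five steps above carried through end to end, followed by the two ways of using the key that the earlier paragraphs describe (encrypting one known column, and encrypting a whole tablespace). This is an added example and not from the original post; the wallet directory /u01/app/oracle/admin/ORCL/wallet, the database name ORCL, the hr schema, the hr.payments table, the hr_enc tablespace and the keystore password are all assumed placeholders. The first two steps happen on the operating system, so they appear as comments rather than SQL.

```sql
-- Step 1 (OS shell, not SQL): create the keystore directory. It should be
-- owned by the Oracle software owner and readable by nobody else, e.g.
--   mkdir -p /u01/app/oracle/admin/ORCL/wallet
--   chmod 700 /u01/app/oracle/admin/ORCL/wallet
--
-- Step 2 (OS file $ORACLE_HOME/network/admin/sqlnet.ora): point TDE at it.
--   ENCRYPTION_WALLET_LOCATION=
--     (SOURCE=(METHOD=FILE)
--       (METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/ORCL/wallet)))

-- Step 3: create the password-protected keystore (connect AS SYSKM or SYSDBA).
-- "KeystorePassw0rd#" is a placeholder, not a recommended value.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/admin/ORCL/wallet'
  IDENTIFIED BY "KeystorePassw0rd#";

-- The keystore has to be open before a key can be set or used.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "KeystorePassw0rd#";

-- Step 4: create and activate the master encryption key. WITH BACKUP copies
-- the keystore file before it is modified, so a failed key operation cannot
-- strand data that is already encrypted.
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "KeystorePassw0rd#"
  WITH BACKUP USING 'before_first_key';

-- Step 5 (optional): auto-login keystore, so the database can open the wallet
-- at startup without an operator typing the password. This trades the password
-- prompt for file-system protection of the generated cwallet.sso file.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE
  FROM KEYSTORE '/u01/app/oracle/admin/ORCL/wallet'
  IDENTIFIED BY "KeystorePassw0rd#";

-- Check: STATUS should be OPEN; WALLET_TYPE shows PASSWORD or AUTOLOGIN.
SELECT wrl_parameter, wallet_type, status FROM v$encryption_wallet;

-- Column encryption (few, known sensitive columns in a large table):
-- only card_no is encrypted, the rest of hr.payments stays in clear.
ALTER TABLE hr.payments MODIFY (card_no ENCRYPT USING 'AES256');

-- Tablespace encryption (sensitive data spread across many columns):
-- every segment created in this tablespace is encrypted regardless of
-- column or data type. The datafile path is an assumption.
CREATE TABLESPACE hr_enc
  DATAFILE '/u01/app/oracle/oradata/ORCL/hr_enc01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256' DEFAULT STORAGE (ENCRYPT);

-- Confirm what is encrypted and with which algorithm.
SELECT owner, table_name, column_name, encryption_alg FROM dba_encrypted_columns;
SELECT t.name, e.encryptionalg
  FROM v$tablespace t JOIN v$encrypted_tablespaces e ON t.ts# = e.ts#;

-- Later key rotation is the same command as step 4. The column and tablespace
-- keys are re-wrapped under the new master key; the data itself is not
-- rewritten, which is why there is no downtime.
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "KeystorePassw0rd#"
  WITH BACKUP USING 'before_rotation';
```

The keystore backup files and the auto-login wallet are now the root of trust for every encrypted block on disk: a database backup without a keystore backup restores nothing readable, and a keystore that is readable by the wrong OS account undoes the point of the encryption, so both belong in the backup and file-permission review alongside the datafiles.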

User authentication is the first step in protecting data: it means verifying that a resource (a user, a program, or another machine) trying to connect to your database is authorized to do so.

A password profile is a mechanism in the database that forces a user to follow guidelines when creating or changing passwords. It is a combination of resource usage limits and password complexity rules. For example, a profile can limit the number of times a password can be reused, the amount of time before a password can be reused, and the number of failed login attempts.

A password verify function is a program written in PL/SQL that examines passwords when they are chosen and accepts or rejects them based on criteria. If you have special password requirements, you can write your own password verify function and assign it to a profile by using the PASSWORD_VERIFY_FUNCTION attribute of the profile.
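A custom verify function together with the profile that uses it, as an added example rather than code from the post. The function name corp_verify_password, the profile name corp_user_profile, the user jsmith and the specific limits are assumptions; the three-argument BOOLEAN signature is the one Oracle calls, and the function has to be owned by SYS, so the block is run as SYS.

```sql
-- Oracle passes the username, the proposed password and the previous password
-- (NULL when the account is created or reset by an administrator) and expects
-- TRUE, or an exception whose text is shown to the user.
CREATE OR REPLACE FUNCTION sys.corp_verify_password (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2)
RETURN BOOLEAN IS
BEGIN
  -- Minimum length.
  IF LENGTH(password) < 12 THEN
    raise_application_error(-20001, 'Password must be at least 12 characters');
  END IF;

  -- Must not contain the username, compared case-insensitively.
  IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
    raise_application_error(-20002, 'Password must not contain the username');
  END IF;

  -- Character classes: at least one letter, one digit and one symbol.
  IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
     OR NOT REGEXP_LIKE(password, '[[:digit:]]')
     OR NOT REGEXP_LIKE(password, '[^[:alnum:]]') THEN
    raise_application_error(-20003, 'Password needs a letter, a digit and a symbol');
  END IF;

  -- Reject a "change" that only flips the case of the old password.
  IF old_password IS NOT NULL AND UPPER(password) = UPPER(old_password) THEN
    raise_application_error(-20004, 'New password must differ from the old one');
  END IF;

  RETURN TRUE;
END;
/

-- The profile: resource limits plus password rules. The resource limits
-- (SESSIONS_PER_USER, IDLE_TIME) are only enforced when the RESOURCE_LIMIT
-- initialization parameter is TRUE; the password limits always apply.
CREATE PROFILE corp_user_profile LIMIT
  SESSIONS_PER_USER         3
  IDLE_TIME                 30       -- minutes
  FAILED_LOGIN_ATTEMPTS     5
  PASSWORD_LOCK_TIME        1/24     -- fraction of a day: lock for 1 hour
  PASSWORD_LIFE_TIME        90       -- days
  PASSWORD_GRACE_TIME       7        -- days of warnings after expiry
  PASSWORD_REUSE_MAX        10       -- none of the last 10 passwords
  PASSWORD_REUSE_TIME       365      -- and none used within the last year
  PASSWORD_VERIFY_FUNCTION  corp_verify_password;

-- Assign the profile. Existing passwords are not re-checked until changed.
ALTER USER jsmith PROFILE corp_user_profile;

-- Check what is in force for the profile.
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'CORP_USER_PROFILE';
```

PASSWORD_REUSE_MAX and PASSWORD_REUSE_TIME only take effect when both are set to a value other than UNLIMITED, which is why the example sets both; with one of them UNLIMITED the history check is skipped.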

System privileges are the first privileges any user needs. The first privilege a user needs is CREATE SESSION, in order to connect to the database. Granting a system privilege WITH ADMIN OPTION allows the user to grant that privilege to someone else.

Object privileges control data access and modification. The schema that owns an object ultimately controls that object's privileges.
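The two privilege kinds side by side, as an added example that is not from the post. The users app_reader and hr_admin, the hr.employees table and the passwords are assumptions.

```sql
-- A new user starts with no privileges at all and cannot even connect.
-- The password is a placeholder.
CREATE USER app_reader IDENTIFIED BY "Placeholder_pw#1"
  DEFAULT TABLESPACE users QUOTA 0 ON users;  -- no room to create objects

-- System privilege: CREATE SESSION is the one every user needs first.
-- Without it the logon fails with ORA-01045.
GRANT CREATE SESSION TO app_reader;

-- WITH ADMIN OPTION lets hr_admin pass this system privilege on to others.
-- Revoking it from hr_admin later does NOT revoke the copies hr_admin granted.
GRANT CREATE SESSION TO hr_admin WITH ADMIN OPTION;

-- Object privileges: issued by the owning schema (connected as HR), which is
-- what "the owner controls the object's privileges" means in practice.
GRANT SELECT ON hr.employees TO app_reader;
GRANT UPDATE (salary) ON hr.employees TO hr_admin;  -- one column only

-- WITH GRANT OPTION is the object-privilege counterpart of WITH ADMIN OPTION,
-- except that revoking it from hr_admin DOES cascade to hr_admin's grantees.
GRANT SELECT ON hr.employees TO hr_admin WITH GRANT OPTION;

-- Review what each account can do.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee IN ('APP_READER', 'HR_ADMIN');

SELECT grantee, owner, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE grantee IN ('APP_READER', 'HR_ADMIN');

-- Column-level grants show up separately.
SELECT grantee, table_name, column_name, privilege
  FROM dba_col_privs
 WHERE grantee = 'HR_ADMIN';
```

The asymmetry in the revoke comments is the detail most often missed in a privilege review: a system privilege handed out WITH ADMIN OPTION can outlive the account it was revoked from, so DBA_SYS_PRIVS has to be read for the grantees, not just the original grantor.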

Auditing protects data by analyzing what users are doing in the database. Auditing can be turned on for users, objects, system privileges, or a combination of users, objects, and system privileges, to accomplish auditing needs.

Auditing has a cost in CPU, storage, and personnel time for viewing and analyzing the audit information, especially for very large databases with many users.
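The three audit scopes (user, object, system privilege) combined into narrow policies, using the unified auditing syntax available from Oracle 12c. This is an added example and not from the post; the policy names, the hr.employees table and the user jsmith are assumptions. The policies are deliberately scoped to specific objects, users and failure cases, which is the main lever against the CPU and storage cost described above.

```sql
-- Object scope: reads and changes to one sensitive table.
CREATE AUDIT POLICY hr_sensitive_pol
  ACTIONS SELECT ON hr.employees,
          UPDATE ON hr.employees,
          DELETE ON hr.employees;

-- System-privilege scope: use of account-management privileges by anyone.
CREATE AUDIT POLICY priv_use_pol
  PRIVILEGES CREATE USER, ALTER USER, DROP USER, GRANT ANY PRIVILEGE;

-- Logon scope, but only failures, so a busy system does not fill the trail
-- with successful connections.
CREATE AUDIT POLICY failed_logon_pol
  ACTIONS LOGON;

-- Enable them. The object policy is limited to a single user (user + object
-- combination); the privilege policy applies to everyone.
AUDIT POLICY hr_sensitive_pol BY jsmith;
AUDIT POLICY priv_use_pol;
AUDIT POLICY failed_logon_pol WHENEVER NOT SUCCESSFUL;

-- Review the last day of events these policies produced.
SELECT event_timestamp, dbusername, action_name,
       object_schema, object_name, return_code
  FROM unified_audit_trail
 WHERE unified_audit_policies IN ('HR_SENSITIVE_POL', 'PRIV_USE_POL', 'FAILED_LOGON_POL')
   AND event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
 ORDER BY event_timestamp;

-- Cost check: rows per policy per day tells you which policy to narrow first.
SELECT unified_audit_policies, TRUNC(event_timestamp) AS audit_day, COUNT(*) AS events
  FROM unified_audit_trail
 GROUP BY unified_audit_policies, TRUNC(event_timestamp)
 ORDER BY audit_day DESC, events DESC;

-- Which policies are currently enabled, and for whom.
SELECT policy_name, enabled_option, entity_name, success, failure
  FROM audit_unified_enabled_policies;

-- Turning a policy off for one user without dropping it.
NOAUDIT POLICY hr_sensitive_pol BY jsmith;
```

A non-zero return_code in the trail is the failed attempt; for the logon policy the trail only ever contains failures, which makes repeated ORA-01017 rows from one host a cheap thing to alert on.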
