Why ?
As clarified
by Oracle ,“Transparent Data Encryption (TDE) enables you to encrypt
sensitive data that you store in tables and tablespaces” . Below are a
quick note using oracle document for both versions 19c or lower versions (11g
or 12c).
How ?
1- Set
the Software Keystore Location in the sqlnet.ora File . For 11g or 12.1 or 12.2c .
ENCRYPTION_WALLET_LOCATION=
(SOURCE=
(METHOD=FILE)
(METHOD_DATA=
(DIRECTORY=/etc/ORACLE/WALLETS/orcl)))
For 19c, it is recommended to use spfile parameters as below :
ALTER SYSTEM SET
WALLET_ROOT = '$ORACLE_BASE/ADMIN/ORCL/WALLET' SCOPE = SPFILE SID = '*';
ALTER SYSTEM SET
TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE = BOTH SID =
'*';
2- Create
the Software Keystore:
ADMINISTER KEY MANAGEMENT
CREATE KEYSTORE '/etc/ORACLE/WALLETS/orcl' IDENTIFIED BY password;
You
may create an auto login to avoid re-entering the wallet password every time:
ADMINISTER KEY MANAGEMENT
CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '/etc/ORACLE/WALLETS/orcl' IDENTIFIED
BY password;
3-
Open the Software Keystore ## In case autologin not configured:
ADMINISTER KEY MANAGEMENT
SET KEYSTORE OPEN IDENTIFIED BY password;
4- Set the Software TDE Master Encryption Key:
ADMINISTER KEY MANAGEMENT
SET KEY IDENTIFIED BY keystore_password WITH BACKUP USING 'key_backup';
5- Encrypt Your Data:
CREATE TABLESPACE encrypt_ts
DATAFILE '$ORACLE_HOME/dbs/encrypt_df.dbf'
SIZE 1M
ENCRYPTION USING 'AES256'
DEFAULT STORAGE (ENCRYPT);
6- Convert exist Tablespace, for prior 12.2c it
is offline only , for 12.2 and later version , both offline and online can be
used:
## offline
ALTER TABLESPACE users
OFFLINE NORMAL;
ALTER TABLESPACE users
ENCRYPTION OFFLINE USING 'AES256' ENCRYPT;
ALTER TABLESPACE users
ONLINE;
##
online
ALTER TABLESPACE users
ENCRYPTION ONLINE USING 'AES256' ENCRYPT FILE_NAME_CONVERT = ('users.dbf',
'users_enc.dbf');
No comments:
Post a Comment