DEMODEMOTransparent Data Encryption

Demo For TDEDemo For TDEColumn Encryption (Oracle 10g,

11g)TableSpace Encrytion (Oracle

11g)

Column EncryptionColumn EncryptionCreate a Wallet:Open sqlnet.ora file in: …\product\

11.2.0\dbhome_1\NETWORK\ADMINAdd to sqlnet.ora file this code:

ENCRYPTION_WALLET_LOCATION = (SOURCE= (METHOD=file) (METHOD_DATA=

(DIRECTORY=C:\oracle\product\10.2.0\db_1\NETWORK\ADMIN\tde_wallet)))

SQLNET.ORASQLNET.ORA

Edit File sqlnet.oraEdit File sqlnet.ora

Create A Master KeyCreate A Master KeyCreate a Master Key:Run script in isqlplus:alter system set encryption key authenticated

by "ImOracle"; This command creates a wallet at the

location defined in the sqlnet.ora, sets the password for it. A Master Key will be automatically generated by TDE and store in wallet secured by password. This Master Key is used by TDE to encrypt column key of each table.

Set PassWord To WalletSet PassWord To Wallet

TDE In Oracle 11gTDE In Oracle 11gIn Oracle 11g, after login as

DBAs, in tab server, you can click to link Transparent Data Encryption to view wallet status:

TDE In Oracle 11gTDE In Oracle 11g

Wallet StatusWallet Status

Wallet ManagerWallet ManagerYou can use Wallet Manager to

manage Oracle Wallet.

Open Wallet ManagerOpen Wallet Manager

Wallet MangerWallet Manger

Wallet ManagerWallet ManagerSet Autologin to Wallet:You can set auto login to Wallet

(after creating password for it) to Oracle open wallet automatically when starting. You must use Wallet Management to do this.

Set Auto Login To WalletSet Auto Login To Wallet

Column EncryptionColumn EncryptionCreate tablespace for encrypted

tables:CREATE TABLESPACE ts_tdeDATAFILE 'C:\ts_tde.dbf'SIZE 20m autoextend ON NEXT 5mExtent management localsegment space management auto;CREATE USER tde_test identified by test default tablespace ts_tdequota unlimited on ts_tde;GRANT connect,resource to tde_test;

Go to folder specified, you will see created table space

Column EncryptionColumn Encryption

Column EncryptionColumn EncryptionCreate an unencrypted table and

insert data:CREATE TABLE tde_test (

id NUMBER(10),

data VARCHAR2(50)

)TABLESPACE ts_tde;

INSERT INTO tde_test (id, data) VALUES (1, 'This is a secret!');

COMMIT;

Column EncryptionColumn EncryptionOpen ts_tde.dbf with notepad

and search data

Search Data In Clear Text Search Data In Clear Text FormForm

Search Data In Clear Text Search Data In Clear Text FormFormIt can be seen that the sensitive

data is written in the data files as clear text.

Since the data is in clear text format in the datafile so it is in the archived redo log files, backup sets etc.

Any one who has access to your backup tapes can easily steal your backups, restore it somewhere and see all of your data.

Search Data In Clear Text Search Data In Clear Text FormForm

Create An Encrypted Create An Encrypted TableTableCreate an encrypted table and

insert data:CREATE TABLE tde_test (

id NUMBER(10),

data VARCHAR2(50) ENCRYPT

)TABLESPACE ts_tde;

INSERT INTO tde_test (id, data) VALUES (1, 'This is a secret!');

You can use select command to view what columns encrypted: SELECT table_name, column_name, encryption_alg, salt from user_encrypted_columns;

View Encrypted ColumnsView Encrypted Columns

View Encrypted DataView Encrypted DataYou can’t also search data in

clear text:

Tablespace EncryptionTablespace EncryptionCreate wallet, set password to

wallet like in column encryption.After openning wallet, we create

an encrypted tablespace:CREATE TABLESPACE secure_space

DATAFILE 'c:/secure_space.dbf' SIZE 150M ENCRYPTION USING '3DES168' DEFAULT STORAGE(ENCRYPT);

◦Algorithm used: '3DES168’

Create an Encrypted Create an Encrypted TablespaceTablespace

Tablespace EncryptionTablespace EncryptionCreate another encrypted

tablespace:CREATE TABLESPACE secure_space3

DATAFILE 'c:/secure_space3.dbf' SIZE 150M ENCRYPTION DEFAULT STORAGE(ENCRYPT);

◦Default encryption algorithm is: AES128

Create an Encrypted Create an Encrypted TablespaceTablespace

Thanks For Your Attention