Transparent data encryption for the Production Mapping workspace in Oracle (Production Mapping)

You can take several precautions to protect a database, such as designing a secure system, encrypting confidential assets, and building a firewall around the database servers. However, if the physical media (such as disks or backup tapes) are stolen, an attacker can restore or attach the database and browse its data. One solution is to encrypt the sensitive data in the database and protect the keys used to encrypt it with certificates. This prevents anyone without the keys from using the data, but this kind of protection must be planned in advance.

Transparent Data Encryption (TDE) enables you to encrypt sensitive data, such as credit card numbers, stored in tables and tablespaces. Encrypted data is transparently decrypted for a database user or application that has access to the data. TDE helps protect data stored on media in the event that the storage media or data file is stolen. Oracle uses authentication, authorization, and auditing mechanisms to secure data in the database but not in the operating system data files where the data is stored. To protect these data files, Oracle provides TDE. TDE encrypts sensitive data stored in data files. To prevent unauthorized decryption, TDE stores the encryption keys in a security module external to the database.

With Oracle, new tablespaces can be defined as encrypted. Defining a tablespace as encrypted means the physical data files created on the operating system will be encrypted. Any tables, indexes, and other objects defined in the new tablespace will be encrypted by default, with no additional storage space requirements. Data is automatically encrypted when it is written to disk and automatically decrypted when accessed by the application.

Benefits of using TDE:

See Oracle documentation for more information on configuring TDE tablespace encryption.

To use TDE, follow one of these methods.

Configuring TDE using Oracle Enterprise Manager

The following steps show how to configure TDE using Oracle Enterprise Manager (OEM).

Note:

Copying and pasting the examples may cause syntax errors.

Steps:
  1. Create the wallet folder.
    mkdir C:\oracle\admin\wallets
    
    OEM > login as sys / sysdba
    
    OEM > Server > Transparent Data Encryption
    
    Advanced Options > Change Location
    
    	Host Credentials
    	Username: <DOMAIN>\dbs_ora
    	Password: xxxxxxx
    
    	Configuration Method: File System
    	
    	Encryption Wallet Directory: C:\oracle\admin\wallets
    
    	OK
    
    Create Wallet > Local Auto-Open Wallet > Create
    
    	Host Credentials
    	Username: <DOMAIN>\dbs_ora
    	Password: xxxxxxx
    
    	Wallet Password:  walletadmin
    
    	Continue
    
  2. Back up the wallet folder.
    cd C:\oracle\admin
    
    zip -r wallets wallets
    

Configure TDE manually

The following steps show how to manually configure TDE.

Note:

Copying and pasting the examples may cause syntax errors.

Steps:
  1. From the command window, create the wallet folder.
    mkdir C:\oracle\admin\wallets
    
  2. Add the wallet location to the sqlnet.ora file.
    ENCRYPTION_WALLET_LOCATION =
      (SOURCE =
        (METHOD = FILE)
        (METHOD_DATA =
          (DIRECTORY = C:\oracle\admin\wallets\$ORACLE_SID)))
    
    Note:

    The default encryption wallet location is $ORACLE_BASE/admin/<global_db_name>/wallet. If you want to allow Oracle to manage a wallet in the default location, there is no need to set the ENCRYPTION_WALLET_LOCATION parameter in the sqlnet.ora file.

  3. Using Oracle SQL Plus or Oracle SQL Developer, generate a master key.
    alter system set encryption key identified by "walletadmin";
    
  4. Using Oracle SQL Plus or Oracle SQL Developer, verify the status of the wallet.
    select * from v$encryption_wallet;
    
  5. From the command window, set the wallet to auto login.
    set ORACLE_SID=pmdb
    
    orapki wallet create -wallet C:\oracle\admin\wallets -auto_login -pwd walletadmin
    
  6. From the command window, back up the wallet folder.
    cd C:\oracle\admin
    
    zip -r wallets wallets
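
The manual procedure above depends on a well-formed ENCRYPTION_WALLET_LOCATION entry and on the wallet files actually being in the configured folder. The following script is an added example, not part of this page or of Oracle's tooling: it parses the (KEY = VALUE) syntax of sqlnet.ora, expands $ORACLE_SID the way the entry above uses it, and reports whether the password wallet and the auto-login wallet exist. The wallet file names are Oracle's defaults (ewallet.p12, cwallet.sso); the sample entries and the file-existence callback are constructed.

```python
"""Check the TDE wallet entry of a sqlnet.ora file: added example, not Oracle's own tooling.
Parses the (KEY = VALUE) syntax of sqlnet.ora, reads ENCRYPTION_WALLET_LOCATION, expands
$ORACLE_SID and reports whether Oracle's default wallet files exist. Samples are constructed."""
import os
import re

TOKEN = re.compile(r"\(|\)|=|[^\s()=]+")
WALLET_FILES = ("ewallet.p12", "cwallet.sso")  # password wallet, auto-login wallet

def parse_net_params(text):
    """Parse sqlnet.ora text into nested dicts; ValueError on malformed or unbalanced entries."""
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())  # strip comments
    tokens = TOKEN.findall(body)
    pos = 0

    def take(expected=None):
        nonlocal pos
        if pos >= len(tokens) or (expected and tokens[pos] != expected):
            raise ValueError("malformed entry at token %d, expected %r" % (pos, expected))
        pos += 1
        return tokens[pos - 1]

    def value():
        if pos >= len(tokens) or tokens[pos] != "(":  # scalar such as FILE or a path
            return take()
        node = {}
        while pos < len(tokens) and tokens[pos] == "(":
            take("(")
            key = take().upper()
            take("=")
            node[key] = value()
            take(")")  # a missing closing parenthesis fails here
        return node

    params = {}
    while pos < len(tokens):
        key = take().upper()
        take("=")
        params[key] = value()
    return params

def wallet_status(text, oracle_sid, exists=lambda d, n: os.path.exists(os.path.join(d, n))):
    """Return (wallet directory, method, {wallet file: present}) for the TDE wallet entry."""
    source = parse_net_params(text)["ENCRYPTION_WALLET_LOCATION"]["SOURCE"]
    directory = source["METHOD_DATA"]["DIRECTORY"].replace("$ORACLE_SID", oracle_sid)
    return directory, source["METHOD"].upper(), {n: exists(directory, n) for n in WALLET_FILES}

# Constructed samples: GOOD is the page's entry with balanced parentheses, BAD drops the last two.
GOOD = r"""ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE)
  (METHOD_DATA = (DIRECTORY = C:\oracle\admin\wallets\$ORACLE_SID)))"""
BAD = GOOD[:-2]
```

Run it against the real file with `wallet_status(open(path).read(), "pmdb")`; a missing cwallet.sso means the auto-login step did not take effect and the database will prompt for the wallet password after a restart.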
    
4/27/2014