[Oracle] Transparent Data Encryption Technology - TDE
The full name of Oracle TDE is Transparent Data Encryption. It has supported column-based encryption since 10gR2 and tablespace-based encryption since 11g. Its advantages are that it is transparent to applications, easy to manage, and requires no application changes, but it also has the following limitations:
– Only B-tree indexes can be used
– Indexes on encrypted columns cannot be used for range scans
– Cannot be used with external objects
– Cannot be used with transportable tablespaces
– Cannot be used with exp/imp
TDE - Column Based Encryption
With Oracle's TDE column-based encryption, all you have to do is define the columns that need to be encrypted. Oracle creates a secret encryption key for the table containing the encrypted column and then encrypts the plaintext data of the specified column with the encryption algorithm you specify.
The encryption algorithms supported by TDE are:
3DES168, AES128, AES192, AES256
Specific demo (the steps below use tablespace-based encryption)
1. Go to the network/admin directory and create the sqlnet.ora file (refer to: Net Services Reference -> 5 Parameters for the sqlnet.ora File)
WALLET_LOCATION=
(SOURCE=
(METHOD=file)
(METHOD_DATA= (DIRECTORY=/u01/app/oracle/product/11.2.0/dbhome_1/network/admin/wallet)))
Create the wallet directory before this step.
2. Create the wallet and master encryption key, protected by a password (reference: SQL -> alter system)
SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "welcome1";
Check the wallet directory to confirm the wallet file has been generated
[oracle@node1 wallet]$ ll
total 4
-rw-r--r-- 1 oracle oinstall 1573 Apr 22 17:55 ewallet.p12
3. Create a tablespace (reference: SQL Language Reference -> create tablespace)
CREATE TABLESPACE test_en
DATAFILE '/u01/app/oracle/oradata/orcl/test_en01.dbf' SIZE 100M
ENCRYPTION
DEFAULT STORAGE (ENCRYPT);
4. Verify
Create a user and, as that user, create a table in the encrypted tablespace
SQL> create user test_en identified by oracle default tablespace test_en;
User created.
SQL> grant dba to test_en;
Grant succeeded.
SQL> conn test_en/oracle
Connected.
SQL> create table tb1 as select * from scott.dept;
Table created.
SQL> select * from tb1;
DEPTNO DNAME LOC
---------- -------------- -------------
10 ACCOUNTING NEW YORK
20 RESEARCH DALLAS
30 SALES CHICAGO
40 OPERATIONS BOSTON
Close the wallet
SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "welcome1";
Query the table again as the created user
SQL> select * from tb1;
select * from tb1
*
ERROR at line 1:
ORA-28365: wallet is not open
Open the wallet
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "welcome1";
Query again
SQL> select * from tb1;
DEPTNO DNAME LOC
---------- -------------- -------------
10 ACCOUNTING NEW YORK
20 RESEARCH DALLAS
30 SALES CHICAGO
40 OPERATIONS BOSTON
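As an added example (not part of the original post), the column-based variant described above, together with the data-dictionary views used to verify the wallet, tablespace and column state; it assumes the demo database and user test_en from this page and a hypothetical table emp_secure.

```sql
-- Added example, not from the original post. Run as SYS for the V$/DBA views,
-- as test_en (or SYS) for the DDL. Table emp_secure is hypothetical.

-- 1. Wallet status: encrypted data is only reachable while this reports OPEN
--    (a CLOSED wallet gives ORA-28365, as shown in the demo above).
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

-- 2. Which tablespaces are encrypted, and with which algorithm.
SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;
SELECT tablespace_name, encrypted FROM dba_tablespaces;

-- 3. Column-based encryption (10gR2+): only the sensitive columns are encrypted,
--    the rest of the row stays in clear. All encrypted columns of one table share
--    the table key, so use one algorithm per table. NO SALT is required on a
--    column that will be indexed; the index must be a B-tree and cannot be used
--    for range scans.
CREATE TABLE test_en.emp_secure (
  empno  NUMBER(4)    PRIMARY KEY,
  ename  VARCHAR2(10),
  ssn    VARCHAR2(11) ENCRYPT USING 'AES256' NO SALT,
  salary NUMBER(8,2)  ENCRYPT USING 'AES256'          -- salted (default): not indexable
);
CREATE INDEX test_en.emp_secure_ssn_ix ON test_en.emp_secure (ssn);

-- Encrypting an existing column in place re-writes that column's data.
ALTER TABLE test_en.emp_secure MODIFY (ename ENCRYPT USING 'AES256');

-- 4. Inventory of encrypted columns, including algorithm and salt setting.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 WHERE owner = 'TEST_EN';

-- Note: the wallet directory and ewallet.p12 should be readable only by the
-- Oracle software owner; the 644 mode shown in the listing above is wider than needed.
```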