What is Oracle Transparent Data Encryption (TDE)
Transparent Data Encryption (TDE) encrypts stored data so that only a party holding the encryption key can read it. With Oracle TDE you can encrypt individual columns of a table, or you can encrypt an entire tablespace. Applications do not need to be modified: the database performs encryption and decryption itself, so existing applications keep working as before and never see the ciphertext. TDE protects data stored on media (data at rest) if the storage media or a data file is stolen or copied; it does not protect data from a user who is already authorized to query it through the database.
How Oracle Transparent Data Encryption (TDE) Works
TDE uses TDE encryption keys to encrypt and decrypt the data stored in the data files. The key that protects those encryption keys is kept outside the database in an external security module called a keystore.
What Level of Transparent Data Encryption is Available
There are 2 types of TDE encryption available:
1> Column level
2> Tablespace level.
Both types of encryption use the same two-tiered, key-based architecture to transparently encrypt and decrypt sensitive data: a data encryption key encrypts the data, and a master encryption key encrypts the data encryption key.
The TDE master encryption key is stored in an external security module (a keystore), which can be an Oracle software keystore or a hardware keystore.
How Column Level Encryption Works
The TDE master encryption key (stored outside the database in a software or hardware keystore and accessible only to authorized users) encrypts and decrypts the TDE table key, which is stored in the data dictionary and in turn encrypts and decrypts the data in the table columns. TDE uses a single table key per table, regardless of how many columns of that table are encrypted. Each table key is individually encrypted (wrapped) with the master encryption key, and the wrapped table keys are stored in the COLKLC column of the ENC$ data dictionary table, alongside the identifier (MKEYID) of the master key that wrapped them.
SQL> select MKEYID as MasterKey, colklc from enc$;

MASTERKEY                                             COLKLC
----------------------------------------------------  ------------------------------------------------------------
Ae3sJ0HmGk+svxga/lc625EAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  41774141414141414141414141414141414141414141434E614F564C653739334A464F423135573953452F756F764A54684378742B70397751486562 6C6A4A30564C6A5755396A5574724A6978546446584C53393431633D
Ae3sJ0HmGk+svxga/lc625EAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  417741414141414141414141414141414141414141414474784D76757951 6D465178572B696F5044545A4E53324D536D473732343832654A72653350 4859627372516E584256665769414230444763444137426F6271733D

Both rows carry the same MKEYID, so both table keys were wrapped by the same (current) master key; COLKLC is the hex-encoded wrapped table key, not the key itself.
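The following is an added worked example of column-level TDE, not code from the original page. The schema, table, column values and index names are constructed for illustration, and it assumes the keystore is already open (V$ENCRYPTION_WALLET.STATUS = OPEN) and that you have the CREATE TABLE privilege on the HR schema. It goes slightly beyond the text by showing the NO SALT option, the catalog views that confirm what is encrypted, and the join from ENC$ back to the owning table.

```sql
-- Added example: column-level TDE (constructed schema and data; assumes an open keystore).
-- One table key is created for the table; both encrypted columns use it.
CREATE TABLE hr.emp_secrets (
  emp_id    NUMBER        PRIMARY KEY,
  last_name VARCHAR2(60),
  ssn       VARCHAR2(11)  ENCRYPT USING 'AES256',          -- salted (default): stronger, but cannot be indexed
  bank_acct VARCHAR2(34)  ENCRYPT USING 'AES256' NO SALT   -- NO SALT is required for a column you want to index
);

-- An index on a NO SALT column works; the same statement on SSN (salted) would fail
CREATE INDEX hr.emp_secrets_acct_ix ON hr.emp_secrets (bank_acct);

-- The application inserts and reads cleartext; encryption happens on the way to disk
INSERT INTO hr.emp_secrets (emp_id, last_name, ssn, bank_acct)
VALUES (1001, 'Rivera', '123-45-6789', 'GB29NWBK60161331926819');   -- constructed sample row
COMMIT;

SELECT emp_id, ssn, bank_acct
FROM   hr.emp_secrets
WHERE  emp_id = 1001;             -- returns the cleartext values transparently

-- Encrypt a column of an existing table in place (rewrites that column's stored data)
ALTER TABLE hr.emp_secrets MODIFY (last_name ENCRYPT USING 'AES256');

-- Check 1: which columns are encrypted, with which algorithm and whether they are salted
SELECT owner, table_name, column_name, encryption_alg, salt, integrity_alg
FROM   dba_encrypted_columns
WHERE  owner = 'HR';

-- Check 2: the wrapped table key for this table and the master key that wrapped it
SELECT o.owner, o.object_name, e.mkeyid, LENGTH(e.colklc) AS wrapped_key_hex_len
FROM   sys.enc$     e
JOIN   dba_objects  o ON o.object_id = e.obj#
WHERE  o.object_name = 'EMP_SECRETS';
```

To confirm the data really is unreadable at rest, search the tablespace's data file from the operating system (for example with `strings` on the file) for a known value such as the sample SSN after a checkpoint: an unencrypted column's value is found in cleartext, the encrypted column's value is not. Note that salted columns cannot be indexed or used in foreign keys, and that column encryption changes the stored length of the column, so size estimates need to allow for the padding and salt.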
How Tablespace Level Encryption Works
Transparent Data Encryption (TDE) tablespace encryption enables you to encrypt an entire tablespace; every object created in an encrypted tablespace is encrypted automatically, without any per-column DDL.
In tablespace encryption, the TDE master encryption key (stored outside the database in a software or hardware keystore) is used to encrypt the TDE tablespace encryption key, which in turn is used to encrypt and decrypt the data blocks in the tablespace. Data is decrypted when a block is read into the buffer cache and encrypted again when it is written to the data file, so it is in cleartext in memory and in ciphertext on disk.
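An added worked example of tablespace-level TDE, not from the original page. The tablespace name, data file path, schema and table names are assumed; it expects an open keystore with an active master key. It also shows the two ways to bring existing data under tablespace encryption, which the text does not cover.

```sql
-- Added example: tablespace-level TDE (assumed names and paths; assumes an open keystore).
-- ENCRYPTION USING chooses the algorithm; DEFAULT STORAGE (ENCRYPT) makes the tablespace encrypted.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/app/oracle/oradata/orcl/secure_ts01.dbf' SIZE 200M AUTOEXTEND ON
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- Anything placed in the tablespace is encrypted; no ENCRYPT clause on columns is needed
CREATE TABLE app.payment_card (
  card_id NUMBER        PRIMARY KEY,
  pan     VARCHAR2(19),
  expiry  DATE
) TABLESPACE secure_ts;

-- Check: the tablespace key is wrapped under the current master key
SELECT t.name, e.encryptionalg, e.encryptedts, e.masterkeyid
FROM   v$tablespace            t
JOIN   v$encrypted_tablespaces e ON e.ts# = t.ts#;

-- Existing data, option 1: move the segments into the encrypted tablespace (rewrites rows;
-- indexes must be rebuilt, and the old unencrypted blocks remain in the source file until reused)
ALTER TABLE app.legacy_orders MOVE TABLESPACE secure_ts;
ALTER INDEX app.legacy_orders_pk REBUILD TABLESPACE secure_ts;

-- Existing data, option 2 (Oracle Database 12.2 and later): convert the tablespace online in place
ALTER TABLESPACE users ENCRYPTION ONLINE USING 'AES256' ENCRYPT;
```

After option 1, remember that the source tablespace's data file still contains the old cleartext blocks until they are overwritten, so the source file (and any backups of it) must be treated as sensitive until it is dropped or converted. Tablespace encryption protects the data files and their copies; a user who can connect and has SELECT on the table still reads cleartext, so it is a control against stolen media, not against privileged database users.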
So far we know that the master encryption key is stored outside the database in a keystore. Let us see what options we have for keystores to hold the TDE master encryption key.
What are the Types of TDE Keystores
There are two types of keystore: software keystores and hardware keystores.
A software keystore can be one of the following types:
Password-based software keystores:
Password-based software keystores are protected by a password that you create. You must open this type of keystore (supplying the password) before the keys can be retrieved or used, which means the database cannot access encrypted data after a restart until an administrator opens the keystore.
Auto-login software keystores:
Auto-login software keystores are protected by a system-generated password and are opened automatically when accessed, so the database can start and serve encrypted data without operator intervention. Because no password is needed to open them, the keystore directory must be protected with operating-system permissions; the password-based keystore is still required for administrative operations such as creating or rotating the master key.
Local auto-login software keystores:
Local auto-login software keystores are auto-login software keystores that are local to the computer on which they are created. Local auto-login keystores cannot be opened on any computer other than the one on which they are created.
Software keystores can be stored on ASM disk groups or in a regular file system.
Hardware KeyStore
Hardware Security Modules (HSMs) are physical devices that provide secure storage for encryption keys. With a hardware keystore the TDE master encryption key is generated and held inside the HSM and never leaves it in cleartext; the database communicates with the device through the vendor's PKCS#11 library and uses the HSM credentials in place of a keystore password.
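The following is an added example of setting up a software keystore end to end (the preparation the column-level and tablespace examples above assume), not code from the original page. The wallet directory, passwords and backup tag are assumed; the sqlnet.ora fragment reflects the pre-18c way of pointing the database at the keystore directory (later releases use the WALLET_ROOT parameter instead). In a multitenant database these ADMINISTER KEY MANAGEMENT statements take a CONTAINER clause (for example CONTAINER = ALL) when run in the root.

```sql
-- Added example: software keystore lifecycle (assumed paths and passwords).
-- Prerequisite (pre-18c): tell the database where the keystore lives, in sqlnet.ora:
--   ENCRYPTION_WALLET_LOCATION =
--     (SOURCE = (METHOD = FILE)
--       (METHOD_DATA = (DIRECTORY = /u01/app/oracle/admin/orcl/wallet)))
-- For a hardware keystore the METHOD is HSM and the IDENTIFIED BY value is the HSM credential.

-- 1. Create the password-based keystore (produces ewallet.p12 in the directory)
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/admin/orcl/wallet'
  IDENTIFIED BY "Str0ng-Keyst0re-Pw";

-- 2. Open it; until this is done no encrypted column or tablespace can be read
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Str0ng-Keyst0re-Pw";

-- 3. Generate and activate the master encryption key. WITH BACKUP copies the keystore
--    before the change, so a failed write cannot leave you without the old key.
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "Str0ng-Keyst0re-Pw"
  WITH BACKUP USING 'initial_mek';

-- 4. Check: STATUS should be OPEN and WALLET_TYPE PASSWORD
SELECT wrl_type, wrl_parameter, status, wallet_type
FROM   v$encryption_wallet;

-- 5. Optional: create a local auto-login keystore (cwallet.sso) so the database can open it
--    at startup without a password. LOCAL ties it to this host; drop LOCAL for a plain one.
ADMINISTER KEY MANAGEMENT CREATE LOCAL AUTO_LOGIN KEYSTORE
  FROM KEYSTORE '/u01/app/oracle/admin/orcl/wallet'
  IDENTIFIED BY "Str0ng-Keyst0re-Pw";

-- 6. Rotate the master key later. Only the master key changes: table and tablespace keys are
--    re-wrapped under the new master key, so the encrypted data itself is not rewritten.
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "Str0ng-Keyst0re-Pw"
  WITH BACKUP USING 'rekey_q1';

-- Check: every master key ever created, with its activation time; the newest is the current one
SELECT key_id, creation_time, activation_time, keystore_type
FROM   v$encryption_keys
ORDER  BY activation_time;

-- Close the keystore when it should not be usable (for example before copying the wallet directory)
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "Str0ng-Keyst0re-Pw";
```

Two operational points follow from this. Keep the keystore (and its backups) on storage separate from the data files and their backups: a backup set that contains both the encrypted data files and the wallet gives an attacker everything needed to decrypt the data, which defeats the purpose of TDE. And never lose the master key: old master keys stay in the keystore after a rekey precisely because backups taken under them can only be restored with them.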