One of the new exciting security feature introduced in
Oracle 12cR2 is the ability to encrypt Tablespaces “online”.
In the past implementing TDE requires creating a new
encrypted tablespace and then moving the data from original tablespace to the
encrypted tablespace, which means a down time of your systems unless you use
active data guard which minimizes TDE conversion implementation.
The following are the
steps to be followed for online TDE.
o
Configuring a key store.
o
Creating a key store
o
Open the key store
o
Setup the TDE master encryption key
o
Encrypt your data
Key store is a container that stores the TDE master
encryption key in software key store (regular file system/ ASM file system/ ASM
disk group) or Hardware security module (HSM) or Oracle Key vault key store.
Oracle database checks the sqlnet.ora file on
the database server for the directory location of the keystore. Whether it is a
software/HSM/Oracle vault key store.
o
It attempts to use the keystore in the location
specified by the parameter (ENCRYPTION_WALLET_LOCATION) in the
sqlnet.ora file
o
If the ENCRYPTION_WALLET_LOCATION parameter is
not set, then it attempts to use the keystore in the location that is specified
by the parameter WALLET_LOCATION in the sqlnet.ora file
o
If the WALLET_LOCATION parameter is
also not set, then database look for the keystore in the default location available
in the V$ENCRYPTION_WALLET
demo@ORA12C> conn syskm/Password-1@ora12c as
SYSKM
Connected.
syskm@ORA12C> column wrl_parameter new_val f
syskm@ORA12C> select wrl_parameter from
v$encryption_wallet;
WRL_PARAMETER
--------------------------------------------------------------------------------------
D:\APP\VNAMEIT\VIRTUAL\ADMIN\ORA12C\WALLET
syskm@ORA12C> administer key management create
keystore '&f' identified by foobar;
old 1:
administer key management create keystore '&f' identified by foobar
new 1:
administer key management create keystore 'D:\APP\VNAMEIT\VIRTUAL\ADMIN\ORA12C\WALLET'
identified by foobar
administer key management create keystore
'D:\APP\VNAMEIT\VIRTUAL\ADMIN\ORA12C\WALLET' identified by foobar
*
ERROR at line 1:
ORA-46633: creation of a password-based
keystore failed
The wallet location doesn’t exists, so we need to create the
specific directories at that location.
syskm@ORA12C> $mkdir
D:\APP\VNAMEIT\VIRTUAL\admin\ORA12c\WALLET
syskm@ORA12C> administer key management create
keystore '&f' identified by foobar;
old 1: administer
key management create keystore '&f' identified by foobar
new 1:
administer key management create keystore
'D:\APP\VNAMEIT\VIRTUAL\ADMIN\ORA12C\WALLET' identified by foobar
keystore altered.
Then open the keystore and setup the master key in this
keystore.
syskm@ORA12C> administer key management set
keystore open identified by foobar;
keystore altered.
syskm@ORA12C> administer key management set key
identified by foobar WITH BACKUP;
keystore altered.
After you run these commands, the eWallet.p12
file, which is the keystore, appears in the keystore location.
syskm@ORA12C> $dir &f
Volume in
drive D is DATA
Volume Serial
Number is 50D3-A8AC
Directory of
D:\APP\VNAMEIT\VIRTUAL\ADMIN\ORA12C\WALLET
01/18/2018
05:50 PM <DIR> .
01/18/2018
05:50 PM <DIR> ..
01/18/2018
05:50 PM 3,848
ewallet.p12
01/18/2018
05:50 PM 2,400
ewallet_2018011812204795.p12
2 File(s) 6,248 bytes
2 Dir(s) 228,193,591,296 bytes
free
With this keystore defined, we are ready to test our
Encryption process.
First let’s create the tablespace with no Encryption
defined, and grant the tablespace quota to application schema.
syskm@ORA12C> conn rajesh/oracle@ora12c
Connected.
rajesh@ORA12C> create tablespace ts_clear
2 datafile
'D:\APP\VNAMEIT\VIRTUAL\ORADATA\ORA12C\ts_clear_01.dbf' size 100M ,
3
'D:\APP\VNAMEIT\VIRTUAL\ORADATA\ORA12C\ts_clear_02.dbf' size 100M;
Tablespace created.
rajesh@ORA12C> alter user demo quota unlimited on
ts_clear;
User altered.
Now let’s create a couple of objects on this newly created
tablespace.
rajesh@ORA12C> conn demo/demo@ora12c
Connected.
demo@ORA12C> create table t
2 tablespace ts_clear
3 as
4 select * from all_users;
Table created.
demo@ORA12C> create index t_idx on t(lower(username))
2 tablespace ts_clear;
Index created.
Since this new tablespace is not yet encrypted, we could see
the data remain in clear piece of text in their data files.
demo@ORA12C> conn rajesh/oracle@ora12c
Connected.
rajesh@ORA12C> alter system checkpoint;
System altered.
rajesh@ORA12C> $find /I "scott"
D:\APP\VNAMEIT\VIRTUAL\ORADATA\ORA12C\ts_clear_*.dbf
----------
D:\APP\VNAMEIT\VIRTUAL\ORADATA\ORA12C\TS_CLEAR_01.DBF
♣SCOTT♥┬☻
♣scott♠☻Ç
----------
D:\APP\VNAMEIT\VIRTUAL\ORADATA\ORA12C\TS_CLEAR_02.DBF
Now the interesting part is online Tablespace encryption
conversion: we can run the below ALTER TABLESPACE command to encrypt an
existing tablespace.
rajesh@ORA12C> alter tablespace ts_clear
2 encryption ONLINE
3 using 'AES192'
4 encrypt
file_name_convert=('ts_clear_01.dbf','ts_clear_enc_01.dbf',
5 'ts_clear_02.dbf','ts_clear_enc_02.dbf') ;
Tablespace altered.
Once encrypted no more clear piece of text in their data
files.
rajesh@ORA12C> $find /I "scott"
D:\APP\VNAMEIT\VIRTUAL\ORADATA\ORA12C\ts_clear_*.dbf
----------
D:\APP\VNAMEIT\VIRTUAL\ORADATA\ORA12C\TS_CLEAR_ENC_01.DBF
----------
D:\APP\VNAMEIT\VIRTUAL\ORADATA\ORA12C\TS_CLEAR_ENC_02.DBF
rajesh@ORA12C>
No comments:
Post a Comment