- a master encryption key - this is the encryption key used to encrypt secondary keys used for column encryption and tablespace encryption.
- one or more table and/or tablespace keys - these are the keys that are used to encrypt one or more specific columns or the keys used to encrypt tablespaces. There is only one table key regardless of the number of encrypted columns in a table and it will be stored in the data dictionary. The tablespace key is stored in the header of each datafile of the encrypted tablespace.
The table and tablespace keys are encrypted using the master key. The master key is stored in an external security module (ESM) that can be one of the following:
- an Oracle Wallet - a secure container outside of the database. It is encrypted with a password.
- a Hardware Security Module (HSM) - a device used to secure keys and perform cryptographic operations.
To start using TDE the following operations have to be performed:
1.) Make sure that the wallet location exists. If a non default wallet location must be used then specify it in the sqlnet.ora file :
(SOURCE = (METHOD = FILE)
(DIRECTORY = C:\app\neerajs\admin\orcl\wallet)
2.) Generate a master key :
SQL> alter system set encryption key identified by "wallet_password" ;
This command will do the following :
To see the status of an wallet run the following query:
SQL> select * from v$encryption_wallet;
WRL_TYPE WRL_PARAMETER STATUS
----------- ------------------------------ -----------
file C:\app\neerajs\admin\orcl\wallet OPEN
3.) Enable encryption for a column or for an entire tablespace:
3.1) Create a table by specifying the encrypt option:
SQL> create table test(col1 number, col2 varchar2(100) encrypt using 'AES256' NO SALT) ;
3.2) Encrypt the column(s) of an existing table :
SQL> alter table test modify( col2 encrypt SALT ) ;
- We specify the encryption algorithm – in this case ‘AES256′. If we do not specify this, it will default to ‘AES128′. At the time of tablespace creation specify the encryption and default storage clause.
- The DEFAULT STORAGE (ENCRYPT) clause.
Immediately after creating it.
1. When regenerating the master key
2. When backing up the database. Make sure that the wallet backup is not stored in the same location with the database backup
3. Before changing the wallet password
Make sure that the wallet password is complex but at the same time easy to remember. When it is possible split knowledge about wallet password .If needed, the wallet password can be changed within Oracle Wallet Manager or with the following command using orapki (starting from 18.104.22.168):
c:\> orapki wallet change_pwd -wallet <wallet_location>
we can identify encrypted tablespaces in the database by using the below query :
SQL>SELECT ts.name, es.encryptedts, es.encryptionalg FROM v$tablespace ts
INNER JOIN v$encrypted_tablespaces es ON es.ts# = ts.ts# ;
The following are supported with encrypted tablespaces
- Move table back and forth between encrypted tablespace and non-encrypted tablespace .
- Datapump is supported to export/import encrypted content/tablespaces.
- Transportable tablespace is supported using datapump.
- Tablespace encryption cannot be used for SYSTEM, SYSAUX, UNDO and TEMP tablespaces .
- Existing tablespace cannot be encrypted .
- Traditional export/import utilities for encrypted content.