Experience: is what you get soon after you need it.

Experience: is what you get soon after you need it.

Rasul Allah (sal Allahu alaihi wa sallam) said: "Restore the trusts of those who trust you, and deal not falsely with him who deals falsely with you." [Abu Dawud, Tirmidhi]

Search This Blog

Friday, August 14, 2015

Oracle how to encrypt tablespaces


How to Encrypt OracleTablespace



Set the Tablespace Master Encryption Key before you can encrypt or decrypt the tablespaces, you must generate or set a master encryption key.

The tablespace master encryption key is stored in an external security module and is used to encrypt the TDE tablespace encryption keys. Check to ensure that the ENCRYPTION_WALLET_LOCATION (or WALLET_LOCATION) parameter in the sqlnet.ora file points to the correct software wallet location.


ENCRYPTION_WALLET_LOCATION= (SOURCE=(METHOD=FILE)(METHOD_DATA= (DIRECTORY=/app/wallet)))

Unified Master Encryption Key or the master encryption key for transparent tablespace encryption and transparent column encryption are now combined to one unified master encryption key. Combining these keys enables transparent re-key operations for both of these transparent data encryption features, regardless of whether the master encryption key is stored in the Oracle Wallet or in one of the certified Hardware Security Modules offered by RSA, SafeNet, Thales (including nCipher), and Utimaco.


Create the directory for the wallet:

[oracle@collabn1 ~]$ mkdir -p /u01/app/oracle/admin/wallet

Add the wallet details in the sqlnet.ora file:

[oracle@collabn1 ~]$ vi $TNS_ADMIN/sqlnet.ora
ENCRYPTION_WALLET_LOCATION= (SOURCE=(METHOD=FILE)(METHOD_DATA= (DIRECTORY=/u01/app/oracle/admin/wallet)))

Verify the sqlnet.ora

[oracle@collabn1 ~]$ cat /u01/app/oracle/product/11.2.0.2/SHAIKPROD/network/admin/sqlnet.ora
ENCRYPTION_WALLET_LOCATION= (SOURCE=(METHOD=FILE)(METHOD_DATA= (DIRECTORY=/u01/app/oracle/admin/wallet)))

Create the master encryption key & wallet:


NAME      OPEN_MODE
--------- --------------------
ORCL      READ WRITE


When you create the master encryption key using the ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "password" command, TDE checks to see if a wallet exists in the default or specified location. If no wallet exists, then a wallet is created automatically.


SQL> alter system set encryption key identified by "secretpass";

System altered.

Verify the wallet file is created:

SQL> !ls /u01/app/oracle/admin/wallet
ewallet.p12


Create the tablespace with the encryption:

Here: algorithm can have one of the following values:
■ 3DES168
■ AES128
■ AES192
■ AES256

SQL> create tablespace securetbs datafile '+DATA2' size 10m autoextend on next 1m
     encryption using 'AES256'
     default storage(encrypt);

Tablespace created.

Verify whether the tablespace encryption is enabled or not:

SQL> select tablespace_name,status,encrypted from dba_tablespaces;

TABLESPACE_NAME            STATUS     ENC
------------------------------ --------- ---
SYSTEM                  ONLINE     NO
SYSAUX                  ONLINE     NO
UNDOTBS1                  ONLINE     NO
TEMP                  ONLINE     NO
USERS                  ONLINE     NO
EXAMPLE                   ONLINE     NO
HR_TEST                   ONLINE     NO
TT_TEMP_SALES              ONLINE     NO
SECURETBS              ONLINE     YES

9 rows selected.

How to open/close the wallet:


SQL> alter system set encryption wallet close identified by "secretpass";

System altered.


SQL> alter system set encryption wallet open identified by "secretpass";

System altered.


Enable oracle Wallet auto_login:

You can create an auto login wallet with Oracle Wallet Manager or the orapki command-line utility. The auto login wallet allows convenient access to encrypted data across database instance restarts.

[oracle@collabn1 ~]$ which orapki
/u01/app/oracle/product/11.2.0.2/SHAIKPROD/bin/orapki


[oracle@collabn1 ~]$ orapki wallet create -wallet /u01/app/oracle/admin/wallet/ewallet.p12 -auto_login
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:           

[oracle@collabn1 ~]$ ls -lrt /u01/app/oracle/admin/wallet/
total 8
-rw-r--r-- 1 oracle dba      1573 Aug 14 02:21 ewallet.p12
-rw------- 1 oracle oinstall     1651 Aug 14 03:01 cwallet.sso

After the auto_login you don’t have to worry about opening and closing the wallet manually.


Took sometime to figure out What is HSM ?= (Hardware Security Module)

source: http://docs.oracle.com/cd/E11882_01/network.112/e40393/toc.htm

No comments: