Oracle TDE Encryption 10g or 11g |
1):
select * from v$encryption_wallet;
sqlnet.ora
ENCRYPTION_WALLET_LOCATION=
(SOURCE =
(METHOD = FILE)
(METHOD_DATA = (DIRECTORY = /u01/oracle/ora11.203/dbs/wallets/${ORACLE_SID})))
# chmod -R 700 /u01/oracle/ora11.203/dbs/wallets/${ORACLE_SID}
-- or for windows
ENCRYPTION_WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = E:\oracle\%ORACLE_UNQNAME%)))
# If the wallet location is not defined in sqlnet.ora, then looking the following default location
$ORACLE_BASE/admin/DB_UNIQUE_NAME/wallet
$ORACLE_HOME/admin/DB_UNIQUE_NAME/wallet
-- Find your current wallet location using the following query
SELECT * FROM V$ENCRYPTION_WALLET;
|
-- create and open wallet
-- 10g ALTER SYSTEM SET ENCRYPTION KEY AUTHENTICATED BY "mypassword";
-- 11g ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "mypassword";
# This will create a wallet file ewallet.p12 and will also add the TDE master key to it.
# if it doesn't already exist in the location specified in the local sqlnet.ora file
notes 1: for security reason, you can change the permission on the wallet file
chmod 600 ewallet.p12
notes 2: Using the following command to change the wallet password
orapki wallet change_pwd -wallet
-- Find your current wallet location and status using the following query
SELECT * FROM V$ENCRYPTION_WALLET;
|
-- create encrypted tablespace
CREATE TABLESPACE usersenc DATAFILE '/u01/app/oracle/oradata/orcl/orclusersenc01.dbf' SIZE 100M
ENCRYPTION DEFAULT STORAGE (ENCRYPT);
-- or
create tablespace usersenc datafile '/u03/oracle/data/orcl/orclusersenc01.dbf' size 1M
autoextend on next 1M encryption using 'AES128' default storage (encrypt);
-- verify encryption is on for this tablespace
select TABLESPACE_NAME,ENCRYPTED from dba_tablespaces where TABLESPACE_NAME = 'USERSENV';
-- list tablespace name which has encryption turned on
select TABLESPACE_NAME,ENCRYPTED from dba_tablespaces where ENCRYPTED = 'YES';
|
-- Test 1: for table data
create table test_users tablespace usersenc as select username from dba_users;
select * from test_users
-- when the wallet is not open
1): select status from v$encryption_wallet; ( Will show closed )
2): select * from test_users; ( will show error )
|
-- Test 2: TDE can also be used for rman backup
RMAN> connect target /
RMAN> set encryption on;
RMAN> backup [as compressed backupset] database;
|
-- Manually Close and/or Reopen the Wallet
# close the wallet
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "orcl_test1234";
# reopen
ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY "orcl_test1234";
# error when putting the wrong password
alter system set wallet open identified by "orcl_test_wrong_password";
--> ORA-28353: failed to open wallet
|
2):
-- Setup Autologin Wallet
cd /u01/oracle/ora11.203/dbs/wallets/${ORACLE_SID}
orapki wallet create -wallet "/u01/oracle/ora11.203/dbs/wallets/${ORACLE_SID}"
orapki wallet create -wallet "/u01/oracle/ora11.203/dbs/wallets/${ORACLE_SID}" -auto_login_local
# or put the password in command line
orapki wallet create -wallet "/u01/oracle/ora11.203/dbs/wallets/${ORACLE_SID}" -pwd "mypassword" -auto_login_local
-- It will create auto the cwallet.sso file, in addition to the existing ewallet.p12 file
3): reopen a wallet
-- 10g: ALTER SYSTEM SET ENCRYPTION WALLET OPEN AUTHENTICATED BY "myPassword";
-- 11g: ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "mypassword";
-- close a wallet: ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;
4): view wallet
# normal time, should not use password:
orapki wallet display -wallet /u01/oracle/ora11.203/dbs/wallets/${ORACLE_SID}
orapki wallet display -wallet "/u01/oracle/ora11.203/dbs/wallets/${ORACLE_SID}" -pwd "mypassword"
5):
sudo chattr -i *wallet* <== to unlock (mutable - able to change)
orapki wallet create -wallet "/u01/oracle/ora11.203/dbs/wallets/${ORACLE_SID}" -pwd "mypassword" -auto_login_local
sudo chattr +i *wallet* <== to lock (immutable) - not changeable)
6):
lsattr *wallet*
sudo chattr -i *wallet* <== to unlock (mutable - able to change)
sudo chown oracle:dba *wallet*
sudo chattr +i *wallet* <== to lock (immutable) - not changeable)
7):
change wallet password: ( need XWindow)
owm
8):
SET LINESIZE 100
COLUMN owner FORMAT A15
COLUMN tble_name FORMAT A15
COLUMN column_name FORMAT A15
SELECT * FROM dba_encrypted_columns;
|