Oracle Advanced Security TDE(Transparent Data Encryption透明数据加密)提供了业界先进的数据库加密解决方案。
TDE自动对写入到Oracle数据库中的数据进行加密,既可以对像信用卡号和社会保险号这样的个别应用程序表列进行加密,也可以加密整个表空间。
备份数据库时,加密的文件在目标介质上仍保持其加密状态,能保护其上的信息不会外泄。
11g的表空间加密依赖于oracle wallet以及wallet中的密钥,要先创建一个“wallet钱包”,这个钱包里面保存着密钥,Oracle就是通过这个密钥对表空间进行加密和解密。 既可以手动打开wallet (每次数据库启动以后,需要手动打开wallet),也可以自动打开wallet (每次数据库启动以后会自动打开)。
SQL> select * from v$encryption_wallet;
WRL_TYPE WRL_PARAMETER STATUS
-------------------- --------------------------------------- ------------------
file /u01/app/oracle/admin/dg01prmy/wallet CLOSED
SQL> alter system set encryption key identified by "welcome1";
alter system set encryption key identified by "welcome1"
*
ERROR at line 1:
ORA-28368: cannot auto-create wallet
$ ls /u01/app/oracle/admin/dg01prmy/wallet
ls: cannot access /u01/app/oracle/admin/dg01prmy/wallet: No such file or directory
$ mkdir /u01/app/oracle/admin/dg01prmy/wallet
SQL> alter system set encryption key identified by "welcome1";
System altered.
SQL> select * from v$encryption_wallet;
WRL_TYPE WRL_PARAMETER STATUS
-------------------- --------------------------------------- ------------------
file /u01/app/oracle/admin/dg01prmy/wallet OPEN
$ ls /u01/app/oracle/admin/dg01prmy/wallet
ewallet.p12
SQL> alter system set encryption wallet close identified by "welcome1";
System altered.
SQL> select * from v$encryption_wallet;
WRL_TYPE WRL_PARAMETER STATUS
-------------------- --------------------------------------- ------------------
file /u01/app/oracle/admin/dg01prmy/wallet CLOSED
SQL> alter system set encryption wallet open identified by "welcome1";
System altered.
SQL> select * from v$encryption_wallet;
WRL_TYPE WRL_PARAMETER STATUS
-------------------- --------------------------------------- ------------------
file /u01/app/oracle/admin/dg01prmy/wallet OPEN
SQL>
默认情况下,每次数据库被关闭,钱包也被关闭。 加密表空间与wallet的关系如下
1.Oracle表空间的加密与解密完全是基于wallet钱包中的密钥进行的。
2.如果wallet是open状态,可以使用其中的密钥,进行加密与解密。
3.如果wallet是close状态,此时加密表空间是不可用的,例如查询、修改都不允许
4.删除表是不需要密钥的,无论wallet是open或close状态,可直接删除。
创建加密表空间
使用ENCRYPTION 选项,通过USING 选项指定加密算法,默认使用AES128算法。
注意,storage 选项必须指定ENCRYPT。
SQL> CREATE TABLESPACE george_ts_encrypt DATAFILE '/u01/app/oracle/oradata/dg01prmy/ts_encrypt.dbf' SIZE 200M autoextend on maxsize unlimited ENCRYPTION DEFAULT STORAGE(ENCRYPT);
Tablespace created.
SQL> SELECT tablespace_name, encrypted FROM dba_tablespaces;
TABLESPACE_NAME ENC
------------------------------ ---
SYSTEM NO
SYSAUX NO
UNDOTBS1 NO
TEMP NO
USERS NO
GEORGE_TBS NO
GEORGE_TS_ENCRYPT YES
7 rows selected.
被加密的数据文件,临时表空间、undo表空间和redo日志、内存中的数据都是被保护的。
在执行加密或解密操作前钱包要打开;或者配置自动打开。
SQL> select * from v$encryption_wallet;
WRL_TYPE WRL_PARAMETER STATUS
-------------------- -------------------------------------------------------------------------------- ------------------
file /u01/app/oracle/admin/dg01prmy/wallet CLOSED
SQL> CREATE TABLE customer_payment
(first_name VARCHAR2(20),
last_name VARCHAR2(20),
amount NUMBER(10),
credit_card_number VARCHAR2(20)) TABLESPACE GEORGE_TS_ENCRYPT;
2 3 4 5
Table created.
SQL> insert into customer_payment values('George','Wang',2015,'123456790');
insert into customer_payment values('George','Wang',2015,'123456790')
*
ERROR at line 1:
ORA-28365: wallet is not open
SQL> alter system set wallet open identified by "welcome1";
System altered.
SQL> select * from v$encryption_wallet;
WRL_TYPE WRL_PARAMETER STATUS
-------------------- -------------------------------------------------------------------------------- ------------------
file /u01/app/oracle/admin/dg01prmy/wallet OPEN
SQL> insert into customer_payment values('George','Wang',2015,'123456790');
1 row created.
SQL> commit;
Commit complete.
SQL> select * from customer_payment;
FIRST_NAME LAST_NAME AMOUNT CREDIT_CARD_NUMB
----------- ---------- ------------ ----------------
George Wang 2015 123456790
SQL> alter system set wallet close identified by "welcome1";
System altered.
SQL> select * from customer_payment;
select * from customer_payment
*
ERROR at line 1:
ORA-28365: wallet is not open
来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/29960937/viewspace-1628848/,如需转载,请注明出处,否则将追究法律责任。
转载于:http://blog.itpub.net/29960937/viewspace-1628848/