测试目的:
Oracle 11g表空间加密
测试环境:
Oracle 11.2.0.3单实例,红旗linux6.1
说明:以下配置操作,如果未特别说明,默认都为oracle用户操作
透明数据加密简介
透明数据加密包括列加密和表空间加密,它是oracle高级安全组件的一部分;通常,oracle11g企业版默认安装时会安装上oracle高级安全组件,oracle声称这是一个单独另外收费的组件,作为商业用途使用如果没有付费意味着侵权。
为了使用TDE表空间加密,必须运行oracle 11.1或更高版本。如果从较早版本升级,数据库的兼容性参数必须被设置为11.0.0或更高。在oracle11.2版本中,要使用增强的表空间加密特性,数据库的兼容性参数必须被设置为11.2或更高。
表空间加密的一些特点:
加密整个表空间,该表空间里创建的对象加密和自动解密;
利用批量加密和缓存来提高性能,对应用性能估计有5%到8%的影响;
加密支持内部大对象,如BLOB和CLOB等,不支持外部对象如BFILE;
加密表空间里的所有数据以加密的格式被存储在磁盘上;
有必要的权限来查看或修改的授权用户可以透明解密数据;
磁盘或备份介质被盗,数据不会受到损害。
TDE表空间加密使用两层、关键基础架构透明加密和解密表空间;
TDE的主密钥存储在外部安全模块(Oracle Wallet中或HSM)。这TDE主密钥用于加密TDE表空间加密密钥,而这又是用来加密和解密数据表空间。
以下为详细测试配置步骤:
1、查看oracle数据库安装了哪些组件
SQL>select * from v$option;
看一下,当前的数据库是否安装了oracle高级安全组件,oracle是否安装了相应的加密算法。
$adapters
2、指定钱包存放位置
在目录$ORACLE_HOME/network/admin下找到文件sqlnet.ora,添加如下内容:
#Oracle Advanced Security Transparent Data Encryption
ENCRYPTION_WALLET_LOCATION=
(SOURCE=(METHOD=FILE)(METHOD_DATA=
(DIRECTORY=/u01/app/oracle/product/11.2/network/admin/encryption_wallet)))
注意:如果是RAC环境,oracle建议将钱包位置放置共享存储上,以便各个节点共享访问。
3、创建目录:
$cd /u01/app/oracle/product/11.2/network/admin/
$mkdirencryption_wallet
4、创建主加密键(万能密钥)
SQL> select * from v$encryption_wallet;
WRL_TYPEWRL_PARAMETERSTATUS
--------------------------------------------------------
file/u01/app/oracle/product/11.2/network/admin/encryption_wallet
CLOSED
SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Test123456";
System altered.
SQL> select * from v$encryption_wallet;
WRL_TYPEWRL_PARAMETERSTATUS
--------------------------------------------------------
file/u01/app/oracle/product/11.2/network/admin/encryption_wallet
OPEN
SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Test123456";
以上命令如果指定的目录下没有钱包,则创建一个加密的钱包(ewallet.p12)并且被打开,而且TDE的主加密键被创建或重建;
如果指定的目录下有钱包,则打开钱包,而且TDE的主加密键被创建或重建;
注意:
主加密键应当只被创建一次,除非你想要用一个新的加密键来重新加密数据;
只有alter system权限的用户才能创建主加密键或打开钱包。
密码设置建议最少10位字母和数字的组合。
钱包加密密码和万能密钥密码不是一回事,是两个不同的密码。
5、打开钱包(第一次设置万能密钥会自动打开钱包)
每次数据库被关闭,钱包也关闭。在加密或解密之前必须确保钱包被打开。可以配置自动登录打开(后面第10节内容有讲到)。
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Test123456";
在Open wallet之前,数据库必须处于mount状态。
(关闭钱包:ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY"Test123456";)
6、创建表空间
创建普通表空间:
SQL> CREATE TABLESPACE test1 DATAFILE '/oradata/test1/test01.dbf' SIZE 200M autoextend on maxsize unlimited;
创建加密表空间:
使用ENCRYPTION选项,通过USING选项指定加密算法,默认使用AES128算法。注意,storage选项必须指定ENCRYPT。
注意:存在在加密表空间里的数据,我们不能直接通过HEX的编辑器或者strings命令直接查看数据文件里的内容。而如果是普通的数据文件,可以直接在操作系统层面查看数据文件里的内容。
SQL> CREATE TABLESPACE secure DATAFILE '/oradata/test1/secure01.dbf' SIZE 200M autoextend on maxsize unlimited ENCRYPTION DEFAULT STORAGE(ENCRYPT);
--查看表空间加密情况:
SQL> SELECT tablespace_name, encrypted FROM dba_tablespaces;
--创建和检查记录:
SQL> CREATE TABLESPACE secure DATAFILE '/oradata/test1/secure01.dbf' SIZE 200M autoextend on maxsize unlimited ENCRYPTION DEFAULT STORAGE(ENCRYPT);
Tablespace created.
SQL> SELECT tablespace_name, encrypted FROM dba_tablespaces;
TABLESPACE_NAMEENC
------------------------------ ---
SYSTEMNO
SYSAUXNO
UNDOTBS1NO
TEMPNO
USERSNO
TEST1NO
SECUREYES
7 rows selected.
7、创建用户
普通用户test1,默认表空间为普通非加密表空间
SQL>create user test1 identified by test1 default tablespace test1;
SQL>grant dba to test1;
SQL> conn / as sysdba
Connected.
SQL> create user test1 identified by test1 default tablespace test1;
User created.
SQL> grant dba to test1;
Grant succeeded.
普通用户test2,默认表空间为加密表空间:
SQL>create user test2 identified by test2 default tablespace secure;
SQL>grant dba to test2;
SQL> conn / as sysdba
Connected.
SQL> create user test2 identified by test2 default tablespace secure;
User created.
SQL> grant dba to test2;
Grant succeeded.
8、在表空间中创建表
普通非加密表空间:
SQL>create table test1 as select * from all_objects;
Table created.
SQL> select count(*) from test1;
COUNT(*)
----------
71928
加密表空间:
SQL> create table test2 as select * from test1.test1;
Table created.
SQL> select count(*) from test2;
COUNT(*)
----------
71928
9、测试创建索引,验证加密和非加密表空间
--验证创建索引
SQL> CREATE INDEX idx_objectid ON test2(OBJECT_ID)TABLESPACE secure;
Index created.
--验证加密表空间和非加密表空间
SQL> conn test2/test2
SQL> CREATE TABLE test (id NUMBER(10),data VARCHAR2(50));
SQL> INSERT INTO test (id, data) VALUES(1, 'This is a secret!');
SQL> COMMIT;
SQL> select * from test;
ID DATA
------------------------------------------------------------
1 This is a secret!
--flush buffer cache,确保数据刷入到数据文件:
SQL> ALTER SYSTEM FLUSH BUFFER_CACHE;
--当数据存放在加密的表空间之后,使用HEX editor,如UltraEdit,则不会显示data,而普通表空间是可以直接查看的:
$strings secure01.dbf|grep "secret"
--这里返回为空。
--验证非加密表空间:
SQL>conn test1/test1
SQL> CREATE TABLE test (id NUMBER(10),data VARCHAR2(50));
SQL> INSERT INTO test (id, data) VALUES(1, 'This is a secret!');
SQL> COMMIT;
SQL> select * from test;
ID DATA
------------------------------------------------------------
1 This is a secret!
--flush buffer cache,确保数据刷入到数据文件:
SQL> ALTER SYSTEM FLUSH BUFFER_CACHE;
--注意:这里对非加密表空间而言,可以直接查看加密的数据:
$strings test01.dbf|grep "secret"
验证加密成功:
[oracle@oracle-test1 admin]$ cd /oradata/
[oracle@oracle-test1 oradata]$ cd test1/
[oracle@oracle-test1 test1]$ ll
total 409624
-rw-r----- 1 oracle oinstall 209723392 Jun7 15:59 secure01.dbf
-rw-r----- 1 oracle oinstall 209723392 Jun7 16:01 test01.dbf
drwxr-x--- 2 oracle oinstall4096 Jun7 15:43 test1
[oracle@oracle-test1 test1]$ pwd
/oradata/test1
[oracle@oracle-test1 test1]$ strings secure01.dbf|grep "secret"
[oracle@oracle-test1 test1]$ strings test01.dbf|grep "secret"
This is a secret!
[oracle@oracle-test1 test1]$
以上表明:
表空间加密配置成功;使用表空间加密,存储在磁盘上的数据被加密了。
10、配置自动打开钱包(可选)
默认情况下,每次数据库被关闭,钱包也关闭。在加密或解密之前必须确保钱包被打开。
可以配置自动打开
[oracle@oracle-test1 admin]$ cd encryption_wallet/
[oracle@oracle-test1 encryption_wallet]$ ll
total 4
-rw-r--r-- 1 oracle oinstall 1573 Jun7 15:50 ewallet.p12
[oracle@oracle-test1 encryption_wallet]$ pwd
/u01/app/oracle/product/11.2/network/admin/encryption_wallet
图形化显示方式下,以oracle用户运行owm,打开钱包管理工具;
找到存放钱包的路径,输入正确的密码,打开钱包;
然后从菜单栏里选中"Auto Login",表示自动登录打开;
配置完成后保存退出,钱包存放目录下会生成一个新文件cwallet.sso
说明:
什么是钱夹?
钱夹是一个容器,用于存储认证和签名证书,包括TDE万能密钥、PKI私钥、许可证和SSL需要的信托证书。借助TDE,可以在服务器上使用钱夹来保护TDE万能密钥。此外,Oracle要求在SSL上通信的实体包含一个钱夹。除Diffie-Hellman外,该钱夹应当含有X.509版本3许可证、私钥、信托证书列表。
Oracle提供两种类型钱夹:加密钱夹和自动打开的钱夹。我们为TDE推荐加密钱夹(文件名为ewallet.p12)。数据库启动后和访问TDE加密数据前,需手动打开该钱夹。如果未打开该钱夹,查询受TDE保护的数据时数据库将返回错误。自动打开的钱夹(文件名是cwallet.sso)在数据库启动时会自动打开。因此它适用于无人值守的Data Guard环境,在该环境中加密后的列会传送到二级站点。
如何创建自动打开的钱夹?
自动打开的钱夹('cwallet.sso')需要利用现有的加密钱夹('ewallet.p12')创建,这样万能密钥就能在自动打开的钱夹中使用了。
您可以在Oracle Wallet Manager (OWM)中打开加密钱夹,选中“Auto Login”复选框,然后选择“Save”将自动打开的钱夹写到磁盘上,也可以使用命令行工具“orapki”:
orapki wallet create -wallet -auto_login
两种情况都要求提供钱夹口令。
最重要的,wallet是一次性的,即便使用相同的密码和文件路径,每次建立的证书都是不一样的,经过试验,建立包含加密列的表,然后关闭WALLET,并删除WALLET证书文件,然后用相同的密码建立的wallet证书,再打开WALLET,访问同一张表,系统报错"master key not found".将证书复原重新打开WALLET后恢复正常。所以证书文件一定要备份。因为它是一次性的。如果丢失证书文件(或者误删除),即便用相同的密码再生成一次证书也是无效的。一切都晚了。
检验是否自动打开
SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup;
ORACLE instance started.
Total System Global Area 1152450560 bytes
Fixed Size2227704 bytes
Variable Size385876488 bytes
Database Buffers754974720 bytes
Redo Buffers9371648 bytes
Database mounted.
Database opened.
SQL> select * from v$encryption_wallet;
WRL_TYPEWRL_PARAMETERSTATUS
----------------------------------------------------------------------------------------------------------------------
file/u01/app/oracle/product/11.2/network/admin/encryption_walletOPEN
注意
经常备份钱夹(备份到与加密数据不同的位置)
11、普通表空间和加密表空间测试查询返回时间
创建普通表空间test1和用户test1
SQL> create tablespace test1 datafile '/oradata/test1/test01.dbf' size 200m autoextend on maxsize unlimited;
Tablespace created.
SQL> create user test1 identified by test1 default tablespace test1;
User created.
SQL> conn / as sysdba
Connected.
SQL> grant dba to test1;
Grant succeeded.
SQL> conn test1/test1
Connected.
SQL> create table test1 as select * from all_objects;
Table created.
SQL> select count(*) from test1;
COUNT(*)
----------
71928
加密表空间测试查询返回时间
SQL> conn / as sysdba
Connected.
SQL> create user test2 identified by test2 default tablespace secure;
User created.
SQL> grant dba to test2;
Grant succeeded.
SQL> conn test2/test2
Connected.
SQL> create table test2 as select * from test1.test1;
Table created.
SQL> select count(*) from test2;
COUNT(*)
----------
71928
测试脚本内容:
[oracle@oracle-test1 ~]$ more testOracle.sh
#!/bin/bash
if (($# != 2));
then
printf "使用方法:$0最大次数时间间隔(秒)\n\n最大次数为-1表示无限,时间间隔可以为0.1\n"
exit 0
fi
iMaxCount=$1
fTime=$2
iCount=0
while ((iCount != iMaxCount))
do
((iCount=$iCount+1))
printf "第%d次执行\n" $iCount
printf "set timing on;\nselect * from test1;\nquit;\n" | sqlplus test1/test1 | egrep "已用时间|Elapsed"
sleep $fTime
printf "\n"
done
[oracle@oracle-test1 ~]$./testOracle.sh -1 0
加密表空间查询测试返回时间
查询表名称改为test2,用户名和密码都为test2
测试结论:
初步测试,加密后查询时间平均增加5%左右。
官方说法:
被加密的数据文件,临时表空间、undo表空间和redo日志、内存中的数据都是被保护的。
官方文档,5%-8%的性能下降。
In addition, TDE tablespace encryption takes advantage of bulk encryption and caching to provide enhanced performance. While the actual performance impact on applications can vary, the performance overhead is roughly estimated to be in between 5% and 8%.
12.官方文档配置例子:
Encryption and TDE Tablespace Encryption
This section uses a tutorial approach to help you get started with TDE column
encryption and TDE tablespace encryption. We illustrate the following tasks using
sample scenarios:
■Prepare the Database for Transparent Data Encryption
■Create a Table with an Encrypted Column
■Create an Index on an Encrypted Column
■Alter a Table to Encrypt an Existing Column
■Create an Encrypted Tablespace
■Create a Table in an Encrypted Tablespace
3.3.1Prepare the Database for Transparent Data Encryption
In order to start using Transparent Data Encryption (TDE), let us first prepare the
database by specifying an Oracle wallet location and setting the master encryption
key. The following steps prepare the database to use TDE:
1.Specify an Oracle Wallet Location in the sqlnet.ora File
2.Create the Master Encryption Key
3.Open the Oracle Wallet
Specify an Oracle Wallet Location in the sqlnet.ora File
Open thesqlnet.orafile located in$ORACLE_HOME/network/admin. Enter the
following line at the end of the file:
ENCRYPTION_WALLET_LOCATION=
(SOURCE=(METHOD=FILE)(METHOD_DATA=
(DIRECTORY=/app/wallet)))
Save the changes and close the file.
Note:You can choose any directory for the encrypted wallet, but the path should not point to the standard obfuscated wallet (cwallet.sso) created during the database installation.
在sqlnet.ora文件中指定钱包位置
Create the Master Encryption Key
Next, we need to create the master encryption key, which is used to encrypt the table
keys. Enter the following commands to create the master encryption key:
SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Easy2rem";
The preceding command achieves the following:
■If no encrypted wallet is present in the directory specified, an encrypted wallet is created (ewallet.p12), the wallet is opened, and the master encryption key for TDE is created/re-created.
■If an encrypted wallet is present in the directory specified, the wallet is opened, and the master encryption key for TDE is created/re-created.
Note:
■The master encryption key should only be created once, unless you want to reencrypt your data with a new encryption key.
■Only users with theALTER SYSTEMprivilege can create a master encryption key or open the wallet.
创建主加密键
Open the Oracle Wallet
Every time the database is shut down, the Oracle wallet is closed. You can also explicitly close the wallet.
You need to make sure that the Oracle wallet is open before you can perform any encryption or decryption operation. Use the following command to open the wallet containing the master encryption key:
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Easy2rem";
Note:The password used with the preceding command is the same that you used to create the master encryption key. This becomes the password to open the wallet and make the master encryption key accessible.
在执行加密或解密操作前使用创建主加密键时指定的密码打开钱包;或者配置自动打开
3.3.2 Create a Table with an Encrypted Column
CREATE TABLE cust_payment_info
(first_name VARCHAR2(11),
last_name VARCHAR2(10),
order_number NUMBER(5),
credit_card_number VARCHAR2(16) ENCRYPT NO SALT,
active_card VARCHAR2(3));
3.3.3 Create an Encrypted Tablespace
TDE tablespace encryption enables you to encrypt an entire tablespace. All data stored
in the tablespace is encrypted by default. Thus, if you create any table in an encrypted
tablespace, it is encrypted by default. You do not need to perform a granular analysis
of each table column to determine the columns that need encryption.
Let us create an encrypted tablespace to store encrypted tables. The following
command creates an encrypted tablespace calledsecurespace:
SQL> CREATE TABLESPACE securespace DATAFILE '/home/oracle/oracle3/product/11.1.0/db_1/secure01.dbf' SIZE 150M ENCRYPTION DEFAULT STORAGE(ENCRYPT);
Tablespace created.
3.3.4 Create a Table in an Encrypted Tablespace
If we create a table in an encrypted tablespace, then all data in the table is stored in
encrypted form on the disk. The following command creates a table called,
customer_info_paymentin an encrypted tablespace called,securespace.
SQL> CREATE TABLE customer_payment_info
2 (first_name VARCHAR2(11),
3 last_name VARCHAR2(10),
4 order_number NUMBER(5),
5 credit_card_number VARCHAR2(16),
6 active_card VARCHAR2(3))TABLESPACE securespace;
Table created.
附:统一的万能加密密钥
TDE表空间加密和TDE列加密的万能加密密钥现在组合成一个统一的万能加密密钥。这就可以对TDE表空间加密和TDE列加密进行透明的重新生成密钥操作。
Table 3–7 Transparent Data Encryption SQL Commands Quick Reference
Task SQL Command
Add encrypted
column to existing
table
ALTER TABLEtable_nameADD (column_name datatypeENCRYPT);
Create table and
encrypt column
CREATE TABLEtable_name(column_name datatypeENCRYPT);
Encrypt unencrypted
existing column
ALTER TABLEtable_nameMODIFY (column_nameENCRYPT);
Master encryption key:
set or reset
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "password";
Master encryption key:
set or reset to use PKI
certificate
ALTER SYSTEM SET ENCRYPTION KEY "certificate_ID" IDENTIFIED BY"password";
Wallet: open to access
master encryption key
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "password";
扫一扫
540
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
