By: Cheryl Lei Bryll, OCPSenior Oracle DBA
Mobile: [email protected]
http://www.onshoresolutions.net
Transparent Data Encryption
Why there is a need for Transparent Data Encryption
What does Transparent Data Encryption address in the security model
When to use Transparent Data Encryption
How to implement Transaction Data Encryption
Why there is a need for Transparent Data Encryption
Security threatsExternal threats - backup tapes
Internal threats – privileged users\outsourcing
U.S laws - regulatory compliance issuesPCI DSS
FIPS 140-2
SOX Act of 2002
HIPPA
International regulations
Security threats are an ever growing concern
Findings from 2009 IOUG Data Security report :
50 percent increase in data breaches since last year
Managers see internal threats more pressing than external threats
Outsourcing of database administration, development and testing functions
Close to half of organizations employ actual production data within non-production environments
corporate management is still complacent about data security. Management commitment needed
The PCI – Payment Card Industry
PCI DSS is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment.
Created by Visa, MasterCard, Discover card, JCB and American Express
Protect Cardholder Data - requirement 3
SOX - Sarbanes-Oxley requirement
Sets standards for public companies
Information technology governance for financials
Section 404Assessment of internal controls
Most costly to implement2007 showed avg. $1.9 -1.3 million to comply
External auditors to access compliance
Focused on ‘write events’ (tampering)
HIPAA - Health Insurance Portability and Accountability Act
Includes privacy protection provisions for personal health information
Compliance has been required since 2005
Includes a privacy rule and a security rule
What does Transparent Data Encryption address?
Preventing privacy and identity theft
Protecting data at rest, meaning data on the disks (in datafiles) or in backup media
Protecting against unauthorized access by use of encryption keys
Allows for an easy to implement solution to data protection
Protecting data at rest with Transaction Data Encryption
The encryption is done at the operating system level, where data is stored
Encryption keys are stored external of the database
Table columns or entire tablespaces are encrypted
The datafiles, archive logs, redo logs and backup media contain these objects in encrypted format
Strong encryption algorithms are used
Transparent Data Encryption addresses strong encryption
The need for stronger data security standards with strong encryption is a growing concern …
Need for strong encryption techniques
PCI defines ‘strong encryption’ The ‘KEY’ determines the strength of an encryption algorithm. At a minimum 80 bits.
FIPS (Federal Information Processing Standards)
140-2 defines strong encryption algorithms
NIST (National Institute of Standards and Technology)
Special publication 800-57 - Recommendation for Key Management
Encryption techniques
Symmetric ciphers – same key for both decryption and encryption
DES,3DES,AES
The NSA (National Security) has approved to use the AES 192 or 256 key length algorithms for top secret data
Asymmetric ciphers – different keys for both encryption and decryption
RSA/DSA
Hashing algorithms - One way encryptionMD5
Protects against unauthorized access
For each encrypted table column or tablespace a key is created
The table and tablespace keys are encrypted with a master database key
The master database key is stored external to the database (external security module)
The external security module is the Oracle wallet
Oracle 11g supports the Hardware Storage Module
Allows for an easy to implement solution to data protection
Before Transparent Data EncryptionOracle 8i API for data encryption called DBMS_OBFUSCATION_TOOLKIT package
Oracle 9i provided support for the 3DES algorithm
Oracle 10g the package DBMS_CRYPTO package was added
With Transparent Data encryptionOracle 10g rel.2 introduced TDE– with encryption at the column level
Oracle 11g further enhances Transparent Data Encryption with tablespace encryption and support for HSM
When to use Transparent Data Encryption
When ‘data at rest’ needs to be protected
When only certain data needs encryption
When you need to adhere to regulatory standards
When used as a contributing ‘component’ of the overall security solution
How to use Transparent Data Encryption
Oracle 10g column level encryption
Oracle 11g tablespace level encryption
Key management
Backups & Exports
Replication
Troubleshooting
Transparent Data Encryption –10g rel.2 Restrictions
Transparent Data Encryption is not included in Standard Edition
Transparent Data Encryption is an add-on product bundled with Oracle-net server or Oracle net client
Transparent Data Encryption is only available in Oracle 10g rel. 2 and higher
Indexes – b-tree only
TDE cannot be used in foreign key constraints
TDE can't be enabled on a SYS-owned table
TDE cannot be used in standard export and import
The COMPATIBLE initialization parameter must be at least 10.2.x.x.
RMAN backups – not with image copies
Materialized view logs
Transportable tablespaces
External large objects (BFILE)
Steps for using column-level Transparent Data Encryption:
1.Set compatibility parameter
2.Set up wallet location
3.Create wallet
4.Add ‘encrypt’ to column
5.Indexing encrypted columns
6.Closing wallet
7.Restarting database instance
Steps for using column-level Transparent Data Encryption:
Set compatibility parameter
– Compatibility level of 10.2 or higher
Steps for using column-level Transparent Data Encryption:
Set up wallet locationsearch order for wallet location
1. If exists, the wallet location specified by the parameter in the sqlnet.ora file ENCRYPTION_WALLET_LOCATION
2. If exists, the wallet location specified by the parameter in the sqlnet.ora file WALLET_LOCATION
3. The default location for the wallet ($ORACLE_BASE/admin/$ORACLE_SID/wallet)
mkdir /app/oracle/admin/test/encryption_wallet
Steps for using column-level Transparent Data Encryption:
Create the wallet to hold the encryption key and open the wallet
1. Must have ‘alter system’ privilege
2. Password is case sensitive, must use quotes
3. The command will create a wallet file (ewallet.p12)
4. Opens the wallet
5. Generates database server’s master encryption key
Steps for using column-level Transparent Data Encryption:
Add ‘encrypt’ to column
1. Include the ENCRYPT clause to specific columns
2. You can specify the encryption method using
ENCRYPT USING ‘<AES192>‘
3. An encryption key for the table is created
4. See all columns in your database that are encrypted
SELECT * FROM DBA_ENCRYPTED_COLUMNS;
CREATE TABLE tde_private (
id NUMBER(10) primary key,
info VARCHAR2(50) ENCRYPT USING 'AES192'
)
TABLESPACE transtable;
Demo –10g Column level
carCard_num
-------------------715088606525
carCard_num
-------------------X!wp#!9r4@ee
Steps for using column-level Transparent Data Encryption:
Indexing encrypted columns
index columns cannot contain a salted encryption so be sure to create those columns as 'no salt‘
Only b-tree indexes
Do not use an encrypted column on an index used in range scans
Steps for using column-level Transparent Data Encryption:
Foreign key columns cannot be encrypted
This is because every table has a unique column encryption key
Steps for using column-level Transparent Data Encryption:
Salt1. By default all columns have
salt added
2. Salt adds an extra layer of randomness
3. You can turn salt off
alter table cust_info modify (cust_last encrypt no salt);
SQL> desc DBA_ENCRYPTED_COLUMNS;
Name Null? Type
----------------------------------------- -------- ----------------------------
OWNER NOT NULL VARCHAR2(30)
TABLE_NAME NOT NULL VARCHAR2(30)
COLUMN_NAME NOT NULL VARCHAR2(30)
ENCRYPTION_ALG VARCHAR2(29)
SALT VARCHAR2(3)
SQL> COLUMN table_name format a15;
SQL> COLUMN column_name format a15;
SQL> SELECT table_name,column_name,salt FROM DBA_ENCRYPTED_COLUMNS;
TABLE_NAME COLUMN_NAME SALT--------------- --------------- ---------TDE_TEST DATA YESTDE_DOCTOR DOC_FIRST YESTDE_DOCTOR DOC_LAST YESTDE_TEST_2 DATA YESTDE_PRIVATE INFO YESCUST_INFO SSN YESCUST_INFO DOB YESCUST_INFO CUST_LAST NO
Steps for using column-level Transparent Data Encryption:
Closing the wallet
Encrypted columns cannot be accessed
Restarting the database
The wallet must be manually opened
ALTER SYSTEM SET WALLET CLOSE;
ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY “<password>“;
How to prove encryption is working?
SQL> conn cust_admin/<password>
Connected.
SQL> create table my_secrets (
v_special varchar2(100)) tablespace tde_ts;
Table created.
SQL> insert into my_secrets values ('TOP_SECRET');
1 row created.
SQL> COMMIT;
Commit complete.
Hacker on the OS can see data in your physical files
Without encryption the redo logs show cleartext of
your DML
bash-3.2$ pwd
/app/oracle/oradata/test
bash-3.2$ strings redo02.log | grep TOP_SECRET
TOP_SECRET
Hacker on the OS can see data in your physical files
With encryption the datafiles and redo logs do NOT show cleartext of your DML
Implementation steps
Implementation Steps:
1. Identify columns that require data protection
credit cards, ssn, medical info
2. Verify supported datatype
no bfiles
3. Verify column is not part of a foreign key
query the data dictionary to find this information
4. Encrypt existing and new data
a. may want to do a 'move' of tablespace to remove ghost copies
b. perform the ddl
c. alter tables
d. backup database and wallet !
Transparent Data Encryption 11g
Tablespace encryptionNo more searching for columns to encrypt
Eliminates the foreign key limitation
Less of a performance impact
Oracle E-Biz 11i version 11.5.10.2 or higher
Support for SecureFiles
Support for hardware security modules (HSM)
Stores master key on separate hardware device
Share keys across servers
Steps for using tablespace Transparent Data Encryption:
Tablespace
No restriction on Foreign Key columns
Default algorithm is AES 128
Range scans are no longer a
problem
view v$encrypted_tablespaces
COMPATIBLE parameter to 11.1
Create tablespace securets datafile '/u99/app/oracle/oradata/fins/fins/securets_01.dbf' size 300M encryption using 'AES192' Default storage (encrypt);
Steps for SecureFile LOBsTransparent Data Encryption:SecureFile LOBs
COMPATIBLE parameter to 11.1
Block level encryption of LOBs
Cannot change encryption
algorithm, must do a rekey
CREATE TABLE lob_tab (
id NUMBER,
cmment_info VARCHAR2(300),
clob_data CLOB )
LOB(clob_data) STORE AS SECUREFILE encrypt_lob( ENCRYPT USING 'AES256' );
ALTER TABLE lob_tab MODIFY ( clob_data CLOB ENCRYPT USING '3DES168' );
*! DOES NOT WORK**
ALTER TABLE lob_tab REKEY USING 'AES192';
Transparent Data Encryption –support for HSM
Support for hardware security modules (HSM)
Allows master key to be stored in one place and used by many RAC nodes
A rekey operation is needed to change or upgrade to using HSM in 11g
Transparent Data Encryption –HSM
How does the Hardware security module work?
Basically a separate ‘tamper-resistant’ hardware is used to create, store and use cryptographic keys. The HSM device adds increased processing power for encryption\decryption of keys. And should meet the proper validation to ensure it meets industry standards such as FIPS 140-2.
Transparent Data Encryption –Implement HSM
Steps to implement the Hardware security module:
Modify sqlnet.ora parameter ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM))
Configure PCKS#11 library/opt/oracle/extapi/[32,64]/hsm/{VENDOR}/{VERSION}/libapiname.ext
Configure HSM deviceCreate user/password
Create the master key in the databaseALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY
user_Id:password [MIGRATE USING wallet_password]
Open the wallet
Transparent Data Encryption –Key Management
Two-tier key architecture
Resetting keys
Backup and recovery of keys
Autologin
External security moduleHardware security module
Wallet
Transparent Data Encryption –Key Management
Two-tier key architectureMaster database key
Used to encrypt the column and tablespace keys
Stored in the Oracle wallet
Table \ tablespace key
Used to encrypt columns & indexes
Stored in the data dictionary in encrypted format
Transparent Data Encryption –Key Management
Reset master keyALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY <password>;
Rekeying the table keyALTER TABLE cust_info REKEY;
Rekeying to change encryption algorithmALTER TABLE cust_info REKEY USING '3DES168';
ALTER TABLE cust_info ENCRYPT USING ‘AES128’;
Transparent Data Encryption –Key Management
Backup of keysMust backup the ewallet.p12 file
Every time you reset the master you should backup the wallet file
Recovery of keysTo restore simply apply a backup copy of ewallet.p12 to the wallet location
If wallet is not the most recent master key, then you must perform a data recovery
Transparent Data Encryption –Key Management
AutologinImplicitly opens wallet
Set up using
mkwallet utility
Oracle Wallet Manager
Cannot have already ‘opened’ wallet
Not recommended for TDE (lessens security)
Transparent Data Encryption –Key Management
External security module – the storing of master keys outside of the database
Hardware security module (HSM)
Oracle Wallet
Default database wallet
Separate wallet
set in sqlnet.ora ENCRYPTION_WALLET_LOCATION
EXTERNAL SECURITY MODULE SUPPORT BY DATABASE VERSION
DATABASE VERSION MASTER KEY FOR … … IN ORACLE WALLET
… IN HSM
Oracle RDBMS 10gR2 Column Encryption Yes No
Oracle RDBMS 11gR1 Column Encryption
Yes Yes
(11.1.0.6)Tablespace Encryption Yes No
Oracle RDBMS 11gR1 Column Encryption Yes Yes
(11.1.0.7) Tablespace Encryption Yes Yes (no re-key)
Oracle Advanced Security Transparent Data Encryption Best Practices; August 2009 (version 11) Peter A. Wahl
Backups & Exports –RMAN
TDE encrypted columns will be encrypted a second time during the backup
RMAN Transparent mode is the default
No DBA intervention – no need to enter a password during daily backups
– RMAN> configure encryption for database on;
During recovery Oracle Wallet must be open
Demo –Data Pump
ENCRYPTION_PASSWORD= is the data pump password used andnot the wallet password. This password must be similarly entered during the import
Demo –Data Pump
Oracle Data Pump prohibits the export of an external table
ORA-39214: Data Pump does not support external tables with encrypted columns.
Cloning Production
It is important that the Oracle Wallet from the ‘source’ is copied to the ‘target’.
Production Development
Copy
Materialized Views
Encrypted columns cannot be used with 10g Materialized view logs.
When creating a materialized view the target columns do not take on the encrypt attribute of the data types.
Data Guard
It is important that the Oracle Wallet from the ‘source’ is copied to the ‘target’.
Creating a new wallet with the same password will not work.
Encryption=data_only, all,
encrypted_columns_only
encryption_mode=transparent
Encrption_algorithm=AES192
Primary Standby
Copy
Streams
The data is decrypted by the streams engine prior to transporting to the target system.
However, if the target system does not successfully accept the message the data is stored in a temp location encrypted.
. Local
downstream
carCard_num
-------------------X!wp#!9r4@ee
carCard_num
-------------------715088606525
Copy wallet
Buffered queue
carCard_num
-------------------X!wp#!9r4@ee
decrypted
encrypted
RAC
Copy the Oracle Wallet from the first node to each additional node servers in the Real Application Cluster.
Open the wallet manually on each node database.
SAN:Datafiles,redo,archive logs
RAC node 1
RAC node 2
RAC node 3copy
Troubleshooting
How do you determine that Oracle Advanced Security Option is installed ?
Universal installer
opatch lsinventory
$ORACLE_HOME/bin/adapters
Troubleshooting
How do you determine that Oracle Advanced Security Option is installed ?
Universal installer
opatch lsinventory
$ORACLE_HOME/bin/adapters
Troubleshooting
How do you determine that Oracle Advanced Security Option is installed ?
Universal installer
opatch lsinventory
$ORACLE_HOME/bin/adapters
Troubleshooting
If you create a new table based on a table with encrypted columns does the ‘encrypt’ column definition transfer with the table?
No
Troubleshooting
What happens to my encrypted data when the Oracle wallet is closed?
The data is inaccessible. However, you can still access all the other columns. Just do not perform ‘select *’ queries.
Troubleshooting
Is it possible to apply to different encryption algorithms on the same table?
NO! An error will result, the encryption algorithm is based on the table. Remember only one table key is created regardless of the amount of columns set to ENCRYPT.
SQL> CREATE TABLE cust_info
2 ( cust_id NUMBER(12) PRIMARY KEY,
3 cust_last VARCHAR2(30) ENCRYPT USING 'AES192' NO SALT,
4 cust_first VARCHAR2(30),
5 dob DATE,
6 state VARCHAR2(5),
7 ssn VARCHAR2(9) ENCRYPT USING 'AES256'
8 ) TABLESPACE tde_ts;
ssn VARCHAR2(9) ENCRYPT USING 'AES256'
*
ERROR at line 7:
ORA-28340: a different encryption algorithm has been chosen for the table
Troubleshooting
How can the DBA determine if the wallet is open and how can the DBA determine the OS location of the wallet?
Simply query the v$encryption_wallet view.
SQL> column WRL_TYPE format a5
SQL> column WRL_PARAMETER format a50
SQL> select * from V$ENCRYPTION_WALLET;
WRL_T WRL_PARAMETER STATUS
----- -------------------------------------------------- ---------
file /app/oracle/admin/test/encryption_wallet/ OPEN
Questions/Comments?
Slides to be posted to:http://www.onshoresolutions.net/knowledge.html
“White papers & tutorials”
References:
Oracle 10g Advanced Security http://download.oracle.com/docs/cd/B19306_01/network.102/b14268/asotrans.htm#CHDCGBEA
Oracle 11g Advanced Security Guidehttp://download.oracle.com/docs/cd/B28359_01/network.111/b28530/asotrans.htm#CJADBFGF
Oracle Advanced Security Transparent Data Encryption Best Practices; August 2009 (version 11) Peter A. Wahl
PCI Standardswww.pcisecuritystandards.org/security_standards/pci_dss.shtml
Top Related