Does oracle 10.1 support transparent data encryption?

Similar Messages

• General review of Transparent Data Encryption (TDE) and performance of...

  I understand that the implementation of just about any database encryption solution, is going to result in a some degree of a performance hit, especially as searches are performed against the database, but none-the-less, we are thinking about implementing the Oracle TDE solution and as recommended, just isolating encryption needs to ONLY necessary columns of data - in our case, columns pertaining to private ASNWER (results) data and/or PII (Pers. Ident. Info.). This being said, is anyone else doing something similar with TDE, or does anyone have any pointers up front on what to look out for, what to expect, and how they are operating with TDE. (Just reaching out for some thoughts, insight, comments, and/or warnings)... Thank you very much. - Jason

  Yes, we have many customers using it, please check my updated TDE best practices paper; it has lots of hints and tricks and things to look out for:
  Available from http://www.oracle.com/technology/deploy/security/database-security/transparent-data-encryption/index.html (scroll down, please).
  Thanks, Peter

• Transparent Data Encryption clarification

  Hello All,
  {color:#993300}http://www.oracle.com/technology/deploy/security/database-security/transparent-data-encryption/tde_faq.html#A12010
  Does the database memory (SGA) contain clear-text or encrypted data?
  With column-level TDE, encrypted data remains
  encrypted inside the SGA, but with tablespace encryption, data is
  already decrypted in the SGA.{color}
  my doubt here is,
  1. when a select query issued when and where the decryption takes place before the data comes to SGA?
  2. Is there any tool to dump the duffer cache in SGA to find whether data is encrypted or not?
  Plz do help me
  Thanks in advance

  AFAIK, TDE is for encrypting data on disk (so database cant be stolen), not for encryting data in the tables (may be wrong there)
  dbms_obfuscation is deprecated in 10g, so used dbms_crypto instead - its much better

• Listener Start Problem with TDE (Transparent Data Encryption)

  i am testing Transparent Data Encryption in Oracle 10g by using the following link
  http://oracle-base.com/articles/10g/TransparentDataEncryption_10gR2.php
  Before Implementing the TDE listener was running fine but after implementation of TDE the listener was unable to start
  Please check the steps which i follow
  Step1-
  specify the ENCRYPTION_WALLET_LOCATION parameter in the sqlnet.ora file, now SQLNET.ora file looks like the following
  SQLNET.AUTHENTICATION_SERVICES= (NTS)
  NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
  ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)(METHOD_DATA=
  (DIRECTORY=D:\oracle\product\10.2.0\wallet\)))
  please check the contents of listener.ora file,i didn't make any configuration changes for listener before or after implementation of TDE
  SID_LIST_LISTENER =
  (SID_LIST =
  (SID_DESC =
  (SID_NAME = PLSExtProc)
  (ORACLE_HOME = D:\oracle\product\10.2.0\db_1)
  (PROGRAM = extproc)
  LISTENER =
  (DESCRIPTION_LIST =
  (DESCRIPTION =
  (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
  (ADDRESS = (PROTOCOL = TCP)(HOST = shakeel-pc.lhr.inov8.com.pk)(PORT = 1521))
  Step2-
  CONN sys/password AS SYSDBA
  ALTER SYSTEM SET ENCRYPTION KEY AUTHENTICATED BY "myPassword";
  TDE implemented successfuly implemented.
  But when i try to stop/start listener
  C:\>lsnrctl status
  LSNRCTL for 32-bit Windows: Version 10.2.0.1.0 - Production on 06-JUN-2008 05:44
  :30
  Copyright (c) 1991, 2005, Oracle. All rights reserved.
  Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1)))
  STATUS of the LISTENER
  Alias LISTENER
  Version TNSLSNR for 32-bit Windows: Version 10.2.0.1.0 - Produ
  ction
  Start Date 05-JUN-2008 22:40:14
  Uptime 0 days 7 hr. 4 min. 16 sec
  Trace Level off
  Security ON: Local OS Authentication
  SNMP OFF
  Listener Parameter File D:\oracle\product\10.2.0\db_1\network\admin\listener.o
  ra
  Listener Log File D:\oracle\product\10.2.0\db_1\network\log\listener.log
  Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1ipc)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=shakeel-pc.lhr.inov8.com.pk)(PORT=15
  21)))
  Services Summary...
  Service "PLSExtProc" has 1 instance(s).
  Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
  Service "orcl" has 1 instance(s).
  Instance "orcl", status READY, has 1 handler(s) for this service...
  Service "orclXDB" has 1 instance(s).
  Instance "orcl", status READY, has 1 handler(s) for this service...
  Service "orcl_XPT" has 1 instance(s).
  Instance "orcl", status READY, has 1 handler(s) for this service...
  The command completed successfully
  C:\>lsnrctl stop
  LSNRCTL for 32-bit Windows: Version 10.2.0.1.0 - Production on 06-JUN-2008 05:44
  :35
  Copyright (c) 1991, 2005, Oracle. All rights reserved.
  Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1)))
  The command completed successfully
  C:\>lsnrctl start
  [i]LSNRCTL for 32-bit Windows: Version 10.2.0.1.0 - Production on 06-JUN-2008 05:44
  :40
  Copyright (c) 1991, 2005, Oracle. All rights reserved.
  Starting tnslsnr: please wait...
  TNSLSNR for 32-bit Windows: Version 10.2.0.1.0 - Production
  System parameter file is D:\oracle\product\10.2.0\db_1\network\admin\listener.or
  a
  Log messages written to D:\oracle\product\10.2.0\db_1\network\log\listener.log
  Error listening on: (ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PARTIAL=yes)(QUEUESI
  ZE=1))
  No longer listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\E
  XTPROC1ipc)))
  TNS-12560: TNS:protocol adapter error
  TNS-00583: Valid node checking: unable to parse configuration parameters
  Listener failed to start. See the error message(s) above...
  To start the listener i have to close wallet as
  1- SQL>conn sys as sysdba
  ALTER SYSTEM SET WALLET CLOSE;
  2- Replace the SQLNET.ora file as previous ,now SQLNET.ora contains
  SQLNET.AUTHENTICATION_SERVICES= (NTS)
  NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
  Now if i start the listener then the listener was started succesfuly
  Please suggest why listener is not being start with TDE?

  I have the same problem. I'm testing TDE using Oracle 11gR1. After setting the parameter encryption_wallet_location and restart the listener, the listener failed to start. The error is exactly the same
  TNS-12560: TNS:protocol adapter error
  TNS-00583: Valid node checking: unable to parse configuration parameters
  By removing the parameter encryption_wallet_location, the listner can be started successfully.
  Anyone can help?

• Transparent Data Encryption vs. OS level encryption

  Can someone help me by posting few URLs to read about Oracle's Transparent Data Encryption vs. OS Level Encryption (Win 2003 server)? We are trying to choose an option and go with it. I'm looking for a comparative analysis doc (Oracle 10.2.0.2 on MS Win 2003 Server), or if you can give me pros and cons for each of those options.
  Many thanks in advance,
  Dejan

  http://www.oracle.com/technology/deploy/security/database-security/transparent-data-encryption/index.html

• JDBC Thin Driver Support for Data Encryption and Integrity

  Hello JDev Team,
  I am trying to implement JDBC Thin Driver Support for Data Encryption and Integrity.
  It works fine with java.sql.Connection and java.util.Properties like in the following code:
  DriverManager.registerDriver(new oracle.jdbc.driver.OracleDriver());
  Properties props = new Properties();
  int level = AnoServices.REQUIRED;
  props.put("oracle.net.encryption_client", Service.getLevelString(level));
  props.put("oracle.net.encryption_types_client", "( RC4_40 )");
  props.put("oracle.net.crypto_checksum_client",Service.getLevelString(level));
  props.put("oracle.net.crypto_checksum_types_client", "( MD5 )");
  Connection conn = DriverManager.getConnection ("jdbc:oracle:thin:@localhost:1521:main", props);
  etc...
  But I am developing an application with InfoSwing components and it has a different way to connect to Oracle database using oracle.dacf.dataset.connections.Connection, like this:
  sessionInfo1.setAppModuleInfo(new ModuleInfo("bc", "BcModule"));
  sessionInfo1.setConnectionInfo(new LocalConnection("JDBCThin"));
  sessionInfo1.publishSession();
  My question is:
  Is there any way to implement DataEncryption and Integrity into this type of connection?
  Thanks a lot in advance.
  Victor Bykov
  null

  Victor,
  No, you can't do this from DAC, but I've been discussing it with the developer, and we both think this capability would be useful to have, so I've logged it as an enhancement request.
  I do have a question for you. Once you've made the JDBC connection, do you need access to the Connection object afterwards? We're thinking of how the change could be implemented, and one way would be to allow you to pass in a Properties object when creating your own NamedConnection.
  Thanks
  Blaise

• What modifications are required to make a servlet support SSL data encrypti

  Hi,
  What modifications are required to make a servlet support SSL data encryption?
  --kumar                                                                                                                                                                                                

  Hi,
  What modifications are required to make a servlet
  support SSL data encryption?
  --kumar No modifications are required in servlet. You have to setup servlet container.

• Does Oracle 10G R2 support installation on Windows 2003 Domain Controller?

  Does Oracle 10g R2 support installation on Windows 2003 Domain Controller? I remember that 10g R1 had issues with the DC? Is it still the case. Does it work now?
  Any help is appreciated.
  Regards,
  Raghav

  We have Oracle 10g R2 running on a Windows 2003 domain controller. It was not a domain controller when Oracle was installed. The domain was created after installation. (I don't recommend that procedure. I spent a long day fixing the installation after they configured the domain.) If Oracle is unhappy with being on a domain controller, it has not shown it yet.

• SQL Server Transparent Data encryption

  I have implemented TDE for the Database and Column Level Encryption for Sensitive data in Tables. But, the Porblem is the data is entered through an front end application how could i encrypt this data when it is inserted from the Front end. And how to decry-pt
  this data for the users when it is selected.
  Your suggestions are most valuable.
  Reagrds
  Rehaan Khan
  RehaanKhan. M

  Let me start with a solution that may have been overlooked, but it is good to make sure we cover it. Have you considered using column-level permissions? It may not be a complete solution for your particular scenario if you need to give access to the column
  for other reasons (after all, the group you are trying to restrict is probably developing applications on top of the column storing sensitive data) or if the developer group has permission to create objects that would render the sensitive data subject to ownership
  chains. For more information on column-permissions look at
  http://msdn.microsoft.com/en-us/library/ms186915.aspx
  Assuming permissions alone will not solve the problem. By using encryption you should be able to limit access to the sensitive data to the developers, but it will also require some changes to your schema & application. TDE (Transparent Data Encryption)
  will not help you in this scenario since you need to restrict access to the data and restricting access to the column is not sufficient.
  The following links may be useful to get you started with SQL Encryption capabilities:
  SQL Server Encryption (http://msdn.microsoft.com/en-us/library/bb510663.aspx)
  Data Encryption in SQL Server (http://msdn.microsoft.com/en-us/library/bb669072(v=vs.110).aspx)
  Encrypt a Column of data (http://msdn.microsoft.com/en-us/library/ms179331.aspx)
  Cryptographic Functions (T-SQL) (http://msdn.microsoft.com/en-us/library/ms173744.aspx)
  Older articles, but they may still be quite useful:
  Indexing encrypted Data (http://blogs.msdn.com/b/raulga/archive/2006/03/11/549754.aspx)
  SQL Server 2005: searching encrypted data (http://blogs.msdn.com/b/lcris/archive/2005/12/22/506931.aspx)
  One recommendation may be to encrypt the data using an AES key, and protect the key using one or more certificates (I would recommend using a separate certificate per individual if possible), making sure that only authorized people have access to the keys.
  Anyone else with access to the column, but not to the keys would not be able to decrypt the data.
  BTW. I would also recommend using SQL Auditing (http://msdn.microsoft.com/en-us/library/cc280386.aspx) in order to keep honest people honest, by monitoring access to the keys & to the
  sensitive data.
  I hope this information helps,
  -Raul Garcia
  SQL Server Security
  This posting is provided "AS IS" with no warranties, and confers no rights.

• Transparent Data Encryption Configuration

  Hi,
  I want to configure Transparent Data Encryption on a Database which is protected with Database Vault.
  Is there any document which talks about the integration of Database Vault with Transparent Data Encryption.
  I want to create a common security administrator user (other than sys/system users) for Transparent Data Encryption configuration.
  If i create a new administrator from Enterprise Manager console i am getting the following error:
  SQL Error ORA-47401: Realm violation for grant system privilege on SELECT ANY DICTIONARY. ORA-06512: at "SYSMAN.MGMT_USER", line 9316 ORA-06512
  How to avoid this error.
  Any pointers on this is appreciated.
  Thanks & regards,
  Srikanth

  Turning off DBVault is not needed to turn on TDE ... the DB user who wants to manage the DB through Enterprise Manager, needs to have the SELECT ANY DICTIONARY privilege (I think I remember this is done by logging into EM (not DVA) as DBV_OWNER, or DV_ACCT_MNGR if you have configured one).
  If then the creation of the wallet fails, make the user an OWNER of the DATA DICTIONARY realm in DBVault. Note that the directory that you plan to use to store the wallet needs to exist before you create the wallet and master key for TDE.
  Peter
  Edited by: Peter Wahl on 03.07.2010 02:20

• Does Oracle XML Parser support double byte charset?

  Hi,
  Does Oracle XML Parser support double byte characters such as Korean or Chinese? If so, please tell me what version and how to construct xml/xsl files (...encoding="???")?
  Thanks for any help,
  Tuan

  Hi Raymond,
  Thank you for your help. It worked when I running in JDeveloper with your posted code. However, when I tried in my real application, it won't work.
  The problem is for localization purposes, my application using some texts display in browsers are saved in Unicode file. Later, application runs and depends on languages setting in browsers, with JavaServlet retrieves those texts and saves in formated xml StringBuffer. Then, using existed XSL Stylesheet file and OracleXMLParser to generate an output HTML.
  It has worked fine with English, France or others (single byte characters), but it can't
  for double bytes character such as Korean or Chinese. I also tried different charset in xml file.
  The following is one of returning errors:
  -- oracle.xml.parser.v2.XSLException: XSL-1004: Error while parsing input XML document (<Line 1, Column 552>: XML-0221: (Fatal Error) Invalid char in text.)
  I run this app in win2000/IIS with ServletExec3.0, JDK1.2.2 and OracleXMLParser v2.0.2.10
  Thank you for any helps,
  Tuan
  <BLOCKQUOTE><font size="1" face="Verdana, Arial">quote:</font><HR>Originally posted by Raymond Hayes Jr ([email protected]):
  Nothing fancy 'cause I'm half asleep but I used your xml/xsl and it seemed to work. No errors anyway. This is what I put together in JDeveloper 3.2
  package demo;
  import javax.servlet.*;
  import javax.servlet.http.*;
  import java.io.*;
  import java.net.*;
  import java.util.*;
  import oracle.xml.parser.v2.*;
  public class CuriosityKilledTheCat extends HttpServlet {
  * Initialize global variables
  public void init(ServletConfig config) throws ServletException {
  super.init(config);
  * Service the request
  public void service(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
  try
  XSLStylesheet xsl = new XSLStylesheet( new URL ("file:///c:\\temp\\input.xsl") , null );
  XSLProcessor xp = new XSLProcessor();
  XMLDocument xd = new XMLDocument ();
  XMLDocumentFragment xf = new XMLDocumentFragment();
  xf = xp.processXSL ( xsl , new URL ( "file:///c:\\temp\\input.xml") , null );
  System.out.println ( "here" );
  xd.appendChild( xf );
  xd.print ( response.getOutputStream() );
  catch ( Exception e )
  System.out.println ( e.getMessage() );
  * Get Servlet information
  * @return java.lang.String
  public String getServletInfo() {
  return "demo.CuriosityKilledTheCat Information";
  }<HR></BLOCKQUOTE>
  null

• Transparency Data Encryption V.S. DBMS_CRYPTO

  Which provides more security between Transparency Data Encryption V.S. DBMS_CRYPTO?

  The security protection is, for all essential purposes, identical.
  TDE automates encryption at the column level (10g) and dbms_crypto is used by PL/SQL.

• PKCS#11 HSM support for Transparent Data Encryption

  Hi,
  I'm trying to get a PKCS#11 HSM working with TDE with little luck.
  I have installed Oracle 11gR1 (recent release version) on a Linux VM running Red Hat Application Server 4. The sqlnet.ora file contains
  ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM))
  and the PKCS#11 implementation dll exists at
  /opt/oracle/extapi/32/hsm/RSA/1.8.0/libp11s.so
  as per the documentation.
  In sqlplus, after starting the DB, I issue the command
  ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "user:1234";
  but this fails with
  ERROR at line 1: ORA-28353: failed to open wallet.
  and it appears the PKCS#11 dll is never even loaded.
  TDE works fine when I use a local wallet (P12)
  Is there anything else I need to do to get a PKCS#11 HSM to be used to store the TDE master key? Also, why does a username have to be specified, when PKCS#11 only requires a slot number and PIN. How does oracle know which PKCS#11 driver to load if there are multiple under /opt/oracle/extapi/32/hsm/... ?
  Thanks very much,
  Owen Roberts

  Thanks.
  for the sake of the record I fixed this by specifying a METHOD_DATA and DIRECTORY in sqlnet.ora like in
  ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=HSM)(METHOD_DATA=
  (DIRECTORY=/app/oracle/admin/SID1/wallet)))
  where the directory exists, as opposed to just
  ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM))
  as it says in the doco...
  I have a new issue, which I'll start a new thread for.

• Does Oracle (12c) manage the interval data (6NF) ?

  Hi!
  I would like to know if Oracle (12c) supports the data type interval.
  In other words, does it manage the Normal Form Six (6NF) with temporal data?
  Thank you in advance for your answer.
  N.B.:
  And if yes, please precise since which version does Oracle support the intervals. Thank you.

  Sb92075, You're a genius !
  But you did not read exactly my question here: the additional question is Since which version are the intervals supported?
  (A copy paste from an unfindable documentation would be appreciated.)
  That was my proper question on DbForums, before having connexion problem for a special Oracle Support - but not Premium - and precisions asking of Oracle...
  during all this time, these answers were made.
  That was a question which I had for monthes ago, so this is why I already asked in several forums.
  Let me post here my response to them for the case where you can answer:
  -Something that I don't really understand, reading the docs:
  INTERVAL YEAR [(year_precision)] TO MONTH, what does it mean, exactly ? I guess that "to month" means the granularity of time. But for me, if I say "to", is as in "from... to", so it doesn't make any sense in this interval example.
  In his book, Temporal data and the relational model, Date recommend to write as:
  [begin:end], so if I translate:
  [2013-11-18 21H10M00s : 2013-11-18 21H15M00s] (the exact writing is from me).
  According that.. the granularity of time is implicit in the dates precision!
  Did I make a mistake ?"
  Thank you

• Does Oracle Advanced Queueing support JRockit?

  Does anyone know if Oracle Advanced Queueing supports JRockit (1.5 or 1.6),
  or better still, does anyone have experience using this?

  AQ is an in-database implementation of Java Messaging Service (JMS).
  With that in mind could you please ask your question again including specifics as to what you are thinking.