Encrypting data with TDE

Hi Folks,
This is my first post here.
I have the following task.
We need to encrypt a bulk of data.
The biggest table to encrypt has 545,155,800 rows, and on the test system (not production) encryption took 58:07:34.32. We do not have this time, only 6 hours in the maintenance window.
Can you suggest what Oracle functionality to use to resolve our issue?
Maybe a step-by-step script?
Any suggestions at all :)

Is there a reason that the entire encryption process needs to happen during the downtime window?
My bias would be to create a new table in which the column is encrypted (assuming that encrypting the column rather than encrypting the tablespace is the right decision) and then copy the data from the old table to the new table while the system is active. You'll need some way of either tracking changes or identifying changed rows. If you have a column that tracks when a row was modified, you could probably use that. Or you could use one of the various change detection technologies Oracle provides (CDC, Streams, etc.). Or you could let the DBMS_REDEFINITION package handle tracking changes via materialized view logs. During your downtime window, you would then just need to copy whatever data still needs to be copied to the new table (presumably a handful of rows) and do whatever DDL is necessary to drop the old table and rename the new table, recreate any foreign key constraints, etc.
Justin
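
One way to carry out the DBMS_REDEFINITION route suggested above, as an added example that is not part of the original thread. The schema APP, the table BIG_TABLE with a primary key on ID, its columns, and the interim table name are assumptions, and the TDE wallet is assumed to be open already.

```sql
-- Assumed names (not from the thread): schema APP, table BIG_TABLE with a
-- primary key on ID, sensitive column CARD_NO, interim table BIG_TABLE_ENC.

-- 1. Confirm the table can be redefined online by primary key.
--    Raises an error if it cannot.
BEGIN
  DBMS_REDEFINITION.CAN_REDEF_TABLE(
    uname        => 'APP',
    tname        => 'BIG_TABLE',
    options_flag => DBMS_REDEFINITION.CONS_USE_PK);
END;
/

-- 2. Interim table: same columns, sensitive column declared ENCRYPT.
--    No constraints here; they are cloned from the original in step 4.
CREATE TABLE app.big_table_enc (
  id       NUMBER,
  card_no  VARCHAR2(19) ENCRYPT USING 'AES256',
  created  DATE
);

-- 3. Start the redefinition while the system is live. This does the bulk
--    copy (the multi-hour part) and creates a materialized view log on
--    BIG_TABLE that records changes made in the meantime.
BEGIN
  DBMS_REDEFINITION.START_REDEF_TABLE(
    uname        => 'APP',
    orig_table   => 'BIG_TABLE',
    int_table    => 'BIG_TABLE_ENC',
    options_flag => DBMS_REDEFINITION.CONS_USE_PK);
END;
/

-- 4. Clone indexes, triggers, constraints and grants onto the interim table.
DECLARE
  l_errors PLS_INTEGER;
BEGIN
  DBMS_REDEFINITION.COPY_TABLE_DEPENDENTS(
    uname            => 'APP',
    orig_table       => 'BIG_TABLE',
    int_table        => 'BIG_TABLE_ENC',
    copy_indexes     => DBMS_REDEFINITION.CONS_ORIG_PARAMS,
    copy_triggers    => TRUE,
    copy_constraints => TRUE,
    copy_privileges  => TRUE,
    ignore_errors    => FALSE,
    num_errors       => l_errors);
  DBMS_OUTPUT.PUT_LINE('dependent-object errors: ' || l_errors);
END;
/

-- 5. Run as often as needed before the window to apply logged changes,
--    so that little is left to copy at cut-over.
BEGIN
  DBMS_REDEFINITION.SYNC_INTERIM_TABLE('APP', 'BIG_TABLE', 'BIG_TABLE_ENC');
END;
/

-- 6. Inside the maintenance window: final sync and swap of the two tables.
BEGIN
  DBMS_REDEFINITION.FINISH_REDEF_TABLE('APP', 'BIG_TABLE', 'BIG_TABLE_ENC');
END;
/

-- 7. Verify that the live table now carries the encrypted column.
SELECT table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns
WHERE  owner = 'APP' AND table_name = 'BIG_TABLE';

-- 8. After the swap the interim name holds the old plaintext rows.
--    PURGE keeps it out of the recycle bin; plaintext may still sit in
--    freed blocks of the datafile until they are overwritten.
DROP TABLE app.big_table_enc PURGE;
```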

Similar Messages

  • How to encrypt data with PublicKey???

    Hi, I need to know how I can encrypt data (in byte[ ]) with a PublicKey instance.... I'm using BouncyCastle....
    THANKS...
    Andres

    http://javaalmanac.com/egs/javax.crypto/pkg.html#Encrypting%20and%20Decrypting

  • Encrypt data with public key?

    I am trying to find a class that support encryption with PublicKey.
    In the class Signature there is a method "initSign" that takes a PrivateKey as argument, but that is used for signing certificates.
    What I am looking for is to make A encrypt some data with B's public key that B can decrypt with its private key... is there any class for this scenario?

    You might want to check out these, if you haven't already:
    http://java.sun.com/j2se/1.5.0/docs/guide/security/CryptoSpec.html
    http://java.sun.com/j2se/1.5.0/docs/guide/security/jce/JCERefGuide.html
    http://java.sun.com/j2se/1.5.0/docs/api/javax/crypto/package-summary.html
    http://java.sun.com/j2se/1.5.0/docs/api/javax/crypto/interfaces/package-summary.html
    http://java.sun.com/j2se/1.5.0/docs/api/javax/crypto/spec/package-summary.html

  • Listener Start Problem with TDE (Transparent Data Encryption)

    I am testing Transparent Data Encryption in Oracle 10g by using the following link
    http://oracle-base.com/articles/10g/TransparentDataEncryption_10gR2.php
    Before implementing TDE the listener was running fine, but after implementing TDE the listener was unable to start.
    Please check the steps which I followed.
    Step1-
    Specify the ENCRYPTION_WALLET_LOCATION parameter in the sqlnet.ora file. Now the SQLNET.ora file looks like the following:
    SQLNET.AUTHENTICATION_SERVICES= (NTS)
    NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
    ENCRYPTION_WALLET_LOCATION=
    (SOURCE=(METHOD=FILE)(METHOD_DATA=
    (DIRECTORY=D:\oracle\product\10.2.0\wallet\)))
    Please check the contents of the listener.ora file. I didn't make any configuration changes for the listener before or after implementing TDE.
    SID_LIST_LISTENER =
    (SID_LIST =
    (SID_DESC =
    (SID_NAME = PLSExtProc)
    (ORACLE_HOME = D:\oracle\product\10.2.0\db_1)
    (PROGRAM = extproc)
    LISTENER =
    (DESCRIPTION_LIST =
    (DESCRIPTION =
    (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
    (ADDRESS = (PROTOCOL = TCP)(HOST = shakeel-pc.lhr.inov8.com.pk)(PORT = 1521))
    Step2-
    CONN sys/password AS SYSDBA
    ALTER SYSTEM SET ENCRYPTION KEY AUTHENTICATED BY "myPassword";
    TDE was implemented successfully.
    But when I try to stop/start the listener:
    C:\>lsnrctl status
    LSNRCTL for 32-bit Windows: Version 10.2.0.1.0 - Production on 06-JUN-2008 05:44:30
    Copyright (c) 1991, 2005, Oracle. All rights reserved.
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1)))
    STATUS of the LISTENER
    Alias LISTENER
    Version TNSLSNR for 32-bit Windows: Version 10.2.0.1.0 - Production
    Start Date 05-JUN-2008 22:40:14
    Uptime 0 days 7 hr. 4 min. 16 sec
    Trace Level off
    Security ON: Local OS Authentication
    SNMP OFF
    Listener Parameter File D:\oracle\product\10.2.0\db_1\network\admin\listener.ora
    Listener Log File D:\oracle\product\10.2.0\db_1\network\log\listener.log
    Listening Endpoints Summary...
    (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1ipc)))
    (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=shakeel-pc.lhr.inov8.com.pk)(PORT=1521)))
    Services Summary...
    Service "PLSExtProc" has 1 instance(s).
    Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
    Service "orcl" has 1 instance(s).
    Instance "orcl", status READY, has 1 handler(s) for this service...
    Service "orclXDB" has 1 instance(s).
    Instance "orcl", status READY, has 1 handler(s) for this service...
    Service "orcl_XPT" has 1 instance(s).
    Instance "orcl", status READY, has 1 handler(s) for this service...
    The command completed successfully
    C:\>lsnrctl stop
    LSNRCTL for 32-bit Windows: Version 10.2.0.1.0 - Production on 06-JUN-2008 05:44:35
    Copyright (c) 1991, 2005, Oracle. All rights reserved.
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1)))
    The command completed successfully
    C:\>lsnrctl start
    LSNRCTL for 32-bit Windows: Version 10.2.0.1.0 - Production on 06-JUN-2008 05:44:40
    Copyright (c) 1991, 2005, Oracle. All rights reserved.
    Starting tnslsnr: please wait...
    TNSLSNR for 32-bit Windows: Version 10.2.0.1.0 - Production
    System parameter file is D:\oracle\product\10.2.0\db_1\network\admin\listener.ora
    Log messages written to D:\oracle\product\10.2.0\db_1\network\log\listener.log
    Error listening on: (ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PARTIAL=yes)(QUEUESIZE=1))
    No longer listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1ipc)))
    TNS-12560: TNS:protocol adapter error
    TNS-00583: Valid node checking: unable to parse configuration parameters
    Listener failed to start. See the error message(s) above...
    To start the listener I have to close the wallet as follows:
    1- SQL>conn sys as sysdba
    ALTER SYSTEM SET WALLET CLOSE;
    2- Restore the SQLNET.ora file to its previous state; now SQLNET.ora contains
    SQLNET.AUTHENTICATION_SERVICES= (NTS)
    NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
    Now if I start the listener, it starts successfully.
    Please suggest why the listener does not start with TDE.

    I have the same problem. I'm testing TDE using Oracle 11gR1. After setting the parameter encryption_wallet_location and restarting the listener, the listener failed to start. The error is exactly the same:
    TNS-12560: TNS:protocol adapter error
    TNS-00583: Valid node checking: unable to parse configuration parameters
    By removing the parameter encryption_wallet_location, the listener can be started successfully.
    Can anyone help?

  • Noob with TDE encryption problem

    I'm not a SQL guy, but I was tasked with creating a TDE instance on a dev server a few months ago.
    I created the new instance and ran
    USE master;
    GO
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'asdfasdfasdfare23rfyf89werf9fer8c9c8wer9ch89ch9sds';
    go
    CREATE CERTIFICATE MyServerCertificate WITH SUBJECT = 'My Certificate';
    go
    USE MyDatabaseName;
    GO
    CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_128 ENCRYPTION BY SERVER CERTIFICATE MyServerCertificate;
    GO
    ALTER DATABASE [MyDatabaseName] SET ENCRYPTION ON;
    GO
    --Warning: The certificate used for encrypting the database encryption key has not been backed up. You should immediately back up the certificate and the private key associated with the certificate. If the certificate ever becomes unavailable or if you must restore or attach the database on another server, you must have backups of both the certificate and the private key or you will not be able to open the database.
    OPEN MASTER KEY DECRYPTION BY PASSWORD = '23987hxJKL969#ghf0%94467GRkjg5k3fd117r$$#1946kcj$n44nhdlj'
    BACKUP MASTER KEY TO FILE = 'C:\Projects\SQL\My_Exported_MasterKey'
    ENCRYPTION BY PASSWORD = 'ThisIsMyPa55word!';
    GO
    Everything went fine, the db is encrypted. I've since been told that we're going to move the db to production, and I'm unable to find the certificate or key.
    What can I do?

    So, given my original example, for
    ENCRYPTION BY PASSWORD =
    I'm using
    'asdfasdfasdfare23rfyf89werf9fer8c9c8wer9ch89ch9sds'
    correct?
    And for
    FILE = 'C:\Projects\SQL\My_Exported_MasterKey'
    If this is the case, it's a problem. I'm not seeing anything in
    C:\Projects\SQL\
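
The warning quoted in the post above asks for a backup of the certificate and its private key, which is a different object from the master key backup the script takes. The following T-SQL is an added example, not part of the original thread, showing how to check and take that backup while the source instance still exists; the output file names and the placeholder passwords are assumptions.

```sql
-- Run on the instance that currently hosts the encrypted database.
USE master;
GO

-- Which certificate protects each database encryption key, and has its
-- private key ever been backed up? (encryption_state 3 = encrypted;
-- a NULL pvt_key_last_backup_date means no private key backup exists.)
SELECT DB_NAME(dek.database_id)   AS database_name,
       dek.encryption_state,
       c.name                     AS certificate_name,
       c.expiry_date,
       c.pvt_key_last_backup_date
FROM   sys.dm_database_encryption_keys AS dek
JOIN   sys.certificates AS c
       ON c.thumbprint = dek.encryptor_thumbprint;
GO

-- Export the certificate and its private key. File names are assumed;
-- the password is a placeholder and should be stored apart from the files.
BACKUP CERTIFICATE MyServerCertificate
TO FILE = 'C:\Projects\SQL\MyServerCertificate.cer'
WITH PRIVATE KEY (
    FILE = 'C:\Projects\SQL\MyServerCertificate.pvk',
    ENCRYPTION BY PASSWORD = '<placeholder: private key file password>'
);
GO

-- On the destination (production) instance, before restoring or attaching
-- the database: create a master key there, then import the certificate.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder: new master key password>';
GO
CREATE CERTIFICATE MyServerCertificate
FROM FILE = 'C:\Projects\SQL\MyServerCertificate.cer'
WITH PRIVATE KEY (
    FILE = 'C:\Projects\SQL\MyServerCertificate.pvk',
    DECRYPTION BY PASSWORD = '<placeholder: private key file password>'
);
GO
```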

  • Encrypt data over the wire with oracle client?

    Can the Oracle Client encrypt data over the wire? If I have an Oracle 10g R2 server that is outside of my department's firewall, what is the best way to ensure that none of our data is going across the network in the clear? Thanks.

    Why don't you use a VPN?
    If that is for some reason or other not a good idea, and you still need a solution: we have a tool to redirect TCP connections, which is able to encrypt the connection. Just mail to [email protected]
    Best Regards
    Artur Södler

  • Send encrypted data from oracle 11g to Ms SQL Server 12

    Hi everybody,
    We want to send encrypted data from Oracle 11g to MS SQL Server 12:
    - data are encrypted in Oracle
    - data should be sent encrypted to MS SQL Server
    - data will be decrypted in MS SQL Server by sensitive users.
    How can we do this scenario? Has anyone come across a similar scenario?
    Can we use asymmetric encryption to do this scenario?
    Please help!!
    Thanks in advance.

    Hi,
      What you want to do about copying data from Oracle to SQL*Server using insert will work with the 12c gateway.  There was a problem trying to do this using the 11.2 gateway but it should be fixed with the 12c gateway.
    If 'insert' doesn't work then you can use the SQLPLUS 'copy' command, for example -
    SQL> COPY FROM SCOTT/TIGER@ORACLEDB -
    INSERT SCOTT.EMP@MSQL -
    USING SELECT * FROM EMP
    There is further information in this note available on My Oracle Support -
    Copying Data Between an Oracle Database and Non-Oracle Foreign Data Stores or Databases Using Gateways (Doc ID 171790.1)
    However, if the data is encrypted already in the Oracle database then it will be sent in the encrypted format. The gateway cannot decrypt the data before it is sent to SQL*Server.
    There is no specific documentation about the gateways and TDE.  TDE encrypts the data as it is in the Oracle database but I doubt that SQL*Server will be able to de-encrypt the Oracle data if it is passed in encrypted format and as far as I know it is not designed to be used for non-Oracle databases.
    The Gateway encrypts data as it is sent across the network for security but doesn't encrypt the data at source in the same way as TDE does.
    Regards,
    Mike

  • Encrypting data and using a function

    I am using dbms_obfuscation_toolkit.DESEncrypt
    This is a procedure, so if I need to encrypt data, I have to do it row by row. I actually need to update records to make them encrypted, so it's
    cursor
    run encrypt procedure
    update
    This is really slow.
    Is there anything that is a function so I can use it directly in an update clause? Anything faster?

    With a row by row approach there is no other way, you will have to encrypt one by one if this isn't already encrypted. Since you are on 10gR2, you could consider using TDE (Transparent Data Encryption).
    Now you said you want to pull it from production, does it mean that the data will live unencrypted, then in order for you to transport it, do you have to encrypt and then decrypt it? TDE could be a solution, using it along with backup techniques too.
    ~ Madrid
    http://hrivera99.blogspot.com/

  • EFS, password change denies access to encrypted data

    Hi,
    Has anyone had the issue with admin changing users password in Console One
    resulting in users not being able to access their encrypted data.
    Laptop users are using EFS to encrypt their data.
    These users have WinXPPro SP2 and we are running ZfD 6.5SP2.
    I have found IR 1 for ZfD 6.5 SP2 which includes TID3003874 "Personal IE
    certificates and EFS stop working after password change" however this does
    not fix the issue.
    Could someone explain in more detail what this fix does as I may have
    misunderstood what this fix is.
    Regards,
    Eric.

    I know this is an old thread, but I thought it would be best if those who
    found it realized that the best method for addressing this issue may be
    found here:
    http://www.novell.com/support/viewCo...rnalId=3724689
    However the MS article could still be useful for some.
    Craig Wilson - MCNE, MCSE, CCNA
    Novell Support Forums Volunteer Sysop
    Novell does not officially monitor these forums.
    Suggestions/Opinions/Statements made by me are solely my own.
    These thoughts may not be shared by either Novell or any rational human.
    "ghoskins" <[email protected]> wrote in message
    news:[email protected]..
    >
    > I'm having the same problem. I ran across this Microsoft KB and it
    > seems to fix the issue. I'm not certain this is the best security
    > practices, but it does work.
    >
    > 'User cannot gain access to certificate functionality after password
    > change or when using a roaming profile'
    > (http://support.microsoft.com/default...b;en-us;331333)
    >
    >
    > --
    > ghoskins
    > ------------------------------------------------------------------------
    > ghoskins's Profile: http://forums.novell.com/member.php?userid=12306
    > View this thread: http://forums.novell.com/showthread.php?t=215857
    >

  • What happens to encrypted data when the server is destroyed?

    Backups to tape are encrypted with a certificate. 
    But what happens if the backup server is destroyed? Do I lose all the backup data on those tapes?
    Can I backup the certificate or is it specific to that specific DPM server?
    In the case of a catastrophic datacenter failure, where everything is lost except the tapes and the certificate, what is the process for recovering the encrypted data?

    You can absolutely backup the certificates used for DPM encryption and you should store those somewhere safe (for example, burn to CD and put in a fireproof safe offsite somewhere secure in an encrypted file).
    This section of TechNet describes the process: http://technet.microsoft.com/en-us/library/jj628058.aspx
    If you had to recreate a DPM server to read the tapes then you'd need the certificates in the correct certificate store on the DPM server; in addition you'd need to ensure you had the certificates for the certificate chain, if there is one, in the correct locations in the cert store.
    Once a cert expires, do not delete it from the DPM until all the tapes that have used that cert are no longer in use or have been overwritten.
    The data would need to be imported through the recovery section in DPM but you'd be able to read and recover the data if the certs were present. No cert = no recovery.

  • Encrypting Data on part of a file system.

    A few months ago, using hints I found on the internet, I was able to use the diskutil command line utility to create an encrypted partition of the same sort as when turning FileVault on in Security Preferences. FileVault does not appear to offer a way to choose some part of the disk storage, such as an entire drive or a folder on a drive. I was able to do it and it worked. When I mount the disk partition to the system (usually by plugging it in and turning it on), I'm asked for the security passphrase or key to decrypt it. Once mounted with the key supplied, I can access it as any other mounted disk with the type of access restrictions that might be present on any disk. Since I want the data to be truly private, I decline to put the key into a known place such as the keychain. I don't want just anyone who has a logon to this iMac to be able to read this data. I want them to need to enter a private key to mount the data.
    My only problem with this is the hoops I needed to go through to do this. It is complicated and involves setting up special partitions for the purpose.
    Searching Finder help for encrypting data, it offered a solution for data on a removable drive. The steps are very simple and easy to do:
        a) Mount the files to be encrypted if they are not online. They also need to be in a folder or even an entire partition.
        b) Open Disk Utility (GUI version).
        c) Choose File > New > Disk Image From Folder (or New > Disk Image from a Device).
        d) Select the folder or disk you want to encrypt.
        e) A save dialog will pop up. Select the name of the archive you wish to create and select a location. I choose a removable disk partition which has enough space. Select Compressed if you wish. Then select Encryption and choose the key size for encryption from the drop-down. When you click Save, Disk Utility begins creating a disk image that is (possibly) compressed and probably encrypted. Once done, the files in the folder or partition are hidden behind the encryption. To get to them, you must open the DMG file and supply the password to unlock the encryption. You can save the key in the keychain if you are not worried about who can get in. If you wish to restrict access to fewer people, keep the key secret and provide a recovery mechanism that is suitable for your need.
        f) Once the archive is created, the disk partition containing it may be mounted on the system (if it is not there already), and by opening the dmg file you will be asked for the key. The system will validate that the key works and that the encryption and compression are working. The archive will be mounted as a virtual disk. It can be accessed by any user of that computer unless the file permissions get in the way. Mounting it only when the computer is being used by authorized people allows you to mount and dismount the archive for use during a limited time.
    I have a couple of questions here.  Is there an easier way to do this?  Is this encryption as strong as that used in FileVault? 

    No. I don't know why it would not be, except it is easier for a person to leave the disk mounted where anyone can then see it. With FileVault forcing a password on wake from sleep, it will likely be encrypted if anyone found it.
    I'm not sure why you went to the trouble you did before, except the instructions might have been to create an encrypted partition as opposed to creating the disk image. Disk images have been around for at least a decade.
    If you plan on backing up the image with Time Machine, use a sparse bundle disk image as it will write the data to small files, called stripes. Only the stripes that change get backed up instead of the entire image.

  • How to handle HTTP-POST encrypted data for ECC Using proxy or RFC

    I have a scenario HTTP-POST -> PI -> ECC. The sender is HTTP POST and sends encrypted data. I need to handle the data and store it in SAP ECC without decrypting it in PI. What should I use for the receiver: can I use an inbound proxy or RFC, and how can I handle the encrypted data for decryption?
    Regards
    Ravi

    1. My sender is HTTP POST. What should I configure in the sender communication channel in SAP PI, SOAP or HTTP? What are the parameters I need to pass?
    >>>
    If you are on PI 7.3 and above, configure the HTTP AAE adapter - Configuring the Java HTTP Adapter on the Sender Channel - Advanced Adapter Engine - SAP Library
    2. While using an inbound proxy for encrypted data I need to store the data in a table. Can the same proxy call another outbound service to decrypt the same data?
    >>>>
    Yes, you can always call a proxy within a proxy.

  • Insert an encrypt data in a Table

    Hi all,
    I have encrypted data with HmacMD5, and all is fine. But when I tried to insert the encrypted data in my table, the hash code may return symbols like �?��Z��x��. Then when I do a select, the data has been corrupted. How can I encrypt into standard symbols (like MySQL passwords)? Here is my code:
                KeyGenerator kg = KeyGenerator.getInstance("HmacMD5");
                SecretKey sk = kg.generateKey();
                // Get instance of Mac object implementing HMAC-MD5, and
                // initialize it with the above secret key
                Mac mac = Mac.getInstance("HmacMD5");
                mac.init(sk);
                byte[] result = mac.doFinal(dirMAC.getBytes());
                String macenc=new String(result);
                String x = "jdbc:mysql://localhost/"+
                        "mydatabase?user="+user+"&password="+
                        pass;
                Class.forName("com.mysql.jdbc.Driver").newInstance();
                conn = DriverManager.getConnection(x);
                conn.createStatement().executeUpdate("insert into user " +
                        "(User,Password) values('system','"+myPass+"')");
                java.sql.ResultSet rs=conn.createStatement().executeQuery("select password "+
                         "from " +"user where user ='system' ");
                rs.next();
                if((rs.getString(1).equals(macenc))) {
                    System.out.println(rs.getString(1)+" YES "+macenc);
                } else {
                    System.out.println(rs.getString(1)+" NO "+macenc);
                }
    Output: NO. And sometimes, when the hash has a (') character, query not found.
    thanks.

    This is most probably the offending line
    String macenc=new String(result);
    It is never a good idea to try to convert arbitrary bytes into a String using this approach. Not all byte sequences have valid char representation. If you must have a String representation use Base64 or Hex encoding of your Hmac. Google for Jakarta Commons Codec to get a library to assist you with this.

  • Encrypt sensitive with password and calling sub pkgs

    Hi, we run 2012 Enterprise and are introducing a DB2 connection that "allows saving password".
    We run from the file system (not the catalog) and face a challenge.
    The default prot level on the SUB PACKAGE that has the DB2 connection (the only such connection right now) prevents our prod credentials from making the connection because it's a different user than the one that created the sub pkg.
    Encrypt sensitive with password seems a more strategic alternative, but I don't know if the param (I think it's called "decrypt") on the dtexec command line that allows passing a password at run time applies to just the parent pkg or all subs also.
    I don't want to delay validation. I wouldn't even mind changing the XML connection string (by entering the pswd in whatever syntax is necessary) using Notepad, but I don't know what issues that will cause.
    I wouldn't mind having someone log on and "re" save the pkg using the credentials of our prod userid and choosing the default prot level instead.
    I also wonder, if none of the other pkgs (including master) have any sensitive data, can their prot level defaults be left alone?
    Can the community comment?

    If you are having sensitive info (passwords for conn strings etc) in our packages, the best way is to change the protection level to "encrypt sensitive with password" and then provide the password.
    When we schedule a job or exec the parent package, the child packages are called automatically.
    Thanks, hsbal

  • Export and Import encrypted data

    Hi,
    I have a database table with encrypted data (encrypted using DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt). I am having an issue when I export this table and import it into a new schema. The encrypted data seems to have changed after import. I am unable to decrypt it from the new schema.
    Below is the character set details from export/import.
    "Export done in WE8MSWIN1252 character set and AL16UTF16 NCHAR character set. Server uses WE8ISO8859P1 character set (possible charset conversion)."
    "Import done in WE8MSWIN1252 character set and AL16UTF16 NCHAR character set."
    Has anybody had this issue before? Does it have anything to do with the character set? If so, how do I fix it?
    Thank you!

    Hello,
    since this question is about using the export utility, you might better ask this in {forum:id=61} or {forum:id=732}.
    Regards
    Marcus
