Transparent Data Encryption clarification

Hello All,
http://www.oracle.com/technology/deploy/security/database-security/transparent-data-encryption/tde_faq.html#A12010
"Does the database memory (SGA) contain clear-text or encrypted data?
With column-level TDE, encrypted data remains encrypted inside the SGA, but with tablespace encryption, data is already decrypted in the SGA."
My doubt here is:
1. When a select query is issued, when and where does the decryption take place before the data comes into the SGA?
2. Is there any tool to dump the buffer cache in the SGA to find out whether the data is encrypted or not?
Please do help me.
Thanks in advance

AFAIK, TDE is for encrypting data on disk (so the database can't be stolen), not for encrypting data in the tables (I may be wrong there).
dbms_obfuscation is deprecated in 10g, so use dbms_crypto instead - it's much better.

Similar Messages

  • Listener Start Problem with TDE (Transparent Data Encryption)

    I am testing Transparent Data Encryption in Oracle 10g by using the following link:
    http://oracle-base.com/articles/10g/TransparentDataEncryption_10gR2.php
    Before implementing TDE the listener was running fine, but after implementing TDE the listener was unable to start.
    Please check the steps which I followed.
    Step 1:
    Specify the ENCRYPTION_WALLET_LOCATION parameter in the sqlnet.ora file; now the sqlnet.ora file looks like the following:
    SQLNET.AUTHENTICATION_SERVICES= (NTS)
    NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
    ENCRYPTION_WALLET_LOCATION=
    (SOURCE=(METHOD=FILE)(METHOD_DATA=
    (DIRECTORY=D:\oracle\product\10.2.0\wallet\)))
    Please check the contents of the listener.ora file; I didn't make any configuration changes to the listener before or after implementing TDE:
    SID_LIST_LISTENER =
    (SID_LIST =
    (SID_DESC =
    (SID_NAME = PLSExtProc)
    (ORACLE_HOME = D:\oracle\product\10.2.0\db_1)
    (PROGRAM = extproc)
    LISTENER =
    (DESCRIPTION_LIST =
    (DESCRIPTION =
    (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
    (ADDRESS = (PROTOCOL = TCP)(HOST = shakeel-pc.lhr.inov8.com.pk)(PORT = 1521))
    Step 2:
    CONN sys/password AS SYSDBA
    ALTER SYSTEM SET ENCRYPTION KEY AUTHENTICATED BY "myPassword";
    TDE was implemented successfully.
    But when I try to stop/start the listener:
    C:\>lsnrctl status
    LSNRCTL for 32-bit Windows: Version 10.2.0.1.0 - Production on 06-JUN-2008 05:44:30
    Copyright (c) 1991, 2005, Oracle. All rights reserved.
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1)))
    STATUS of the LISTENER
    Alias LISTENER
    Version TNSLSNR for 32-bit Windows: Version 10.2.0.1.0 - Production
    Start Date 05-JUN-2008 22:40:14
    Uptime 0 days 7 hr. 4 min. 16 sec
    Trace Level off
    Security ON: Local OS Authentication
    SNMP OFF
    Listener Parameter File D:\oracle\product\10.2.0\db_1\network\admin\listener.ora
    Listener Log File D:\oracle\product\10.2.0\db_1\network\log\listener.log
    Listening Endpoints Summary...
    (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1ipc)))
    (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=shakeel-pc.lhr.inov8.com.pk)(PORT=1521)))
    Services Summary...
    Service "PLSExtProc" has 1 instance(s).
    Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
    Service "orcl" has 1 instance(s).
    Instance "orcl", status READY, has 1 handler(s) for this service...
    Service "orclXDB" has 1 instance(s).
    Instance "orcl", status READY, has 1 handler(s) for this service...
    Service "orcl_XPT" has 1 instance(s).
    Instance "orcl", status READY, has 1 handler(s) for this service...
    The command completed successfully
    C:\>lsnrctl stop
    LSNRCTL for 32-bit Windows: Version 10.2.0.1.0 - Production on 06-JUN-2008 05:44:35
    Copyright (c) 1991, 2005, Oracle. All rights reserved.
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1)))
    The command completed successfully
    C:\>lsnrctl start
    LSNRCTL for 32-bit Windows: Version 10.2.0.1.0 - Production on 06-JUN-2008 05:44:40
    Copyright (c) 1991, 2005, Oracle. All rights reserved.
    Starting tnslsnr: please wait...
    TNSLSNR for 32-bit Windows: Version 10.2.0.1.0 - Production
    System parameter file is D:\oracle\product\10.2.0\db_1\network\admin\listener.ora
    Log messages written to D:\oracle\product\10.2.0\db_1\network\log\listener.log
    Error listening on: (ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PARTIAL=yes)(QUEUESIZE=1))
    No longer listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1ipc)))
    TNS-12560: TNS:protocol adapter error
    TNS-00583: Valid node checking: unable to parse configuration parameters
    Listener failed to start. See the error message(s) above...
    To start the listener I have to close the wallet as follows:
    1- SQL>conn sys as sysdba
    ALTER SYSTEM SET WALLET CLOSE;
    2- Replace the sqlnet.ora file with the previous one; now sqlnet.ora contains
    SQLNET.AUTHENTICATION_SERVICES= (NTS)
    NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
    Now if I start the listener, it starts successfully.
    Please suggest why the listener does not start with TDE?

    I have the same problem. I'm testing TDE using Oracle 11gR1. After setting the parameter encryption_wallet_location and restarting the listener, the listener failed to start. The error is exactly the same:
    TNS-12560: TNS:protocol adapter error
    TNS-00583: Valid node checking: unable to parse configuration parameters
    By removing the parameter encryption_wallet_location, the listener can be started successfully.
    Can anyone help?

  • General review of Transparent Data Encryption (TDE) and performance of...

    I understand that the implementation of just about any database encryption solution is going to result in some degree of a performance hit, especially as searches are performed against the database, but nonetheless we are thinking about implementing the Oracle TDE solution and, as recommended, isolating encryption needs to ONLY the necessary columns of data - in our case, columns pertaining to private ANSWER (results) data and/or PII (Pers. Ident. Info.). This being said, is anyone else doing something similar with TDE, or does anyone have any pointers up front on what to look out for, what to expect, and how they are operating with TDE? (Just reaching out for some thoughts, insight, comments, and/or warnings)... Thank you very much. - Jason

    Yes, we have many customers using it, please check my updated TDE best practices paper; it has lots of hints and tricks and things to look out for:
    Available from http://www.oracle.com/technology/deploy/security/database-security/transparent-data-encryption/index.html (scroll down, please).
    Thanks, Peter

  • SQL Server Transparent Data encryption

    I have implemented TDE for the database and column-level encryption for sensitive data in tables. But the problem is that the data is entered through a front-end application; how could I encrypt this data when it is inserted from the front end, and how do I decrypt this data for the users when it is selected?
    Your suggestions are most valuable.
    Regards
    Rehaan Khan
    RehaanKhan. M

    Let me start with a solution that may have been overlooked, but it is good to make sure we cover it. Have you considered using column-level permissions? It may not be a complete solution for your particular scenario if you need to give access to the column for other reasons (after all, the group you are trying to restrict is probably developing applications on top of the column storing sensitive data) or if the developer group has permission to create objects that would render the sensitive data subject to ownership chains. For more information on column-permissions look at
    http://msdn.microsoft.com/en-us/library/ms186915.aspx
    Assuming permissions alone will not solve the problem. By using encryption you should be able to limit access to the sensitive data to the developers, but it will also require some changes to your schema & application. TDE (Transparent Data Encryption) will not help you in this scenario since you need to restrict access to the data and restricting access to the column is not sufficient.
    The following links may be useful to get you started with SQL Encryption capabilities:
    SQL Server Encryption (http://msdn.microsoft.com/en-us/library/bb510663.aspx)
    Data Encryption in SQL Server (http://msdn.microsoft.com/en-us/library/bb669072(v=vs.110).aspx)
    Encrypt a Column of data (http://msdn.microsoft.com/en-us/library/ms179331.aspx)
    Cryptographic Functions (T-SQL) (http://msdn.microsoft.com/en-us/library/ms173744.aspx)
    Older articles, but they may still be quite useful:
    Indexing encrypted Data (http://blogs.msdn.com/b/raulga/archive/2006/03/11/549754.aspx)
    SQL Server 2005: searching encrypted data (http://blogs.msdn.com/b/lcris/archive/2005/12/22/506931.aspx)
    One recommendation may be to encrypt the data using an AES key, and protect the key using one or more certificates (I would recommend using a separate certificate per individual if possible), making sure that only authorized people have access to the keys.
    Anyone else with access to the column, but not to the keys would not be able to decrypt the data.
    BTW. I would also recommend using SQL Auditing (http://msdn.microsoft.com/en-us/library/cc280386.aspx) in order to keep honest people honest, by monitoring access to the keys & to the sensitive data.
    I hope this information helps,
    -Raul Garcia
    SQL Server Security
    This posting is provided "AS IS" with no warranties, and confers no rights.
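    The key-protected-by-certificate design Raul describes, written out as an added T-SQL example (not part of his reply). Database, object and login names, the sample SSN and the audit path are all assumed for illustration.

```sql
-- Constructed example: an AES data key protected by a certificate, plus auditing.
-- All names (SensitiveDB, PiiCert, PiiKey, dbo.Customer, app_user, dev_user,
-- the audit path) and the sample value are assumed for illustration.
USE SensitiveDB;
GO
-- 1. Database master key; it protects the certificate's private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password>';
GO
-- 2. One certificate per person or role that is allowed to decrypt.
CREATE CERTIFICATE PiiCert WITH SUBJECT = 'Access to customer PII columns';
GO
-- 3. AES-256 data key, protected by the certificate rather than by a password.
CREATE SYMMETRIC KEY PiiKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE PiiCert;
GO
CREATE TABLE dbo.Customer (
    CustomerId int IDENTITY PRIMARY KEY,
    Name       nvarchar(100) NOT NULL,
    Ssn_enc    varbinary(256) NOT NULL   -- ciphertext only, never plaintext
);
GO
-- 4. Write path: open the key, encrypt, close the key.
OPEN SYMMETRIC KEY PiiKey DECRYPTION BY CERTIFICATE PiiCert;
INSERT INTO dbo.Customer (Name, Ssn_enc)
VALUES (N'Jane Doe', EncryptByKey(Key_GUID('PiiKey'), N'123-45-6789'));  -- constructed value
CLOSE SYMMETRIC KEY PiiKey;
GO
-- 5. Read path: DecryptByKey returns NULL unless the key is open, and only a
--    principal with CONTROL on the certificate can open it.
OPEN SYMMETRIC KEY PiiKey DECRYPTION BY CERTIFICATE PiiCert;
SELECT Name, CONVERT(nvarchar(20), DecryptByKey(Ssn_enc)) AS Ssn
FROM dbo.Customer;
CLOSE SYMMETRIC KEY PiiKey;
GO
-- 6. Both roles may SELECT the column; only app_user may use the key, so
--    dev_user sees ciphertext (or NULL from DecryptByKey) and nothing more.
GRANT SELECT ON dbo.Customer TO dev_user;
GRANT SELECT ON dbo.Customer TO app_user;
GRANT VIEW DEFINITION ON SYMMETRIC KEY::PiiKey TO app_user;
GRANT CONTROL ON CERTIFICATE::PiiCert TO app_user;
GO
-- 7. Audit reads of the table and access to key objects (server audits are
--    created in master; the database audit specification in the user database).
USE master;
GO
CREATE SERVER AUDIT PiiAudit TO FILE (FILEPATH = 'D:\audit\');
ALTER SERVER AUDIT PiiAudit WITH (STATE = ON);
GO
USE SensitiveDB;
GO
CREATE DATABASE AUDIT SPECIFICATION PiiAuditSpec
    FOR SERVER AUDIT PiiAudit
    ADD (SELECT ON OBJECT::dbo.Customer BY public),
    ADD (DATABASE_OBJECT_ACCESS_GROUP)
    WITH (STATE = ON);
GO
```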

  • Transparent Data Encryption Configuration

    Hi,
    I want to configure Transparent Data Encryption on a Database which is protected with Database Vault.
    Is there any document which talks about the integration of Database Vault with Transparent Data Encryption.
    I want to create a common security administrator user (other than sys/system users) for Transparent Data Encryption configuration.
    If I create a new administrator from the Enterprise Manager console I get the following error:
    SQL Error ORA-47401: Realm violation for grant system privilege on SELECT ANY DICTIONARY. ORA-06512: at "SYSMAN.MGMT_USER", line 9316 ORA-06512
    How to avoid this error.
    Any pointers on this is appreciated.
    Thanks & regards,
    Srikanth

    Turning off DBVault is not needed to turn on TDE ... the DB user who wants to manage the DB through Enterprise Manager, needs to have the SELECT ANY DICTIONARY privilege (I think I remember this is done by logging into EM (not DVA) as DBV_OWNER, or DV_ACCT_MNGR if you have configured one).
    If then the creation of the wallet fails, make the user an OWNER of the DATA DICTIONARY realm in DBVault. Note that the directory that you plan to use to store the wallet needs to exist before you create the wallet and master key for TDE.
    Peter
    Edited by: Peter Wahl on 03.07.2010 02:20

  • Transparent Data Encryption vs. OS level encryption

    Can someone help me by posting a few URLs to read about Oracle's Transparent Data Encryption vs. OS-level encryption (Win 2003 server)? We are trying to choose an option and go with it. I'm looking for a comparative analysis doc (Oracle 10.2.0.2 on MS Win 2003 Server), or if you can give me pros and cons for each of those options.
    Many thanks in advance,
    Dejan

    http://www.oracle.com/technology/deploy/security/database-security/transparent-data-encryption/index.html

  • Does oracle 10.1 support transparent data encryption?

    Hi,
    does Oracle Release 10.1.0.3.0 support Transparent Data Encryption?
    If not, what can I use instead?
    Thanks

    According to http://download-uk.oracle.com/docs/cd/B14117_01/network.101/b10772/asoconfg.htm ,
    data encryption is supported for Oracle Net services in release 10.1.

  • Transparent Data Encryption vs. DBMS_CRYPTO

    Which provides more security, Transparent Data Encryption or DBMS_CRYPTO?

    The security protection is, for all essential purposes, identical.
    TDE automates encryption at the column level (10g) and dbms_crypto is used by PL/SQL.

  • Regarding Transparent Data Encryption.

    I am using Oracle 10g Release 10.1.0.2.0.
    I issue the following command connected as the "SYS" user:
    ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY Welcome1;
    But it gives me the error
    ORA-02065: Illegal option for ALTER SYSTEM
    Please advise.
    Regards

    I am using the Win2000 Professional O/S.
    I have created a new wallet from Oracle Wallet Manager. I saved the wallet at C:\WALLET. This folder contains only one file, named "ewallet".
    Now I reference this in the sqlnet.ora file:
    ENCRYPTION_WALLET_LOCATION =
    (SOURCE=
    (METHOD=file)
    (METHOD_DATA=
    (DIRECTORY=c:\wallet)))
    After that, when I run this command it still gives the same error:
    alter system set encryption key authenticated by "welcome";
    ORA-02065: Illegal option for ALTER SYSTEM

  • PKCS#11 HSM support for Transparent Data Encryption

    Hi,
    I'm trying to get a PKCS#11 HSM working with TDE with little luck.
    I have installed Oracle 11gR1 (recent release version) on a Linux VM running Red Hat Application Server 4. The sqlnet.ora file contains
    ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM))
    and the PKCS#11 implementation dll exists at
    /opt/oracle/extapi/32/hsm/RSA/1.8.0/libp11s.so
    as per the documentation.
    In sqlplus, after starting the DB, I issue the command
    ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "user:1234";
    but this fails with
    ERROR at line 1: ORA-28353: failed to open wallet.
    and it appears the PKCS#11 dll is never even loaded.
    TDE works fine when I use a local wallet (P12)
    Is there anything else I need to do to get a PKCS#11 HSM to be used to store the TDE master key? Also, why does a username have to be specified, when PKCS#11 only requires a slot number and PIN. How does oracle know which PKCS#11 driver to load if there are multiple under /opt/oracle/extapi/32/hsm/... ?
    Thanks very much,
    Owen Roberts

    Thanks.
    For the sake of the record, I fixed this by specifying METHOD_DATA and DIRECTORY in sqlnet.ora, as in
    ENCRYPTION_WALLET_LOCATION=
    (SOURCE=(METHOD=HSM)(METHOD_DATA=
    (DIRECTORY=/app/oracle/admin/SID1/wallet)))
    where the directory exists, as opposed to just
    ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM))
    as it says in the doco...
    I have a new issue, which I'll start a new thread for.

  • Need suggestion for data encryption

    Hello Experts,
    I need your expert opinion on a data encryption method. We have a legal compliance requirement to implement data encryption as listed below; let's say we have to apply encryption on 2 tables, (1) TAB_A and (2) TAB_B.
    (1) Need data encryption on TAB_A & TAB_B for 2-3 columns and not the entire table.
    (2) Data should not be in readable format if anyone connects to the database and queries the table.
    (3) We have reporting services on our tables but reporting services doesn't connect to our schema directly rather they connect to a different schema to which we have given the table Select grant.
    (4) Reports should work as it is, and users should see the data in readable format only.
    (5) There are batch processes which generates the data into these tables and we are not allowed to make any changes to these batch processes.
    This is a business need which has to be delivered. I explored various options such as VPDs, data encryption methods etc., but honestly none of these are serving our business need. There is also a limitation on encrypting data as the data volume is quite high (30TB DB) and generally users query millions of records at a time. Also reports have very tight SLAs. If we create any encryption wrapper then decryption will take longer in reports and will cause the SLA miss for reports.
    Could someone please suggest any better solution to me or if something is inbuilt in Oracle? We are using Oracle 11g.
    Regds,
    Amit.

    you can read about Transparent Data Encryption
    Check
    http://docs.oracle.com/cd/B28359_01/network.111/b28530/asotrans.htm

  • How to determine if Transparent Data Encyption was installed

    Hello -
    How can I determine if Transparent Data Encryption was installed on a 10.2.0.3 instance?
    Thanks!

    It is installed, but you have to enable it as described in the doc:
    http://download-uk.oracle.com/docs/cd/B19306_01/network.102/b14268/asotrans.htm#sthref183

  • Transparent Data Encryption

    Hi all,
    Is the Transparent Data Encryption method available in Oracle 10g release 1?
    In release 2 I am able to do TDE with Wallet Manager, but it is not possible to do in Oracle 10g release 1, and I am able to find dba_encrypted_columns in this release. Kindly guide me: is there any script or method to be used in order to configure it manually?

    Hi,
    Its purpose is to copy (load) a source schema into a target schema.
    Suppose that you execute the following Export and Import commands to remap the hr schema into the scott schema:
    expdp SYSTEM/password SCHEMAS=hr DIRECTORY=dpump_dir1 DUMPFILE=hr.dmp
    impdp SYSTEM/password DIRECTORY=dpump_dir1 DUMPFILE=hr.dmp REMAP_SCHEMA=hr:scott
    In this example, if user scott already exists before the import, then the Import REMAP_SCHEMA command will add objects from the hr schema into the existing scott schema. You can connect to the scott schema after the import by using the existing password (without resetting it).
    If user scott does not exist before you execute the import operation, Import automatically creates it with an unusable password. This is possible because the dump file, hr.dmp, was created by SYSTEM, which has the privileges necessary to create a dump file that contains the metadata needed to create a schema. However, you cannot connect to scott on completion of the import, unless you reset the password for scott on the target database after the import completes.
    You can map different source schemas to the same target schema.
    Thanks
    Pavan Kumar N

  • About Network Data Encryption

    Hi,
    I have an Oracle 10g database. I'm configuring Advanced Security, and I would like to know if it's possible to configure the server so that it refuses connections which do not have configured the encryption option that I have defined on the server.
    For example, on the server the sqlnet.ora contains this:
    sqlnet.crypto_seed="dsdfrpdstrpgrmmpbmprthmtpommbmptbmpotpre"
    sqlnet.encryption_client = required
    sqlnet.encryption_types_client = (RC4_40)
    but if the client has nothing defined in its sqlnet.ora, it can still connect to the database.
    Can someone help me?
    Thanks in advance,
    Fernando.

    Roger22 wrote:
    Ok, thanks for the reply.
    And one more question:
    If I have
    alter system set encryption key authenticated by "ImOracle";
    then is the encryption key ImOracle, like the password for the wallet too? Is the password for the wallet ImOracle too?
    I found this here: http://oracleflash.com/26/Oracle-10g-Transparent-Data-Encryption-examples.html
    (This creates a wallet at the location defined in the sqlnet.ora, sets the password for the wallet for TDE to retrieve the master key for encryption of table keys used to encrypt values in the tables.)

    First of all, try to stick with the official Oracle documentation website, http://tahiti.oracle.com . Now, the encryption key is the key that is used to encrypt the data of the columns. The above command is setting the master key for the column encryption. Please see
    http://download.oracle.com/docs/cd/E11882_01/network.112/e10746/asotrans.htm#ASOAG9525
    For the wallet, you set up a password when you set up the wallet using the Oracle Wallet Manager, so that should have prompted you for a password.
    HTH
    Aman....

  • Data Encryption

    Hello.
    Although I read the docs about Transparent Data Encryption, Data Vault and some encryption packages, I couldn't find any info about how to encrypt data in tables so that when someone runs
    SELECT username FROM sometable
    on the encrypted table, where username is varchar2, he gets encrypted data, something like:
    username
    Ab34SferT
    ....
    Also it would be great if I could use a WHERE clause on the encrypted column in the query above using the non-encrypted data format, something like:
    SELECT username FROM sometable WHERE username='JONES'
    and to get:
    username
    Ab34SferT
    If I could achieve this somehow, please explain to me how.
    Thank You.

    Thank you damorgan, i was guessing dbms_crypto will do the trick.
    Also, does anyone have some good example doc about using dbms_crypto ?
    I searched the web but have found nothing containing explanation with good examples.
    Toni.
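    An added DBMS_CRYPTO example (not from the thread or from damorgan) showing what Toni asked for: the column holds only ciphertext, a plain SELECT returns ciphertext, and an equality lookup by plaintext still works via an indexed keyed HMAC rather than a deterministic ciphertext. The package and table names, and the demo keys, are assumed.

```sql
-- Added example, not from the thread: a DBMS_CRYPTO package that stores a
-- column as ciphertext and still allows equality lookups by plaintext value.
-- Package/table names and the demo keys are assumed; the owning schema needs
-- GRANT EXECUTE ON DBMS_CRYPTO.
CREATE OR REPLACE PACKAGE acct_sec AS
  FUNCTION encrypt_val (p_clear  IN VARCHAR2) RETURN RAW;
  FUNCTION decrypt_val (p_cipher IN RAW)      RETURN VARCHAR2;
  FUNCTION search_tag  (p_clear  IN VARCHAR2) RETURN RAW;
END acct_sec;
/
CREATE OR REPLACE PACKAGE BODY acct_sec AS
  -- AES-256 in CBC mode with PKCS#5 padding; a fresh random IV per value means
  -- two equal usernames never share a ciphertext.
  c_alg CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                              + DBMS_CRYPTO.CHAIN_CBC
                              + DBMS_CRYPTO.PAD_PKCS5;
  -- Constructed demo keys. In production load them from a wallet or HSM at
  -- runtime; anything in package source is readable by privileged users.
  c_enc_key CONSTANT RAW(32) := HEXTORAW('000102030405060708090A0B0C0D0E0F'
                                      || '101112131415161718191A1B1C1D1E1F');
  c_mac_key CONSTANT RAW(32) := HEXTORAW('202122232425262728292A2B2C2D2E2F'
                                      || '303132333435363738393A3B3C3D3E3F');

  FUNCTION encrypt_val (p_clear IN VARCHAR2) RETURN RAW IS
    l_iv RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);
  BEGIN
    -- Stored layout: IV (16 bytes) || ciphertext, so decrypt can recover the IV.
    RETURN UTL_RAW.CONCAT(l_iv,
             DBMS_CRYPTO.ENCRYPT(src => UTL_I18N.STRING_TO_RAW(p_clear, 'AL32UTF8'),
                                 typ => c_alg, key => c_enc_key, iv => l_iv));
  END encrypt_val;

  FUNCTION decrypt_val (p_cipher IN RAW) RETURN VARCHAR2 IS
  BEGIN
    RETURN UTL_I18N.RAW_TO_CHAR(
             DBMS_CRYPTO.DECRYPT(src => UTL_RAW.SUBSTR(p_cipher, 17),
                                 typ => c_alg, key => c_enc_key,
                                 iv  => UTL_RAW.SUBSTR(p_cipher, 1, 16)),
             'AL32UTF8');
  END decrypt_val;

  -- Keyed HMAC of the plaintext: deterministic, so it can be indexed and
  -- compared, but useless for recovering the name without the MAC key.
  -- HMAC_SH1 is used because it exists in the 10g/11g DBMS_CRYPTO.
  FUNCTION search_tag (p_clear IN VARCHAR2) RETURN RAW IS
  BEGIN
    RETURN DBMS_CRYPTO.MAC(src => UTL_I18N.STRING_TO_RAW(p_clear, 'AL32UTF8'),
                           typ => DBMS_CRYPTO.HMAC_SH1, key => c_mac_key);
  END search_tag;
END acct_sec;
/
-- Ciphertext plus searchable tag; no plaintext column exists to be SELECTed.
CREATE TABLE accounts (
  id           NUMBER    PRIMARY KEY,
  username_enc RAW(2000) NOT NULL,
  username_tag RAW(20)   NOT NULL
);
CREATE INDEX accounts_tag_ix ON accounts (username_tag);
INSERT INTO accounts VALUES (1, acct_sec.encrypt_val('JONES'), acct_sec.search_tag('JONES'));
COMMIT;
-- A plain SELECT returns only ciphertext, as the question wants ...
SELECT username_enc FROM accounts;
-- ... while an equality search on the plaintext still uses the index.
SELECT acct_sec.decrypt_val(username_enc) AS username
  FROM accounts
 WHERE username_tag = acct_sec.search_tag('JONES');
```

    The literal WHERE username='JONES' form cannot work against randomised ciphertext; the tag column gives the same equality lookup without making the ciphertext itself deterministic.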
