Title: Transparent Data Encryption Explained
1Transparent Data Encryption Explained
2 By Cheryl Lei Bryll, OCP Senior Oracle
DBA Mobile 214-733-3869 cbryll_at_onshoresolutions.
net http//www.onshoresolutions.net
3Transparent Data Encryption
- Why there is a need for Transparent Data
Encryption - What does Transparent Data Encryption address in
the security model - When to use Transparent Data Encryption
- How to implement Transaction Data Encryption
4Why there is a need for Transparent Data
Encryption
- Security threats
- External threats - backup tapes
- Internal threats privileged users\outsourcing
- U.S laws - regulatory compliance issues
- PCI DSS
- FIPS 140-2
- SOX Act of 2002
- HIPPA
- International regulations
5Security threats are an ever growing concern
- Findings from 2009 IOUG Data Security report
- 50 percent increase in data breaches since last
year - Managers see internal threats more pressing than
external threats - Outsourcing of database administration,
development and testing functions - Close to half of organizations employ actual
production data within non-production
environments - corporate management is still complacent about
data security. Management commitment needed
6Internal threats do occur
- Think internal threats dont exist?
- Think again
7(No Transcript)
8The PCI Payment Card Industry
- PCI DSS is a set of requirements designed to
ensure that ALL companies that process, store or
transmit credit card information maintain a
secure environment. - Created by Visa, MasterCard, Discover card, JCB
and American Express - Protect Cardholder Data - requirement 3
9SOX - Sarbanes-Oxley requirement
- Sets standards for public companies
- Information technology governance for financials
- Section 404
- Assessment of internal controls
- Most costly to implement
- 2007 showed avg. 1.9 -1.3 million to comply
- External auditors to access compliance
- Focused on write events (tampering)
10HIPAA - Health Insurance Portability and
Accountability Act
- Includes privacy protection provisions for
personal health information - Compliance has been required since 2005
- Includes a privacy rule and a security rule
11What does Transparent Data Encryption address?
- Preventing privacy and identity theft
- Protecting data at rest, meaning data on the
disks (in datafiles) or in backup media - Protecting against unauthorized access by use of
encryption keys - Allows for an easy to implement solution to data
protection
12 Oracle Transparent Data Encryption
addresses data protection and privacy standards
such as PCI DSS
13Protecting data at rest with Transaction Data
Encryption
- The encryption is done at the operating system
level, where data is stored - Encryption keys are stored external of the
database - Table columns or entire tablespaces are encrypted
- The datafiles, archive logs, redo logs and backup
media contain these objects in encrypted format - Strong encryption algorithms are used
14Transparent Data Encryption addresses strong
encryption
- The need for stronger data security standards
with strong encryption is a growing concern
15Need for strong encryption techniques
- PCI defines strong encryption
- The KEY determines the strength of an
encryption algorithm. At a minimum 80 bits. - FIPS (Federal Information Processing Standards)
- 140-2 defines strong encryption algorithms
- NIST (National Institute of Standards and
Technology) - Special publication 800-57 - Recommendation for
Key Management
16Encryption techniques
- Symmetric ciphers same key for both decryption
and encryption - DES,3DES,AES
- The NSA (National Security) has approved to use
the AES 192 or 256 key length algorithms for top
secret data - Asymmetric ciphers different keys for both
encryption and decryption - RSA/DSA
- Hashing algorithms - One way encryption
- MD5
17 Protects against unauthorized access
- For each encrypted table column or tablespace a
key is created - The table and tablespace keys are encrypted with
a master database key - The master database key is stored external to the
database (external security module) - The external security module is the Oracle wallet
- Oracle 11g supports the Hardware Storage Module
18Allows for an easy to implement solution to data
protection
- Before Transparent Data Encryption
- Oracle 8i API for data encryption called
DBMS_OBFUSCATION_TOOLKIT package - Oracle 9i provided support for the 3DES algorithm
- Oracle 10g the package DBMS_CRYPTO package was
added - With Transparent Data encryption
- Oracle 10g rel.2 introduced TDE with encryption
at the column level - Oracle 11g further enhances Transparent Data
Encryption with tablespace encryption and support
for HSM
19 When to use Transparent Data Encryption
- When data at rest needs to be protected
- When only certain data needs encryption
- When you need to adhere to regulatory standards
- When used as a contributing component of the
overall security solution
20How to use Transparent Data Encryption
- Oracle 10g column level encryption
- Oracle 11g tablespace level encryption
- Key management
- Backups Exports
- Replication
- Troubleshooting
21 Transparent Data Encryption 10g rel.2
Restrictions
- Transparent Data Encryption is not included in
Standard Edition - Transparent Data Encryption is an add-on product
bundled with Oracle-net server or Oracle net
client - Transparent Data Encryption is only available in
Oracle 10g rel. 2 and higher - Indexes b-tree only
- TDE cannot be used in foreign key constraints
- TDE can't be enabled on a SYS-owned table
- TDE cannot be used in standard export and import
- The COMPATIBLE initialization parameter must be
at least 10.2.x.x. - RMAN backups not with image copies
- Materialized view logs
- Transportable tablespaces
- External large objects (BFILE)
22Steps for using column-level Transparent Data
Encryption
- Set compatibility parameter
- Set up wallet location
- Create wallet
- Add encrypt to column
- Indexing encrypted columns
- Closing wallet
- Restarting database instance
23Steps for using column-level Transparent Data
Encryption
- Set compatibility parameter
- Compatibility level of 10.2 or higher
24Steps for using column-level Transparent Data
Encryption
- Set up wallet location
- search order for wallet location
- If exists, the wallet location specified by the
parameter in the sqlnet.ora file
ENCRYPTION_WALLET_LOCATION - If exists, the wallet location specified by the
parameter in the sqlnet.ora file WALLET_LOCATION - The default location for the wallet
(ORACLE_BASE/admin/ORACLE_SID/wallet)
mkdir /app/oracle/admin/test/encryption_wallet
25Steps for using column-level Transparent Data
Encryption
- Create the wallet to hold the encryption key and
open the wallet - Must have alter system privilege
- Password is case sensitive, must use quotes
- The command will create a wallet file
(ewallet.p12) - Opens the wallet
- Generates database servers master encryption key
26Steps for using column-level Transparent Data
Encryption
- Add encrypt to column
- Include the ENCRYPT clause to specific columns
- You can specify the encryption method using
- ENCRYPT USING ltAES192gt
- An encryption key for the table is created
- See all columns in your database that are
encrypted - SELECT FROM DBA_ENCRYPTED_COLUMNS
- CREATE TABLE tde_private (
- id NUMBER(10) primary key,
- info VARCHAR2(50) ENCRYPT USING 'AES192'
- )
- TABLESPACE transtable
27Demo 10g Column level
28Demo 10g Column level
29Demo 10g Column level
car Card_num ------------------- X!wp!9r4_at_ee
car Card_num -------------------715088606525
30Steps for using column-level Transparent Data
Encryption
- Indexing encrypted columns
- index columns cannot contain a salted encryption
so be sure to create those columns as 'no salt - Only b-tree indexes
- Do not use an encrypted column on an index used
in range scans
31Steps for using column-level Transparent Data
Encryption
- Foreign key columns cannot be encrypted
- This is because every table has a unique column
encryption key
32(No Transcript)
33Steps for using column-level Transparent Data
Encryption
- Salt
- By default all columns have salt added
- Salt adds an extra layer of randomness
- You can turn salt off
- alter table cust_info modify (cust_last encrypt
no salt)
- SQLgt desc DBA_ENCRYPTED_COLUMNS
- Name Null?
Type - -----------------------------------------
-------- ---------------------------- - OWNER NOT
NULL VARCHAR2(30) - TABLE_NAME NOT NULL
VARCHAR2(30) - COLUMN_NAME NOT NULL
VARCHAR2(30) - ENCRYPTION_ALG
VARCHAR2(29) - SALT
VARCHAR2(3) - SQLgt COLUMN table_name format a15
- SQLgt COLUMN column_name format a15
- SQLgt SELECT table_name,column_name,salt FROM
DBA_ENCRYPTED_COLUMNS - TABLE_NAME COLUMN_NAME SALT
- --------------- --------------- ---------
- TDE_TEST DATA YES
- TDE_DOCTOR DOC_FIRST YES
- TDE_DOCTOR DOC_LAST YES
- TDE_TEST_2 DATA YES
34Steps for using column-level Transparent Data
Encryption
- Closing the wallet
- Encrypted columns cannot be accessed
- Restarting the database
- The wallet must be manually opened
ALTER SYSTEM SET WALLET CLOSE ALTER SYSTEM
SET WALLET OPEN IDENTIFIED BY ltpasswordgt
35How to prove encryption is working?
- SQLgt conn cust_admin/ltpasswordgt
- Connected.
- SQLgt create table my_secrets (
- v_special varchar2(100)) tablespace tde_ts
- Table created.
- SQLgt insert into my_secrets values
('TOP_SECRET') - 1 row created.
- SQLgt COMMIT
- Commit complete.
36Hacker on the OS can see data in your physical
files
- Without encryption the redo logs show cleartext
of - your DML
- bash-3.2 pwd
- /app/oracle/oradata/test
- bash-3.2 strings redo02.log grep TOP_SECRET
- TOP_SECRET
37Hacker on the OS can see data in your physical
files
- With encryption the datafiles and redo logs do
NOT show cleartext of your DML
38Implementation steps
- Implementation Steps
- 1. Identify columns that require data protection
- credit cards, ssn, medical info
- 2. Verify supported datatype
- no bfiles
- 3. Verify column is not part of a foreign key
- query the data dictionary to find this
information - 4. Encrypt existing and new data
- a. may want to do a 'move' of tablespace to
remove ghost copies - b. perform the ddl
- c. alter tables
- d. backup database and wallet !
39Transparent Data Encryption 11g
- Tablespace encryption
- No more searching for columns to encrypt
- Eliminates the foreign key limitation
- Less of a performance impact
- Oracle E-Biz 11i version 11.5.10.2 or higher
- Support for SecureFiles
- Support for hardware security modules (HSM)
- Stores master key on separate hardware device
- Share keys across servers
40Steps for using tablespace Transparent Data
Encryption
- Tablespace
- No restriction on Foreign Key columns
- Default algorithm is AES 128
- Range scans are no longer a
- problem
- view vencrypted_tablespaces
- COMPATIBLE parameter to 11.1
- Create tablespace securets datafile
'/u99/app/oracle/oradata/fins/fins/securets_01.dbf
' size 300M encryption using 'AES192' Default
storage (encrypt)
41Demo 11g tablespace encryption
42Demo 11g tablespace encryption
43Demo 11g tablespace encryption
44Steps for SecureFile LOBsTransparent Data
Encryption
- SecureFile LOBs
- COMPATIBLE parameter to 11.1
- Block level encryption of LOBs
- Cannot change encryption
- algorithm, must do a rekey
- CREATE TABLE lob_tab (
- id NUMBER,
- cmment_info VARCHAR2(300),
- clob_data CLOB )
- LOB(clob_data) STORE AS SECUREFILE encrypt_lob(
ENCRYPT USING 'AES256' ) - ALTER TABLE lob_tab MODIFY ( clob_data CLOB
ENCRYPT USING '3DES168' ) - ! DOES NOT WORK
- ALTER TABLE lob_tab REKEY USING 'AES192'
45Demo Lobs
46Transparent Data Encryption support for HSM
- Support for hardware security modules (HSM)
- Allows master key to be stored in one place and
used by many RAC nodes - A rekey operation is needed to change or upgrade
to using HSM in 11g -
47Transparent Data Encryption HSM
- How does the Hardware security module work?
-
- Basically a separate tamper-resistant
hardware is used to create, store and use
cryptographic keys. The HSM device adds
increased processing power for encryption\decrypti
on of keys. And should meet the proper
validation to ensure it meets industry standards
such as FIPS 140-2.
48Transparent Data Encryption Implement HSM
- Steps to implement the Hardware security module
- Modify sqlnet.ora parameter ENCRYPTION_WALLET_LOCA
TION(SOURCE(METHODHSM)) - Configure PCKS11 library
- /opt/oracle/extapi/32,64/hsm/VENDOR/VERSION/
libapiname.ext - Configure HSM device
- Create user/password
- Create the master key in the database
- ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY
user_Idpassword MIGRATE USING wallet_password - Open the wallet
49Transparent Data Encryption Key Management
- Two-tier key architecture
- Resetting keys
- Backup and recovery of keys
- Autologin
- External security module
- Hardware security module
- Wallet
50Transparent Data Encryption Key Management
- Two-tier key architecture
- Master database key
- Used to encrypt the column and tablespace keys
- Stored in the Oracle wallet
- Table \ tablespace key
- Used to encrypt columns indexes
- Stored in the data dictionary in encrypted format
51Transparent Data Encryption Key Management
- Reset master key
- ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY
ltpasswordgt - Rekeying the table key
- ALTER TABLE cust_info REKEY
- Rekeying to change encryption algorithm
- ALTER TABLE cust_info REKEY USING '3DES168'
- ALTER TABLE cust_info ENCRYPT USING AES128
52Transparent Data Encryption Key Management
- Backup of keys
- Must backup the ewallet.p12 file
- Every time you reset the master you should backup
the wallet file - Recovery of keys
- To restore simply apply a backup copy of
ewallet.p12 to the wallet location - If wallet is not the most recent master key, then
you must perform a data recovery
53Transparent Data Encryption Key Management
- Autologin
- Implicitly opens wallet
- Set up using
- mkwallet utility
- Oracle Wallet Manager
- Cannot have already opened wallet
- Not recommended for TDE (lessens security)
54Transparent Data Encryption Key Management
- External security module the storing of master
keys outside of the database - Hardware security module (HSM)
- Oracle Wallet
- Default database wallet
- Separate wallet
- set in sqlnet.ora ENCRYPTION_WALLET_LOCATION
55EXTERNAL SECURITY MODULE SUPPORT BY DATABASE
VERSION
DATABASE VERSION MASTER KEY FOR IN ORACLE WALLET IN HSM
Oracle RDBMS 10gR2 Column Encryption Yes No
Oracle RDBMS 11gR1 Column Encryption Yes Yes
(11.1.0.6) Tablespace Encryption Yes No
Oracle RDBMS 11gR1 Column Encryption Yes Yes
(11.1.0.7) Tablespace Encryption Yes Yes (no re-key)
Oracle Advanced Security Transparent Data
Encryption Best Practices August 2009 (version
11) Peter A. Wahl
56Backups Exports RMAN
- TDE encrypted columns will be encrypted a second
time during the backup - RMAN Transparent mode is the default
- No DBA intervention no need to enter a password
during daily backups - RMANgt configure encryption for database on
- During recovery Oracle Wallet must be open
57Backups Exports Data Pump
58Demo Data Pump
ENCRYPTION_PASSWORD is the data pump password
used and not the wallet password. This password
must be similarly entered during the import
59Demo Data Pump
Creating an external table with encrypted
columns, type ORACLE_DATAPUMP
60Demo Data Pump
Oracle Data Pump prohibits the export of an
external table ORA-39214 Data Pump does not
support external tables with encrypted columns.
61Transparent Data Encryption Replication
- Clones
- Materialized views
- Data guard
- Streams
- RAC
62Cloning Production
- It is important that the Oracle Wallet from the
source is copied to the target.
Production
Development
Copy
63Materialized Views
- Encrypted columns cannot be used with 10g
Materialized view logs. - When creating a materialized view the target
columns do not take on the encrypt attribute of
the data types.
64Data Guard
- It is important that the Oracle Wallet from the
source is copied to the target. - Creating a new wallet with the same password will
not work. - Encryptiondata_only, all,
- encrypted_columns_only
- encryption_modetransparent
- Encrption_algorithmAES192
Primary
Standby
Copy
65Streams
Local
car Card_num ------------------- X!wp!9r4_at_ee
decrypted
- The data is decrypted by the streams engine prior
to transporting to the target system. - However, if the target system does not
successfully accept the message the data is
stored in a temp location encrypted.
Buffered queue
car Card_num -------------------715088606525
downstream
encrypted
car Card_num ------------------- X!wp!9r4_at_ee
Copy wallet
66RAC
RAC node 2
- Copy the Oracle Wallet from the first node to
each additional node servers in the Real
Application Cluster. - Open the wallet manually on each node database.
RAC node 1
copy
RAC node 3
SAN Datafiles,redo ,archive logs
67Troubleshooting
- How do you determine that Oracle Advanced
Security Option is installed ? - Universal installer
- opatch lsinventory
- ORACLE_HOME/bin/adapters
68Troubleshooting
- How do you determine that Oracle Advanced
Security Option is installed ? - Universal installer
- opatch lsinventory
- ORACLE_HOME/bin/adapters
69Troubleshooting
- How do you determine that Oracle Advanced
Security Option is installed ? - Universal installer
- opatch lsinventory
- ORACLE_HOME/bin/adapters
70Troubleshooting
- If you create a new table based on a table with
encrypted columns does the encrypt column
definition transfer with the table? - No
71Troubleshooting
- What happens to my encrypted data when the Oracle
wallet is closed? - The data is inaccessible. However, you can still
access all the other columns. Just do not
perform select queries.
72Troubleshooting
- SQLgt CREATE TABLE cust_info
- 2 ( cust_id NUMBER(12) PRIMARY KEY,
- 3 cust_last VARCHAR2(30) ENCRYPT USING
'AES192' NO SALT, - 4 cust_first VARCHAR2(30),
- 5 dob DATE,
- 6 state VARCHAR2(5),
- 7 ssn VARCHAR2(9) ENCRYPT USING
'AES256' - 8 ) TABLESPACE tde_ts
- ssn VARCHAR2(9) ENCRYPT USING 'AES256'
-
- ERROR at line 7
- ORA-28340 a different encryption algorithm has
been chosen for the table
- Is it possible to apply to different encryption
algorithms on the same table? - NO! An error will result, the encryption
algorithm is based on the table. Remember only
one table key is created regardless of the amount
of columns set to ENCRYPT.
73Troubleshooting
- SQLgt column WRL_TYPE format a5
- SQLgt column WRL_PARAMETER format a50
- SQLgt select from VENCRYPTION_WALLET
- WRL_T WRL_PARAMETER
STATUS - ----- --------------------------------------------
------ --------- - file /app/oracle/admin/test/encryption_wallet/
OPEN
- How can the DBA determine if the wallet is open
and how can the DBA determine the OS location of
the wallet? - Simply query the vencryption_wallet view.
74Questions/Comments? Slides to be posted
to http//www.onshoresolutions.net/knowledge.html
White papers tutorials
75References
Oracle 10g Advanced Security http//download.orac
le.com/docs/cd/B19306_01/network.102/b14268/asotra
ns.htmCHDCGBEA Oracle 11g Advanced Security
Guide http//download.oracle.com/docs/cd/B28359_01
/network.111/b28530/asotrans.htmCJADBFGF Oracle
Advanced Security Transparent Data Encryption
Best Practices August 2009 (version 11) Peter
A. Wahl PCI Standards www.pcisecuritystandards.or
g/security_standards/pci_dss.shtml