Transparent Data Encryption
Anyone who can read the datafiles can read the data in them, even without an account in the database: the blocks are stored in clear text, so a copied datafile, a disk image or a stolen backup bypasses every privilege check the database enforces. Protection at the file level is therefore required to protect the data at rest.
TDE encrypts specific table columns, or whole tablespaces, as they are stored in the datafiles. With tablespace encryption the indexes, materialized views and other segments stored in that tablespace are encrypted as well.
TDE is a key-based access control system. Even if the encrypted data is retrieved, it cannot be understood until authorized decryption occurs, which is automatic for users authorized to access the table.
Oracle first introduced TDE in 10g Release 2. "Transparent" means that database users and applications need no changes to use it: encryption and decryption happen inside the database, below the SQL layer, so existing SQL and application code keep working unchanged.
To prevent unauthorized decryption, TDE stores the master encryption key in a wallet outside the database.
Why use a Wallet?
As shown in the figure, the master encryption key is stored in an external security module (the wallet) that lives outside the database and is accessible only to the security administrator. Using a wallet makes it possible to divide duties between database administrators and security administrators: the wallet password can be kept from the database administrator, so a DBA (or anyone who has obtained the DBA's datafiles) cannot decrypt the data unless the security administrator opens the wallet. The flip side is that the wallet is now the root of trust: if it is lost, the encrypted data is unrecoverable, and if it is stored or backed up next to the datafiles it protects, the separation is void.
Types of TDE
There are two types of TDE:
1. Column Encryption
2. Tablespace Encryption
Column Encryption
Use column encryption when you want to encrypt one or more specific columns in a table.
When a table contains encrypted columns, a single key is used regardless of the number of encrypted columns. This key is called the column encryption key. The column encryption keys of all tables containing encrypted columns are themselves encrypted with the database master encryption key and stored in a data dictionary table inside the database. No keys are stored in the clear.
This feature was introduced in Oracle 10g R2.
Creating a table that has a column encrypted is as easy as using the ENCRYPT keyword:
CREATE TABLE scott.emp(
empno NUMBER(9),
ssn NUMBER(9) ENCRYPT USING 'AES256'
);
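The following is an added worked example, not part of the original page: it walks through the wallet setup described above and the column encryption of the table just shown, then demonstrates what "key-based access control" means in practice by closing the wallet. The wallet directory, the wallet password, the extra columns and the index name are assumptions for the example; the statements use the 11.2 syntax (12c replaced them with ADMINISTER KEY MANAGEMENT).

```sql
-- 1. Wallet location. The security administrator adds this to
--    $ORACLE_HOME/network/admin/sqlnet.ora on the database server and
--    creates the directory (path is an assumption for this example):
--
--    ENCRYPTION_WALLET_LOCATION =
--      (SOURCE = (METHOD = FILE)
--        (METHOD_DATA = (DIRECTORY = /u01/app/oracle/admin/orcl/wallet)))
--
-- 2. Create the wallet and the master encryption key (once per database).
--    This also opens the wallet. The password belongs to the security
--    administrator, not to the DBA (password is an assumption).
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "SecAdminWallet#1";

SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;
-- expected: file  /u01/app/oracle/admin/orcl/wallet  OPEN

-- 3. Column encryption. NO SALT is required if the column is to be
--    indexed; the index then serves equality lookups only, never range scans.
CREATE TABLE scott.emp (
  empno NUMBER(9) PRIMARY KEY,
  ename VARCHAR2(30),
  ssn   NUMBER(9) ENCRYPT USING 'AES256' NO SALT
);
CREATE INDEX scott.emp_ssn_ix ON scott.emp (ssn);   -- index name assumed

INSERT INTO scott.emp VALUES (1, 'KING', 123456789);  -- constructed row
COMMIT;

-- Authorized users see clear text: encryption is transparent to SQL.
SELECT ssn FROM scott.emp WHERE ssn = 123456789;

-- The data dictionary records what is encrypted and how.
SELECT owner, table_name, column_name, encryption_alg, salt, integrity_alg
  FROM dba_encrypted_columns;

-- 4. Close the wallet: the encrypted column is now unreadable even to
--    a DBA, while the clear columns of the same table remain queryable.
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "SecAdminWallet#1";
SELECT ename FROM scott.emp;       -- still works
SELECT ssn   FROM scott.emp;       -- ORA-28365: wallet is not open

-- 5. Re-open for normal operation. The same OPEN is needed after every
--    instance restart unless an auto-login wallet is configured.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "SecAdminWallet#1";
```

The step-4 failure is the whole point of the wallet: the datafiles, the dictionary and the DBA's privileges together are not enough to read the column; the security administrator's password is.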
Restrictions
Do not use TDE column encryption with the following database features:
1. Index types other than B-tree
2. Range scans through an index (an encrypted column can only be indexed when it is encrypted with NO SALT, and even then the index serves equality lookups only, because it holds the ciphertext)
3. Transportable Tablespaces
4. Materialized View Logs
5. Synchronous Change Data Capture
6. Encrypted columns cannot be used in foreign key constraints, because each table has its own column encryption key and the same value encrypts differently in parent and child
7. BFILE
8. The original import/export utilities (exp/imp) do not support encrypted columns. Use Oracle Data Pump (expdp/impdp).
Tablespace Encryption
Tablespace encryption encrypts and decrypts every object stored in the encrypted tablespace. It works at the I/O layer: the database encrypts blocks as it writes them to the datafiles and decrypts them as it reads them back, so data is in clear text in the buffer cache and in query results, and only the on-disk copy is protected.
Oracle Database version must be 11g release 1 (11.1) or higher.
Restrictions
1. External Large Objects (BFILEs) cannot be encrypted using TDE tablespace encryption, because these files reside outside the database.
2. The original import/export utilities (exp/imp) do not support encrypted tablespaces. Use Oracle Data Pump (expdp/impdp).
Things to consider for a TDE implementation
1. A new tablespace is needed
An existing tablespace cannot be converted into an encrypted tablespace. The data has to be physically rewritten into a new encrypted tablespace, using table reorganization (ALTER TABLE ... MOVE), online redefinition (DBMS_REDEFINITION) or a Data Pump export/import.
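The following is an added worked example, not part of the original page: it creates the encrypted tablespace described in the Tablespace Encryption section, verifies it through the dictionary, and then performs the migration of an existing table that the point above says is required. The wallet must already be open. The datafile path, the schema, the table and the old tablespace name USERS are assumptions for the example.

```sql
-- 1. New encrypted tablespace (datafile path is an assumption).
CREATE TABLESPACE enc_data
  DATAFILE '/u01/app/oracle/oradata/orcl/enc_data01.dbf' SIZE 200M AUTOEXTEND ON
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 2. Verify that it is encrypted, and with which algorithm.
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name IN ('USERS', 'ENC_DATA');
-- expected: USERS NO / ENC_DATA YES

SELECT t.name, e.encryptionalg
  FROM v$tablespace t
  JOIN v$encrypted_tablespaces e ON t.ts# = e.ts#;

-- 3. Migrate an existing table. Its blocks in USERS are clear text, so
--    the segment must be rewritten into the new tablespace. ALTER TABLE
--    ... MOVE does that for a plain heap table; tables with LOB columns
--    or partitions need per-segment moves, DBMS_REDEFINITION or Data Pump.
ALTER TABLE scott.emp MOVE TABLESPACE enc_data;

-- The move changes every ROWID, so all indexes on the table are now
-- UNUSABLE. Rebuild them into the encrypted tablespace too; otherwise
-- the indexed values would stay in clear text in USERS.
SELECT index_name, status, tablespace_name
  FROM dba_indexes
 WHERE owner = 'SCOTT' AND table_name = 'EMP';

-- Generate one REBUILD per unusable index and run the output.
SELECT 'ALTER INDEX ' || owner || '.' || index_name ||
       ' REBUILD TABLESPACE enc_data;' AS stmt
  FROM dba_indexes
 WHERE owner = 'SCOTT' AND table_name = 'EMP' AND status = 'UNUSABLE';

-- 4. Confirm that no segment of the table is left outside ENC_DATA.
SELECT segment_name, segment_type, tablespace_name
  FROM dba_segments
 WHERE owner = 'SCOTT'
   AND (segment_name = 'EMP'
        OR segment_name IN (SELECT index_name FROM dba_indexes
                             WHERE owner = 'SCOTT' AND table_name = 'EMP'));
-- expected: every row shows ENC_DATA

-- 5. The old clear-text blocks still exist in the USERS datafile until
--    they are overwritten. If the freed space held sensitive rows, drop
--    the old tablespace (or securely wipe its datafile) once it is empty.
```

Step 5 is the check most migrations forget: moving a table encrypts the new copy, but does nothing to the bytes it left behind in the old datafile.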
2. Performance impact
Oracle quotes a 4-8% impact on end-user response time and a 1-5% increase in CPU usage, with the overall impact expected to stay below 10%. Measure it on your own workload before committing.
3. Storage overhead
Column encryption increases disk consumption: encrypting a single column requires between 32 and 48 bytes of additional storage per row on average (padding to the cipher block size, plus the salt and the integrity check unless they are disabled). TDE tablespace encryption has no storage overhead.
4. Replication
GoldenGate 11.1.1.1 or later is required to replicate encrypted data.
5. Backup time
RMAN backup/restore and Data Pump export/import take longer.
6. Wallet
The wallet that contains the master encryption key needs its own backup task, kept separate from the datafile backups. Without the wallet, an RMAN backup of the encrypted data cannot be restored into a usable state.
7. Licensing
TDE requires the Oracle Advanced Security option (11,500 USD per core at the time of writing).
8. Using PKI
Using a PKI key pair (PKI certificate) as the master encryption key may result in greater performance degradation when accessing encrypted columns in the database.
9. Database version
If you wish to test the enhanced tablespace encryption features, Oracle 11.2 is required.
TDE integrates directly with frequently used Oracle Database tools and technologies including Oracle Advanced Compression, Automatic Storage Management (ASM), Recovery Manager (RMAN), Data Pump, GoldenGate and more.