This content has been marked as final. Show 4 replies
How can anyone help you when the only information you provide is this:
To encrypt what? where? why?
We'd like to use the security/encryption provided by Solaris.
Is this personal information being entered from an application front-end or government secrets? Medical information or your mother's favorite cookie recipes?
Without a clear and concise explanation no help is possible.
But generally speaking I can't think of any good reason to use operating system encryption when it is not even close to as capable of that in the database.
Here are some more specifics:
The data will have personal identifiable information which needs to be encrypted, per requirements. Gov't in this case.
Solaris 11 provides encryption on volumes on the system, which would provide encryption for the data at rest. The system will contain both file based information (individual user files) as well as information in the database. the PII will be in both places
For cost concerns would need to use oracle standard version. standard does not have TDE.
However of course we can setup oracle using the filesystem for data file storage and not ASM.
So it would seem that we could have the OS protecting the data files with the OS provided encryption.
I'd like to confirm however that such a setup would actually work. I haven't found mention of it anywhere.
Thoughts or information on that?
Got the answer myself from oracle support (opened an SR):
"Oracle Database 11gR2 is certified to work on Solaris 11 with ZFS encryption. This has been confirmed by Development team."
Hope this helps anyone else with the same question.
The answer is correct but I would strongly recommend you throw it away and use database encryption. Here's why:
1. While the file system may encrypt the physical files the information is non-encrypted and anyone with database access can read it.
2. Anyone with access to Log Miner can read the redo logs as plain text.
3. If anyone with database access can read the information you are almost undoubtedly (I don't know your country) not achieved regulation compliance.
So can you do it? As Oracle says ... yes you can.
Should you do it is an entirely different question and from experience my advice would be NO!