4 Replies Latest reply: Feb 8, 2013 10:46 PM by 921119

    Transparent Data Encryption

    BJones
      Everyone,

      After conducting a few tests, I found that the TDE master encryption key is stored in memory after first use. As a result, if something were to occur rendering the wallet unusable, it would not be detected until the instance is restarted. Has anyone found an undocumented parameter or process that can be used to force a query to obtain the encryption key from the wallet? Within my tests, the wallet was set to auto open.

      TEST 1
      -connect to database
      -move wallet files
      -query table in encrypted tablespace (FAILED - ORA-28365: wallet is not open)

      TEST 2
      -connect to database
      -query table in encrypted tablespace (SUCCESS)
      -move wallet files
      -query table in encrypted tablespace (SUCCESS)
      -create new account and query table in encrypted tablespace (SUCCESS)
      -reboot instance
      -connect to database
      -query table in encrypted tablespace (FAILED - ORA-28365: wallet is not open)
      -move wallet files to original location
      -query table in encrypted tablespace - same session as before (SUCCESS)

      TEST 3
      -connect to database
      -query table in non-encrypted tablespace
      -move wallet files
      -query table in encrypted tablespace (FAILED - ORA-28365: wallet is not open)
      -move wallet files to original location
      -query table in encrypted tablespace - same session as before (SUCCESS)

      TEST 4
      -connect to database
      -query table 1 in encrypted tablespace (SUCCESS)
      -move wallet files
      -flush shared pool
      -switch logfiles
      -exit first session
      -start second session
      -query table 2 in encrypted tablespace (SUCCESS)


      Regards,
      Bryan
        • 1. Re: Transparent Data Encryption
          asahide
          Hi,
          "I found that the TDE master encryption key is stored in memory after first use"
          Correct.
          Once the wallet has been opened, it remains open until you shut down the database instance, or close it explicitly by issuing the following command:
          SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "password"
          <<http://docs.oracle.com/cd/E11882_01/network.112/e10746/asotrans.htm#autoId12>>
          Regards,
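A concrete check for the behaviour asahide describes, added here as an example; it is not code from the thread or from Oracle's documentation. It assumes Oracle 11.2 syntax and a session with the ALTER SYSTEM privilege, and uses placeholders for the wallet password and for an encrypted table. Closing and re-opening the wallet discards the master key cached in the SGA and reads it again from the wallet files, so the re-open step fails if those files have been moved or damaged, which is the condition the original post wanted to detect without restarting the instance.

```sql
-- Added example, not part of the original thread.
-- <wallet_password> and hr.encrypted_table are placeholders.

-- 1. What the instance currently believes about the wallet.
--    OPEN and CLOSED are the normal values; anything else points at
--    a problem with the wallet files or the master key.
SELECT wrl_type, wrl_parameter, status
  FROM v$encryption_wallet;

-- 2. Close the wallet. This drops the cached master key; until the
--    wallet is opened again, access to encrypted columns/tablespaces
--    fails with ORA-28365 instead of silently using the cached key.
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "<wallet_password>";

-- 3. Re-open it. This only succeeds if the wallet files are present and
--    intact at the ENCRYPTION_WALLET_LOCATION configured in sqlnet.ora,
--    so the step doubles as a check that the wallet is still usable.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<wallet_password>";

-- 4. Confirm the state and exercise an encrypted object.
SELECT status FROM v$encryption_wallet;
SELECT COUNT(*) FROM hr.encrypted_table;
```

Run during a maintenance window: between steps 2 and 3 every session touching encrypted data receives ORA-28365, which is the point of the check but also an outage for those sessions.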
          • 2. Re: Transparent Data Encryption
            damorgan
            I highly recommend not using TDE but rather using the DBMS_CRYPTO package.

            It would be inappropriate to discuss my reasons here but suffice it to say that if you need encrypted ... there is no value in its transparent decryption.
            • 3. Re: Transparent Data Encryption
              IBarr
              There are some occasions that would still merit TDE. For example, a third-party application that does not offer encryption could still have its data protected at rest by TDE. Using DBMS_CRYPTO instead would require programmatic changes.

              The main benefit of TDE, as I understand it, is that it can be implemented without any knowledge needed by the application.

              Iain Barr
              • 4. Re: Transparent Data Encryption
                921119
                Yes, it is clear that the TDE master encryption key is stored in memory after first use. So, if you want the master key to be fetched from the key store every time, I would recommend using an HSM. In that case, every decryption must access the HSM, and the master key remains inside the HSM only.

                When we are using the Oracle Wallet, the TDE master encryption key gets loaded into database memory to decrypt the table/tablespace keys.
                When we are using an HSM, the table and tablespace keys are sent to the HSM and returned decrypted over a secure connection so they can be used to decrypt or encrypt data in the database.