Forum Stats

  • 3,840,371 Users
  • 2,262,594 Discussions
  • 7,901,249 Comments

Discussions

Using TDE in Oracle 12.2.0.1

GoldenData
GoldenData Member Posts: 3 Bronze Badge
edited May 28, 2020 11:58PM in Database Security - General

Hello,

We would like to use Oracle TDE (Transparent Data Encryption) for the encryption of sensitive data (RDBMS 12.2.0.1).

We already have the Advanced Security license , so it's ok

We should secure access to sensitive data in 2 databases:

- A source database.: DB1

- A target  database (DB2)  copy from DB1 by using DataStage tool.

Application users USER_APP_1, USER_APP_2 use the same single oracle user USER_ORACLE to connect to the DB1 database.

The user USER_APP_1 has the privileges  to see the data encrypted in clear (Decrypted).

User USER_APP_2 does not have privileges to see encrypted data.

1 / How to apply this strategy on the 2 users USER_APP_1 and USER_APP_2 if they use the same Oracle connection via the user USER_ORACLE?

2 / Should the same key be used in the 2 databases DB1 and DB2? if so, should you share this key for each database or duplicate it for each of the 2 databases DB1 and DB2 (DataStage copy of DB1).

Thanks for your help.

Best regards.

GD.

Answers

  • Emad Al-Mousa
    Emad Al-Mousa Member Posts: 716 Bronze Trophy
    edited May 28, 2020 2:41PM

    Hi,

    i didn't understand you question.....if you are using TDE the encryption is on "rest" on the physical data files levels, once you perform a SQL query the data is "decrypted". Are you performing a "column" level encryption ?

    Regards,

  • pmdba
    pmdba Member Posts: 103 Bronze Badge
    edited May 28, 2020 11:58PM

    TDE won't prevent any user from reading the data once they log into the database. It only encrypts the datafiles (or portions of them) themselves. Any data selected by any query is automatically decrypted as it is read into memory from the file (thus "transparent"). If you want to allow one user to see data and prevent another user, then consider Virtual Private Database. VPD is access control, not encryption.