About encrypting database in oracle 19c

User_MI6PG
User_MI6PG Member Posts: 6 Green Ribbon

I know of several ways to encrypt the database: using the two packages DBMS_OBFUSCATION_TOOLKIT or DBMS_CRYPTO, or using TDE. I don't know if I have this right. Is there any other way to encrypt the database? Which one is the most common and should be used?

Thank you!

Answers

  • Solomon Yakobson
    Solomon Yakobson Member Posts: 18,904 Red Diamond

    Depending on your version, in addition to application tablespaces you can (starting, I believe, with 12.2) use TDE on the SYSTEM, SYSAUX, UNDO & TEMP tablespaces. However, Oracle doesn't recommend TDE on the SYSTEM, SYSAUX, UNDO & TEMP tablespaces:

    "If you encrypt the SYSTEM, SYSAUX, TEMP, or UNDO tablespace, then never close the keystore manually, even if you later decrypt the tablespace by using the ALTER TABLESPACE SQL statement."

    Therefore, encryption of the SYSTEM, SYSAUX, TEMP and UNDO tablespaces is not recommended, and it is necessary to judge carefully when encrypting.

    SY.

  • User_MI6PG
    User_MI6PG Member Posts: 6 Green Ribbon
    edited Nov 20, 2021 1:51PM

    I think I need to read more documentation to understand clearly what you are saying. Thanks for responding.

    I have one more problem while practicing encryption using TDE. When I type this command:

    SQL> conn userManagement;

    SQL> alter table Employee modify (Salary encrypt);

    It said: ORA-28361: master key not yet set

    But some days ago I had already created a master key, so I don't know why that error comes up. So I tried to set a new master key with:

    SQL> conn / as sysdba;

    SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "5" WITH BACKUP;

    And it said: ORA-28362: master key not found

    Can you show me what causes the errors? I have no idea what to do next. (Explanation: 5 is my wallet key; it is simple because I'm just a student practicing my own homework.) Before asking you this question, I tried many ways to solve it but none worked, so I don't mind if you recommend some way to delete the wallet or make a new one. I have also checked the status of the wallet, checked the location, deleted the wallet folder and created another, etc., but it is still hopeless.

    Hope you will rescue me out of this morass T.T

  • Solomon Yakobson
    Solomon Yakobson Member Posts: 18,904 Red Diamond
    edited Nov 20, 2021 2:55PM

    Did you specify ENCRYPTION_WALLET_LOCATION in sqlnet.ora (on database server side)?

    SY.

  • User_MI6PG
    User_MI6PG Member Posts: 6 Green Ribbon

    Of course I did. It looks like this in sqlnet.ora:

    # sqlnet.ora Network Configuration File: C:\Users\Thuy\Desktop\WINDOWS.X64_193000_db_home\NETWORK\ADMIN\sqlnet.ora
    # Generated by Oracle configuration tools.

    # This file is actually generated by netca. But if customers choose to
    # install "Software Only", this file wont exist and without the native
    # authentication, they will not be able to connect to the database on NT.

    SQLNET.AUTHENTICATION_SERVICES= (NTS)

    NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

    ENCRYPTION_WALLET_LOCATION=
      (SOURCE=
        (METHOD=file)
        (METHOD_DATA=
          (DIRECTORY=C:\Users\Thuy\Desktop\WINDOWS.X64_193000_db_home\NETWORK\ADMIN\wallet1)
        )
      )

    And in my wallet1 folder there are 3 things, I don't know what they are called: ewallet.p12, ewallet_2021112013190223.p12, ewallet_2021112014014045.p12.

  • Solomon Yakobson
    Solomon Yakobson Member Posts: 18,904 Red Diamond
    edited Nov 22, 2021 2:01PM

    The wallet will be opened by the user Oracle is installed under, so C:\Users\Thuy is questionable. What do you get when you issue:

    select WRL_TYPE, WRL_PARAMETER, STATUS, CON_ID from v$encryption_wallet;

    In addition, 19C allows specifying the wallet location in the initialization parameter WALLET_ROOT.

    SY.
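The check suggested above, extended into a full keystore sequence for 19c. This is an added example, not something posted by anyone in the thread; `<wallet_root_dir>` and `<keystore_password>` are placeholders, and it assumes a file-based keystore administered from SQL*Plus as SYSDBA (or a user with SYSKM).

```sql
-- Added example. <wallet_root_dir> and <keystore_password> are placeholders.

-- 1. Ask the instance where it looks for the keystore and what state it is in.
--    WRL_PARAMETER is the directory actually used; compare it with sqlnet.ora.
SELECT con_id, wrl_type, wrl_parameter, status, wallet_type,
       CASE status
         WHEN 'NOT_AVAILABLE'      THEN 'no keystore found here: check path and OS permissions'
         WHEN 'CLOSED'             THEN 'keystore exists: open it (step 3)'
         WHEN 'OPEN_NO_MASTER_KEY' THEN 'open but no key: set a master key (step 4)'
         WHEN 'OPEN'               THEN 'open and a master key is set'
         ELSE 'see the V$ENCRYPTION_WALLET reference for this status'
       END AS next_step
FROM   v$encryption_wallet
ORDER  BY con_id;

-- 2. Optional in 19c: configure the location in the database instead of
--    sqlnet.ora. WALLET_ROOT is a static parameter, so a restart is needed
--    before TDE_CONFIGURATION can be set.
ALTER SYSTEM SET WALLET_ROOT = '<wallet_root_dir>' SCOPE = SPFILE;
SHUTDOWN IMMEDIATE
STARTUP
ALTER SYSTEM SET TDE_CONFIGURATION = 'KEYSTORE_CONFIGURATION=FILE' SCOPE = BOTH;

--    With WALLET_ROOT set, the keystore is created under <wallet_root_dir>/tde,
--    a directory the Oracle service account must be able to read and write.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "<keystore_password>";

-- 3. Open the keystore. In a multitenant database, run steps 3 and 4 from the
--    root and append CONTAINER = ALL so every PDB has an open keystore and a key.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<keystore_password>";

-- 4. Create and activate the TDE master encryption key.
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "<keystore_password>" WITH BACKUP;

-- 5. Confirm: step 1 should now report OPEN, and a key should be listed for
--    the container that owns the table to be encrypted.
SELECT con_id, key_id, creation_time
FROM   v$encryption_keys
ORDER  BY creation_time;
```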

  • User_MI6PG
    User_MI6PG Member Posts: 6 Green Ribbon
    edited Nov 22, 2021 2:28PM

    I get this. Sorry for not replying in time. My device doesn't get the notification.

    So you mean my configured path is wrong? I will check it out.

  • thatJeffSmith-Oracle
    thatJeffSmith-Oracle Distinguished Product Manager Posts: 8,056 Employee

    This needs moved to either the database or the security forums.

This discussion has been closed.