First, have you specified encryption wallet location in sqlnet.ora?
When you create the wallet, the master key is automatically created and stored inside the wallet. The wallet password is used to access that master key. You don't need to know the master key, as you are not going to use it directly. The master key is used by TDE to encrypt table keys and tablespace keys.
Tablespaces can be encrypted only during creation!!! So you cannot encrypt an already created tablespace. You need to create a new tablespace (defined as encrypted), and then move the appropriate objects into that encrypted tablespace.
You can read more here: http://www.oracle.com/technetwork/database/security/twp-transparent-data-encryption-bes-130696.pdf
Thanks for reply.
Ok, and in the 'Transparent Data Encryption' section, at Advanced Options, there is a re-key feature:
Re-key Master Encryption Key
The encryption module password is required to re-key the master encryption key. Re-keying should be fairly infrequent and only needs to be performed for scheduled key rotation or if the master keys have been compromised.
So when should someone re-key the master encryption key, and under which circumstances can the keys be compromised if they are used internally, to encrypt the table keys, for example?
EDIT: No, I have not specified the location of the wallet, as nobody or nothing asked me to do so. This is what I have in sqlnet.ora:

# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.
SQLNET.AUTHENTICATION_SERVICES = (NTS)

And in EM, I can see this:

Encryption Security Module: WALLET
Wallet Location: D:\ORACLE\APP\ADMIN\ORCL\WALLET
Wallet Status: OPEN

So do I need something in sqlnet.ora in this case? Is it mandatory to add in sqlnet.ora also:

(METHOD = FILE)
(DIRECTORY = D:\ORACLE\APP\ADMIN\ORCL\WALLET)
Re-keying is something that would be done if, for example, you believe that your wallet was compromised (for example, someone broke into the server and could have copied the wallet).
So if my wallet is stolen, then the 'hacker' can access my encrypted data with this wallet, and now the security using TDE is 0 if I did not re-key the wallet... that's what I understand :)
It is not so simple. The hacker will need to have your encrypted data, your encrypted keys and the wallet password. That's why Oracle uses a two-tier key architecture. But if you ever suspect that your wallet is compromised, you should do a rekey. Also some security standards (like PCI DSS) require a periodic rekey. Then you should rekey only the master key and that's it.
EDIT: if you haven't specified the wallet location in sqlnet.ora, then Oracle uses the default one. So you don't need to enter anything.
Edited by: Zoran Pavlovic on Nov 26, 2012 11:13 AM
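The procedure Zoran describes (explicit wallet location in sqlnet.ora, a fresh encrypted tablespace with objects moved into it, then a master key re-key), as an added worked example that is not from this thread. The wallet directory is the one from the post; the tablespace name enc_ts, the datafile path, the hr.employees table and its index, and the password are assumptions, and the statements use the 11g ALTER SYSTEM form.

```sql
-- 1. sqlnet.ora fragment (not SQL, shown here as a comment): the explicit
--    wallet location the thread asks about, using the directory from the post.
--   ENCRYPTION_WALLET_LOCATION =
--     (SOURCE =
--       (METHOD = FILE)
--       (METHOD_DATA =
--         (DIRECTORY = D:\ORACLE\APP\ADMIN\ORCL\WALLET)))

-- 2. Open the wallet (11g syntax). The password is a placeholder.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet_password";

-- Confirm the wallet is OPEN before touching any encrypted object.
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

-- 3. Tablespaces can only be encrypted at creation, so create a new
--    encrypted tablespace (name and datafile path are assumptions).
CREATE TABLESPACE enc_ts
  DATAFILE 'D:\ORACLE\APP\ORADATA\ORCL\enc_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 4. Move the objects that need protection into it; indexes must be
--    rebuilt after the table move (hr.employees is an assumed example).
ALTER TABLE hr.employees MOVE TABLESPACE enc_ts;
ALTER INDEX hr.emp_emp_id_pk REBUILD TABLESPACE enc_ts;

-- Verify: the new tablespace reports ENCRYPTED = YES and the table lives there.
SELECT tablespace_name, encrypted
  FROM dba_tablespaces WHERE tablespace_name = 'ENC_TS';
SELECT owner, table_name, tablespace_name
  FROM dba_tables WHERE owner = 'HR' AND table_name = 'EMPLOYEES';

-- 5. Re-key the master encryption key (scheduled rotation or suspected
--    wallet compromise). Only the master key changes: the table and
--    tablespace keys are re-wrapped under it, the data is not rewritten.
--    Back up the wallet afterwards, since it now holds the new master key.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet_password";
```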
I am new to that TDE stuff and I have read the whole document that Oracle released. I have a question about key generation. We are planning to use an HSM device instead of a wallet. So, instead of the master key we would like to use smart cards. Is that possible? And is there any document about how to?
Thanks in advance.
Edited by: user13074370 on 07.Jan.2013 01:12
Yet another question... is it possible to store the tablespace key in an HSM?