2 Replies Latest reply: Jan 25, 2013 8:58 AM by 856988

    Use different wallets for column encryption and tablespace encryption:

    856988
      We have Oracle Database (Enterprise Edition) along with ASO.
      Due to FERPA and HIPAA, we use TDE on all our data table spaces.

      However, we have a need to encrypt certain columns and these columns should be accessible to certain users who know a "key phrase" - and not others.
      We do NOT have a license for Oracle Vault and would appreciate knowing whether, other than by using the dbms_crypto package, an encrypted column can be created such that, when queried, it prompts for a password or key phrase.

      Any/all response is appreciated.

      Best regards,
      NK
        • 1. Re: Use different wallets for column encryption and tablespace encryption:
          Harm Joris ten Napel-Oracle
          Hi NK,

          If you use Transparent Data Encryption you can choose between column encryption and tablespace encryption (or a mix),
          and the master key for both can only be stored in the same wallet (in 11gR2 we have a unified master key for both).

          Also, an important concept of TDE is that it is transparent: application users do not need to know any encryption key (passphrase).
          When you are asking that you
          "need to encrypt certain columns and these columns should be accessible to certain users who know a 'key phrase' - and not others"
          then you are making a common conceptual mistake, which is to confuse encryption with access control. There's actually a good
          statement about this in the security guide here: Principle 1: Encryption Does Not Solve Access Control Problems

          http://docs.oracle.com/cd/E11882_01/network.112/e16543/data_encryption.htm#i1006159

          So if some users should not have access to certain data, please solve this with access controls in combination with VPD;
          trying to solve it with encryption is simply ill-advised.

          greetings,

          Harm ten Napel

          Edited by: hnapel on Jan 24, 2013 8:14 AM
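
An added example, not part of the original thread or of Oracle's documentation: one way to apply the "access controls in combination with VPD" advice above is a column-masking VPD policy, so that only listed accounts see the sensitive column while TDE keeps protecting the data at rest. The schema APP, table STUDENT_RECORDS, column SSN, lookup table SENSITIVE_READERS and account REGISTRAR_CLERK are hypothetical names chosen for illustration.

```sql
-- Hypothetical objects: schema APP, table APP.STUDENT_RECORDS with the
-- sensitive column SSN, and APP.SENSITIVE_READERS listing authorised accounts.
CREATE TABLE app.sensitive_readers (
  username VARCHAR2(128) PRIMARY KEY
);

-- Policy function: returns the predicate that VPD evaluates for each row.
-- The two parameters are required by DBMS_RLS; they are unused here.
CREATE OR REPLACE FUNCTION app.ssn_reader_predicate (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
  -- True only when the connected account is listed as an authorised reader.
  RETURN q'[EXISTS (SELECT 1
                     FROM app.sensitive_readers r
                    WHERE r.username = SYS_CONTEXT('USERENV', 'SESSION_USER'))]';
END ssn_reader_predicate;
/

-- Attach the policy to the SSN column only. With DBMS_RLS.ALL_ROWS every row
-- is still returned, but SSN comes back as NULL when the predicate is false.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'APP',
    object_name           => 'STUDENT_RECORDS',
    policy_name           => 'MASK_SSN',
    function_schema       => 'APP',
    policy_function       => 'SSN_READER_PREDICATE',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'SSN',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS
  );
END;
/

-- Authorise one (hypothetical) account to see real SSN values.
INSERT INTO app.sensitive_readers (username) VALUES ('REGISTRAR_CLERK');
COMMIT;
```

SYS and any account granted the EXEMPT ACCESS POLICY privilege bypass VPD policies, so that privilege and write access to the lookup table need to be tightly restricted.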
          • 2. Re: Use different wallets for column encryption and tablespace encryption:
            856988
            Thanks for the pointers, it does help us go in the right direction.

            regards,
            NK