Contents
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
Changes in This Release for Oracle Database Advanced Security Guide
Changes in Oracle Database Advanced Security 12c Release 1 (12.1.0.2)
New Features
Support for OLS_LABEL_DOMINATES in Data Redaction Policies
Support for Oracle Key Vault for Keystore and Encryption Key Management
Changes in Oracle Database Advanced Security 12c Release 1 (12.1.0.1)
New Features
New Keystore and Keystore Management functionality for Transparent Data Encryption and Other Database Components
New Administrative Privilege for Transparent Data Encryption
Oracle Data Redaction for Limiting Access to Sensitive Data
Deprecated Features
The Use of PKI to Manage Transparent Data Encryption Keys
Other Changes
1 Introduction to Oracle Advanced Security
Transparent Data Encryption
Oracle Data Redaction
Part I Using Transparent Data Encryption
2 Introduction to Transparent Data Encryption
What Is Transparent Data Encryption?
Benefits of Using Transparent Data Encryption
Who Can Configure Transparent Data Encryption?
Types and Components of Transparent Data Encryption
About Transparent Data Encryption Types and Components
How Transparent Data Encryption Column Encryption Works
How Transparent Data Encryption Tablespace Encryption Works
How the Keystore for the Storage of TDE Master Encryption Keys Works
About the Keystore Storage of TDE Master Encryption Keys
Benefits of the Keystore Storage Framework
Types of Keystores
Supported Encryption and Integrity Algorithms
3 Configuring Transparent Data Encryption
Configuring a Software Keystore
About Configuring a Software Keystore
Step 1: Set the Software Keystore Location in the sqlnet.ora File
About the Keystore Location in the sqlnet.ora File
Configuring the sqlnet.ora File for a Software Keystore Location
Example: Configuring a Software Keystore for a Regular File System
Example: Configuring a Software Keystore When Multiple Databases Share the sqlnet.ora File
Example: Configuring a Software Keystore for Oracle Automatic Storage Management
Example: Configuring a Software Keystore for an Oracle Automatic Storage Management Disk Group
Step 2: Create the Software Keystore
About Creating Software Keystores
Creating a Password-Based Software Keystore
Creating an Auto-Login or a Local Auto-Login Software Keystore
Step 3: Open the Software Keystore
About Opening Software Keystores
Opening a Software Keystore
Step 4: Set the Software TDE Master Encryption Key
About Setting the Software TDE Master Encryption Key
Setting the TDE Master Encryption Key in the Software Keystore
Step 5: Encrypt Your Data
Configuring a Hardware Keystore
About Configuring a Hardware (External) Keystore
Step 1: Set the Hardware Keystore Type in the sqlnet.ora File
Step 2: Configure the Hardware Security Module
Step 3: Open the Hardware Keystore
About Opening the Hardware Keystore
Opening the Hardware Keystore
Step 4: Set the Hardware Keystore TDE Master Encryption Key
About Setting the Hardware Keystore TDE Master Encryption Key
Setting a TDE Master Encryption Key if You Have Not Previously Configured One
Migration of a Previously Configured TDE Master Encryption Key
Step 5: Encrypt Your Data
Encrypting Columns in Tables
About Encrypting Columns in Tables
Data Types That Can Be Encrypted with TDE Column Encryption
Restrictions on Using Transparent Data Encryption Column Encryption
Creating Tables with Encrypted Columns
About Creating Tables with Encrypted Columns
Creating a Table with an Encrypted Column Using the Default Algorithm
Creating a Table with an Encrypted Column Using No Algorithm or a Non-Default Algorithm
Using the NOMAC Parameter to Save Disk Space and Improve Performance
Example: Using the NOMAC Parameter in a CREATE TABLE Statement
Example: Changing the Integrity Algorithm for a Table
Creating an Encrypted Column in an External Table
Encrypting Columns in Existing Tables
About Encrypting Columns in Existing Tables
Adding an Encrypted Column to an Existing Table
Encrypting an Unencrypted Column
Disabling Encryption on a Column
Creating an Index on an Encrypted Column
Adding Salt to an Encrypted Column
Removing Salt from an Encrypted Column
Changing the Encryption Key or Algorithm for Tables with Encrypted Columns
Encrypting Tablespaces
Restrictions on Using Transparent Data Encryption Tablespace Encryption
Step 1: Set the COMPATIBLE Initialization Parameter for Tablespace Encryption
About Setting the COMPATIBLE Initialization Parameter for Tablespace Encryption
Setting the COMPATIBLE Initialization Parameter for Tablespace Encryption
Step 2: Set the Tablespace TDE Master Encryption Key
Step 3: Create the Encrypted Tablespace
About Creating Encrypted Tablespaces
Creating an Encrypted Tablespace
Example: Creating an Encrypted Tablespace That Uses 3DES168
Example: Creating an Encrypted Tablespace That Uses the Default Algorithm
Transparent Data Encryption Data Dynamic and Data Dictionary Views
4 Managing the Keystore and the TDE Master Encryption Key
Managing the Keystore
Changing the Password of a Password-Based Software Keystore
About Changing the Password of a Password-Based Software Keystore
Changing the Password-Based Software Keystore Password
Changing the Password of a Hardware Keystore
Backing Up Password-Based Software Keystores
About Backing Up Password-Based Software Keystores
Creating a Backup Identifier String for the Backup Keystore
How the V$ENCRYPTION_WALLET View Interprets Backup Operations
Backing Up a Password-Based Software Keystore
Backups of the Hardware Keystore
Merging Software Keystores
About Merging Software Keystores
Merging Two Software Keystores into a Third New Keystore
Merging One Software Keystore into an Existing Software Keystore
Merging an Auto-Login Software Keystore into an Existing Password-Based Software Keystore
Reversing a Software Keystore Merge Operation
Moving a Software Keystore to a New Location
Moving a Software Keystore Out of Automatic Storage Management
Migrating Between a Software Password Keystore and a Hardware Keystore
Migrating from a Password-Based Software Keystore to a Hardware Keystore
Step 1: Convert the Software Keystore to Open with the Hardware Keystore
Step 2: Configure sqlnet.ora for the Migration of the Password-Based Software Keystore
Step 3: Perform the Hardware Keystore Migration
Migrating from a Hardware Keystore to a Password-Based Software Keystore
About Migrating Back from a Hardware Keystore
Step 1: Configure sqlnet.ora for the Reverse Migration
Step 2: Configure the Keystore for the Reverse Migration
Step 3: Configure the Hardware Keystore to Open with the Software Keystore
Keystore Order After a Migration
Migration of Keystores to and from Oracle Key Vault
Closing a Keystore
About Closing Keystores
Closing a Software Keystore
Closing a Hardware Keystore
Using a Software Keystore That Resides on ASM Volumes
Backup and Recovery of Encrypted Data
Deletion of Keystores
Managing the TDE Master Encryption Key
Creating TDE Master Encryption Keys for Later Use
About Creating a TDE Master Encryption Key for Later Use
Creating a TDE Master Encryption Key for Later Use
Example: Creating a TDE Master Encryption Key in a Single Database
Example: Creating a TDE Master Encryption Key in All PDBs
Activation of TDE Master Encryption Keys
About Activating TDE Master Encryption Keys
Activating a TDE Master Encryption Key
Example: Activating a TDE Master Encryption Key
TDE Master Encryption Key Attribute Management
TDE Master Encryption Key Attributes
Finding the TDE Master Encryption Key That Is in Use
Creating Custom TDE Master Encryption Key Attributes for Reporting Purposes
About Creating Custom Attribute Tags
Creating a Custom Attribute Tag
Setting and Resetting the TDE Master Encryption Key in the Keystore
About Setting or Rotating the TDE Master Encryption Key in the Keystore
Creating and Backing Up a TDE Master Encryption Key and Applying a Tag to It
About Rotating the TDE Master Encryption Key
Rotating the TDE Master Encryption Key
Exporting and Importing the TDE Master Encryption Key
About Exporting and Importing the TDE Master Encryption Key
About Exporting TDE Master Encryption Keys
Exporting a TDE Master Encryption Key
Example: Exporting a TDE Master Encryption Key by Using a Subquery
Example: Exporting a List of TDE Master Encryption Key Identifiers to a File
Example: Exporting All TDE Master Encryption Keys of the Database
About Importing TDE Master Encryption Keys
Importing a TDE Master Encryption Key
Example: Importing a TDE Master Encryption Key
How Keystore Merge Differs from TDE Master Encryption Key Export or Import
Management of TDE Master Encryption Keys Using Oracle Key Vault
Storing Secrets Used by Oracle Database
About Storing Oracle Database Secrets in a Keystore
Storage of Oracle Database Secrets in a Software Keystore
Example: Adding an HSM Password to a Software Keystore
Example: Changing an HSM Password That Is Stored as a Secret in a Software Keystore
Example: Deleting an HSM Password That Is Stored as a Secret in a Software Keystore
Storage of Oracle Database Secrets in a Hardware Keystore
Example: Adding an Oracle Database Secret to a Hardware Keystore
Example: Changing an Oracle Database Secret in a Hardware Keystore
Example: Deleting an Oracle Database Secret in a Hardware Keystore
Configuring Auto-Login Hardware Security Modules
About Configuring Auto-Login Hardware Security Modules
Configuring an Auto-Login Hardware Security Module
Storing Oracle GoldenGate Secrets in a Keystore
About Storing Oracle GoldenGate Secrets in Keystores
Oracle GoldenGate Extract Classic Capture Mode TDE Requirements
Configuring TDE Keystore Support for Oracle GoldenGate
Step 1: Decide on a Shared Secret for the Keystore
Step 2: Configure Oracle Database for TDE Support for Oracle GoldenGate
Step 3: Store the TDE GoldenGate Shared Secret in the Keystore
Step 4: Set the TDE Oracle GoldenGate Shared Secret in the Extract Process
5 General Considerations of Using Transparent Data Encryption
Compression and Data Deduplication of Encrypted Data
Security Considerations for Transparent Data Encryption
Transparent Data Encryption General Security Advice
Transparent Data Encryption Column Encryption-Specific Advice
Managing Security for Plaintext Fragments
Performance and Storage Overhead of Transparent Data Encryption
Performance Overhead of Transparent Data Encryption
Storage Overhead of Transparent Data Encryption
Modifying Your Applications for Use with Transparent Data Encryption
How ALTER SYSTEM and orapki Map to ADMINISTER KEY MANAGEMENT
Using Transparent Data Encryption with PKI Encryption
Software Master Encryption Key Use with PKI Key Pairs
TDE Tablespace and Hardware Keystores with PKI Encryption
Backup and Recovery of a PKI Key Pair
6 Using Transparent Data Encryption with Other Oracle Features
How Transparent Data Encryption Works with Export and Import Operations
About Exporting and Importing Encrypted Data
Exporting and Importing Tables with Encrypted Columns
Using Oracle Data Pump to Encrypt Entire Dump Sets
How Transparent Data Encryption Works with Oracle Data Guard
How Transparent Data Encryption Works with Oracle Real Application Clusters
About Using Transparent Data Encryption with Oracle Real Application Clusters
Using a Non-Shared File System to Store a Software Keystore in Oracle RAC
How Transparent Data Encryption Works with SecureFiles
About Transparent Data Encryption and SecureFiles
Example: Creating a SecureFiles LOB with a Specific Encryption Algorithm
Example: Creating a SecureFiles LOB with a Column Password Specified
How Transparent Data Encryption Works in a Multitenant Environment
About Using Transparent Data Encryption in a Multitenant Environment
Operations That Must Be Performed in Root
Operations That Can Be Performed in Root or in a PDB
Exporting and Importing TDE Master Encryption Keys for a PDB
About Exporting and Importing TDE Master Encryption Keys for a PDB
Exporting or Importing a TDE Master Encryption Key for a PDB
Example: Exporting a TDE Master Encryption Key from a PDB
Example: Importing a TDE Master Encryption Key into a PDB
Unplugging and Plugging a PDB with Encrypted Data in a CDB
Unplugging a PDB That Has Encrypted Data
Plugging a PDB That Has Encrypted Data into a CDB
Unplugging a PDB That Has Master Keys Stored in an HSM
Plugging a PDB That Has Master Keys Stored in an HSM
How Keystore Open and Close Operations Work in a Multitenant Environment
Finding the Keystore Status for All of the PDBs in a Multitenant Environment
How Transparent Data Encryption Works with Oracle Call Interface
How Transparent Data Encryption Works with Editions
Configuring Transparent Data Encryption to Work in a Multidatabase Environment
7 Frequently Asked Questions About Transparent Data Encryption
Transparency Questions About Transparent Data Encryption
Performance Questions About Transparent Data Encryption
Part II Using Oracle Data Redaction
8 Introduction to Oracle Data Redaction
What Is Oracle Data Redaction?
When to Use Oracle Data Redaction
Benefits of Using Oracle Data Redaction
Target Use Cases for Oracle Data Redaction
Oracle Data Redaction Use with Database Applications
Oracle Data Redaction with Ad Hoc Database Queries Considerations
9 Oracle Data Redaction Features and Capabilities
Full Data Redaction to Redact All Data
Partial Data Redaction to Redact Sections of Data
Regular Expressions to Redact Patterns of Data
Random Data Redaction to Generate Random Values
Comparison of Full, Partial, and Random Redaction Based on Data Types
Oracle Built-in Data Types Redaction Capabilities
ANSI Data Types Redaction Capabilities
User Defined Data Types or Oracle Supplied Types Redaction Capabilities
No Redaction for Testing Purposes
10 Configuring Oracle Data Redaction Policies
About Oracle Data Redaction Policies
Who Can Create Oracle Data Redaction Policies?
Planning an Oracle Data Redaction Policy
General Syntax of the DBMS_REDACT.ADD_POLICY Procedure
Using Expressions to Define Conditions for Data Redaction Policies
About Using Expressions in Data Redaction Policies
Applying the Redaction Policy Based on User Environment
Applying the Redaction Policy Based on Database Roles
Applying the Redaction Policy Based on Oracle Label Security Label Dominance
Applying the Redaction Policy Based on Application Express Session States
Applying the Redaction Policy to All Users
Creating a Full Redaction Policy and Altering the Full Redaction Value
Creating a Full Redaction Policy
About Creating Full Data Redaction Policies
Syntax for Creating a Full Redaction Policy
Example: Full Redaction Policy
Example: Fully Redacted Character Values
Altering the Default Full Data Redaction Value
About Altering the Default Full Data Redaction Value
Syntax for the DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES Procedure
Modifying the Default Full Data Redaction Value
Creating a Partial Redaction Policy
About Creating Partial Redaction Policies
Syntax for Creating a Partial Redaction Policy
Creating Partial Redaction Policies Using Fixed Character Formats
Settings for Fixed Character Formats
Example: Partial Redaction Policy Using a Fixed Character Format
Creating Partial Redaction Policies Using Character Data Types
Settings for Character Data Types
Example: Partial Redaction Policy Using a Character Data Type
Creating Partial Redaction Policies Using Number Data Types
Settings for Number Data Types
Example: Partial Redaction Policy Using a Number Data Type
Creating Partial Redaction Policies Using Date-Time Data Types
Settings for Date-Time Data Types
Example: Partial Redaction Policy Using Date-Time Data Type
Creating a Regular Expression-Based Redaction Policy
About Creating Regular Expression-Based Redaction Policies
Syntax for Creating a Regular Expression-Based Redaction Policy
Regular Expression-Based Redaction Policies Using Formats
Regular Expression Formats
Example: Regular Expression Redaction Policy Using Formats
Custom Regular Expression Redaction Policies
Settings for Custom Regular Expressions
Example: Custom Regular Expression Redaction Policy
Creating a Random Redaction Policy
Syntax for Creating a Random Redaction Policy
Example: Random Redaction Policy
Creating a Policy That Uses No Redaction
Syntax for Creating a Policy with No Redaction
Example: Performing No Redaction
Exemption of Users from Oracle Data Redaction Policies
Altering an Oracle Data Redaction Policy
About Altering Oracle Data Redaction Policies
Syntax for the DBMS_REDACT.ALTER_POLICY Procedure
Parameters Required for DBMS_REDACT.ALTER_POLICY Actions
Tutorial: Altering an Oracle Data Redaction Policy
Redacting Multiple Columns
Adding Columns to a Data Redaction Policy for a Single Table or View
Example: Redacting Multiple Columns
Disabling and Enabling an Oracle Data Redaction Policy
Disabling an Oracle Data Redaction Policy
Enabling an Oracle Data Redaction Policy
Dropping an Oracle Data Redaction Policy
Tutorial: SQL Expressions to Build Reports with Redacted Values
Oracle Data Redaction Policy Data Dictionary Views
11 Using Oracle Data Redaction in Oracle Enterprise Manager
About Using Oracle Data Redaction in Oracle Enterprise Manager
Oracle Data Redaction Workflow
Management of Sensitive Column Types in Enterprise Manager
Managing Oracle Data Redaction Formats Using Enterprise Manager
About Managing Oracle Data Redaction Formats Using Enterprise Manager
Creating a Custom Oracle Data Redaction Format
Editing a Custom Oracle Data Redaction Format
Viewing Oracle Data Redaction Formats
Deleting a Custom Oracle Data Redaction Format
Managing Oracle Data Redaction Policies Using Enterprise Manager
About Managing Oracle Data Redaction Policies Using Enterprise Manager
Creating an Oracle Data Redaction Policy Using Enterprise Manager
Editing an Oracle Data Redaction Policy Using Enterprise Manager
Viewing Oracle Data Redaction Policy Details Using Enterprise Manager
Enabling or Disabling an Oracle Data Redaction Policy in Enterprise Manager
Deleting an Oracle Data Redaction Policy Using Enterprise Manager
12 Oracle Data Redaction Use with Oracle Database Features
Oracle Data Redaction and DML and DDL Operations
Oracle Data Redaction and Nested Functions, Inline Views, and the WHERE Clause
Oracle Data Redaction and Database Links
Oracle Data Redaction and Aggregate Functions
Oracle Data Redaction and Object Types
Oracle Data Redaction and XML Generation
Oracle Data Redaction and Editions
Oracle Data Redaction in a Multitenant Environment
Oracle Data Redaction and Oracle Virtual Private Database
Oracle Data Redaction and Oracle Database Real Application Security
Oracle Data Redaction and Oracle Database Vault
Oracle Data Redaction and Oracle Data Pump
Oracle Data Pump Security Model for Oracle Data Redaction
Export of Objects That Have Oracle Data Redaction Policies Defined
Finding Type Names Used by Oracle Data Pump
Exporting Only the Data Dictionary Metadata Related to Data Redaction Policies
Importing Objects Using the INCLUDE Parameter in IMPDP
Export of Data Using the EXPDP Utility access_method Parameter
Import of Data into Objects Protected by Oracle Data Redaction
Oracle Data Redaction and Data Masking and Subsetting Pack
13 Security Considerations for Oracle Data Redaction
Oracle Data Redaction General Usage Guidelines
Restriction of Administrative Access to Oracle Data Redaction Policies
How Oracle Data Redaction Affects the SYS, SYSTEM, and Default Schemas
Policy Expressions That Use SYS_CONTEXT Attributes
Oracle Data Redaction Policies on Materialized Views
Dropped Oracle Data Redaction Policies When the Recycle Bin Is Enabled
Glossary
Index