oracle TDE

转自:oracle TDE学习系列 (1) — wallet 使用管理
关于oracle wallet,通常称为oracle钱夹,说的通俗一点,oracle wallet是一个用
口令加密的PKCS#12文件,PKCS#12是一个个人信息交换的语法标准,该公钥密码标准
由RSA security 涉及和发布。

我们知道11g的表空间加密依赖于oracle wallet以及wallet中的密钥,对于wallet分为
如下2种:

1. 手动打开的wallet (每次数据库启动以后,需要手动打开wallet)
2. 启动打开的wallet (每次数据库启动以后会启动打开)

如何设置数据库启动以后wallet启启动呢?很简单,通过owm去修改属性即可。
如果是DG环境,oracle推荐使自动的wallet(11g TDE支持dataguard)

创建wallet的方法分别有如下几种:

  --> 手动调用OWM 进行GUI图形界面进行操作
  --> 手工运行mkstore命令创建
  --> alter system set encryption key identified by "xxxxx";

当然我这里图方便直接调用OWM进行创建了,如果是用mkstore命令,那么如下:

  --> mkstore -wrl /home/ora11g/admin/roger/wallet -create
  --> 输入密码(此时的密码是主密钥)
  --> 确认密码

我们这里已经有一个wallet,所以我就直接打开即可,如下:

SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "[email protected]";
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "[email protected]"
*
ERROR at line 1:
ORA-28368: cannot auto-CREATE wallet
 
如果出现上面错误,那么可以说手工指定wallet路径,添加如下信息到sqlnet.ora中:

NAMES.DIRECTORY_PATH=(TNSNAMES,EZCONNECT)
ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/home/ora11g/admin/roger/wallet )))
 
当然,这里的method_data路径必须存在,否则会报错:

SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "[email protected]";
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "[email protected]"
*
ERROR at line 1:
ORA-28368: cannot auto-CREATE wallet
 
错误依旧,突然发现该目录是不存在的,手工mkdir创建以下,即可:

[[email protected] admin]$ mkdir -p  /home/ora11g/admin/roger/wallet
 
SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "[email protected]";
 
System altered.
 
下面我们手工通过mkstore命令来看看(如下操作我是10204环境中进行):

[[email protected] ~]$ mkstore -wrl $ORACLE_HOME/network/admin/wallet -create
 
Enter password: ******
 
Enter password again: ******
 
==== 这里我输入的wallet密码是www.killdb.com ====
 
==== 将数据库用户roger用户认证信息加入到wallet进行管理 ====
 
[[email protected] admin]$ cat tnsnames.ora
 
# tnsnames.ora Network Configuration File: /home/ora10g/product/10.2//network/admin/tnsnames.ora
# Generated by Oracle configuration tools.
 
TEST_10G =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.2.110)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = roger)
    )
  )
 
EXTPROC_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))
    )
    (CONNECT_DATA =
      (SID = PLSExtProc)
      (PRESENTATION = RO)
    )
  )
 
[[email protected] admin]$ mkstore -wrl $ORACLE_HOME/network/admin/wallet -createCredential  TEST_10G roger "roger"
 
Enter wallet password: ******
 
Create credential oracle.security.client.connect_string1
 
==== 这里输入的wallet同样是我们前面的www.killdb.com ====
 
[[email protected] admin]$ mkstore -wrl $ORACLE_HOME/network/admin/wallet -createCredential  TEST_10G scott "tiger"
 
Enter wallet password:
 
Create credential Secret Store error occured: oracle.security.pki.OracleSecretStoreException: Credential already exists
 
==== 报错了,提示存在?====
 
google了一下,原理是每个连接字符串只能对应一个数据库用户,那我们就收工在tnsnames.ora中再添加一个即可,如下:

[[email protected] admin]$ cat tnsnames.ora
 
# tnsnames.ora Network Configuration File: /home/ora10g/product/10.2//network/admin/tnsnames.ora
# Generated by Oracle configuration tools.
 
TEST_10G =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.2.110)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = roger)
    )
  )
 
EXTPROC_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))
    )
    (CONNECT_DATA =
      (SID = PLSExtProc)
      (PRESENTATION = RO)
    )
  )
 
TEST_SCOTT =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.2.110)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = roger)
    )
  )
 
[[email protected] admin]$ mkstore -wrl $ORACLE_HOME/network/admin/wallet -createCredential  TEST_SCOTT scott "tiger"
 
Enter wallet password: ******
 
Create credential oracle.security.client.connect_string2
 
==== 创建成功 ====
 
==== 到这里可能有人会问,如何知道哪些用户认证加到wallet了呢?oracle当然也提供了命令,如下:====
 
[[email protected] admin]$ mkstore -wrl $ORACLE_HOME/network/admin/wallet -listCredential
 
Enter wallet password: ******
 
List credential (index: connect_string username)
1: TEST_10G roger
2: TEST_SCOTT scott
 
我们可以发现,目前有2个数据库用户认证加入到wallet了,那么有什么用处呢?请看:

首先我们还得修改sqlnet.ora,添加如下内容:

[[email protected] admin]$ cat sqlnet.ora
 
SQLNET.WALLET_OVERRIDE=TRUE
NAMES.DIRECTORY_PATH=(TNSNAMES,EZCONNECT)
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/home/ora10g/product/10.2/network/admin/wallet)))
 
[[email protected] admin]$ sqlplus /@test_scott
 
SQL*Plus: Release 10.2.0.5.0 - Production ON Wed Oct 12 08:26:27 2011
Copyright (c) 1982, 2010, Oracle.  ALL Rights Reserved.
 
Connected TO:
Oracle DATABASE 10g Enterprise Edition Release 10.2.0.5.0 - Production
WITH the Partitioning, OLAP, DATA Mining AND REAL Application Testing options
 
SQL> SHOW USER
USER IS "SCOTT"
 
==== 我们可以发现,实现无密码登陆 ====
 
到最后,我想大家会跟我一样还会有个疑问,那就是:如果scott用户更改密码了呢?
那还会有用吗?如果没用的话,是不是需要重建用户的认证呢?
答案是否,oracle还提供了MODIFY功能,如下:
 
SQL> SHOW USER
USER IS "SCOTT"
 
SQL> ALTER USER scott IDENTIFIED BY scott;
 
USER altered.
 
SQL> exit
 
Disconnected FROM Oracle DATABASE 10g Enterprise Edition Release 10.2.0.5.0 - Production
WITH the Partitioning, OLAP, DATA Mining AND REAL Application Testing options
 
[[email protected] admin]$ sqlplus /@test_scott
 
SQL*Plus: Release 10.2.0.5.0 - Production ON Wed Oct 12 08:29:41 2011
 
Copyright (c) 1982, 2010, Oracle.  ALL Rights Reserved.
 
ERROR:
ORA-01017: invalid username/password; logon denied
 
Enter user-name:
 
 
==== 下面进行修改wallet中的scott用户密码认证:====
 
[[email protected] admin]$ mkstore -wrl $ORACLE_HOME/network/admin/wallet/ -modifyCredential TEST_SCOTT scott "scott"
 
Enter wallet password:
 
MODIFY credential
MODIFY 2
 
[[email protected] admin]$ sqlplus /@test_scott
 
SQL*Plus: Release 10.2.0.5.0 - Production ON Wed Oct 12 08:31:51 2011
Copyright (c) 1982, 2010, Oracle.  ALL Rights Reserved.
 
Connected TO:
Oracle DATABASE 10g Enterprise Edition Release 10.2.0.5.0 - Production
WITH the Partitioning, OLAP, DATA Mining AND REAL Application Testing options
 
==== 既然有了MODIFY,那是否有DELETE呢?当然有,如下:====
 
[[email protected] admin]$ mkstore -wrl $ORACLE_HOME/network/admin/wallet/ -deleteCredential TEST_SCOTT
 
Enter wallet password: ******
 
DELETE credential
DELETE 2
 
[[email protected] admin]$ mkstore -wrl $ORACLE_HOME/network/admin/wallet -listCredential
 
Enter wallet password: ******
 
List credential (INDEX: connect_string username)
1: TEST_10G roger
 
最后来看看如何设置新的密钥?首先这里我们要弄清楚2个概念:

wallet密码跟我们这里要修改的master key不是一个东西,wallet密码仅仅是你登陆owm或进行wallet
时需要输入的密码,而master key是存在wallet中,用于加密解密数据库的加密列或加密表空间的。

另外还有一个表密钥,如果一个表有多个列需要进行加密,那么在该表上也只会生成一个表级密钥,
当前段用户从该表中取回数据时,会首先取出表密钥然后再取出存在wallet中的master key进行对
表密钥的解密,最后用解密后的表密钥去解密加密的列或表空间数据,最终返回明文数据给用户。

更改wallet key很简单,可以通过owm gui界面进行或如下命令:

orapki wallet change_pwd -wallet <wallet_location>

这里主要测试下master key的更改。

SQL> SELECT * FROM V$ENCRYPTION_WALLET;
 
WRL_TYPE             WRL_PARAMETER                                                STATUS
-------------------- ------------------------------------------------------------ ---------
file                 /home/ora10g/product/10.2/network/admin/wallet               CLOSED
 
SQL> ALTER system SET encryption wallet OPEN IDENTIFIED BY "www.killdb.com";
 
System altered.
 
SQL> SELECT * FROM V$ENCRYPTION_WALLET;
 
WRL_TYPE             WRL_PARAMETER                                                STATUS
-------------------- ------------------------------------------------------------ ---------
file                 /home/ora10g/product/10.2/network/admin/wallet               OPEN
 
SQL> conn roger/roger
Connected.
 
SQL> CREATE TABLE ht01 (id NUMBER ENCRYPT,name varchar2(10));
CREATE TABLE ht01 (id NUMBER ENCRYPT,name varchar2(10))
*
ERROR at line 1:
ORA-28361: master KEY NOT yet SET
 
 
SQL> ALTER system SET encryption KEY IDENTIFIED BY "www.killdb.com";
 
System altered.
 
SQL> CREATE TABLE ht01 (id NUMBER ENCRYPT,name varchar2(10));
 
TABLE created.
 
SQL> INSERT INTO ht01 VALUES(1314,‘killdb‘);
 
1 ROW created.
 
SQL> commit;
 
Commit complete.
 
SQL> SELECT * FROM DBA_ENCRYPTED_COLUMNS;
 
OWNER        TABLE_NAME       COLUMN_NAME      ENCRYPTION_ALG                SAL INTEGRITY_AL
------------ ---------------- ---------------- ----------------------------- --- ------------
ROGER        HT01             ID               AES 192 bits KEY              YES SHA-1
 
SQL> ALTER system SET encryption KEY  IDENTIFIED BY "oraclemaster";
ALTER system SET encryption KEY  IDENTIFIED BY "oraclemaster"
*
ERROR at line 1:
ORA-28353: failed TO OPEN wallet
 
SQL>  SELECT * FROM V$ENCRYPTION_WALLET;
 
WRL_TYPE             WRL_PARAMETER                                                STATUS
-------------------- ------------------------------------------------------------ ---------
file                 /home/ora10g/product/10.2/network/admin/wallet               CLOSED
 
SQL> ALTER system SET encryption wallet OPEN IDENTIFIED BY "www.killdb.com";
 
System altered.
 
SQL> SELECT * FROM V$ENCRYPTION_WALLET;
 
WRL_TYPE             WRL_PARAMETER                                                STATUS
-------------------- ------------------------------------------------------------ ---------
file                 /home/ora10g/product/10.2/network/admin/wallet               OPEN
 
SQL>  SELECT obj#, mkeyid FROM sys.enc$;
 
      OBJ# MKEYID
---------- ----------------------------------------------------------------
     51809 AcNbIDu9IE+6vzrrVp/L4qcAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 
SQL> SELECT owner,object_name FROM dba_objects WHERE object_id=51809;
 
OWNER                          OBJECT_NAME
------------------------------ --------------------------------------------
ROGER                          HT01
 
SQL> SELECT obj#, mkeyid FROM sys.enc$;
 
      OBJ# MKEYID
---------- ----------------------------------------------------------------
     51809 AcNbIDu9IE+6vzrrVp/L4qcAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 
SQL> SHOW USER
USER IS "ROGER"
 
SQL> ALTER system SET encryption KEY IDENTIFIED BY "www.killdb.com";
 
System altered.
 
SQL> SELECT a.owner, object_name, b.mkeyid
  2    FROM sys.dba_objects a, sys.enc$ b
  3   WHERE a.object_id = b.obj#;
 
OWNER     OBJECT_NAME     MKEYID
--------- --------------- -------------------------------------------------------
ROGER     HT01            AUkm6RyZ2084v/KP0PwFGUwAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 
SQL>
 
++++ 我们可以看到,master KEY已经更改。++++
++++ 当然,当我们更改了master KEY以后,我们最好也同时更改下表级密钥。++++
 
SQL> SELECT * FROM ht01;
 
        ID NAME
---------- ----------
      1314 killdb
 
SQL> ALTER TABLE ht01  rekey;
 
TABLE altered.
 
SQL> SELECT * FROM ht01;
 
        ID NAME
---------- ----------
      1314 killdb
 
SQL> SELECT a.owner, object_name, b.mkeyid
  2    FROM sys.dba_objects a, sys.enc$ b
  3   WHERE a.object_id = b.obj#;
 
OWNER              OBJECT_NAME     MKEYID
------------------ --------------- -------------------------------------------------------
ROGER              HT01            AUkm6RyZ2084v/KP0PwFGUwAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 
SQL> ALTER TABLE ht01  rekey;
 
TABLE altered.
 
SQL> SELECT a.owner, object_name, b.mkeyid
  2    FROM sys.dba_objects a, sys.enc$ b
  3   WHERE a.object_id = b.obj#;
 
OWNER              OBJECT_NAME     MKEYID
------------------ --------------- -------------------------------------------------------
ROGER              HT01            AUkm6RyZ2084v/KP0PwFGUwAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 
 
+++++ 既然wallet如此重要,那如何备份wallet?++++++
 
SQL> ALTER system SET encryption wallet close IDENTIFIED BY "www.killdb.com";
ALTER system SET encryption wallet close IDENTIFIED BY "www.killdb.com"
                                         *
ERROR at line 1:
ORA-28364: invalid wallet operation
 
SQL> ALTER system SET wallet close;
 
System altered.
 
SQL> ALTER system SET wallet close;
 
System altered.
 
SQL> !
 
[[email protected] ~]$ cd $ORACLE_HOME/net*/admin
[[email protected] admin]$ ls -ltr
 
total 48
-rw-r--r--  1 ora10g oinstall  172 Dec 26  2003 shrept.lst
drwxr-x---  2 ora10g oinstall 4096 Sep 24 05:11 samples
drwx------  2 ora10g oinstall 4096 Oct 12 08:06 wallet
-rw-r--r--  1 ora10g oinstall  488 Oct 12 08:08 listener.ora
-rw-r--r--  1 ora10g oinstall  712 Oct 12 08:20 tnsnames.ora
-rw-r--r--  1 ora10g oinstall  181 Oct 12 08:25 sqlnet.ora
 
[[email protected] admin]$ mv wallet wallet_old
[[email protected] admin]$ ls -ltr
 
total 48
-rw-r--r--  1 ora10g oinstall  172 Dec 26  2003 shrept.lst
drwxr-x---  2 ora10g oinstall 4096 Sep 24 05:11 samples
drwx------  2 ora10g oinstall 4096 Oct 12 08:06 wallet_old
-rw-r--r--  1 ora10g oinstall  488 Oct 12 08:08 listener.ora
-rw-r--r--  1 ora10g oinstall  712 Oct 12 08:20 tnsnames.ora
-rw-r--r--  1 ora10g oinstall  181 Oct 12 08:25 sqlnet.ora
 
[[email protected] admin]$ exit
exit
 
SQL> SELECT * FROM roger.ht01;
SELECT * FROM roger.ht01
                    *
ERROR at line 1:
ORA-28365: wallet IS NOT OPEN
 
 
SQL> ALTER system SET encryption wallet OPEN IDENTIFIED BY "www.killdb.com";
ALTER system SET encryption wallet OPEN IDENTIFIED BY "www.killdb.com"
*
ERROR at line 1:
ORA-28367: wallet does NOT exist
 
SQL> !
 
 
[[email protected] ~]$ cd $ORACLE_HOME/net*/admin
[[email protected] admin]$ mv wallet_old wallet
[[email protected] admin]$ exit
exit
 
SQL> ALTER system SET encryption wallet OPEN IDENTIFIED BY "www.killdb.com";
 
System altered.
 
SQL> SELECT * FROM roger.ht01;
 
        ID NAME
---------- ----------
      1314 killdb
 
==== 对于wallet的备份,我们可以直接拷贝即可如下,当然我这里直接mv测试:====
 
[[email protected] admin]$ cp -r wallet wallet_20111113
      分享到:
时间: 2024-11-05 20:31:47

oracle TDE的相关文章

ORACLE TDE 透明数据加密技术

从ORALE 10GR2开始出现透明数据加密技术(Transparent Data Encryption,TDE) TDE用来对数据加密,通常 SQL 执行的应用程序逻辑不需要进行更改,仍能正常运行. 换言之,应用程序可以使用同一语法将数据插入到应用程序表中,并且 Oracle 数据库在将信息写入磁盘之前将自动对数据进行加密. 随后的选择操作将透明地解密数据,因此应用程序将继续正常地运行. 这一点很重要,因为当前的应用程序通常期望未加密的应用程序数据. 显示加密数据至少会使应用程序用户迷惑不解,

[课]13.2 Oracle TDE的数据加密示例并用logminer验证加密效果

1.确认数据库版本 2创建密钥钱包 3创建加密列的表并初始值 4演示TDE的数据加密示例 5 logminer验证加密效果

ORACLE 透明加密(TDE)

/* author:CH date:2015 theme:oracle TDE test */ 一透明加密(TDE, Transparent Data Encryption) 参考: http://www.oracle.com/technetwork/cn/tutorials/tde-096772-zhs.html#t3 http://www.eygle.com/archives/2011/09/oracle_transparent_data_encryption.html http://blo

ORACLE恢复神器之ODU/AUL/DUL

分享ORACLE数据库恢复神器之ODU.DUL和AUL工具. ODU:ORACLE DATABASE UNLOADER DUL:DATA UNLOADER AUL:也称MyDUL 关于三种工具说明: (1)Oracle 的内部工具是DUL(Data UnLoader).这个需要Oracle 的支持. (2)老熊写的ODU   网址:http://www.oracleodu.com/en/ (3)d.c.b.a (支付宝 楼方鑫)写的AUL. 网址:http://www.anysql.net/do

Oracle中对列加密的方法

Oracle中对列加密的方法 2011-12-22 17:21:13 分类: Linux Oracle支持多种列加密方式: 1,透明数据加密(TDE):create table encrypt_col(id int,txt varchar2(100) encrypt using '算法名称' identified by '密钥' no salt);优点:对应用完全透明缺点:需要数据库管理员管理wallet,增加了管理复杂性,也无法避免数据库管理员查看原文. 2,使用DBMS_CRYPTO包优点:

透明数据加密 (TDE)常见问题解答

透明数据加密 (TDE)常见问题解答问题任何人只要有权访问加密数据就能对其进行解密吗?TDE 会带来哪些开销?哪些加密算法可与 TDE 一同使用?可以使用第三方加密算法代替 TDE 提供的算法吗?可以对外键约束中使用的列采用 TDE 列加密吗?可以对联接中使用的列进行加密吗?可以对已建索引的列进行加密吗?TDE 列加密支持哪些数据类型和数据长度?数据在网络上传输时仍处于加密状态吗?数据库内存 (SGA) 中包含的是明文数据还是加密数据?如何知道要加密哪些数据呢?需要加密的数据都在哪里?对于 Or

Oracle 11g Articles

发现一个比较有意思的网站,http://www.oracle-base.com/articles/11g/articles-11g.php Oracle 11g Articles Oracle Database 11g: New Features For Administrators OCP Exam Articles Oracle Database 11g Release 1: Miscellaneous Articles Oracle Database 11g Release 2: Misc

使用Oracle的Security External Password Store功能实现无密码登录数据库

使用Oracle的Security External Password Store功能实现无密码登录数据库 作者:赵全文  网名:guestart 在今年国内很多用户的Oracle数据库突然遭到比特币勒索,从这一方面来说,数据库的安全,大家没有引起足够的重视.其实不难发现,我们在生产环境中使用的Oracle数据库确实存在着很多安全隐患和安全风险.Oracle在数据库安全方面的解决方案也有很多,比如Oracle审计与数据库防火墙(AVDF)产品.Oracle的透明数据加密功能(KDE)和Oralc

Oracle数据泵的使用

几乎所有DBA都熟悉oracle的导出和导入实用程序,它们将数据装载进或卸载出数据库,在oracle  database 10g和11g中,你必须使用更通用更强大的数据泵导出和导入(Data Pump Export and Import)实用程序导出和导入数据. 以前的导出和导入实用程序在oracle database 11g中仍然可以使用,但是Oracle强烈建议使用数据泵(Data Pump)技术,因为它提供了更多的高级特性.例如,你可以中断导出/导入作业,然后恢复它们:可以重新启动已失败的