15 Copyright © 2006, Oracle. All rights reserved. Database Security


Database Security


Objectives

After completing this lesson, you should be able to do the following:

• Implement Transparent Data Encryption (TDE)

• Use TDE with encrypted columns

• Describe Data Pump (DP) encryption

• Identify components of Recovery Manager (RMAN)–encrypted backups

• Define basic concepts of a Virtual Private Database (VPD)

• Apply a column-level VPD policy


Oracle Transparent Data Encryption (TDE): Overview

• Need for secure information

• Automatic encryption of sensitive information:
  – Embedded in the Oracle database
  – No need to change application logic
  – Encrypts data and index values

• Using an encryption key:
  – Master key for the entire database
  – Stored in Oracle Wallet

[Diagram: encryption/decryption between column and index data and the wallet]


TDE Process

[Diagram: a table with columns Name, Sal, Card and Address shown as clear data and as encrypted data. Labels: external security module, wallet, master key, column keys. Statements: ALTER TABLE and SELECT | INSERT | UPDATE | CREATE TABLE]


Implementing Transparent Data Encryption

1. Create a wallet: automatically or by using Oracle Wallet Manager.

Example sqlnet.ora entry:

ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)(METHOD_DATA=
    (DIRECTORY=/opt/oracle/product/10.2.0/db_1/)))


Implementing Transparent Data Encryption

2. Set the master key from within your instance:

ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY <password>;

3. Open the wallet from within your instance (future):

ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY <password>;

4. Create tables that contain encrypted columns:

CREATE TABLE emp (
  first_name VARCHAR2(128),
  last_name  VARCHAR2(128),
  empID      NUMBER ENCRYPT NO SALT,
  salary     NUMBER(6) ENCRYPT USING '3DES168',
  comm       NUMBER(6) ENCRYPT);


Existing Tables and TDE

• Add encrypted columns:

ALTER TABLE emp ADD (ssn VARCHAR2(11) ENCRYPT);

• Encrypt unencrypted columns:

ALTER TABLE emp MODIFY (first_name ENCRYPT);

• Disable column encryption:

ALTER TABLE emp MODIFY (first_name DECRYPT);

• Add or remove salt:

ALTER TABLE emp MODIFY (first_name ENCRYPT [NO] SALT);

• Change keys and the encryption algorithm:

ALTER TABLE emp REKEY USING '3DES168';


Transparent Data Encryption: Considerations

• You cannot encrypt tables owned by SYS.

• LONG and LOB data types are not supported.

• The supported encryption algorithms are:
  – 3DES168
  – AES128
  – AES192
  – AES256

• NO SALT must be used to encrypt index columns.

• TDE works with indexes for equality searches.

• Encrypted data must be decrypted before expression evaluation.

• Best practice tip: Back up the wallet.
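A check that ties the setup steps to the considerations above, as an added example that is not part of the original slides. It assumes the emp table from step 4 exists in the current schema and the wallet is open; the index names and the sample row are constructed.

```sql
-- Added example: assumes the emp table from step 4 is in the current schema
-- and the wallet is open. Index names and sample values are constructed.

-- 1. List the encrypted columns with their algorithm and salt setting.
SELECT column_name, encryption_alg, salt
FROM   user_encrypted_columns
WHERE  table_name = 'EMP';

-- 2. empID was declared ENCRYPT NO SALT, so it can carry an index.
CREATE INDEX emp_empid_idx ON emp (empID);

-- 3. Application SQL is unchanged: values are encrypted on INSERT and
--    decrypted on SELECT, and the equality search can use the index.
INSERT INTO emp (first_name, last_name, empID, salary, comm)
VALUES ('Ana', 'Lopez', 1001, 10000, 500);

SELECT last_name, salary
FROM   emp
WHERE  empID = 1001;

-- 4. salary is salted (the default), so the salt has to be removed with the
--    MODIFY form shown earlier before the column can be indexed.
ALTER TABLE emp MODIFY (salary ENCRYPT NO SALT);
CREATE INDEX emp_salary_idx ON emp (salary);

-- 5. Inventory: every encrypted column that is part of an index, with its
--    salt setting, for review after schema changes.
SELECT ec.table_name, ec.column_name, ec.salt, ic.index_name
FROM   user_encrypted_columns ec
JOIN   user_ind_columns ic
  ON   ic.table_name  = ec.table_name
 AND   ic.column_name = ec.column_name;
```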


Wallet Support for Usernames and Passwords

• Wallets can now hold more than just a certificate:
  – You can store usernames and passwords in a wallet rather than providing them on the command line.

• Batch job processing:
  – Protects against exposure of usernames and passwords when listing processes on the OS

• Set up using:
  – WALLET_LOCATION in sqlnet.ora
  – mkstore utility

connect /@db_connect_string


Data Pump and Transparent Data Encryption

• Supply your own column key during export and import:

ENCRYPTION_PASSWORD = <password>

• Also true for external tables:

CREATE TABLE emp_ext (
  first_name, last_name, empID,
  salary ENCRYPT IDENTIFIED BY "xIcf3T9u" )
ORGANIZATION EXTERNAL (
  TYPE ORACLE_DATAPUMP
  DEFAULT DIRECTORY "D_DIR"
  LOCATION('emp_ext.dat') )
REJECT LIMIT UNLIMITED
as select * from employees;


RMAN Encrypted Backups: Overview

Three possible encryption modes for your backups:

• Transparent mode:
  – Requires Oracle Wallet
  – Is best suited for day-to-day backup and restore operations at the same location
  – Is the default encryption mode

• Password mode:
  – Requires you to provide a password
  – Is best suited for backups restored at remote locations

• Dual mode:
  – Can use either Oracle Wallets or passwords
  – Is best suited for backups restored locally and remotely


Transparent Mode Setup

1. Create a wallet: automatically or by using Oracle Wallet Manager.

2. Open the wallet from within your instance:

ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY <password>;

3. Set the master key from within your instance:

ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY <password>;

4. Configure RMAN to use transparent encryption:

CONFIGURE ENCRYPTION FOR DATABASE ON

5. There are no changes to your backup or recover commands.

6. Permanent configuration can be temporarily overwritten:

SET ENCRYPTION OFF


Password Mode Setup

1. Set your RMAN session to use password encryption:

SET ENCRYPTION ON IDENTIFIED BY password ONLY

2. There are no changes to your backup commands.

3. Set your RMAN session to decrypt password-encrypted backups:

SET DECRYPTION IDENTIFIED BY password1 {, password2,…, passwordn}

4. There are no changes to your recover commands.


Dual Mode Setup

1. Create a wallet: automatically or by using Oracle Wallet Manager.

2. Open the wallet from within your instance:

ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY <password>;

3. Set your RMAN session to use dual encryption:

SET ENCRYPTION ON IDENTIFIED BY password

4. There are no changes to your backup commands.

5. If necessary, set your RMAN session to decrypt your backups by using the password:

SET DECRYPTION IDENTIFIED BY password1 {, password2,…, passwordn}

6. There are no changes to your recover commands.


RMAN-Encrypted Backups: Considerations

• Image copy backups cannot be encrypted.

• COMPATIBLE must be set to at least 10.2.0.

• V$RMAN_ENCRYPTION_ALGORITHMS contains the list of possible encryption algorithms.

SET ENCRYPTION ALGORITHM 'algorithmname'

CONFIGURE ENCRYPTION ALGORITHM 'algorithmname'

• Backup encryption is available only with Oracle Database Enterprise Edition.

• One new encryption key is used for each new encrypted backup.

• You can increase disk performance by using multiple channels.

• You can change the master key anytime without affecting your transparent encrypted backups.


Need for Data Privacy

Examples:

• Employees: Protect salary and commission percent (used in the remainder of this lesson)

• Online banking: Protect access to accounts

• Web store: Supply individual shopping baskets

• Web host: Allow each customer to see only their own data

• Used in Oracle SalesOnline.com and Oracle Portal


Definition and Usage of Terms

• Fine-grained access control (FGAC): Use of functions

• Application context: To preserve user identity and serve as a secure data cache for application attributes and values

• Application attributes: Used by fine-grained access policies


Virtual Private Database: Overview

• Virtual Private Database (VPD) consists of:
  – Fine-grained access control (FGAC)
  – Secure application context

• VPD uses policies to add conditions to SQL statements that protect sensitive data.

• VPD provides row-level access control.

• Application attributes defined inside an application context are used by fine-grained access policies.


Virtual Private Database: Features

• Column-level VPD enforces row-level access control based on accessed security columns.

• With customization, you can define static and nonstatic policies.

• Using shared policies, you can associate one policy with multiple objects.

• Policy type can be INDEX.

• Policy predicate text string can be of size 32 KB.


Column-Level VPD: Example

• Statements are not always rewritten.

• Consider a policy protecting the SALARY and COMMISSION_PCT columns of the EMPLOYEES table. Fine-grained access control is:
  – Not needed for this query:

    SQL> SELECT last_name FROM employees;

  – Enforced for these queries:

    SQL> SELECT last_name, salary
      2  FROM employees;

    SQL> SELECT * FROM employees;


Creating a Column-Level Policy

1. Grant the privilege.

2. Create the function.

3. Apply the policy to the object.

BEGIN
  dbms_rls.add_policy(
    object_schema     => 'hr',
    object_name       => 'employees',
    policy_name       => 'hr_policy',
    function_schema   => 'hr',
    policy_function   => 'hrsec',
    statement_types   => 'select,insert',
    sec_relevant_cols => 'salary,commission_pct');
END;
/
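The three steps above carried through end to end, as an added example that is not part of the original slides. The GRANT statement, the body of hrsec and the verification queries are assumptions (the slides show only the add_policy call), and the predicate assumes the EMAIL column of the HR sample schema holds the database user name.

```sql
-- Step 1, as a DBA: allow HR to administer row-level security policies.
GRANT EXECUTE ON dbms_rls TO hr;

-- Step 2, as HR: the policy function. DBMS_RLS calls it with the schema and
-- object name and appends the returned text to the statement as a predicate.
CREATE OR REPLACE FUNCTION hrsec (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
BEGIN
  -- Assumed rule: a session sees salary data only in rows whose EMAIL
  -- matches its own database user name.
  RETURN 'UPPER(email) = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END hrsec;
/

-- Step 3, as HR: the add_policy call from the slide, unchanged.
BEGIN
  dbms_rls.add_policy(
    object_schema     => 'hr',
    object_name       => 'employees',
    policy_name       => 'hr_policy',
    function_schema   => 'hr',
    policy_function   => 'hrsec',
    statement_types   => 'select,insert',
    sec_relevant_cols => 'salary,commission_pct');
END;
/

-- Confirm the policy and its security-relevant columns are registered.
SELECT policy_name, function, sel, ins, enable
FROM   user_policies
WHERE  object_name = 'EMPLOYEES';

SELECT policy_name, sec_rel_column
FROM   user_sec_relevant_cols
WHERE  object_name = 'EMPLOYEES';

-- Behaviour for a session that is not exempt from the policy:
SELECT last_name FROM employees;          -- no protected column: not rewritten
SELECT last_name, salary FROM employees;  -- predicate appended: matching rows only

-- Accounts holding this privilege bypass every VPD policy; review the list.
SELECT grantee FROM dba_sys_privs WHERE privilege = 'EXEMPT ACCESS POLICY';
```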


Summary

In this lesson, you should have learned how to:

• Implement Transparent Data Encryption

• Use TDE with encrypted columns

• Describe Data Pump encryption

• Identify components of RMAN-encrypted backups

• Define basic concepts of a Virtual Private Database

• Apply a column-level VPD policy


Practice Overview: Using Oracle Database Security

This practice covers the following topics:

• Implementing TDE by creating an encrypted wallet and encryption keys

• Using TDE with encrypted columns