TDE

Transparent Data Encryption

Transparent Data Encryption (TDE) enables you to encrypt sensitive data stored in tables and tablespaces.

TDE encrypts sensitive data stored in data files. To prevent unauthorized decryption, the TDE encryption keys can be created and stored inside the Akeyless Platform.

After the data is encrypted, this data is transparently decrypted for authorized users or applications when they access this data. TDE helps protect data at rest.

Akeyless provides a PKCS#11 shared library file for setting up TDE for Oracle Database.

Set TDE for Oracle Database

Download the Akeyless PKCS#11 file to your Oracle server:

curl -o libakeyless.so https://akeylessservices.s3.us-east-2.amazonaws.com/services/pkcs11/release/linux/amd64/latest/libakeyless.so

And set the following permissions and folders:

mkdir -p /opt/oracle/extapi/64/hsm/akeyless/0.0.1/ && \
cp libakeyless.so /opt/oracle/extapi/64/hsm/akeyless/0.0.1/. && \
chown -R oracle:dba /opt/oracle && \
mkdir /logs && \
chown -R oracle:dba /logs

With a privileged user on your Database server, create the configuration directory and the following file:

mkdir -p /var/akeyless/conf && touch /var/akeyless/conf/pkcs11.conf

Edit the created pkcs11.conf file and set the following:

log_level="info"
log_path="/logs/pkcs11.log"
akeyless_url="https://<yourAkeylessGW>:8081"
default_aes_mechanism="CBC"
base_item_path="/pkcs11"
[auth]
access_type="access_key"
access_id="<your access id>"
access_key="<your access key>"

Where:

  • akeyless_url is your Akeyless Gateway URL.

  • base_item_path - The destination path under which all your TDE encryption keys are saved inside the Akeyless Platform. Ensure your Authentication Method has permission to create and manage items under the desired path.

  • The [auth] section should be set with the relevant Authentication Method type and settings, using the same structure as the Akeyless CLI profile settings file.

  • default_aes_mechanism - Sets the type of AES encryption keys. Oracle supports only CBC.

Optional:

  • customer_fragment_id - Relevant Customer Fragment ID for Zero-Knowledge Encryption.

  • split_level - Defines the requested split level. By default, the split level is 2.

  • A [syslog] section can be added to set the destination Syslog server settings:

    • network - Either TCP or UDP.
    • url - Syslog server URL.

Set the relevant permissions on the pkcs11.conf file for your oracle user and group:

chown -R oracle:dba /var/akeyless/conf/pkcs11.conf
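Before pointing Oracle at the HSM it is worth confirming the library and pkcs11.conf are actually in place and filled in. The following pre-flight check is an added example, not part of the Akeyless documentation; it defaults to the paths used on this page, takes alternative paths as arguments, and flags leftover template placeholders, a non-HTTPS gateway URL, a non-CBC mechanism and a world-readable config file (chown alone does not change the file mode, and the file holds an access key).

```shell
#!/bin/sh
# Added pre-flight check for the pkcs11.conf written above (example, not part
# of the Akeyless docs). Default paths are the ones used on this page; both
# arguments can be overridden, e.g. to test against a constructed file.
check_pkcs11_conf() {
  conf="${1:-/var/akeyless/conf/pkcs11.conf}"
  lib="${2:-/opt/oracle/extapi/64/hsm/akeyless/0.0.1/libakeyless.so}"
  rc=0
  [ -f "$lib" ] || { echo "missing PKCS#11 library: $lib"; rc=1; }
  [ -f "$conf" ] || { echo "missing config: $conf"; return 1; }

  # Placeholders from the template (<yourAkeylessGW>, <your access id>, ...)
  # that were never replaced.
  if grep -q '<your' "$conf"; then
    echo "template placeholders still present in $conf"; rc=1
  fi
  # The gateway URL should be HTTPS: the access key travels over this link.
  grep -q '^akeyless_url="https://' "$conf" \
    || { echo "akeyless_url must start with https://"; rc=1; }
  # Oracle supports only CBC for the AES mechanism.
  grep -q '^default_aes_mechanism="CBC"' "$conf" \
    || { echo "default_aes_mechanism must be \"CBC\" for Oracle"; rc=1; }
  # Every required key must be present exactly once.
  for key in akeyless_url base_item_path access_type access_id access_key; do
    n=$(grep -c "^$key=" "$conf")
    [ "$n" -eq 1 ] || { echo "expected one $key= line, found $n"; rc=1; }
  done
  # The file holds an access key: chown leaves the mode untouched, so reject
  # a world-readable file (last octal digit carrying the read bit).
  perm=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
  others=${perm#${perm%?}}
  case "$others" in
    [4-7]) echo "$conf is world-readable (mode $perm); use chmod 640"; rc=1 ;;
  esac
  return $rc
}
```

Run it as the oracle user, since that is the account the Oracle processes will use to read the file.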

Edit the sqlnet.ora file under $ORACLE_HOME/network/admin/sqlnet.ora, where $ORACLE_HOME is your oracle user home directory.

For a Docker setup, the file location is /u01/app/oracle/product/12.2.0/dbhome_1/admin/ORCLCDB/sqlnet.ora

Add the following line to set your Oracle wallet:

ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM))

Encrypting Tablespaces

Log in to your Oracle DB and run the following commands to create a wallet and a master encryption key:

administer key management set keystore open identified by "akeyless";
administer key management set key identified by "akeyless";

Run the following command to create an encrypted tablespace:

CREATE TABLESPACE encrypt_ts
  DATAFILE '$ORACLE_HOME/dbs/encrypt_df.dbf' SIZE 1M
  ENCRYPTION USING 'AES128'
  DEFAULT STORAGE (ENCRYPT);

Run the following command to create a table in the encrypted tablespace:

CREATE TABLE my_table (
    person_id NUMBER GENERATED BY DEFAULT AS IDENTITY,
    first_name VARCHAR2(50) NOT NULL,
    last_name VARCHAR2(50) NOT NULL,
    PRIMARY KEY(person_id)
)  TABLESPACE encrypt_ts;