TDE
Transparent Data Encryption
Transparent Data Encryption (TDE) lets you encrypt sensitive data stored in tables and tablespaces.
TDE encrypts sensitive data stored in data files. To prevent unauthorized decryption, TDE can be configured to create and store the encryption keys inside the Akeyless Platform.
After the data is encrypted, it is transparently decrypted for authorized users or applications when they access it. TDE helps protect data at rest.
Akeyless provides a PKCS#11 shared library file for setting up TDE with Oracle Database.
Set TDE for Oracle Database
Download the Akeyless PKCS#11 file to your Oracle server:
curl -o libakeyless.so https://akeylessservices.s3.us-east-2.amazonaws.com/services/pkcs11/release/linux/amd64/latest/libakeyless.so
And set the following permissions and folders:
mkdir -p /opt/oracle/extapi/64/hsm/akeyless/0.0.1/ && \
cp libakeyless.so /opt/oracle/extapi/64/hsm/akeyless/0.0.1/. && \
chown -R oracle:dba /opt/oracle && \
mkdir /logs && \
chown -R oracle:dba /logs
With privileged user permissions on your database server, create the following file:
touch /var/akeyless/conf/pkcs11.conf
Edit the created pkcs11.conf file and set the following:
log_level="info"
log_path="/logs/pkcs11.log"
akeyless_url="https://<yourAkeylessGW>:8081"
default_aes_mechanism="CBC"
base_item_path="/pkcs11"
[auth]
access_type="access_key"
access_id="<your access id>"
access_key="<your access key>"
Where:
- akeyless_url - Your Akeyless Gateway URL.
- base_item_path - The destination path under which all your TDE encryption keys are saved inside the Akeyless Platform. Ensure your Authentication Method has permission to create and manage items under the desired path.
- [auth] - This section should be set with the relevant Authentication Method type and settings, using the same structure as the Akeyless CLI profile settings file.
- default_aes_mechanism - Sets the type of AES encryption keys. Oracle supports only CBC.
Optional:
- customer_fragment_id - The Customer Fragment ID to use for Zero-Knowledge Encryption.
- split_level - Defines the requested split level. By default, the split level is set to 2.
- [syslog] - This section can be added to set the destination Syslog server settings: network (either TCP or UDP) and url (the Syslog server URL).
Set the relevant permissions on the pkcs11.conf file for your oracle user and group:
chown -R oracle:dba /var/akeyless/conf/pkcs11.conf
Edit the sqlnet.ora file under $ORACLE_HOME/network/admin/sqlnet.ora, where $ORACLE_HOME is your oracle user's home directory.
For a Docker setup, the file location is /u01/app/oracle/product/12.2.0/dbhome_1/admin/ORCLCDB/sqlnet.ora
Add the following line to set your Oracle wallet:
ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM))
Note
Starting from Oracle version 18c/19c, before running the commands in the next section, you must first complete the following steps to set up the keystore:
- Create a directory called wallet in the $ORACLE_BASE/admin/db_unique_name directory.
- Log in to the database as a user with the SYSDBA administrative privilege.
- Set the WALLET_ROOT parameter:
alter system set wallet_root='<path to the oracle wallet directory>' scope=spfile;
- Shut down and start up the database:
shutdown immediate;
startup;
- Set the TDE_CONFIGURATION parameter as follows:
alter system set TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM" SCOPE=both;
Encrypting Tablespaces
Log in to your Oracle DB and run the following commands to create a wallet and a master encryption key:
administer key management set keystore open identified by "akeyless";
administer key management set key identified by "akeyless";
Run the following command to create an encrypted tablespace:
CREATE TABLESPACE encrypt_ts
DATAFILE '$ORACLE_HOME/dbs/encrypt_df.dbf' SIZE 1M
ENCRYPTION USING 'AES128'
DEFAULT STORAGE (ENCRYPT);
Run the following command to create an encrypted table:
CREATE TABLE my_table (
person_id NUMBER GENERATED BY DEFAULT AS IDENTITY,
first_name VARCHAR2(50) NOT NULL,
last_name VARCHAR2(50) NOT NULL,
PRIMARY KEY(person_id)
) TABLESPACE encrypt_ts;
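To confirm that TDE is really backed by the Akeyless PKCS#11 library rather than a local wallet, and that the new tablespace is encrypted as intended, the following verification queries can be run as SYSDBA after the steps above. They are an added example, not part of the Akeyless documentation, and assume the tablespace name ENCRYPT_TS and the log path /logs/pkcs11.log used on this page.

```sql
-- Added verification queries (not from the Akeyless page); run as SYSDBA after the
-- "administer key management" and CREATE TABLESPACE commands above.

-- 1. Keystore state. Expect WRL_TYPE = 'HSM', WALLET_TYPE = 'HSM' and STATUS = 'OPEN'.
--    STATUS = 'CLOSED' means "set keystore open" did not succeed;
--    STATUS = 'OPEN_NO_MASTER_KEY' means "set key" did not succeed.
--    In both cases check /logs/pkcs11.log on the database host for the PKCS#11 error.
SELECT wrl_type, wrl_parameter, status, wallet_type
FROM   v$encryption_wallet;

-- 2. Master encryption key. Expect at least one key with KEYSTORE_TYPE = 'HSM',
--    i.e. created and held in Akeyless, not in a file-based wallet.
SELECT key_id, creation_time, key_use, keystore_type
FROM   v$encryption_keys
ORDER  BY creation_time DESC;

-- 3. The tablespace created above. Expect ENCRYPTED = 'YES', ENCRYPTIONALG = 'AES128'
--    and STATUS = 'NORMAL' (not still ENCRYPTING).
SELECT t.name, d.encrypted, e.encryptionalg, e.encryptedts, e.status
FROM   v$tablespace t
JOIN   dba_tablespaces d ON d.tablespace_name = t.name
LEFT JOIN v$encrypted_tablespaces e ON e.ts# = t.ts#
WHERE  t.name = 'ENCRYPT_TS';

-- 4. Inventory of tablespaces that are still unencrypted, so that application data
--    placed outside ENCRYPT_TS is not silently stored in clear on disk.
SELECT tablespace_name, encrypted
FROM   dba_tablespaces
WHERE  encrypted = 'NO'
ORDER  BY tablespace_name;
```

Query 4 will normally list SYSTEM, SYSAUX, UNDO and TEMP as well; whether those must also be encrypted is a policy decision for the deployment, but any application tablespace appearing there should be treated as a gap.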