Transparent Data Encryption (TDE) encrypts sensitive data stored in tables and tablespaces.
TDE encrypts the data in the database's data files. To prevent unauthorized decryption, the encryption keys can be created and stored inside the Akeyless Platform rather than on the database host.
After the data is encrypted, it is transparently decrypted for authorized users and applications when they access it. TDE protects data at rest.
Akeyless provides a PKCS#11 shared library to set up TDE for Oracle Database.
Download the Akeyless PKCS#11 library to your Oracle server:

```shell
curl -o libakeyless.so https://akeylessservices.s3.us-east-2.amazonaws.com/services/pkcs11/release/linux/amd64/latest/libakeyless.so
```
Then create the folders and set the following permissions:

```shell
mkdir -p /opt/oracle/extapi/64/hsm/akeyless/0.0.1/ && \
cp libakeyless.so /opt/oracle/extapi/64/hsm/akeyless/0.0.1/. && \
chown -R oracle:dba /opt/oracle && \
mkdir /logs && \
chown -R oracle:dba /logs
```
With a privileged user on your database server, create the pkcs11.conf file (at /var/akeyless/conf/pkcs11.conf) and set the following:

```toml
log_level="info"
log_path="/logs/pkcs11.log"
akeyless_url="https://<yourAkeylessGW>:8081"
default_aes_mechanism="CBC"
base_item_path="/pkcs11"
[auth]
access_type="access_key"
access_id="<your access id>"
access_key="<your access key>"
```
- `akeyless_url` - your Akeyless Gateway URL.
- `base_item_path` - the destination path under which all your TDE encryption keys are saved inside the Akeyless Platform. Ensure your Authentication Method has permission to create and manage items under this path.
- `default_aes_mechanism` - the type of AES encryption keys. Oracle supports only
- `customer_fragment_id` - the relevant Customer Fragment ID for Zero-Knowledge Encryption.
- `split_level` - the requested split level. By default, the split level is set with
- A `[syslog]` section can be added to set the destination syslog server settings:
  - `network` - either TCP or UDP.
  - `url` - the syslog server URL.
Set the relevant permissions on the pkcs11.conf file for your oracle user and group:

```shell
chown -R oracle:dba /var/akeyless/conf/pkcs11.conf
```
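Because pkcs11.conf holds an Akeyless access key in clear text, its file mode matters as much as its contents. The following script is an added example, not code from the Akeyless documentation or from the PKCS#11 library: it writes the file from the parameters shown above with a restrictive mode, then checks it before deployment (mode no wider than 640, no `<...>` placeholders left in, an https gateway URL, and each required key present exactly once). The `chown oracle:dba` step from the page is left to the caller because it needs root, and the values in the usage note are constructed.

```shell
# Added example (not from the Akeyless docs or library): render pkcs11.conf with
# safe permissions and validate it before handing it to the oracle user.
# Key names match the configuration shown on the page; chown oracle:dba is left
# to the caller because it requires root.

write_pkcs11_conf() {
    # $1 destination file, $2 gateway URL, $3 access id, $4 access key
    dest=$1; gw=$2; aid=$3; akey=$4
    mkdir -p "$(dirname "$dest")"
    # Tighten umask before creating the file: it contains a secret and must never
    # be world-readable, not even between creation and chmod.
    old_umask=$(umask)
    umask 077
    cat > "$dest" <<EOF
log_level="info"
log_path="/logs/pkcs11.log"
akeyless_url="$gw"
default_aes_mechanism="CBC"
base_item_path="/pkcs11"
[auth]
access_type="access_key"
access_id="$aid"
access_key="$akey"
EOF
    umask "$old_umask"
    chmod 640 "$dest"   # owner rw, group r (oracle:dba after chown), others nothing
}

file_mode() {
    # Octal mode: GNU stat first, BSD/macOS stat as fallback
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

check_pkcs11_conf() {
    # Return 0 when the file is safe to deploy; otherwise print the reason and fail.
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    mode=$(file_mode "$f")
    case "$mode" in
        400|440|600|640) ;;
        *) echo "mode $mode is too permissive (want 640 or stricter)" >&2; return 2 ;;
    esac
    # A leftover template value such as <yourAkeylessGW> fails at runtime at best.
    if grep -q '[<>]' "$f"; then
        echo "placeholder left in config" >&2; return 3
    fi
    # The access key is sent with every request, so the gateway URL must be https.
    grep -q '^akeyless_url="https://' "$f" || { echo "akeyless_url is not https" >&2; return 4; }
    # Each key the library relies on must be present exactly once.
    for key in log_path akeyless_url base_item_path access_type access_id access_key; do
        n=$(grep -c "^$key=" "$f" || true)
        [ "$n" -eq 1 ] || { echo "key $key appears $n times" >&2; return 5; }
    done
    return 0
}

# Usage with constructed values (the real target is /var/akeyless/conf/pkcs11.conf):
#   d=$(mktemp -d)
#   write_pkcs11_conf "$d/pkcs11.conf" "https://gw.example.internal:8081" "p-example-id" "example-key"
#   check_pkcs11_conf "$d/pkcs11.conf" && echo "config OK"
```

Running `check_pkcs11_conf` against the deployed file in a post-install step catches the two mistakes most often seen with this kind of config: a template value left in place, and a file that the chown above made owned by oracle but still readable by every local account.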
Edit the sqlnet.ora file under $ORACLE_HOME, where $ORACLE_HOME is your oracle user's home directory. For a Docker setup, the file location is
Add the following line to set your
Log in to your Oracle DB and run the following commands to create a wallet and a master encryption key:

```sql
administer key management set keystore open identified by "akeyless";
administer key management set key identified by "akeyless";
```
Run the following command to create an encrypted tablespace (Oracle does not expand shell variables such as $ORACLE_HOME inside a SQL string literal, so substitute the real datafile path):

```sql
CREATE TABLESPACE encrypt_ts
  DATAFILE '$ORACLE_HOME/dbs/encrypt_df.dbf' SIZE 1M
  ENCRYPTION USING 'AES128'
  DEFAULT STORAGE (ENCRYPT);
```
Run the following command to create an encrypted table in that tablespace:

```sql
CREATE TABLE my_table (
  person_id  NUMBER GENERATED BY DEFAULT AS IDENTITY,
  first_name VARCHAR2(50) NOT NULL,
  last_name  VARCHAR2(50) NOT NULL,
  PRIMARY KEY (person_id)
) TABLESPACE encrypt_ts;
```
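Once the tablespace exists, confirm from the data dictionary that the keystore Oracle is actually using is the HSM-backed one (that is, the Akeyless PKCS#11 library) rather than a local file wallet, and that the tablespace is reported as encrypted. The script below is an added example, not part of the Akeyless page or of Oracle's documentation. It assumes sqlplus is on PATH with a session that can connect as SYSDBA, reads only Oracle's V$ENCRYPTION_WALLET and DBA_TABLESPACES views, and uses the tablespace name from the CREATE TABLESPACE statement above; the sample output used to exercise the check is constructed.

```shell
# Added example (not from the Akeyless page): confirm that TDE is really backed by
# the HSM keystore and that ENCRYPT_TS is encrypted. Assumes sqlplus on PATH and
# a session that can connect as SYSDBA.

# Query Oracle and emit one pipe-separated line per row; the first field names
# the view the row came from.
tde_query() {
    sqlplus -S / as sysdba <<'EOF'
SET PAGESIZE 0 FEEDBACK OFF HEADING OFF
SELECT 'WALLET|' || wrl_type || '|' || status || '|' || wallet_type FROM v$encryption_wallet;
SELECT 'TS|' || tablespace_name || '|' || encrypted FROM dba_tablespaces WHERE tablespace_name = 'ENCRYPT_TS';
EOF
}

# Read query output from stdin. Succeeds only when an HSM keystore row is OPEN
# and ENCRYPT_TS is reported as encrypted; otherwise explains what is wrong.
tde_status_ok() {
    hsm_open=0; ts_enc=0
    while IFS='|' read -r kind a b c; do
        case "$kind" in
            WALLET)
                # a=WRL_TYPE b=STATUS c=WALLET_TYPE. Only a FILE/PASSWORD row means the
                # master key lives in a wallet on the database host, not in Akeyless.
                if [ "$a" = "HSM" ] && [ "$b" = "OPEN" ] && [ "$c" = "HSM" ]; then
                    hsm_open=1
                fi
                ;;
            TS)
                # a=TABLESPACE_NAME b=ENCRYPTED
                if [ "$a" = "ENCRYPT_TS" ] && [ "$b" = "YES" ]; then
                    ts_enc=1
                fi
                ;;
        esac
    done
    [ "$hsm_open" -eq 1 ] || { echo "no OPEN HSM keystore row in v\$encryption_wallet" >&2; return 1; }
    [ "$ts_enc" -eq 1 ] || { echo "ENCRYPT_TS is not encrypted" >&2; return 2; }
    return 0
}

# Usage on the database host:
#   tde_query | tde_status_ok && echo "TDE keystore is the HSM and ENCRYPT_TS is encrypted"
```

A keystore row of type FILE with STATUS OPEN and no HSM row is the case to watch for: encryption is on, but the master key is held in a wallet on the same host as the data it protects, which is exactly what routing keys through Akeyless is meant to avoid.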