Oracle Database Advanced Security Guide (E50333-18)
Page Count: 240
- Contents
- Preface
- Changes in This Release for Oracle Database Advanced Security Guide
- 1 Introduction to Oracle Advanced Security
- Part I Using Transparent Data Encryption
- 2 Introduction to Transparent Data Encryption
- 2.1 What Is Transparent Data Encryption?
- 2.2 Benefits of Using Transparent Data Encryption
- 2.3 Who Can Configure Transparent Data Encryption?
- 2.4 Types and Components of Transparent Data Encryption
- 2.4.1 About Transparent Data Encryption Types and Components
- 2.4.2 How Transparent Data Encryption Column Encryption Works
- 2.4.3 How Transparent Data Encryption Tablespace Encryption Works
- 2.4.4 How the Keystore for the Storage of TDE Master Encryption Keys Works
- 2.4.5 Supported Encryption and Integrity Algorithms
- 3 Configuring Transparent Data Encryption
- 3.1 Configuring a Software Keystore
- 3.1.1 About Configuring a Software Keystore
- 3.1.2 Step 1: Set the Software Keystore Location in the sqlnet.ora File
- 3.1.2.1 About the Keystore Location in the sqlnet.ora File
- 3.1.2.2 Configuring the sqlnet.ora File for a Software Keystore Location
- 3.1.2.3 Example: Configuring a Software Keystore for a Regular File System
- 3.1.2.4 Example: Configuring a Software Keystore When Multiple Databases Share the sqlnet.ora File
- 3.1.2.5 Example: Configuring a Software Keystore for Oracle Automatic Storage Management
- 3.1.2.6 Example: Configuring a Software Keystore for an Oracle Automatic Storage Management Disk Group
- 3.1.3 Step 2: Create the Software Keystore
- 3.1.4 Step 3: Open the Software Keystore
- 3.1.5 Step 4: Set the Software TDE Master Encryption Key
- 3.1.6 Step 5: Encrypt Your Data
- 3.2 Configuring a Hardware Keystore
- 3.2.1 About Configuring a Hardware (External) Keystore
- 3.2.2 Step 1: Set the Hardware Keystore Type in the sqlnet.ora File
- 3.2.3 Step 2: Configure the Hardware Security Module
- 3.2.4 Step 3: Open the Hardware Keystore
- 3.2.5 Step 4: Set the Hardware Keystore TDE Master Encryption Key
- 3.2.6 Step 5: Encrypt Your Data
- 3.3 Encrypting Columns in Tables
- 3.3.1 About Encrypting Columns in Tables
- 3.3.2 Data Types That Can Be Encrypted with TDE Column Encryption
- 3.3.3 Restrictions on Using Transparent Data Encryption Column Encryption
- 3.3.4 Creating Tables with Encrypted Columns
- 3.3.4.1 About Creating Tables with Encrypted Columns
- 3.3.4.2 Creating a Table with an Encrypted Column Using the Default Algorithm
- 3.3.4.3 Creating a Table with an Encrypted Column Using No Algorithm or a Non-Default Algorithm
- 3.3.4.4 Using the NOMAC Parameter to Save Disk Space and Improve Performance
- 3.3.4.5 Example: Using the NOMAC Parameter in a CREATE TABLE Statement
- 3.3.4.6 Example: Changing the Integrity Algorithm for a Table
- 3.3.4.7 Creating an Encrypted Column in an External Table
- 3.3.5 Encrypting Columns in Existing Tables
- 3.3.6 Creating an Index on an Encrypted Column
- 3.3.7 Adding Salt to an Encrypted Column
- 3.3.8 Removing Salt from an Encrypted Column
- 3.3.9 Changing the Encryption Key or Algorithm for Tables with Encrypted Columns
- 3.4 Encrypting Tablespaces
- 3.5 Transparent Data Encryption Data Dynamic and Data Dictionary Views
- 4 Managing the Keystore and the TDE Master Encryption Key
- 4.1 Managing the Keystore
- 4.1.1 Changing the Password of a Password-Based Software Keystore
- 4.1.2 Changing the Password of a Hardware Keystore
- 4.1.3 Backing Up Password-Based Software Keystores
- 4.1.4 Backups of the Hardware Keystore
- 4.1.5 Merging Software Keystores
- 4.1.5.1 About Merging Software Keystores
- 4.1.5.2 Merging Two Software Keystores into a Third New Keystore
- 4.1.5.3 Merging One Software Keystore into an Existing Software Keystore
- 4.1.5.4 Merging an Auto-Login Software Keystore into an Existing Password-Based Software Keystore
- 4.1.5.5 Reversing a Software Keystore Merge Operation
- 4.1.6 Moving a Software Keystore to a New Location
- 4.1.7 Moving a Software Keystore Out of Automatic Storage Management
- 4.1.8 Migrating Between a Software Password Keystore and a Hardware Keystore
- 4.1.9 Migration of Keystores to and from Oracle Key Vault
- 4.1.10 Closing a Keystore
- 4.1.11 Using a Software Keystore That Resides on ASM Volumes
- 4.1.12 Backup and Recovery of Encrypted Data
- 4.1.13 Deletion of Keystores
- 4.2 Managing the TDE Master Encryption Key
- 4.2.1 Creating TDE Master Encryption Keys for Later Use
- 4.2.2 Activation of TDE Master Encryption Keys
- 4.2.3 TDE Master Encryption Key Attribute Management
- 4.2.4 Creating Custom TDE Master Encryption Key Attributes for Reporting Purposes
- 4.2.5 Setting and Resetting the TDE Master Encryption Key in the Keystore
- 4.2.6 Exporting and Importing the TDE Master Encryption Key
- 4.2.6.1 About Exporting and Importing the TDE Master Encryption Key
- 4.2.6.2 About Exporting TDE Master Encryption Keys
- 4.2.6.3 Exporting a TDE Master Encryption Key
- 4.2.6.4 Example: Exporting a TDE Master Encryption Key by Using a Subquery
- 4.2.6.5 Example: Exporting a List of TDE Master Encryption Key Identifiers to a File
- 4.2.6.6 Example: Exporting All TDE Master Encryption Keys of the Database
- 4.2.6.7 About Importing TDE Master Encryption Keys
- 4.2.6.8 Importing a TDE Master Encryption Key
- 4.2.6.9 Example: Importing a TDE Master Encryption Key
- 4.2.6.10 How Keystore Merge Differs from TDE Master Encryption Key Export or Import
- 4.2.7 Management of TDE Master Encryption Keys Using Oracle Key Vault
- 4.3 Storing Secrets Used by Oracle Database
- 4.3.1 About Storing Oracle Database Secrets in a Keystore
- 4.3.2 Storage of Oracle Database Secrets in a Software Keystore
- 4.3.3 Example: Adding an HSM Password to a Software Keystore
- 4.3.4 Example: Changing an HSM Password That Is Stored as a Secret in a Software Keystore
- 4.3.5 Example: Deleting an HSM Password That Is Stored as a Secret in a Software Keystore
- 4.3.6 Storage of Oracle Database Secrets in a Hardware Keystore
- 4.3.7 Example: Adding an Oracle Database Secret to a Hardware Keystore
- 4.3.8 Example: Changing an Oracle Database Secret in a Hardware Keystore
- 4.3.9 Example: Deleting an Oracle Database Secret in a Hardware Keystore
- 4.3.10 Configuring Auto-Login Hardware Security Modules
- 4.4 Storing Oracle GoldenGate Secrets in a Keystore
- 5 General Considerations of Using Transparent Data Encryption
- 5.1 Compression and Data Deduplication of Encrypted Data
- 5.2 Security Considerations for Transparent Data Encryption
- 5.3 Performance and Storage Overhead of Transparent Data Encryption
- 5.4 Modifying Your Applications for Use with Transparent Data Encryption
- 5.5 How ALTER SYSTEM and orapki Map to ADMINISTER KEY MANAGEMENT
- 5.6 Using Transparent Data Encryption with PKI Encryption
- 6 Using Transparent Data Encryption with Other Oracle Features
- 6.1 How Transparent Data Encryption Works with Export and Import Operations
- 6.2 How Transparent Data Encryption Works with Oracle Data Guard
- 6.3 How Transparent Data Encryption Works with Oracle Real Application Clusters
- 6.4 How Transparent Data Encryption Works with SecureFiles
- 6.5 How Transparent Data Encryption Works in a Multitenant Environment
- 6.5.1 About Using Transparent Data Encryption in a Multitenant Environment
- 6.5.2 Operations That Must Be Performed in Root
- 6.5.3 Operations That Can Be Performed in Root or in a PDB
- 6.5.4 Exporting and Importing TDE Master Encryption Keys for a PDB
- 6.5.5 Unplugging and Plugging a PDB with Encrypted Data in a CDB
- 6.5.6 How Keystore Open and Close Operations Work in a Multitenant Environment
- 6.5.7 Finding the Keystore Status for All of the PDBs in a Multitenant Environment
- 6.6 How Transparent Data Encryption Works with Oracle Call Interface
- 6.7 How Transparent Data Encryption Works with Editions
- 6.8 Configuring Transparent Data Encryption to Work in a Multidatabase Environment
- 7 Frequently Asked Questions About Transparent Data Encryption
- Part II Using Oracle Data Redaction
- 8 Introduction to Oracle Data Redaction
- 9 Oracle Data Redaction Features and Capabilities
- 9.1 Full Data Redaction to Redact All Data
- 9.2 Partial Data Redaction to Redact Sections of Data
- 9.3 Regular Expressions to Redact Patterns of Data
- 9.4 Random Data Redaction to Generate Random Values
- 9.5 Comparison of Full, Partial, and Random Redaction Based on Data Types
- 9.6 No Redaction for Testing Purposes
- 10 Configuring Oracle Data Redaction Policies
- 10.1 About Oracle Data Redaction Policies
- 10.2 Who Can Create Oracle Data Redaction Policies?
- 10.3 Planning an Oracle Data Redaction Policy
- 10.4 General Syntax of the DBMS_REDACT.ADD_POLICY Procedure
- 10.5 Using Expressions to Define Conditions for Data Redaction Policies
- 10.5.1 About Using Expressions in Data Redaction Policies
- 10.5.2 Applying the Redaction Policy Based on User Environment
- 10.5.3 Applying the Redaction Policy Based on Database Roles
- 10.5.4 Applying the Redaction Policy Based on Oracle Label Security Label Dominance
- 10.5.5 Applying the Redaction Policy Based on Application Express Session States
- 10.5.6 Applying the Redaction Policy to All Users
- 10.6 Creating a Full Redaction Policy and Altering the Full Redaction Value
- 10.7 Creating a Partial Redaction Policy
- 10.7.1 About Creating Partial Redaction Policies
- 10.7.2 Syntax for Creating a Partial Redaction Policy
- 10.7.3 Creating Partial Redaction Policies Using Fixed Character Formats
- 10.7.4 Creating Partial Redaction Policies Using Character Data Types
- 10.7.5 Creating Partial Redaction Policies Using Number Data Types
- 10.7.6 Creating Partial Redaction Policies Using Date-Time Data Types
- 10.8 Creating a Regular Expression-Based Redaction Policy
- 10.9 Creating a Random Redaction Policy
- 10.10 Creating a Policy That Uses No Redaction
- 10.11 Exemption of Users from Oracle Data Redaction Policies
- 10.12 Altering an Oracle Data Redaction Policy
- 10.13 Redacting Multiple Columns
- 10.14 Disabling and Enabling an Oracle Data Redaction Policy
- 10.15 Dropping an Oracle Data Redaction Policy
- 10.16 Tutorial: SQL Expressions to Build Reports with Redacted Values
- 10.17 Oracle Data Redaction Policy Data Dictionary Views
- 11 Using Oracle Data Redaction in Oracle Enterprise Manager
- 11.1 About Using Oracle Data Redaction in Oracle Enterprise Manager
- 11.2 Oracle Data Redaction Workflow
- 11.3 Management of Sensitive Column Types in Enterprise Manager
- 11.4 Managing Oracle Data Redaction Formats Using Enterprise Manager
- 11.5 Managing Oracle Data Redaction Policies Using Enterprise Manager
- 11.5.1 About Managing Oracle Data Redaction Policies Using Enterprise Manager
- 11.5.2 Creating an Oracle Data Redaction Policy Using Enterprise Manager
- 11.5.3 Editing an Oracle Data Redaction Policy Using Enterprise Manager
- 11.5.4 Viewing Oracle Data Redaction Policy Details Using Enterprise Manager
- 11.5.5 Enabling or Disabling an Oracle Data Redaction Policy in Enterprise Manager
- 11.5.6 Deleting an Oracle Data Redaction Policy Using Enterprise Manager
- 12 Oracle Data Redaction Use with Oracle Database Features
- 12.1 Oracle Data Redaction and DML and DDL Operations
- 12.2 Oracle Data Redaction and Nested Functions, Inline Views, and the WHERE Clause
- 12.3 Oracle Data Redaction and Database Links
- 12.4 Oracle Data Redaction and Aggregate Functions
- 12.5 Oracle Data Redaction and Object Types
- 12.6 Oracle Data Redaction and XML Generation
- 12.7 Oracle Data Redaction and Editions
- 12.8 Oracle Data Redaction in a Multitenant Environment
- 12.9 Oracle Data Redaction and Oracle Virtual Private Database
- 12.10 Oracle Data Redaction and Oracle Database Real Application Security
- 12.11 Oracle Data Redaction and Oracle Database Vault
- 12.12 Oracle Data Redaction and Oracle Data Pump
- 12.13 Oracle Data Redaction and Data Masking and Subsetting Pack
- 13 Security Considerations for Oracle Data Redaction
- 13.1 Oracle Data Redaction General Usage Guidelines
- 13.2 Restriction of Administrative Access to Oracle Data Redaction Policies
- 13.3 How Oracle Data Redaction Affects the SYS, SYSTEM, and Default Schemas
- 13.4 Policy Expressions That Use SYS_CONTEXT Attributes
- 13.5 Oracle Data Redaction Policies on Materialized Views
- 13.6 Dropped Oracle Data Redaction Policies When the Recycle Bin Is Enabled
- Glossary
- actual data
- auto-login software keystore
- cipher suite
- ciphertext
- data redaction
- decryption
- encrypted text
- encryption
- hardware keystore
- hardware security module
- inference
- key pair
- keystore
- local auto-login software keystore
- mask
- password-based software keystore
- plaintext
- private key
- public key
- public key encryption
- public and private key pair
- public key infrastructure (PKI)
- redacted data
- salt
- software keystore
- tablespace encryption key
- TDE master encryption key
- TDE table key
- wallet
- wallet obfuscation
- Wallet Resource Locator (WRL)
- Index