oracle TDE(Transparent Data Encryption)透明数据加密

时间:2022-07-21 20:50:45
1,建立钱夹
   钱夹的作用类似锁,锁相当于存在于服务器上一个位置的文件,钥匙相当于口令;当然文件可以存在于数据库服务器之外
加密算法有:
AES192          192位密钥加密,对称性加密算法:加密与解密使用同一密钥进行
AES128(default)  128位密钥加密,非对称性加密算法:加密与解密使用不同密钥进行,公钥与私钥,例RSA
AES256          256位密钥加密
3DES168         168位密钥加密 DES(Data Encryption Standard数据加密标准)

查看钱夹位置:select * from v$encryption_wallet;
如果没有设定可以在sqlnet.ora中设定
比如编辑次文件追加
encryption_wallet_location=(source=
                             (method=file)
                                 (method_data=
                                 (directory=/u01/app/oracle/product/12.2.0.1/dbhome_1/network/admin)))

使用alter system命令创建:

alter system set encryption key identified by 123456;
创建之后就可以打开|关闭钱夹,默认打开了:

alter system set encryption wallet open|close identified by 123456;
实验过程

SQL> select * from v$encryption_wallet;

WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS WALLET_TYPE WALLET_OR FULLY_BAC
------------------------------ -------------------- --------- ---------
CON_ID
----------
FILE
/u01/app/oracle/product/12.2.0.1/db_1/network/admin/
NOT_AVAILABLE UNKNOWN SINGLE UNDEFINED
1


SQL> alter system set encryption key identified by "123456";

System altered.

SQL> select * from v$encryption_wallet;

WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS WALLET_TYPE WALLET_OR FULLY_BAC
------------------------------ -------------------- --------- ---------
CON_ID
----------
FILE
/u01/app/oracle/product/12.2.0.1/db_1/network/admin/
OPEN PASSWORD SINGLE NO
1


SQL> alter system set encryption wallet open identified by 123456;
alter system set encryption wallet open identified by 123456
*
ERROR at line 1:
ORA-28357: password required to open the wallet


SQL> alter system set encryption wallet open identified by "123456";
alter system set encryption wallet open identified by "123456"
*
ERROR at line 1:
ORA-28354: Encryption wallet, auto login wallet, or HSM is already open

2,透明列级加密

可以在创建表的列上使用加密,比如:
create table t(
id int,
c1 varchar2(10) encrypt,
clob1 clob encrypt using 'AES128'
)lob(clob1) store as securefile(cache);

不再举例

3,表空间加密

直接上例子,下边是创建了一个加密表空间,然后创建了一个普通表,移动到加密表空间中,关闭钱夹,看看效果,这里只是演示生产环境不适用sys用户操作

SQL> create tablespace tbs_sec datafile '/u01/app/oracle/oradata/cdb1/tbs_sec1.dbf' size 50M encryption using '3DES168' default storage(encrypt);
Tablespace created.

SQL> create table t1(id int);

Table created.

SQL> insert into t1 values(1);

1 row created.

SQL> commit;

Commit complete.

SQL> col owner for a10
SQL> col table_name for a20
SQL> col tablespace_name for a30
SQL> select owner,table_name,tablespace_name from dba_tables where table_name='T1' and owner='SYS';

OWNER TABLE_NAME TABLESPACE_NAME
---------- -------------------- ------------------------------
SYS T1 SYSTEM

SQL> alter table sys.t1 move tablespace tbs_sec;

Table altered.

SQL> select owner,table_name,tablespace_name from dba_tables where table_name='T1' and owner='SYS';

OWNER TABLE_NAME TABLESPACE_NAME
---------- -------------------- ------------------------------
SYS T1 TBS_SEC

SQL> select tablespace_name,encrypted from dba_tablespaces;

TABLESPACE_NAME ENC
------------------------------ ---
SYSTEM NO
SYSAUX NO
UNDOTBS1 NO
TEMP NO
USERS NO
TBS_SEC YES

6 rows selected.

SQL> select * from t1;

ID
----------
1

SQL> alter system set encryption wallet close identified by 123456;
alter system set encryption wallet close identified by 123456
*
ERROR at line 1:
ORA-28393: password required to close the wallet


SQL> alter system set encryption wallet close identified by "123456";

System altered.

SQL> select * from t1;
select * from t1
*
ERROR at line 1:
ORA-28365: wallet is not open


SQL> alter table t1 add c1 varchar2(10);
alter table t1 add c1 varchar2(10)
*
ERROR at line 1:
ORA-02002: error while writing to audit trail
ORA-28365: wallet is not open
ORA-28365: wallet is not open


SQL> alter system set encryption wallet open identified by "123456";


System altered.

SQL> SQL> alter table t1 add c1 varchar2(10);

Table altered.

SQL> insert into t1 values(2,'china');

1 row created.

SQL> commit;

Commit complete.

SQL> select * from t1;

ID C1
---------- ----------
1
2 china

SQL> alter system set encryption wallet close identified by "123456";

System altered.

SQL> select * from t1;
select * from t1
*
ERROR at line 1:
ORA-28365: wallet is not open


SQL> select c1 from t1;
select c1 from t1
*
ERROR at line 1:
ORA-28365: wallet is not open