2007
Andreas Becker
Senior Member Technical Staff
Oracle Server Technologies - SAP Development
Agenda
Technical Overview
Demo
Technical Restrictions / Recommendations
Configuration and Support in SAP Environments
Alternatives
RMAN Backup Encryption
Oracle Secure Backup
Andreas Becker, DOAG Special Interest Day ORACLE und SAP, 27.6.2007
Encryption
JP Morgan Client Data Loss
The Wall Street Journal,
May 2007
The Need for Encryption
Database Encryption
Release < 10.2
Oracle8i, Oracle9i and Oracle Database 10g provided a PL/SQL API for encrypting data in the Enterprise Edition
DBMS_OBFUSCATION_TOOLKIT in Oracle9i, Oracle10g
DBMS_CRYPTO in Oracle Database 10g
Application calls PL/SQL API to perform encryption
Typically requires database triggers, database views
No automated key management
Note that most 3rd party solutions today create triggers and views to make their encryption solution look transparent
Oracle encryption APIs are used by customers today to encrypt credit card numbers
What our customers wanted
Transparent Data Encryption
TDE Key Features
TDE Key Features
Overview: the Big Picture
Data encrypted on backup files
Separation of duties
DBA starts up database
Master key and column keys
Transparent Data Encryption
Configuration steps
DEMONSTRATION
Transparent Data Encryption (TDE)
Prepare the Database
Encrypting columns
Which algorithms are used?
TDE Available Algorithms
Performance?
Performance?
Performance?
Transparent Data Encryption
Overhead
Storage
33-48 Bytes per row per encrypted column
Performance
~5%
Very customer/system-specific
Depends on
Number of tables
Size of tables
How tables are accessed
Transparent Data Encryption
SALT vs. NO SALT
SALT
A random string is added to the clear text before it is encrypted
Multiple occurrences of the same clear text appear different when encrypted with salt
Increased security
Against pattern matching attacks from hackers
But: encrypted columns which are part of an index must be encrypted with NO SALT
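The index restriction above, worked through as an added example (not code from the slides): a salted column cannot be indexed, so a column that must be searchable by equality has to give up salt, and the defender should know that a NO SALT column then leaks which rows hold the same value. Table and column names are hypothetical, and the wallet is assumed to be open already.

```sql
-- Added example: SALT vs. NO SALT on an indexed column (Oracle 10gR2 syntax).
-- Assumes: wallet is open; table CUSTOMER and column CARD_NUMBER are hypothetical.

CREATE TABLE customer (
  cust_id     NUMBER PRIMARY KEY,
  card_number VARCHAR2(19) ENCRYPT USING 'AES256' SALT   -- SALT is the default
);

-- Building an index on the salted column is rejected (ORA-28338 on 10gR2):
-- identical clear text yields different ciphertext, so an index lookup
-- could never match the stored values.
-- CREATE INDEX customer_card_ix ON customer (card_number);

-- Re-encrypt the column without salt; only then can the index be created.
-- Trade-off: equal card numbers now produce equal ciphertext in the block.
ALTER TABLE customer MODIFY (card_number ENCRYPT NO SALT);
CREATE INDEX customer_card_ix ON customer (card_number);

-- Verify the encryption state of the column (SALT column shows YES/NO).
SELECT table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 WHERE table_name = 'CUSTOMER';
```

Keep salt on every encrypted column that is not indexed; drop it only where an index on the encrypted value is unavoidable, and record that decision, because the deterministic ciphertext of a NO SALT column is exactly what the pattern-matching attack on the slide exploits.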
Transparent Data Encryption
Change Wallet Password
Wallet password is independent from
Master key
Column keys
SYSTEM password
SYS password
Wallet manager supports password policy
At least 8 characters
Must contain number or special characters
Transparent Data Encryption
Export of table data
Export of encrypted data is only supported with data pump:
Using exp utility:
EXP-00107: Feature (string) of column string in table string.string is not supported. The table will not be exported.
Using expdp data pump without encryption password:
ORA-39173: Encrypted data has been stored unencrypted in dump file set.
Using expdp data pump with encryption password:
OK
TDE Administration
Transparent Data Encryption
When you lose your wallet
Losing your wallet is the most secure way to delete your data
A wallet cannot be recovered (even with the same wallet password)
Wallet password and master key are not related
Recommendation: back up your wallet frequently
After change of wallet password
After change of master key
After column rekey
Perform change of master key (master rekey) offline
Re-key the master key
Re-keying the column keys
TDE and Data Guard
Production Database -> Physical Standby
Redo apply: redo logs contain encrypted data
Data encrypted on backup files
Supported data types
varchar2
nvarchar2
number
date
binary_float (*)
binary_double (*)
timestamp
raw
char
nchar
interval day to second
interval year to month
TDE - Unsupported data types
LONG/LONG RAW
LOB/BLOB
TDE - Unsupported database features
TDE - restrictions
How Oracle Advanced Security helps with CISP/PCI
How Oracle Advanced Security helps with CISP/PCI
How Oracle Advanced Security helps with CISP/PCI
Transparent Data Encryption
Recommendations
Transparent Data Encryption
Recommendations (contd)
Transparent Data Encryption
Recommendations (contd)
Rekey Operations
Rekey master key: how often?
Depends on regulations (SB1386, Sarbanes-Oxley)
Regularly, but not too often (~once a year)
Maximum number of TDE master keys is limited due to limited wallet size
10.2.0.2: max wallet size = 64k (~240 master keys)
10.2.0.4: max wallet size = 4M (>15M)
Rekey column key:
Depending on your regulations
Full table update
Transparent Data Encryption
Recommendations (contd)
Wallet Management
Wallet password
Initially set when wallet is created:
SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY <wallet password>;
Can be changed only in wallet manager (not via SQL or command line tool)
Re-key (= generate new) master key
Via SQL: SQL> alter system set encryption key
Not from wallet manager
Back up your wallet
Backup of wallet must be part of your backup / recovery strategy
After change of wallet password
After every rekey operation
Transparent Data Encryption
Recommendations (contd)
Wallet Management
One encryption wallet per database
Do not use autologin wallet
No support for multiple encryption_wallet_location
Only one wallet location in sqlnet.ora
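The wallet lifecycle from the configuration, rekey and wallet management slides, collected into one added example (not code from the slides or from Oracle's own documentation). The sqlnet.ora fragment is shown as a comment; the directory, the table name and the passwords are placeholders, and the v$encryption_wallet query is assumed to be available on the 10gR2 patch level in use.

```sql
-- Added example: wallet and master-key lifecycle with Oracle 10gR2 TDE.
-- Assumes: the sqlnet.ora entry below exists; CUSTOMER is a hypothetical
-- table with an encrypted column; passwords/paths are placeholders.
--
-- sqlnet.ora (one wallet location per database; no autologin wallet):
--   ENCRYPTION_WALLET_LOCATION =
--     (SOURCE = (METHOD = FILE)
--       (METHOD_DATA = (DIRECTORY = /path/to/ORACLE_HOME/dbs)))
--   (replace with the real $ORACLE_HOME/dbs; sqlnet.ora does not expand variables)

-- 1. First execution: creates ewallet.p12 in that directory, sets the wallet
--    password and generates the first master key. The wallet password can be
--    changed afterwards only in Oracle Wallet Manager, not via SQL.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet_password_placeholder";

-- 2. After every instance restart someone holding the wallet password must
--    open the wallet; encrypted columns stay unreadable until this succeeds.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet_password_placeholder";
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

-- 3. Master rekey: the same statement as step 1, re-run while the wallet is
--    open, generates a new master key and re-encrypts only the column keys
--    (no table rows are rewritten). Do this offline, then back up ewallet.p12.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet_password_placeholder";

-- 4. Column rekey: generates a new column key and rewrites every row of the
--    table (the "full table update" on the slide); optionally change algorithm.
ALTER TABLE customer REKEY;
ALTER TABLE customer REKEY USING 'AES256';

-- 5. Close the wallet (10gR2 syntax); encrypted columns are inaccessible
--    while it is closed, so closing also bounds what a stolen datafile exposes.
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;
```

Every successful step 1 or step 3 rewrites ewallet.p12, so the wallet backup the slides ask for belongs immediately after those statements and after any column rekey, as part of the same change window.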
TDE in an SAP environment
TDE Candidates
TDE Support in SAP BR*TOOLS
ENCRYPTION_WALLET_LOCATION parameter must be configured in sqlnet.ora to override the Oracle default path
Location of encryption wallet in SAP environment:
$ORACLE_HOME/dbs (Unix)
%ORACLE_HOME%\database (Windows)
BR*Tools support backup and restore of encryption wallet ewallet.p12
Prerequisite: encryption wallet exists in $ORACLE_HOME/dbs or %ORACLE_HOME%\database
Auto-Login encryption wallet (cwallet.sso, if it exists) will not get backed up by BR*Tools
TDE Support in SAP Dictionary
Alternate Solutions
Oracle Secure Backup
Why Oracle Secure Backup?
RMAN Backup Encryption
TDE / OSB / RMAN Backup Encryption
TDE
Encryption of sensitive data in database files on OS / file-system level
Encryption of sensitive data in backups (disk and tape)
Encryption of sensitive data in archive logs (LogMiner)
ASO license required
Oracle Secure Backup (OSB)
Encryption of backups to tape only (not backup to disk)
No encryption of sensitive data in database files
No encryption of sensitive data in archive logs
Requires separate OSB license
RMAN Backup Encryption (ASO required)
Encryption of backups to disk and to tape
No encryption of sensitive data in database files
No encryption of sensitive data in archive logs
ASO license required
For More Information
http://search.oracle.com
Advanced Security
or
http://www.oracle.com/security
SAP Notes
http://service.sap.com/notes
974876: Transparent Data Encryption
973450: Network Encryption
Oracle Metalink Notes
https://metalink.oracle.com/
Note 317311.1: 10g R2 New Feature TDE: Transparent Data Encryption
Note 317317.1: How to Export/Import with Data Encrypted with Transparent Data Encryption (TDE)
Oracle Technology Network
Oracle Technology Network
DOAG e.V. Server
TDE Pilot Customers Wanted