Contents

Expand All · Collapse All

Title and Copyright Information

Preface

• Audience
• Documentation Accessibility
• Related Documents
• Conventions

Changes in This Release for Oracle Database Advanced Security Guide

• Changes in Oracle Database Advanced Security 12c Release 1 (12.1.0.2)
  • New Features
• Changes in Oracle Database Advanced Security 12c Release 1 (12.1.0.1)
  • New Features
  • Deprecated Features
  • Other Changes

1 Introduction to Oracle Advanced Security

• Transparent Data Encryption
• Oracle Data Redaction

Part I Using Transparent Data Encryption

2 Introduction to Transparent Data Encryption

• What Is Transparent Data Encryption?
• Benefits of Using Transparent Data Encryption
• Who Can Configure Transparent Data Encryption?
• Types and Components of Transparent Data Encryption
  • About Transparent Data Encryption Types and Components
  • How Transparent Data Encryption Column Encryption Works
  • How Transparent Data Encryption Tablespace Encryption Works
  • How the Keystore for the Storage of TDE Master Encryption Keys Works
  • Supported Encryption and Integrity Algorithms

3 Configuring Transparent Data Encryption

• Configuring a Software Keystore
  • About Configuring a Software Keystore
  • Step 1: Set the Software Keystore Location in the sqlnet.ora File
  • Step 2: Create the Software Keystore
  • Step 3: Open the Software Keystore
  • Step 4: Set the Software TDE Master Encryption Key
  • Step 5: Encrypt Your Data
• Configuring a Hardware Keystore
  • About Configuring a Hardware Keystore
  • Step 1: Set the Hardware Keystore Type in the sqlnet.ora File
  • Step 2: Configure the Hardware Security Module
  • Step 3: Open the Hardware Keystore
  • Step 4: Set the Hardware Keystore TDE Master Encryption Key
  • Step 5: Encrypt Your Data
• Encrypting Columns in Tables
  • About Encrypting Columns in Tables
  • Data Types That Can Be Encrypted with TDE Column Encryption
  • Restrictions on Using Transparent Data Encryption Column Encryption
  • Creating Tables with Encrypted Columns
  • Encrypting Columns in Existing Tables
  • Creating an Index on an Encrypted Column
  • Adding Salt to an Encrypted Column
  • Removing Salt from an Encrypted Column
  • Changing the Encryption Key or Algorithm for Tables Containing Encrypted Columns
• Encrypting Tablespaces
  • Restrictions on Using Transparent Data Encryption Tablespace Encryption
  • Step 1: Set the COMPATIBLE Initialization Parameter for Tablespace Encryption
  • Step 2: Set the Tablespace TDE Master Encryption Key
  • Step 3: Create the Encrypted Tablespace
• Transparent Data Encryption Data Dynamic and Data Dictionary Views

4 Managing the Keystore and the TDE Master Encryption Key

• Managing the Keystore
  • Changing the Password of a Password-Based Software Keystore
  • Changing the Password of a Hardware Keystore
  • Backing Up Password-Based Software Keystores
  • Backups of the Hardware Keystore
  • Merging Software Keystores
  • Moving a Software Keystore to a New Location
  • Migrating a Software Password Keystore to a Hardware Keystore and Vice Versa
  • Migration of Keystores to and from Oracle Key Vault
  • Closing a Keystore
  • Using a Software Keystore That Resides on Automatic Storage Management Volumes
  • Backup and Recovery of Encrypted Data
  • Deletion of Keystores
• Managing the TDE Master Encryption Key
  • Creating TDE Master Encryption Keys for Later Use
  • Activation of TDE Master Encryption Keys
  • TDE Master Encryption Key Attribute Management
  • Creating Custom TDE Master Encryption Key Attributes for Reporting Purposes
  • Setting and Resetting the TDE Master Encryption Key in the Keystore
  • Exporting and Importing the TDE Master Encryption Key
  • Management of TDE Master Encryption Keys Using Oracle Key Vault
• Storing Secrets Used by Oracle Database
  • About Storing Oracle Database Secrets in a Keystore
  • Storage of Oracle Database Secrets in a Software Keystore
  • Example: Adding an HSM Password to a Software Keystore
  • Example: Changing an HSM Password That Is Stored as a Secret in a Software Keystore
  • Example: Deleting an HSM Password That Is Stored as a Secret in a Software Keystore
  • Storage of Oracle Database Secrets in a Hardware Keystore
  • Example: Adding an Oracle Database Secret to a Hardware Keystore
  • Example: Changing an Oracle Database Secret in a Hardware Keystore
  • Example: Deleting an Oracle Database Secret in a Hardware Keystore
  • Configuring Auto-Login Hardware Security Modules
• Storing Oracle GoldenGate Secrets in a Keystore
  • About Storing Oracle GoldenGate Secrets in Keystores
  • Requirements for Capturing TDE in Oracle GoldenGate Extract Classic Capture Mode
  • Configuring Transparent Data Encryption Keystore Support for Oracle GoldenGate

5 General Considerations of Using Transparent Data Encryption

• Compression and Data Deduplication of Encrypted Data
• Security Considerations for Transparent Data Encryption
  • Transparent Data Encryption General Security Advice
  • Transparent Data Encryption Column Encryption-Specific Advice
  • Managing Security for Plaintext Fragments
• Performance and Storage Overhead of Transparent Data Encryption
  • Performance Overhead of Transparent Data Encryption
  • Storage Overhead of Transparent Data Encryption
• Modifying Your Applications for Use with Transparent Data Encryption
• How ALTER SYSTEM and orapki Map to ADMINISTER KEY MANAGEMENT
• Using Transparent Data Encryption with PKI Encryption
  • Software Master Encryption Key Use with PKI Key Pairs
  • Transparent Data Encryption Tablespace and Hardware Keystores with PKI Encryption
  • Backup and Recovery of a PKI Key Pair

6 Using Transparent Data Encryption with Other Oracle Features

• How Transparent Data Encryption Works with Export and Import Operations
  • About Exporting and Importing Encrypted Data
  • Exporting and Importing Tables with Encrypted Columns
  • Using Oracle Data Pump to Encrypt Entire Dump Sets
• How Transparent Data Encryption Works with Oracle Data Guard
• How Transparent Data Encryption Works with Oracle Real Application Clusters
  • About Using Transparent Data Encryption with Oracle Real Application Clusters
  • Using a Non-Shared File System to Store a Software Keystore in Oracle RAC
• How Transparent Data Encryption Works with SecureFiles
  • Example: Creating a SecureFiles LOB with a Specific Encryption Algorithm
  • Example: Creating a SecureFiles LOB with a Column Password Specified
• How Transparent Data Encryption Works in a Multitenant Environment
  • About Using Transparent Data Encryption in a Multitenant Environment
  • Operations That Must Be Performed in Root
  • Operations That Can Be Performed in Root or in a PDB
  • Exporting and Importing TDE Master Encryption Keys for a PDB
  • Unplugging and Plugging a PDB with Encrypted Data in a CDB
  • How Open and Close Operations for a Keystore Work in a Multitenant Environment
  • Finding the Keystore Status for All of the PDBs in a Multitenant Environment
• How Transparent Data Encryption Works with Oracle Call Interface
• How Transparent Data Encryption Works with Editions
• Configuring Transparent Data Encryption to Work in a Multidatabase Environment

7 Frequently Asked Questions About Transparent Data Encryption

• Transparency Questions About Transparent Data Encryption
• Performance Questions About Transparent Data Encryption

Part II Using Oracle Data Redaction

8 Introduction to Oracle Data Redaction

• What Is Oracle Data Redaction?
• When to Use Oracle Data Redaction
• Benefits of Using Oracle Data Redaction
• Target Use Cases for Oracle Data Redaction
  • Oracle Data Redaction Use with Database Applications
  • Considerations When Using Oracle Data Redaction with Ad Hoc Database Queries

9 Oracle Data Redaction Features and Capabilities

• Full Data Redaction to Redact All Data
• Partial Data Redaction to Redact Sections of Data
• Regular Expressions to Redact Patterns of Data
• Random Data Redaction to Generate Random Values
• Comparison of Full, Partial, and Random Redaction Based on Data Types
  • Redaction Capabilities for Oracle Built-in Data Types
  • Redaction Capabilities for the ANSI Data Types
  • Redaction Capabilities for the User Defined Data Types or Oracle Supplied Types
• No Redaction for Testing Purposes

10 Configuring Oracle Data Redaction Policies

• About Oracle Data Redaction Policies
• Who Can Create Oracle Data Redaction Policies?
• Planning an Oracle Data Redaction Policy
• General Syntax of the DBMS_REDACT.ADD_POLICY Procedure
• Using Expressions to Define Conditions for Data Redaction Policies
  • About Using Expressions in Data Redaction Policies
  • Applying the Redaction Policy Based on User Environment
  • Applying the Redaction Policy Based on Database Roles
  • Applying the Redaction Policy Based on Oracle Label Security Label Dominance
  • Applying the Redaction Policy Based on Oracle Application Express Session States
  • Applying the Redaction Policy to All Users
• Creating a Full Redaction Policy and Altering the Full Redaction Value
  • Creating a Full Redaction Policy
  • Altering the Default Full Data Redaction Value
• Creating a Partial Redaction Policy
  • About Creating Partial Redaction Policies
  • Syntax for Creating a Partial Redaction Policy
  • Creating Partial Redaction Policies Using Fixed Character Formats
  • Creating Partial Redaction Policies Using Character Data Types
  • Creating Partial Redaction Policies Using Number Data Types
  • Creating Partial Redaction Policies Using Date-Time Data Types
• Creating a Regular Expression-Based Redaction Policy
  • About Creating Regular Expression-Based Redaction Policies
  • Syntax for Creating a Regular Expression-Based Redaction Policy
  • Regular Expression-Based Redaction Policies Using Formats
  • Custom Regular Expression Redaction Policies
• Creating a Random Redaction Policy
  • Syntax for Creating a Random Redaction Policy
  • Example: Random Redaction Policy
• Creating a Policy That Uses No Redaction
  • Syntax for Creating a Policy with No Redaction
  • Example: Performing No Redaction
• Exemption of Users from Oracle Data Redaction Policies
• Altering an Oracle Data Redaction Policy
  • About Altering Oracle Data Redaction Policies
  • Syntax for the DBMS_REDACT.ALTER_POLICY Procedure
  • Parameters Required for DBMS_REDACT.ALTER_POLICY Actions
  • Tutorial: Altering an Oracle Data Redaction Policy
• Redacting Multiple Columns
  • Adding Columns to a Data Redaction Policy for a Single Table or View
  • Example: Redacting Multiple Columns
• Disabling and Enabling an Oracle Data Redaction Policy
  • Disabling an Oracle Data Redaction Policy
  • Enabling an Oracle Data Redaction Policy
• Dropping an Oracle Data Redaction Policy
• Tutorial: How Oracle Data Redaction Affects Tables and Views
• Tutorial: SQL Expressions to Build Reports with Redacted Values
• Oracle Data Redaction Policy Data Dictionary Views

11 Using Oracle Data Redaction in Oracle Enterprise Manager

• About Using Oracle Data Redaction in Oracle Enterprise Manager
• Oracle Data Redaction Workflow
• Management of Sensitive Column Types in Enterprise Manager
• Managing Oracle Data Redaction Formats Using Enterprise Manager
  • About Managing Oracle Data Redaction Formats Using Enterprise Manager
  • Creating a Custom Oracle Data Redaction Format
  • Editing a Custom Oracle Data Redaction Format
  • Viewing Oracle Data Redaction Formats
  • Deleting a Custom Oracle Data Redaction Format
• Managing Oracle Data Redaction Policies Using Enterprise Manager
  • About Managing Oracle Data Redaction Policies Using Enterprise Manager
  • Creating an Oracle Data Redaction Policy Using Enterprise Manager
  • Editing an Oracle Data Redaction Policy Using Enterprise Manager
  • Viewing the Details of an Oracle Data Redaction Policy Using Enterprise Manager
  • Enabling or Disabling an Oracle Data Redaction Policy Using Enterprise Manager
  • Deleting an Oracle Data Redaction Policy Using Enterprise Manager

12 Oracle Data Redaction Use with Oracle Database Features

• Oracle Data Redaction and DML and DDL Operations
• Oracle Data Redaction and Nested Functions, Inline Views, and the WHERE Clause
• Oracle Data Redaction and Aggregate Functions
• Oracle Data Redaction and Object Types
• Oracle Data Redaction and XML Generation
• Oracle Data Redaction and Editions
• Oracle Data Redaction in a Multitenant Environment
• Oracle Data Redaction and Oracle Virtual Private Database
• Oracle Data Redaction and Oracle Database Real Application Security
• Oracle Data Redaction and Oracle Database Vault
• Oracle Data Redaction and Oracle Data Pump
  • Oracle Data Pump Security Model for Oracle Data Redaction
  • Export of Objects That Have Oracle Data Redaction Policies Defined
  • Export of Data Using the EXPDP Utility access_method Parameter
  • Import of Data into Objects Protected by Oracle Data Redaction
• Oracle Data Redaction and Data Masking and Subsetting Pack

13 Security Considerations for Using Oracle Data Redaction

• Oracle Data Redaction General Usage Guidelines
• Restriction of Administrative Access to Oracle Data Redaction Policies
• How Oracle Data Redaction Affects the SYS, SYSTEM, and Default Schemas
• Policy Expressions That Use SYS_CONTEXT Attributes
• Oracle Data Redaction Policies on Materialized Views
• Dropped Oracle Data Redaction Policies When the Recycle Bin Is Enabled

Glossary

Index

Previous Page

Page 1 of 21

Next Page