Contents
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
Changes in This Release for Oracle Database Advanced Security Guide
Changes in Oracle Database Advanced Security 12c Release 1 (12.1.0.2)
New Features
Changes in Oracle Database Advanced Security 12c Release 1 (12.1.0.1)
New Features
Deprecated Features
Other Changes
1 Introduction to Oracle Advanced Security
Transparent Data Encryption
Oracle Data Redaction
Part I Using Transparent Data Encryption
2 Introduction to Transparent Data Encryption
What Is Transparent Data Encryption?
Benefits of Using Transparent Data Encryption
Who Can Configure Transparent Data Encryption?
Types and Components of Transparent Data Encryption
About Transparent Data Encryption Types and Components
How Transparent Data Encryption Column Encryption Works
How Transparent Data Encryption Tablespace Encryption Works
How the Keystore for the Storage of TDE Master Encryption Keys Works
Supported Encryption and Integrity Algorithms
3 Configuring Transparent Data Encryption
Configuring a Software Keystore
About Configuring a Software Keystore
Step 1: Set the Software Keystore Location in the sqlnet.ora File
Step 2: Create the Software Keystore
Step 3: Open the Software Keystore
Step 4: Set the Software TDE Master Encryption Key
Step 5: Encrypt Your Data
Configuring a Hardware Keystore
About Configuring a Hardware Keystore
Step 1: Set the Hardware Keystore Type in the sqlnet.ora File
Step 2: Configure the Hardware Security Module
Step 3: Open the Hardware Keystore
Step 4: Set the Hardware Keystore TDE Master Encryption Key
Step 5: Encrypt Your Data
Encrypting Columns in Tables
About Encrypting Columns in Tables
Data Types That Can Be Encrypted with TDE Column Encryption
Restrictions on Using Transparent Data Encryption Column Encryption
Creating Tables with Encrypted Columns
Encrypting Columns in Existing Tables
Creating an Index on an Encrypted Column
Adding Salt to an Encrypted Column
Removing Salt from an Encrypted Column
Changing the Encryption Key or Algorithm for Tables Containing Encrypted Columns
Encrypting Tablespaces
Restrictions on Using Transparent Data Encryption Tablespace Encryption
Step 1: Set the COMPATIBLE Initialization Parameter for Tablespace Encryption
Step 2: Set the Tablespace TDE Master Encryption Key
Step 3: Create the Encrypted Tablespace
Transparent Data Encryption Data Dynamic and Data Dictionary Views
4 Managing the Keystore and the TDE Master Encryption Key
Managing the Keystore
Changing the Password of a Password-Based Software Keystore
Changing the Password of a Hardware Keystore
Backing Up Password-Based Software Keystores
Backups of the Hardware Keystore
Merging Software Keystores
Moving a Software Keystore to a New Location
Migrating a Software Password Keystore to a Hardware Keystore and Vice Versa
Migration of Keystores to and from Oracle Key Vault
Closing a Keystore
Using a Software Keystore That Resides on Automatic Storage Management Volumes
Backup and Recovery of Encrypted Data
Deletion of Keystores
Managing the TDE Master Encryption Key
Creating TDE Master Encryption Keys for Later Use
Activation of TDE Master Encryption Keys
TDE Master Encryption Key Attribute Management
Creating Custom TDE Master Encryption Key Attributes for Reporting Purposes
Setting and Resetting the TDE Master Encryption Key in the Keystore
Exporting and Importing the TDE Master Encryption Key
Management of TDE Master Encryption Keys Using Oracle Key Vault
Storing Secrets Used by Oracle Database
About Storing Oracle Database Secrets in a Keystore
Storage of Oracle Database Secrets in a Software Keystore
Example: Adding an HSM Password to a Software Keystore
Example: Changing an HSM Password That Is Stored as a Secret in a Software Keystore
Example: Deleting an HSM Password That Is Stored as a Secret in a Software Keystore
Storage of Oracle Database Secrets in a Hardware Keystore
Example: Adding an Oracle Database Secret to a Hardware Keystore
Example: Changing an Oracle Database Secret in a Hardware Keystore
Example: Deleting an Oracle Database Secret in a Hardware Keystore
Configuring Auto-Login Hardware Security Modules
Storing Oracle GoldenGate Secrets in a Keystore
About Storing Oracle GoldenGate Secrets in Keystores
Requirements for Capturing TDE in Oracle GoldenGate Extract Classic Capture Mode
Configuring Transparent Data Encryption Keystore Support for Oracle GoldenGate
5 General Considerations of Using Transparent Data Encryption
Compression and Data Deduplication of Encrypted Data
Security Considerations for Transparent Data Encryption
Transparent Data Encryption General Security Advice
Transparent Data Encryption Column Encryption-Specific Advice
Managing Security for Plaintext Fragments
Performance and Storage Overhead of Transparent Data Encryption
Performance Overhead of Transparent Data Encryption
Storage Overhead of Transparent Data Encryption
Modifying Your Applications for Use with Transparent Data Encryption
How ALTER SYSTEM and orapki Map to ADMINISTER KEY MANAGEMENT
Using Transparent Data Encryption with PKI Encryption
Software Master Encryption Key Use with PKI Key Pairs
Transparent Data Encryption Tablespace and Hardware Keystores with PKI Encryption
Backup and Recovery of a PKI Key Pair
6 Using Transparent Data Encryption with Other Oracle Features
How Transparent Data Encryption Works with Export and Import Operations
About Exporting and Importing Encrypted Data
Exporting and Importing Tables with Encrypted Columns
Using Oracle Data Pump to Encrypt Entire Dump Sets
How Transparent Data Encryption Works with Oracle Data Guard
How Transparent Data Encryption Works with Oracle Real Application Clusters
About Using Transparent Data Encryption with Oracle Real Application Clusters
Using a Non-Shared File System to Store a Software Keystore in Oracle RAC
How Transparent Data Encryption Works with SecureFiles
Example: Creating a SecureFiles LOB with a Specific Encryption Algorithm
Example: Creating a SecureFiles LOB with a Column Password Specified
How Transparent Data Encryption Works in a Multitenant Environment
About Using Transparent Data Encryption in a Multitenant Environment
Operations That Must Be Performed in Root
Operations That Can Be Performed in Root or in a PDB
Exporting and Importing TDE Master Encryption Keys for a PDB
Unplugging and Plugging a PDB with Encrypted Data in a CDB
How Open and Close Operations for a Keystore Work in a Multitenant Environment
Finding the Keystore Status for All of the PDBs in a Multitenant Environment
How Transparent Data Encryption Works with Oracle Call Interface
How Transparent Data Encryption Works with Editions
Configuring Transparent Data Encryption to Work in a Multidatabase Environment
7 Frequently Asked Questions About Transparent Data Encryption
Transparency Questions About Transparent Data Encryption
Performance Questions About Transparent Data Encryption
Part II Using Oracle Data Redaction
8 Introduction to Oracle Data Redaction
What Is Oracle Data Redaction?
When to Use Oracle Data Redaction
Benefits of Using Oracle Data Redaction
Target Use Cases for Oracle Data Redaction
Oracle Data Redaction Use with Database Applications
Considerations When Using Oracle Data Redaction with Ad Hoc Database Queries
9 Oracle Data Redaction Features and Capabilities
Full Data Redaction to Redact All Data
Partial Data Redaction to Redact Sections of Data
Regular Expressions to Redact Patterns of Data
Random Data Redaction to Generate Random Values
Comparison of Full, Partial, and Random Redaction Based on Data Types
Redaction Capabilities for Oracle Built-in Data Types
Redaction Capabilities for the ANSI Data Types
Redaction Capabilities for the User Defined Data Types or Oracle Supplied Types
No Redaction for Testing Purposes
10 Configuring Oracle Data Redaction Policies
About Oracle Data Redaction Policies
Who Can Create Oracle Data Redaction Policies?
Planning an Oracle Data Redaction Policy
General Syntax of the DBMS_REDACT.ADD_POLICY Procedure
Using Expressions to Define Conditions for Data Redaction Policies
About Using Expressions in Data Redaction Policies
Applying the Redaction Policy Based on User Environment
Applying the Redaction Policy Based on Database Roles
Applying the Redaction Policy Based on Oracle Label Security Label Dominance
Applying the Redaction Policy Based on Oracle Application Express Session States
Applying the Redaction Policy to All Users
Creating a Full Redaction Policy and Altering the Full Redaction Value
Creating a Full Redaction Policy
Altering the Default Full Data Redaction Value
Creating a Partial Redaction Policy
About Creating Partial Redaction Policies
Syntax for Creating a Partial Redaction Policy
Creating Partial Redaction Policies Using Fixed Character Formats
Creating Partial Redaction Policies Using Character Data Types
Creating Partial Redaction Policies Using Number Data Types
Creating Partial Redaction Policies Using Date-Time Data Types
Creating a Regular Expression-Based Redaction Policy
About Creating Regular Expression-Based Redaction Policies
Syntax for Creating a Regular Expression-Based Redaction Policy
Regular Expression-Based Redaction Policies Using Formats
Custom Regular Expression Redaction Policies
Creating a Random Redaction Policy
Syntax for Creating a Random Redaction Policy
Example: Random Redaction Policy
Creating a Policy That Uses No Redaction
Syntax for Creating a Policy with No Redaction
Example: Performing No Redaction
Exemption of Users from Oracle Data Redaction Policies
Altering an Oracle Data Redaction Policy
About Altering Oracle Data Redaction Policies
Syntax for the DBMS_REDACT.ALTER_POLICY Procedure
Parameters Required for DBMS_REDACT.ALTER_POLICY Actions
Tutorial: Altering an Oracle Data Redaction Policy
Redacting Multiple Columns
Adding Columns to a Data Redaction Policy for a Single Table or View
Example: Redacting Multiple Columns
Disabling and Enabling an Oracle Data Redaction Policy
Disabling an Oracle Data Redaction Policy
Enabling an Oracle Data Redaction Policy
Dropping an Oracle Data Redaction Policy
Tutorial: How Oracle Data Redaction Affects Tables and Views
Tutorial: SQL Expressions to Build Reports with Redacted Values
Oracle Data Redaction Policy Data Dictionary Views
11 Using Oracle Data Redaction in Oracle Enterprise Manager
About Using Oracle Data Redaction in Oracle Enterprise Manager
Oracle Data Redaction Workflow
Management of Sensitive Column Types in Enterprise Manager
Managing Oracle Data Redaction Formats Using Enterprise Manager
About Managing Oracle Data Redaction Formats Using Enterprise Manager
Creating a Custom Oracle Data Redaction Format
Editing a Custom Oracle Data Redaction Format
Viewing Oracle Data Redaction Formats
Deleting a Custom Oracle Data Redaction Format
Managing Oracle Data Redaction Policies Using Enterprise Manager
About Managing Oracle Data Redaction Policies Using Enterprise Manager
Creating an Oracle Data Redaction Policy Using Enterprise Manager
Editing an Oracle Data Redaction Policy Using Enterprise Manager
Viewing the Details of an Oracle Data Redaction Policy Using Enterprise Manager
Enabling or Disabling an Oracle Data Redaction Policy Using Enterprise Manager
Deleting an Oracle Data Redaction Policy Using Enterprise Manager
12 Oracle Data Redaction Use with Oracle Database Features
Oracle Data Redaction and DML and DDL Operations
Oracle Data Redaction and Nested Functions, Inline Views, and the WHERE Clause
Oracle Data Redaction and Aggregate Functions
Oracle Data Redaction and Object Types
Oracle Data Redaction and XML Generation
Oracle Data Redaction and Editions
Oracle Data Redaction in a Multitenant Environment
Oracle Data Redaction and Oracle Virtual Private Database
Oracle Data Redaction and Oracle Database Real Application Security
Oracle Data Redaction and Oracle Database Vault
Oracle Data Redaction and Oracle Data Pump
Oracle Data Pump Security Model for Oracle Data Redaction
Export of Objects That Have Oracle Data Redaction Policies Defined
Export of Data Using the EXPDP Utility access_method Parameter
Import of Data into Objects Protected by Oracle Data Redaction
Oracle Data Redaction and Data Masking and Subsetting Pack
13 Security Considerations for Using Oracle Data Redaction
Oracle Data Redaction General Usage Guidelines
Restriction of Administrative Access to Oracle Data Redaction Policies
How Oracle Data Redaction Affects the SYS, SYSTEM, and Default Schemas
Policy Expressions That Use SYS_CONTEXT Attributes
Oracle Data Redaction Policies on Materialized Views
Dropped Oracle Data Redaction Policies When the Recycle Bin Is Enabled
Glossary
Index