Table of Contents
- Title and Copyright Information
- Preface
- Changes in This Release for Oracle Database Advanced Security Guide
- Changes in Oracle Database Advanced Security 12c Release 2 (12.2.0.1)
- New Features
- Ability to Encrypt Existing Tablespaces and Fully Encrypt Databases
- Additional Supported Encryption Algorithms
- Ability to Force Software Keystore Operations
- Ability to Use an External Store for Software Keystore Passwords
- New Way to Specify Oracle Key Vault as a Keystore
- Ability to Redact Data Based on Different Runtime Conditions
- Ability to Centrally Manage Data Redaction Policy Expressions within a Database
- Ability to Use NULL as the Redacted Value
- Enhanced Support for Redacting Unstructured Data
- New Features
- Changes in Oracle Database Advanced Security 12c Release 2 (12.2.0.1)
- 1 Introduction to Oracle Advanced Security
- Part I Using Transparent Data Encryption
- 2
Introduction to Transparent Data Encryption
- 2.1 What Is Transparent Data Encryption?
- 2.2 Benefits of Using Transparent Data Encryption
- 2.3 Who Can Configure Transparent Data Encryption?
- 2.4
Types and Components of Transparent Data Encryption
- 2.4.1 About Transparent Data Encryption Types and Components
- 2.4.2 How Transparent Data Encryption Column Encryption Works
- 2.4.3 How Transparent Data Encryption Tablespace Encryption Works
- 2.4.4 How the Keystore for the Storage of TDE Master Encryption Keys Works
- 2.4.5 Supported Encryption and Integrity Algorithms
- 3
Configuring Transparent Data Encryption
- 3.1
Configuring a Software Keystore
- 3.1.1 About Configuring a Software Keystore
- 3.1.2
Step 1: Set the Keystore Location in the sqlnet.ora File
- 3.1.2.1 About the Keystore Location in the sqlnet.ora File
- 3.1.2.2 Configuring the sqlnet.ora File for a Software Keystore Location
- 3.1.2.3 Configuring an External Store for a Keystore Password
- 3.1.2.4 Example: Configuring a Software Keystore for a Regular File System
- 3.1.2.5 Example: Configuring a Software Keystore When Multiple Databases Share the sqlnet.ora File
- 3.1.2.6 Example: Configuring a Software Keystore for Oracle Automatic Storage Management
- 3.1.2.7 Example: Configuring a Software Keystore for an Oracle Automatic Storage Management Disk Group
- 3.1.3 Step 2: Create the Software Keystore
- 3.1.4 Step 3: Open the Software Keystore
- 3.1.5 Step 4: Set the Software TDE Master Encryption Key
- 3.1.6 Step 5: Encrypt Your Data
- 3.2
Configuring a Hardware Keystore
- 3.2.1 About Configuring a Hardware (External) Keystore
- 3.2.2 Step 1: Set the Hardware Keystore Type in the sqlnet.ora File
- 3.2.3 Step 2: Configure the Hardware Security Module
- 3.2.4 Step 3: Open the Hardware Keystore
- 3.2.5 Step 4: Set the Hardware Keystore TDE Master Encryption Key
- 3.2.6 Step 5: Encrypt Your Data
- 3.3
Encrypting Columns in Tables
- 3.3.1 About Encrypting Columns in Tables
- 3.3.2 Data Types That Can Be Encrypted with TDE Column Encryption
- 3.3.3 Restrictions on Using Transparent Data Encryption Column Encryption
- 3.3.4
Creating Tables with Encrypted Columns
- 3.3.4.1 About Creating Tables with Encrypted Columns
- 3.3.4.2 Creating a Table with an Encrypted Column Using the Default Algorithm
- 3.3.4.3 Creating a Table with an Encrypted Column Using No Algorithm or a Non-Default Algorithm
- 3.3.4.4 Using the NOMAC Parameter to Save Disk Space and Improve Performance
- 3.3.4.5 Example: Using the NOMAC Parameter in a CREATE TABLE Statement
- 3.3.4.6 Example: Changing the Integrity Algorithm for a Table
- 3.3.4.7 Creating an Encrypted Column in an External Table
- 3.3.5 Encrypting Columns in Existing Tables
- 3.3.6 Creating an Index on an Encrypted Column
- 3.3.7 Adding Salt to an Encrypted Column
- 3.3.8 Removing Salt from an Encrypted Column
- 3.3.9 Changing the Encryption Key or Algorithm for Tables with Encrypted Columns
- 3.4
Encryption Conversions for Tablespaces and Databases
- 3.4.1 About Encryption Conversions for Tablespaces and Databases
- 3.4.2 Restrictions on Using Transparent Data Encryption Tablespace Encryption
- 3.4.3 Creating an Encrypted New Tablespace
- 3.4.4 Encrypting Future Tablespaces
- 3.4.5 Encryption Conversions for Existing Offline Tablespaces
- 3.4.6
Encryption Conversions for Existing Online Tablespaces
- 3.4.6.1 Encrypting an Existing Tablespace with Online Conversion
- 3.4.6.2 About Encryption Conversions for Existing Online Tablespaces
- 3.4.6.3 Rekeying an Existing Tablespace with Online Conversion
- 3.4.6.4 Decrypting an Existing Tablespace with Online Conversion
- 3.4.6.5 Finishing an Interrupted Online Encryption Conversion
- 3.4.7 Encryption Conversions for Existing Databases
- 3.5 Transparent Data Encryption Data Dynamic and Data Dictionary Views
- 3.1
Configuring a Software Keystore
- 4
Managing the Keystore and the TDE Master Encryption Key
- 4.1
Managing the Keystore
- 4.1.1 Performing Operations That Require a Keystore Password
- 4.1.2 Changing the Password of a Software Keystore
- 4.1.3 Changing the Password of a Hardware Keystore
- 4.1.4 Backing Up Password-Based Software Keystores
- 4.1.5 Backups of the Hardware Keystore
- 4.1.6
Merging Software Keystores
- 4.1.6.1 About Merging Software Keystores
- 4.1.6.2 Merging Two Software Keystores into a Third New Keystore
- 4.1.6.3 Merging One Software Keystore into an Existing Software Keystore
- 4.1.6.4 Merging an Auto-Login Software Keystore into an Existing Password-Based Software Keystore
- 4.1.6.5 Reversing a Software Keystore Merge Operation
- 4.1.7 Moving a Software Keystore to a New Location
- 4.1.8 Moving a Software Keystore Out of Automatic Storage Management
- 4.1.9 Migrating Between a Software Password Keystore and a Hardware Keystore
- 4.1.10 Migration of Keystores to and from Oracle Key Vault
- 4.1.11 Closing a Keystore
- 4.1.12 Using a Software Keystore That Resides on ASM Volumes
- 4.1.13 Backup and Recovery of Encrypted Data
- 4.1.14 Deletion of Keystores
- 4.2
Managing the TDE Master Encryption Key
- 4.2.1 Creating TDE Master Encryption Keys for Later Use
- 4.2.2 Activation of TDE Master Encryption Keys
- 4.2.3 TDE Master Encryption Key Attribute Management
- 4.2.4 Creating Custom TDE Master Encryption Key Attributes for Reporting Purposes
- 4.2.5
Setting or Rotating the TDE Master Encryption Key in the Keystore
- 4.2.5.1 About Setting or Rotating the TDE Master Encryption Key in the Keystore
- 4.2.5.2 Creating and Backing Up a TDE Master Encryption Key and Applying a Tag to It
- 4.2.5.3 About Rotating the TDE Master Encryption Key
- 4.2.5.4 Rotating the TDE Master Encryption Key
- 4.2.5.5 Rotating the TDE Master Encryption Key for a Tablespace
- 4.2.6
Exporting and Importing the TDE Master Encryption Key
- 4.2.6.1 About Exporting and Importing the TDE Master Encryption Key
- 4.2.6.2 About Exporting TDE Master Encryption Keys
- 4.2.6.3 Exporting a TDE Master Encryption Key
- 4.2.6.4 Example: Exporting a TDE Master Encryption Key by Using a Subquery
- 4.2.6.5 Example: Exporting a List of TDE Master Encryption Key Identifiers to a File
- 4.2.6.6 Example: Exporting All TDE Master Encryption Keys of the Database
- 4.2.6.7 About Importing TDE Master Encryption Keys
- 4.2.6.8 Importing a TDE Master Encryption Key
- 4.2.6.9 Example: Importing a TDE Master Encryption Key
- 4.2.6.10 How Keystore Merge Differs from TDE Master Encryption Key Export or Import
- 4.2.7 Management of TDE Master Encryption Keys Using Oracle Key Vault
- 4.3
Storing Secrets Used by Oracle Database
- 4.3.1 About Storing Oracle Database Secrets in a Keystore
- 4.3.2 Storage of Oracle Database Secrets in a Software Keystore
- 4.3.3 Example: Adding an HSM Password to a Software Keystore
- 4.3.4 Example: Changing an HSM Password Stored as a Secret in a Software Keystore
- 4.3.5 Example: Deleting an HSM Password Stored as a Secret in a Software Keystore
- 4.3.6 Storage of Oracle Database Secrets in a Hardware Keystore
- 4.3.7 Example: Adding an Oracle Database Secret to a Hardware Keystore
- 4.3.8 Example: Changing an Oracle Database Secret in a Hardware Keystore
- 4.3.9 Example: Deleting an Oracle Database Secret in a Hardware Keystore
- 4.3.10 Configuring Auto-Login Hardware Security Modules
- 4.4 Storing Oracle GoldenGate Secrets in a Keystore
- 4.1
Managing the Keystore
- 5
General Considerations of Using Transparent Data Encryption
- 5.1 Compression and Data Deduplication of Encrypted Data
- 5.2 Security Considerations for Transparent Data Encryption
- 5.3 Performance and Storage Overhead of Transparent Data Encryption
- 5.4 Modifying Your Applications for Use with Transparent Data Encryption
- 5.5 How ALTER SYSTEM and orapki Map to ADMINISTER KEY MANAGEMENT
- 5.6 Using Transparent Data Encryption with PKI Encryption
- 5.7 Data Loads from External Files to Tables with Encrypted Columns
- 5.8 Transparent Data Encryption and Database Close Operations
- 6
Using Transparent Data Encryption with Other Oracle Features
- 6.1 How Transparent Data Encryption Works with Export and Import Operations
- 6.2 How Transparent Data Encryption Works with Oracle Data Guard
- 6.3 How Transparent Data Encryption Works with Oracle Real Application Clusters
- 6.4 How Transparent Data Encryption Works with SecureFiles
- 6.5
How Transparent Data Encryption Works in a Multitenant Environment
- 6.5.1 About Using Transparent Data Encryption in a Multitenant Environment
- 6.5.2 Operations That Must Be Performed in Root
- 6.5.3 Operations That Can Be Performed in Root or in a PDB
- 6.5.4 Moving PDBs from One CDB to Another
- 6.5.5 Exporting and Importing TDE Master Encryption Keys for a PDB
- 6.5.6 Unplugging and Plugging a PDB with Encrypted Data in a CDB
- 6.5.7 Managing Cloned PDBs with Encrypted Data
- 6.5.8 How Keystore Open and Close Operations Work in a Multitenant Environment
- 6.5.9 Finding the Keystore Status for All of the PDBs in a Multitenant Environment
- 6.6 How Transparent Data Encryption Works with Oracle Call Interface
- 6.7 How Transparent Data Encryption Works with Editions
- 6.8 Configuring Transparent Data Encryption to Work in a Multidatabase Environment
- 7 Frequently Asked Questions About Transparent Data Encryption
- 2
Introduction to Transparent Data Encryption
- Part II Using Oracle Data Redaction
- 8 Introduction to Oracle Data Redaction
- 9
Oracle Data Redaction Features and Capabilities
- 9.1 Full Data Redaction to Redact All Data
- 9.2 Partial Data Redaction to Redact Sections of Data
- 9.3 Regular Expressions to Redact Patterns of Data
- 9.4 Redaction Using Null Values
- 9.5 Random Data Redaction to Generate Random Values
- 9.6 Comparison of Full, Partial, and Random Redaction Based on Data Types
- 9.7 No Redaction for Testing Purposes
- 9.8 Central Management of Named Data Redaction Policy Expressions
- 10
Configuring Oracle Data Redaction Policies
- 10.1 About Oracle Data Redaction Policies
- 10.2 Who Can Create Oracle Data Redaction Policies?
- 10.3 Planning an Oracle Data Redaction Policy
- 10.4 General Syntax of the DBMS_REDACT.ADD_POLICY Procedure
- 10.5
Using Expressions to Define Conditions for Data Redaction Policies
- 10.5.1 About Using Expressions in Data Redaction Policies
- 10.5.2 Supported Functions for Data Redaction Expressions
- 10.5.3 Applying the Redaction Policy Based on User Environment
- 10.5.4 Applying the Redaction Policy Based on Database Roles
- 10.5.5 Applying the Redaction Policy Based on Oracle Label Security Label Dominance
- 10.5.6 Applying the Redaction Policy Based on Application Express Session States
- 10.5.7 Applying the Redaction Policy to All Users
- 10.6
Creating and Managing Multiple Named Policy Expressions
- 10.6.1 About Data Redaction Policy Expressions to Define Conditions
- 10.6.2 Creating and Applying a Named Data Redaction Policy Expression
- 10.6.3 Updating a Named Data Redaction Policy Expression
- 10.6.4 Dropping a Named Data Redaction Expression Policy
- 10.6.5
Tutorial: Creating and Sharing a Named Data Redaction Policy Expression
- 10.6.5.1 Step 1: Create Users for This Tutorial
- 10.6.5.2 Step 2: Create an Oracle Data Redaction Policy
- 10.6.5.3 Step 3: Test the Oracle Data Redaction Policy
- 10.6.5.4 Step 4: Create and Apply a Policy Expression to the Redacted Table Columns
- 10.6.5.5 Step 5: Test the Data Redaction Policy Expression
- 10.6.5.6 Step 6: Modify the Data Redaction Policy Expression
- 10.6.5.7 Step 7: Test the Modified Policy Expression
- 10.6.5.8 Step 8: Remove the Components of This Tutorial
- 10.7 Creating a Full Redaction Policy and Altering the Full Redaction Value
- 10.8 Creating a DBMS_REDACT.NULLIFY Redaction Policy
- 10.9
Creating a Partial Redaction Policy
- 10.9.1 About Creating Partial Redaction Policies
- 10.9.2 Syntax for Creating a Partial Redaction Policy
- 10.9.3 Creating Partial Redaction Policies Using Fixed Character Formats
- 10.9.4 Creating Partial Redaction Policies Using Character Data Types
- 10.9.5 Creating Partial Redaction Policies Using Number Data Types
- 10.9.6 Creating Partial Redaction Policies Using Date-Time Data Types
- 10.10 Creating a Regular Expression-Based Redaction Policy
- 10.11 Creating a Random Redaction Policy
- 10.12 Creating a Policy That Uses No Redaction
- 10.13 Exemption of Users from Oracle Data Redaction Policies
- 10.14 Altering an Oracle Data Redaction Policy
- 10.15 Redacting Multiple Columns
- 10.16 Disabling and Enabling an Oracle Data Redaction Policy
- 10.17 Dropping an Oracle Data Redaction Policy
- 10.18 Tutorial: SQL Expressions to Build Reports with Redacted Values
- 10.19 Oracle Data Redaction Policy Data Dictionary Views
- 11
Using Oracle Data Redaction in Oracle Enterprise Manager
- 11.1 About Using Oracle Data Redaction in Oracle Enterprise Manager
- 11.2 Oracle Data Redaction Workflow
- 11.3 Management of Sensitive Column Types in Enterprise Manager
- 11.4
Managing Oracle Data Redaction Formats Using Enterprise Manager
- 11.4.1 About Managing Oracle Data Redaction Formats Using Enterprise Manager
- 11.4.2 Creating a Custom Oracle Data Redaction Format Using Enterprise Manager
- 11.4.3 Editing a Custom Oracle Data Redaction Format Using Enterprise Manager
- 11.4.4 Viewing Oracle Data Redaction Formats Using Enterprise Manager
- 11.4.5 Deleting a Custom Oracle Data Redaction Format Using Enterprise Manager
- 11.5
Managing Oracle Data Redaction Policies Using Enterprise Manager
- 11.5.1 About Managing Oracle Data Redaction Policies Using Enterprise Manager
- 11.5.2 Creating an Oracle Data Redaction Policy Using Enterprise Manager
- 11.5.3 Editing an Oracle Data Redaction Policy Using Enterprise Manager
- 11.5.4 Viewing Oracle Data Redaction Policy Details Using Enterprise Manager
- 11.5.5 Enabling or Disabling an Oracle Data Redaction Policy in Enterprise Manager
- 11.5.6 Deleting an Oracle Data Redaction Policy Using Enterprise Manager
- 11.6
Managing Named Data Redaction Policy Expressions Using Enterprise Manager
- 11.6.1 About Named Data Redaction Policy Expressions in Enterprise Manager
- 11.6.2 Creating a Named Data Redaction Policy Expression in Enterprise Manager
- 11.6.3 Editing a Named Data Redaction Policy Expression in Enterprise Manager
- 11.6.4 Viewing Named Data Redaction Policy Expressions in Enterprise Manager
- 11.6.5 Deleting a Named Data Redaction Policy Expression in Enterprise Manager
- 12
Oracle Data Redaction Use with Oracle Database Features
- 12.1 Oracle Data Redaction and DML and DDL Operations
- 12.2 Oracle Data Redaction and Nested Functions, Inline Views, and the WHERE Clause
- 12.3 Oracle Data Redaction and Database Links
- 12.4 Oracle Data Redaction and Aggregate Functions
- 12.5 Oracle Data Redaction and Object Types
- 12.6 Oracle Data Redaction and XML Generation
- 12.7 Oracle Data Redaction and Editions
- 12.8 Oracle Data Redaction in a Multitenant Environment
- 12.9 Oracle Data Redaction and Oracle Virtual Private Database
- 12.10 Oracle Data Redaction and Oracle Database Real Application Security
- 12.11 Oracle Data Redaction and Oracle Database Vault
- 12.12 Oracle Data Redaction and Oracle Data Pump
- 12.13 Oracle Data Redaction and Data Masking and Subsetting Pack
- 12.14 Oracle Data Redaction and JSON
- 13
Security Considerations for Oracle Data Redaction
- 13.1 Oracle Data Redaction General Usage Guidelines
- 13.2 Restriction of Administrative Access to Oracle Data Redaction Policies
- 13.3 How Oracle Data Redaction Affects the SYS, SYSTEM, and Default Schemas
- 13.4 Policy Expressions That Use SYS_CONTEXT Attributes
- 13.5 Oracle Data Redaction Policies on Materialized Views
- 13.6 Dropped Oracle Data Redaction Policies When the Recycle Bin Is Enabled
- Glossary
- Index