Simple Transparent Data Encryption (TDE) Questions

  • From: Chris Taylor <christopherdtaylor1994@xxxxxxxxx>
  • To: "oracle-l@xxxxxxxxxxxxx" <oracle-l@xxxxxxxxxxxxx>
  • Date: Tue, 16 Dec 2014 13:25:09 -0600

I'm hoping you guys can help me out here as I'm dipping my toes in the Data
Encryption pool.  What I'm looking for is a high level answer to the
questions below *while* I read through the Advanced Security documentation.

I understand that TDE has 2 potential components - Tablespace Encryption
and Table/Column Encryption.

I understand (I think) that Tablespace Encryption is invisible to
applications & users - the data is encrypted as it is written to database
files and unencrypted when the database engine reads that data back into
the database as part of a query.

Now my questions are related to TABLE/COLUMN encryption and I'm looking
for a 10,000 foot view answer right now (not a highly detailed answer):

Questions:
1.) With TDE on Tables/Columns, and using a wallet that is set up, how does
a SPECIFIC user/application interface with the data that is encrypted and
authenticate to see the unencrypted data?
Example:
Unauthorized UserA looks up a Credit Card Number in TableA and sees data
that is encrypted and cannot read the number.

Authorized UserB/Application looks up a CC# in TableA and sees the
unencrypted data and can continue processing it in a meaningful way.

What I'm trying to figure out is if AUTHORIZED users/applications have to
unlock the data (or re-authorize) each time they login to the database, or
what?  How do they "unlock" the data - an automated wallet setup, or do
they have to execute a pl/sql block to authenticate?

2.) Can you use both Tablespace Encryption and Table/Column encryption?
I'm curious how they work together if both are in use - is the data double
encrypted when it gets written to disk?

Thanks for any help!!!

Chris Taylor
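Added example (editor's illustration, not part of Chris's post or any reply): an Oracle SQL sketch of the scenario in questions 1 and 2. The keystore password, schema APP, users USERA/USERB and datafile path are constructed placeholders; the keystore command assumes 12c syntax, with the 11g form noted in a comment.

```sql
-- Added example, not from the post. Names, passwords and paths are placeholders.

-- 1. The keystore (wallet) is opened once for the instance by the keystore
--    administrator, not per user session. While it is closed, nobody can
--    read encrypted columns or encrypted tablespaces.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "keystore-pw";
-- 11g equivalent:
-- ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "keystore-pw";
SELECT wrl_type, status FROM v$encryption_wallet;   -- expect STATUS = OPEN

-- 2. Column encryption: only CC_NUMBER is stored encrypted in the datafile.
CREATE TABLE app.cards (
  id         NUMBER PRIMARY KEY,
  cc_number  VARCHAR2(19) ENCRYPT USING 'AES256'
);
-- Check which columns are encrypted and with what algorithm.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;

-- 3. Who sees plaintext is decided by ordinary object privileges, not by
--    TDE. TDE never returns ciphertext to a SQL session: with the keystore
--    open, any session permitted to SELECT the column gets cleartext, and
--    no per-user "unlock" step or PL/SQL call is involved.
GRANT SELECT ON app.cards TO userb;   -- the authorized user/application
-- USERA (no grant): SELECT cc_number FROM app.cards; fails with
--   ORA-00942 "table or view does not exist"; it does not show ciphertext.
-- USERB (granted):  SELECT cc_number FROM app.cards; returns the number.
-- So TDE protects the datafiles at rest (stolen disk, backup, OS-level
-- read); restricting which database users see the number is done with
-- grants, views or a redaction feature, not with the wallet.

-- 4. Tablespace encryption can be combined with column encryption. A table
--    with an ENCRYPT column placed in an encrypted tablespace has that
--    column encrypted at column level and the block holding it encrypted
--    again on write; the rest of the tablespace is encrypted once.
CREATE TABLESPACE enc_ts
  DATAFILE '/u01/oradata/ORCL/enc_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);
SELECT ts.name, ets.encryptionalg, ets.encryptedts
  FROM v$encrypted_tablespaces ets
  JOIN v$tablespace ts ON ts.ts# = ets.ts#;
```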
