Re: Transparent Data Encryption

  • From: Jeremy Schneider <jeremy.schneider@xxxxxxxxxxxxxx>
  • To: Charles Schultz <sacrophyte@xxxxxxxxx>
  • Date: Wed, 11 Mar 2015 18:19:10 -0500

IMHO the docs are a little thin on this, but admittedly I haven't
looked around a ton and I might be missing some good web tutorials.

I've been completely immersed in 11gR2 TDE for the past months - so
let me take a stab at a few of those issues you hit.

First off, it seems that a lot changes in 12c.  Just be warned...
you'll probably have to re-learn everything on multitenant.

1) EM - I have no idea, I haven't bothered with EM yet at all. <g>

2) location: select WRL_PARAMETER from [G]V$ENCRYPTION_WALLET is definitive.

3) opening and closing wallets: very important to understand there are
(at least) 3 kinds of wallets: the 'standard' p12 wallet on disk, the
sso/auto-open wallet, and HSM (hardware) wallets.  Multiple wallets
can be open simultaneously and Oracle has a very unhelpful interface
around the whole thing.

3a) standard p12: ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED
BY "PASSWORD" to open and ALTER SYSTEM SET ENCRYPTION WALLET CLOSE
IDENTIFIED BY "PASSWORD" to close

3b) sso/auto-open: query [G]V$ENCRYPTION_WALLET to open [accessing
tables might do it too] and ALTER SYSTEM SET ENCRYPTION WALLET CLOSE
to close.

There's no way to check if wallets are open without triggering the sso
wallet to auto-open itself.  The only way to "verify" that it's closed
is actually to rename/move cwallet.sso, then "set encryption wallet
close", and then query v$encryption_wallet.

4) orapki and mkstore utilities: I've only used three commands so far:
"orapki wallet create" to set up the -auto_login_local wallet, and
"mkstore -viewEntry" and "orapki wallet display" to view the contents.
Agree, doc & help isn't great.

I'm just brain dumping here, hoping something helps you out.  Good
luck with TDE and post any other questions to oracle-l; if I'm around
then I'll try to answer stuff I can - since I've recently been digging
into this feature!

-Jeremy

--
http://about.me/jeremy_schneider


On Wed, Mar 11, 2015 at 1:48 PM, Charles Schultz <sacrophyte@xxxxxxxxx> wrote:
> I feel like an idiot asking this of such a list of smart people, but I must.
>
> Where does one get started with Transparent Data Encryption?
>
> I am trying to teach myself, but I have run up against some quirky things
> that hinder my progress.
>
> For example, Enterprise Manager seems very inconsistent; using 12c EMCC, I
> never know when/if the "Transparent Data Encryption" menu option will appear
> under "Security". When it does, it is not clear if the options I select have
> any significance. For example, when I "close" the wallet, I get a message
> saying the wallet was successfully closed, but nothing changes in the
> database (I can still select uncached data from an encrypted tablespace) and
> the wallet still shows as open in EM.
>
> Another example. I have tried to follow the documentation for an 11gR2
> database. Setting the encryption key via sqlplus seems to work fine, but
> then I can not locate the wallet which should be in the "default location".
> When I set a specific location in sqlnet.ora, I still do not see the wallet.
> I often get messages about an auto-login wallet when trying to open or
> close. And the documentation for the orapki interface leaves me confused. :)
>
> Obviously I am bumbling around. Is there a simpler way to get my feet wet?
>
> Or am I just not getting it? :)
>
> --
> Charles Schultz
--
//www.freelists.org/webpage/oracle-l
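The wallet-state checks Jeremy describes in points 2, 3a and 3b, written out as an 11gR2 SQL*Plus runbook. This is an added example, not code from either poster; the wallet directory, wallet password and table name are placeholders, and the sqlnet.ora fragment in the comments is assumed to match that directory.

```sql
-- Added example (not from the original thread).  Assumes sqlnet.ora on the
-- database server contains an entry like:
--   ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)
--     (METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/ORCL/wallet)))
-- /u01/app/oracle/admin/ORCL/wallet, "wallet_password" and hr.employees_enc
-- are placeholders; substitute your own values.

-- 2) Where is the wallet actually being read from?  WRL_PARAMETER is the
--    definitive answer.  Caveat: if a cwallet.sso (auto-login wallet) exists
--    in that directory, this query itself opens the wallet.
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;
-- On RAC, per instance:
-- SELECT inst_id, wrl_type, wrl_parameter, status FROM gv$encryption_wallet;

-- 3a) Password-protected (ewallet.p12) wallet: explicit open and close.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet_password";
SELECT status FROM v$encryption_wallet;           -- expect OPEN
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "wallet_password";
SELECT status FROM v$encryption_wallet;           -- expect CLOSED

-- 3b) Auto-login (cwallet.sso) wallet: CLOSE takes no password, but the next
--     query of v$encryption_wallet (or any access to encrypted data) re-opens
--     it, so the status column alone cannot prove it is closed.
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;

-- To prove the wallet is really closed, move cwallet.sso out of the way first
-- so the status query cannot trigger an auto-open.  HOST runs on the SQL*Plus
-- client, so run this from a session on the database server itself.
HOST mv /u01/app/oracle/admin/ORCL/wallet/cwallet.sso /u01/app/oracle/admin/ORCL/wallet/cwallet.sso.disabled
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;   -- stays CLOSED

-- With the wallet closed, a read that has to fetch blocks from disk for an
-- encrypted tablespace fails with ORA-28365 (wallet is not open).  Rows already
-- decrypted into the buffer cache can still be returned, so flush the cache
-- before using a SELECT as evidence.
ALTER SYSTEM FLUSH BUFFER_CACHE;
SELECT COUNT(*) FROM hr.employees_enc;            -- expect ORA-28365

-- Restore the auto-login wallet when finished.
HOST mv /u01/app/oracle/admin/ORCL/wallet/cwallet.sso.disabled /u01/app/oracle/admin/ORCL/wallet/cwallet.sso
```

The ORA-28365 check is the one that answers Charles's original question: if uncached rows from an encrypted tablespace still come back after a "close", the wallet was never closed, regardless of what EM reports.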

