Re: Transparent Data Encryption

  • From: Charles Schultz <sacrophyte@xxxxxxxxx>
  • Date: Thu, 12 Mar 2015 10:05:08 -0500

I was just thinking about long-term LTC myself. The documentation for
backup/recovery of the keys makes my head hurt:

http://docs.oracle.com/cd/E11882_01/network.112/e40393/asotrans.htm#ASOAG9548

I am very confused why RMAN does not back up the wallet if the wallet is
critical to the operation of the database. But in any event, in my dream I
would store all my wallets in the default location
($ORACLE_BASE/admin/$ORACLE_SID/wallet/) and just back up the wallet at the
default location whenever I do a database backup; if there is no wallet, no
backup of wallet, no problem.

Database cloning is an issue as well, as we typically do several a week. I
have to read up, but my gut says we can use a copy of the wallet/master
key. I might be totally wrong, but I will find out later today when I test
it. :)


By the way, Jeremy, I think some of your observations might be wrong or
slightly incorrect. :)  For instance, querying V$ENCRYPTION_WALLET does not
seem to trigger an open of the wallet for me (11.2.0.4); it merely reports
the status of the wallet, which is good. V$WALLET seems totally useless to
me.

On Thu, Mar 12, 2015 at 9:50 AM, David Mann <dmann99@xxxxxxxxx> wrote:

> Thanks Jeremy for your insights and Charles for your questions.
>
> I'm moving forward with working TDE support into an 11gR2 project as well.
>
> Implementation and care and feeding of the wallets when creating, cloning,
> etc. has been going OK. I haven't found enough people who use it in order
> to discuss long-term handling of the wallets with.
>
> As we only have a handful of databases (<5% of enterprise) which will be
> using TDE we can't justify the expense of Key Vault or other 3rd party
> products. I want to protect the wallets at a local and remote site but my
> challenge is getting the DB ops teams to make sure when they get a ticket
> that they know they are operating on a TDE encrypted database and they
> should back up the wallet at key times (after creation, before/after
> password changes, etc.).
>
> I had a dream about a shell script which would return TDE status of a
> database and offer to make a backup of the wallet to a secure area. Without
> Key Vault are folks just doing these steps manually or is there a good
> basic level of automation I should be striving for?
>
> -Dave
>
> --
> Dave Mann
> General Geekery | www.brainio.us
> Database Geekery | www.ba6.us | @ba6dotus | http://www.ba6.us/rss.xml
>



-- 
Charles Schultz
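An added example (not code from this thread or from Oracle) of the check-and-back-up script Dave describes, built on Charles's point that V$ENCRYPTION_WALLET reports wallet status without opening the wallet. The one-row query format, the wallet file names, the status values and all paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Reads one V$ENCRYPTION_WALLET row in the
# assumed form "WRL_TYPE|WRL_PARAMETER|STATUS" and, if a file-based wallet is
# configured, copies the wallet directory (default
# $ORACLE_BASE/admin/$ORACLE_SID/wallet/) to an owner-only, timestamped backup.
# In production the row would come from (assumed invocation):
#   sqlplus -s / as sysdba <<'EOF'
#   set heading off feedback off pagesize 0
#   select wrl_type||'|'||wrl_parameter||'|'||status from v$encryption_wallet;
#   EOF

# Print "backup" when a file wallet exists (status OPEN or CLOSED), "skip" when
# no wallet is configured (NOT_AVAILABLE) or the master key lives in an HSM.
tde_wallet_action() {
    row="$1"
    wrl_type=$(printf '%s' "$row" | cut -d'|' -f1)
    status=$(printf '%s' "$row" | cut -d'|' -f3)
    case "$wrl_type" in
        file|FILE) ;;
        *) echo skip; return 0 ;;
    esac
    case "$status" in
        OPEN|CLOSED) echo backup ;;
        *) echo skip ;;
    esac
}

# Copy the wallet directory to $backup_root/wallet_<timestamp>, mode 0700.
# "No wallet, no backup, no problem": a "skip" action returns 0 and copies nothing.
backup_wallet() {
    wallet_dir="$1"; backup_root="$2"; action="$3"
    if [ "$action" != backup ]; then
        echo "no file wallet configured; nothing to back up"
        return 0
    fi
    # ewallet.p12 (password wallet) and cwallet.sso (auto-login) are the
    # assumed wallet file names; refuse to "back up" an empty directory.
    if [ ! -f "$wallet_dir/ewallet.p12" ] && [ ! -f "$wallet_dir/cwallet.sso" ]; then
        echo "no wallet files found in $wallet_dir" >&2
        return 1
    fi
    dest="$backup_root/wallet_$(date +%Y%m%d_%H%M%S)"
    # Subshell so the restrictive umask does not leak into the caller.
    ( umask 077 && mkdir -p "$dest" && cp -pR "$wallet_dir"/. "$dest"/ ) || return 1
    chmod 700 "$dest"
    echo "wallet backed up to $dest"
}
```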
