Re: Wallet file on host only during startup

  • From: "GovindanK" <gkatteri@xxxxxxxxxxx>
  • To: "Alberto Dell'Era" <alberto.dellera@xxxxxxxxx>
  • Date: Fri, 15 Dec 2006 14:28:08 -0800

Good reference. But even Tom Kyte's followup does not shed any light
on how to keep the wallet on a different server.

Parallelly, I found the following might be of help, on using LDAP.
http://download-west.oracle.com/docs/cd/B19306_01/network.102/b14268/asowalet.htm#BABFJICD

Govindan

On Fri, 15 Dec 2006 22:31:14 +0100, "Alberto Dell'Era"
<alberto.dellera@xxxxxxxxx> said:
> > Hi, has anyone tried keeping the wallet file out of the box once the
> > database is started?
> 
> I'm not an expert about TDE, but one week ago I investigated it and
> found this posting by Arup Nanda very informative:
> 
> http://asktom.oracle.com/pls/ask/f?p=4950:8:::::F4950_P8_DISPLAYID:44742967463133#45591838845270
> 
> basically, what I got is that keeping the wallet on the same box
> is perfectly safe, since a wallet without its password is perfectly
> useless to the attacker.
> 
> Also, I would expect (stress on "expect", I'm making an educated guess)
> that the encryption algorithm used for the wallet is much stronger than
> the one used for the columns. Because the columns have to be en/decrypted
> online, so reasonably fast, while the wallet has to be decrypted only
> when the instance starts; a few seconds used to decrypt the wallet
> is perfectly acceptable, but definitely not acceptable for the columns.
> 
> If my guess is correct, an attacker would be better off ignoring the
> stolen wallet altogether, and use his cryptanalysis skills directly
> on the datafiles - less resistance there.
> 
> -- 
> Alberto Dell'Era
> "Per aspera ad astra"