Oracle® Database Advanced Security Guide
12c Release 1 (12.1)

E17729-19

Index

A  C  D  E  G  H  I  K  M  N  O  P  R  S  T  U  V 

A

ad hoc tools
Oracle Data Redaction, 8.9.2
administrative access to policies, restricting, 9.18
aggregate functions
effect on Data Redaction policy optimization, 8.11.3
ALTER SYSTEM statement
how compares with ADMINISTER KEY MANAGEMENT statement, 5.5
APEX_UTIL.GET_NUMERIC_SESSION_STATE function
Oracle Data Redaction policies (NV public function), 9.4.4
APEX_UTIL.GET_SESSION_STATE function
Oracle Data Redaction policies (V public function), 9.4.4
applications
database applications and Oracle Data Redaction, 8.9.1
modifying to use Transparent Data Encryption, 5.4
auto login keystores
and Transparent Data Encryption (TDE), 4.2.5.4

C

CDBs
Data Redaction masking policies, 8.11.2
PDBs with encrypted data, 6.5.5
TDE operations in root, 6.5.2
TDE operations in root and PDBs, 6.5.3
change data capture, synchronous, 3.3.3
closing hardware keystores, 4.1.8.1
closing software keystores, 4.1.8.1
column encryption
about, 2.4.2
changing algorithm, 3.3.8
changing encryption key, 3.3.8
creating encrypted table column with default algorithm, 3.3.4.2
creating encrypted table column with non-default algorithm, 3.3.4.3
creating index on encrypted column, 3.3.6
data types to encrypt, 3.3.2
existing tables
about, 3.3.5.1
adding encrypted column to, 3.3.5.2
disabling encryption, 3.3.5.4
encrypting unencrypted column, 3.3.5.3
external tables, 3.3.4.5
improving performance, 3.3.4.4
incompatibilities, 7.1
limitations, 7.1, 7.1
performance, optimum, 7.2
restrictions, 3.3.3
salt, 3.3.7
security considerations, 5.2.2
skipping integrity check, 3.3.4.4
compliance
Transparent Data Encryption, 2.2
compression of Transparent Data Encryption data, 5.1

D

data at rest, 2.1
data deduplication of Transparent Data Encryption data, 5.1
data redaction
See Oracle Data Redaction
data storage
Transparent Data Encryption, 5.3.2
database roles
Data Redaction policies, 9.4.3
DDL statements
Oracle Data Redaction policies, 8.5
DML statements
Oracle Data Redaction policies, 8.5

E

Editions
Transparent Data Encryption, 6.7
encryption
See also Transparent Data Encryption (TDE)
ENCRYPTION_WALLET_LOCATION parameter in sqlnet.ora, 3.1.2.1
EXEMPT REDACTION POLICY privilege
using with Database Vault, 9.18

G

guidelines
ad hoc query attacks and Data Redaction, 11.1
application context value handling by Data Redaction policies, 11.1
day-to-day operations and Data Redaction, 11.1
DDL statements and Data Redaction policies, 11.1
exhaustive SQL queries and inference and Data Redaction, 11.1
materialized views and Data Redaction, 11.3
recycle bin and Data Redaction, 11.4
SYS_CONTEXT values and Data Redaction, 11.2

H

hardware keystores
backing up, 4.1.4
closing, 4.1.8.1
hardware security modules
backing up keystores, 4.1.4

I

import/export utilities, original, 3.3.3
index range scans, 2.4.3
indexes
creating on encrypted column, 3.3.6
inline views
Data Redaction policies order of redaction, 8.7
Data Redaction redaction, 8.7
intruders
ad hoc query attacks, 11.1

K

keystores
about, 2.4.4.1
architecture, 2.4.2
ASM-based, 4.1.9
auto login, 4.2.5.4
backing up password-based software keystores
about, 4.1.3.1
backup identifier rules, 4.1.3.2
procedure, 4.1.3.4
changing hardware keystore password, 4.1.2
changing passwords for password-based software keystores, 4.1.1.1
closing, 4.1.8.3
closing hardware keystores, 4.1.8.1
closing software keystores, 4.1.8.1
deleting, 4.1.11
hardware keystore
configuration process, 3.2
master encryption key merge differing from import or export, 4.2.6.8
merging
about, 4.1.5
auto-login into password-based, 4.1.5
one into another existing keystore, 4.1.5
reversing merge operation, 4.1.5
two into a third new keystore, 4.1.5
migrating
creating master encryption key for hardware keystore-based encryption, 4.1.7.1
hardware keystore to software keystore, 4.1.7.2
keystore order after migration, 4.1.7.3
password key into hardware keystore, 4.1.7.1
moving software keystore to a new location, 4.1.6
opening hardware keystores, 3.2.4
opening software keystores, 3.1.4.1
Oracle Database secrets
about, 4.3.1
storing in hardware keystore, 4.3.4
storing in software keystore, 4.3.2
using auto-login hardware keystore, 4.3.6.1
keystores, software
configuration process, 3.1

M

masking
See Oracle Data Redaction
master encryption key
See TDE master encryption key
materialized views
Data Redaction guideline, 11.3
Transparent Data Encryption tablespace encryption, 6.2
multitenant container databases. See CDBs

N

nested functions
Data Redaction policies order of redaction, 8.7
NOMAC parameter (TDE), 3.3.4.4
NV public function (APEX_UTIL.GET_NUMERIC_SESSION_STATE function), Data Redaction policies, 9.4.4

O

opening hardware keystores, 3.2.4
opening software keystores, 3.1.4.1
ORA-00979
not a GROUP BY expression error, 11.1
ORA-28081
Insufficient privileges - the command references a redacted object error, 8.5
Oracle Application Express
filtering by session state in Data Redaction policies, 9.4.4
Oracle Call Interface
Transparent Data Encryption, 6.6, 6.6
Oracle Data Guard
Transparent Data Encryption, 6.2, 6.2
Oracle Data Pump
encrypted columns, 6.1.2
encrypted data, 6.1.1
encrypted data with dump sets, 6.1.3
exported data from Data Redaction policies, 10.5.3
exporting Oracle Data Redaction objects, 10.5.2
Oracle Data Redaction security policy, 10.5.1
Oracle Data Redaction
about, 8.1
ad hoc tools, 8.9.2
aggregate functions, 8.11.3
benefits, 8.4
CDBs, 8.11.2
database applications, 8.9.1
DBMS_REDACT.ADD_POLICY procedure
using, 9.2
DBMS_REDACT.ALTER_POLICY procedure
about, 9.11.1
example, 9.11.4
parameters required for various actions, 9.11.3
syntax, 9.11.2
DBMS_REDACT.DISABLE_POLICY
about, 9.14
example, 9.14
syntax, 9.14
DBMS_REDACT.DROP_POLICY
about, 9.16
examples, 9.16
syntax, 9.16
DBMS_REDACT.ENABLE_POLICY
about, 9.15
example, 9.15
syntax, 9.15
DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES procedure
about, 9.13.1
syntax, 9.13.2
using, 9.13.3
editions, 8.11.1
exporting data using Data Pump Export, 10.5.3
exporting objects using Data Pump, 10.5.2
full data redaction
about, 8.10.1
creating policy for, 9.5.1
examples, 9.5.3
modifying default value, 9.13.1
syntax, 9.5.2
how differs from Oracle Database Real Application Security masking, 10.3
how differs from Oracle Virtual Private Database masking, 10.1
inline views order of redaction, 8.7
nested functions order of redaction, 8.7
no data redaction
about, 8.10.6, 9.9.1
creating policies for, 9.9.1
example, 9.9.3
syntax, 9.9.2
Oracle Data Pump security policy, 10.5.1
Oracle Enterprise Manager Data Masking and Subsetting Pack, 10.2
partial data redaction
about, 8.10.2
character types, policies for, 9.6.4.1
date-time data types, 9.6.6.1
example using character data type, 9.6.4.2
example using date-time data type, 9.6.6.2
example using fixed character shortcut, 9.6.3.2
example using number data type, 9.6.5.2
number data types, 9.6.5.1
shortcuts, fixed character, 9.6.3.1
syntax, 9.6.2
privileges for creating policies, 8.2
random data redaction
about, 9.8.1
creating policies for, 9.8.1
example, 9.8.3
syntax, 9.8.2
randomized data redaction
about, 8.10.4
regular expression data redaction
creating policies for, 9.7.1
custom, creating policies for, 9.7.4
example, 9.7.3.2
example of custom, 9.7.4.2
settings for, 9.7.4.1
shortcuts, 9.7.3.1
shortcuts, creating policies for, 9.7.3
syntax, 9.7.2
regular expression redaction
about, 8.10.3
SYS schema objects, 8.6
SYSTEM schema objects, 8.6
use cases, 8.9
when to use, 8.3
WHERE clause redaction, 8.7
Oracle Data Redaction partial redaction
creating policies for, 9.6.1
Oracle Data Redaction policies
about, 9.1
altering, 9.11.1
building reports, 8.8
creating
examples, 9.5.3
general syntax, 9.3
procedure, 9.2
disabling, 9.14
dropping, 9.16
effect on view chain, 9.17
enabling, 9.15
exempting users from, 9.10
expressions
about, 9.4.1
by Application Express session state, 9.4.4
by database role, 9.4.3
by user environment, 9.4.2
filtering users
no filtering, 9.4.5
finding information about, 9.19
redacting multiple columns in one policy, 9.12
Oracle Database Real Application Security
Data Redaction, 10.3
Oracle Database Vault
using with Data Redaction, 9.18
Oracle Enterprise Manager Data Masking and Subsetting Pack
Oracle Data Redaction impact, 10.2
Oracle GoldenGate
storing secrets in Oracle keystores, 4.4.1
Oracle Real Application Clusters
non-shared file systems to store TDE keystores, 6.3.2
Transparent Data Encryption, 6.3.1
Oracle Recovery Manager
Transparent Data Encryption, 4.1.10
Oracle SecureFiles
Transparent Data Encryption, 6.4
Oracle Virtual Private Database (VPD)
Data Redaction, 10.1
orapki utility
how compares with ADMINISTER KEY MANAGEMENT statement, 5.5
original import/export utilities, 3.3.3

P

PDBs
Data Redaction policies, 8.11.2
finding TDE keystore status for all PDBs, 6.5.7
master encryption keys
exporting, 6.5.4.1
importing, 6.5.4.1
Transparent Data Encryption, 6.5.1
performance
Transparent Data Encryption, 5.3.1
PKI encryption
backup and recovery operations, 5.6.3
hardware keystores, 5.6.2
master encryption key, 5.6.1
tablespace encryption, 5.6.2
pluggable databases. See PDBs

R

recycle bin
Data Redaction policies and, 11.4
reports
based on Data Redaction policies, 8.8
rotating
master encryption key, 4.2.5.4

S

salt (TDE)
adding, 3.3.7
removing, 3.3.7
secrets
storing Oracle Database secrets in keystore
about, 4.3.1
storing in hardware keystore, 4.3.4
storing in software keystore, 4.3.2
SecureFiles
Transparent Data Encryption, 6.4
synchronous change data capture, 3.3.3
SYS user
Data Redaction policies, 8.6
SYS_CONTEXT function
Data Redaction policies, 11.2
SYS_SESSION_ROLES namespace used in Data Redaction, 9.4.3
SYS_SESSION_ROLES SYS_CONTEXT namespace
Data Redaction, 9.4.3
SYSTEM user
Data Redaction policies, 8.6

T

tablespace encryption
about, 2.4.3
architecture, 2.4.3
creating encrypted tablespaces, 3.4.5.2
examples, 3.4.5.3
incompatibilities, 7.1
opening keystore, 3.4.3.2
performance overhead, 5.3.1
performance, optimum, 7.2
procedure, 3.4.3.1
restrictions, 3.4.2
security considerations for plaintext fragments, 5.2.3
setting tablespace key, 3.4.4
storage overhead, 5.3.2
tablespace master encryption key
setting, 3.4.4
TDE
See Transparent Data Encryption (TDE)
TDE master encryption keys
about use in keystore, 4.2.5.1
activating
about, 4.2.2.1
example, 4.2.2.3
procedure, 4.2.2.2
architecture, 2.4.2
attributes, 4.2.3.2
creating for later use
about, 4.2.1.1
examples, 4.2.1.3
procedure, 4.2.1.2
custom attribute tags
about, 4.2.4.1
creating, 4.2.4.2
exporting, 4.2.6.2
exporting in PDBs, 6.5.4.1
finding currently used key, 4.2.3.3
importing, 4.2.6.5
importing in PDBs, 6.5.4.1
keystore merge differing from import or export, 4.2.6.8
resetting in keystore, 4.2.5.3
rotating, 4.2.5.4
setting in keystore, 4.2.5.1
Transparent Data Encryption (TDE)
about, 2.1
benefits, 2.2
CDBs
operations in root or PDBs, 6.5.3
column encryption
about, 2.4.2, 3.3.1
adding encrypted column to existing table, 3.3.5.2
changing algorithm, 3.3.8
changing encryption key, 3.3.8
creating encrypted column in external table, 3.3.4.5
creating index on encrypted column, 3.3.6
creating tables with default encryption algorithm, 3.3.4.2
creating tables with non-default encryption algorithm, 3.3.4.3
creating tables without integrity checks (NOMAC), 3.3.4.4
data types supported, 3.3.2
disabling encryption in existing column, 3.3.5.4
encrypting columns in existing tables, 3.3.5.1
encrypting existing column, 3.3.5.3
encryption and integrity algorithms, 2.4.5
restrictions, 3.3.3
salt in encrypted columns, 3.3.7
compatibility with application software, 7.1
compatibility with Oracle Database tools, 7.1
compression of encrypted data, 5.1
configuring hardware keystores
about, 3.2.1
configuration step, 3.2.3
opening, 3.2.4
PKCS#11 library, 3.2.3
reconfiguring software keystore, 3.2.5.3
setting master encryption key, 3.2.5.1
sqlnet.ora configuration, 3.2.2
configuring software keystores
about, 3.1.1
creating auto-login keystore, 3.1.3.3
creating local auto-login keystore, 3.1.3.3
creating password-based keystore, 3.1.3.2
opening keystores, 3.1.4.1
setting software master encryption key, 3.1.5
sqlnet.ora file configuration, 3.1.2
data deduplication of encrypted data, 5.1
editions, 6.7
encryption and integrity algorithms, 2.4.5
finding information about, 3.5
frequently asked questions, 7
incompatibilities, 7.1
keystore management
ASM-based keystore, 4.1.9
backing up password-based software keystores, 4.1.3.1
changing hardware keystore password, 4.1.2
changing password-based software keystore password, 4.1.1.1
closing hardware keystores, 4.1.8.1
closing software keystore, 4.1.8.1
master encryption key attributes, 4.2.3.2
merging keystores, about, 4.1.5
merging keystores, auto-login into password-based, 4.1.5
merging keystores, one into an existing, 4.1.5
merging keystores, reversing merge operation, 4.1.5
merging keystores, two into a third new keystore, 4.1.5
migrating password key and hardware keystore, master encryption key creation, 4.1.7.1
migrating password key and hardware keystore, reverse migration, 4.1.7.2
migrating password key and hardware keystore, sqlnet.ora configuration, 4.1.7.1
keystores
about, 2.4.4.1
benefits, 2.4.4.2
types, 2.4.4.3
master encryption key
rotating, 4.2.5.4
master encryption key attributes
about, 4.2.4.1
creating custom tags, 4.2.4.2
master encryption keys
exporting and importing, 4.2.6.1
resetting in keystore, 4.2.5.3
setting in keystore procedure, 4.2.5.1
setting in keystore, about, 4.2.5.1
modifying applications for use with, 5.4
multidatabase environments, 6.8
Oracle Call Interface, 6.6
Oracle Data Guard, 6.2
Oracle Data Pump
export and import operations on dump sets, 6.1.3
export and import operations on encrypted columns, 6.1.2
Oracle Data Pump export and import operations
about, 6.1.1
Oracle Real Application Clusters
about, 6.3.1
non-shared file systems to store keystores, 6.3.2
Oracle Recovery Manager, 4.1.10
keystores, 4.1.10
PDBs
about, 6.5.1
finding keystore status for all PDBs, 6.5.7
operations in root, 6.5.2
performance
database workloads, 7.2
decrypting entire data set, 7.2
optimum, 7.2
worst case scenario, 7.2
performance overheads
about, 5.3.1
typical, 7.2
PKI encryption, 5.6
privileges required, 2.3
SecureFiles, 6.4
security considerations
column encryption, 5.2.2
general advice, 5.2.1
plaintext fragments, 5.2.3
storage overhead, 5.3.2
storing Oracle GoldenGate secrets, 4.4.1
tablespace encryption
about, 2.4.3, 3.4.1
creating, 3.4.5.1
encryption and integrity algorithms, 2.4.5
examples, 3.4.5.3
opening keystore, 3.4.3.2
restrictions, 3.4.2
setting COMPATIBLE parameter, 3.4.3.1
setting master encryption key, 3.4.4
views, 3.5
Transparent Data Encryption (TDE) keystores
deleting, 4.1.11
moving software keystore to a new location, 4.1.6
transportable tablespaces, 3.3.3

U

utilities, import/export, 3.3.3

V

V public function (APEX_UTIL.GET_SESSION_STATE function), Data Redaction policies, 9.4.4
V$ENCRYPTION_WALLET view
keystore order after migration, 4.1.7.3
views
Data Redaction, 9.19