7 General Considerations of Using Transparent Data Encryption
When you use Transparent Data Encryption, you should consider factors such as security, performance, and storage overheads.
- Compression and Data Deduplication of Encrypted Data
With tablespace encryption, Oracle Database compresses tables and indexes before encrypting the tablespace. - Security Considerations for Transparent Data Encryption
As with all Oracle Database features, you should consider security when you create TDE policies. - Performance and Storage Overhead of Transparent Data Encryption
The performance of Transparent Data Encryption can vary. - Modifying Your Applications for Use with Transparent Data Encryption
You can modify your applications to use Transparent Data Encryption. - How ALTER SYSTEM and orapki Map to ADMINISTER KEY MANAGEMENT
Many of the clauses from theALTER SYSTEM
statement correspond to theADMINISTER KEY MANAGEMENT
statement. - Data Loads from External Files to Tables with Encrypted Columns
You can use SQL*Loader to perform data loads from files to tables that have encrypted columns. - Transparent Data Encryption and Database Close Operations
You should ensure that the software or external keystore is open before you close the database.
Parent topic: Using Transparent Data Encryption
7.1 Compression and Data Deduplication of Encrypted Data
With tablespace encryption, Oracle Database compresses tables and indexes before encrypting the tablespace.
This ensures that you receive the maximum space and performance benefits from compression, while also receiving the security of encryption at rest. In the CREATE TABLESPACE
SQL statement, include both the COMPRESS
and ENCRYPT
clauses.
With column encryption, Oracle Database compresses the data after it encrypts the column. This means that compression will have minimal effectiveness on encrypted columns. There is one notable exception: if the column is a SecureFiles LOB, and the encryption is implemented with SecureFiles LOB Encryption, and the compression (and possibly deduplication) are implemented with SecureFiles LOB Compression & Deduplication, then compression is performed before encryption. Similar to the CREATE TABLESPACE
statement for tablespace encryption, include both the COMPRESS
and ENCRYPT
clauses.
See Also:
-
Oracle Database Backup and Recovery User’s Guide for more information about the Advanced Compression Option
-
Oracle Database SecureFiles and Large Objects Developer's Guide for information about SecureFiles LOB storage
-
Oracle Database SecureFiles and Large Objects Developer's Guide for information about SecureFiles Compression
7.2 Security Considerations for Transparent Data Encryption
As with all Oracle Database features, you should consider security when you create TDE policies.
- Transparent Data Encryption General Security Advice
Security considerations for Transparent Data Encryption (TDE) operate within the broader area of total system security. - Transparent Data Encryption Column Encryption-Specific Advice
Additional security considerations apply to normal database and network operations when using TDE. - Managing Security for Plaintext Fragments
You should remove old plaintext fragments that can appear over time.
7.2.1 Transparent Data Encryption General Security Advice
Security considerations for Transparent Data Encryption (TDE) operate within the broader area of total system security.
Follow these general guidelines:
-
Identify the degrees of sensitivity of data in your database, the protection that they need, and the levels of risk to be addressed. For example, highly sensitive data requiring stronger protection can be encrypted with the AES256 algorithm. A database that is not as sensitive can be protected with no salt or the
nomac
option to enable performance benefits. -
Evaluate the costs and benefits that are acceptable to data and keystore protection. Protection of keys determines the type of keystore to be used: auto-login software keystores, password-based software keystores, or external keystores.
-
Consider having separate security administrators for TDE and for the database.
-
Consider having a separate and exclusive keystore for TDE.
-
Implement protected back-up procedures for your encrypted data.
Parent topic: Security Considerations for Transparent Data Encryption
7.2.2 Transparent Data Encryption Column Encryption-Specific Advice
Additional security considerations apply to normal database and network operations when using TDE.
Encrypted column data stays encrypted in the data files, undo logs, redo logs, and the buffer cache of the system global area (SGA). However, data is decrypted during expression evaluation, making it possible for decrypted data to appear in the swap file on the disk. Privileged operating system users can potentially view this data.
Column values encrypted using TDE are stored in the data files in encrypted form. However, these data files may still contain some plaintext fragments, called ghost copies, left over by past data operations on the table. This is similar to finding data on the disk after a file was deleted by the operating system.
Parent topic: Security Considerations for Transparent Data Encryption
7.2.3 Managing Security for Plaintext Fragments
You should remove old plaintext fragments that can appear over time.
Old plaintext fragments may be present for some time until the database overwrites the blocks containing such values. If privileged operating system users bypass the access controls of the database, then they might be able to directly access these values in the data file holding the tablespace.
To minimize this risk:
-
Create a new tablespace in a new data file.
You can use the
CREATE TABLESPACE
statement to create this tablespace. -
Move the table containing encrypted columns to the new tablespace. You can use the
ALTER TABLE.....MOVE
statement.Repeat this step for all of the objects in the original tablespace.
-
Drop the original tablespace.
You can use the
DROP TABLESPACE
tablespace
INCLUDING CONTENTS KEEP DATAFILES
statement. Oracle recommends that you securely delete data files using platform-specific utilities. -
Use platform-specific and file system-specific utilities to securely delete the old data file. Examples of such utilities include
shred
(on Linux) andsdelete
(on Windows).
Parent topic: Security Considerations for Transparent Data Encryption
7.3 Performance and Storage Overhead of Transparent Data Encryption
The performance of Transparent Data Encryption can vary.
- Performance Overhead of Transparent Data Encryption
Transparent Data Encryption tablespace encryption has small associated performance overhead. - Storage Overhead of Transparent Data Encryption
TDE tablespace encryption has no storage overhead, but TDE column encryption has some associated storage overhead.
7.3.1 Performance Overhead of Transparent Data Encryption
Transparent Data Encryption tablespace encryption has small associated performance overhead.
The actual performance impact on applications can vary. TDE column encryption affects performance only when data is retrieved from or inserted into an encrypted column. No reduction in performance occurs for operations involving unencrypted columns, even if these columns are in a table containing encrypted columns. Accessing data in encrypted columns involves small performance overhead, and the exact overhead you observe can vary.
The total performance overhead depends on the number of encrypted columns and their frequency of access. The columns most appropriate for encryption are those containing the most sensitive data.
Enabling encryption on an existing table results in a full table update like any other ALTER TABLE
operation that modifies table characteristics. Keep in mind the potential performance and redo log impact on the database server before enabling encryption on a large existing table.
A table can temporarily become inaccessible for write operations while encryption is being enabled, TDE table keys are being rekeyed, or the encryption algorithm is being changed. You can use online table redefinition to ensure that the table is available for write operations during such procedures.
If you enable TDE column encryption on a very large table, then you may need to increase the redo log size to accommodate the operation.
Encrypting an indexed column takes more time than encrypting a column without indexes. If you must encrypt a column that has an index built on it, you can try dropping the index, encrypting the column with NO SALT
, and then re-creating the index.
If you index an encrypted column, then the index is created on the encrypted values. When you query for a value in the encrypted column, Oracle Database transparently encrypts the value used in the SQL query. It then performs an index lookup using the encrypted value.
Note:
If you must perform range scans over indexed, encrypted columns, then use TDE tablespace encryption in place of TDE column encryption.
See Also:
-
Oracle Database Administrator’s Guide for information about redefining tables online
7.3.2 Storage Overhead of Transparent Data Encryption
TDE tablespace encryption has no storage overhead, but TDE column encryption has some associated storage overhead.
Encrypted column data must have more storage space than plaintext data. In addition, TDE pads out encrypted values to multiples of 16 bytes. This means that if a credit card number requires nine bytes for storage, then an encrypted credit card value will require an additional seven bytes.
Each encrypted value is also associated with a 20-byte integrity check. This does not apply if you have encrypted columns using the NOMAC
parameter. If data was encrypted with salt, then each encrypted value requires an additional 16 bytes of storage.
The maximum storage overhead for each encrypted value is from one to 52 bytes.
Related Topics
7.4 Modifying Your Applications for Use with Transparent Data Encryption
You can modify your applications to use Transparent Data Encryption.
-
Configure the software or external keystore for TDE, and then set the master encryption key.
See the following sections for more information:
-
Verify that the master encryption key was created by querying the
KEY_ID
column of theV$ENCRYPTION_KEYS
view. -
Identify the sensitive columns (such as those containing credit card data) that require Transparent Data Encryption protection.
-
Decide whether to use TDE column encryption or TDE tablespace encryption.
See the following sections for more information:
-
Open the keystore.
See the following sections for more information:
-
Encrypt the columns or tablespaces.
See the following sections for more information:
7.5 How ALTER SYSTEM and orapki Map to ADMINISTER KEY MANAGEMENT
Many of the clauses from the ALTER SYSTEM
statement correspond to the ADMINISTER KEY MANAGEMENT
statement.
Table 7-1 compares the Transparent Data Encryption usage of the ALTER SYSTEM
statement and the orapki
utility from previous releases with the ADMINISTER KEY MANAGEMENT
statement.
Table 7-1 How ALTER SYSTEM and orapki Map to ADMINISTER KEY MANAGEMENT
Behavior | ALTER SYSTEM or orapki | ADMINISTER KEY MANAGEMENT |
---|---|---|
Creating a keystore |
For software keystores (called wallets in previous releases): ALTER SYSTEM SET ENCRYPTION KEY ["certificate_ID"] IDENTIFIED BY keystore_password; For external keystores, the keystore is available after you configure the external keystore. |
For software keystores: ADMINISTER KEY MANAGEMENT CREATE KEYSTORE 'keystore_location' IDENTIFIED BY software_keystore_password For external keystores, the keystore is available after you configure the external keystore. |
Creating an auto-login keystore |
orapki wallet create -wallet wallet_location -auto_login [-pwd password] |
For software keystores: ADMINISTER KEY MANAGEMENT CREATE [LOCAL] AUTO_LOGIN KEYSTORE FROM KEYSTORE 'keystore_location' IDENTIFIED BY software_keystore_password; This type of keystore applies to software keystores only. |
Opening a keystore |
ALTER SYSTEM SET [ENCRYPTION]
WALLET OPEN IDENTIFIED BY
password; |
ADMINISTER KEY MANAGEMENT SET KEYSTORE
OPEN IDENTIFIED BY keystore_password
[CONTAINER = ALL | CURRENT]; |
Closing a keystore |
ALTER SYSTEM SET [ENCRYPTION]
WALLET CLOSE IDENTIFIED BY
password; |
For both software and external keystores: ADMINISTER KEY MANAGEMENT SET KEYSTORE
CLOSE IDENTIFIED BY keystore_password
[CONTAINER = ALL | CURRENT]; |
Migrating from an external keystore to a software keystore |
With Oracle patch 20181737:
|
ADMINISTER KEY MANAGEMENT SET [ENCRYPTION] KEY IDENTIFIED BY software_keystore_password REVERSE MIGRATE USING "external_key_manager_password" WITH BACKUP [USING 'backup_identifier']; |
Migrating from a software keystore to Oracle Key Vault |
ALTER SYSTEM SET [ENCRYPTION] KEY IDENTIFIED BY "Oracle_Key_Vault_password" MIGRATE USING wallet_password; |
ADMINISTER KEY MANAGEMENT SET [ENCRYPTION] KEY IDENTIFIED BY "Oracle_Key_Vault_password" MIGRATE USING wallet_password; |
Changing a keystore password |
orapki wallet change_pwd -wallet wallet_location [-oldpwd password ] [-newpwd password] |
For password-based software keystores: ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD IDENTIFIED BY software_keystore_old_password SET software_keystore_new_password [WITH BACKUP [USING 'backup_identifier']]; For external keystores, you close the keystore, change it in the external key manager interface, and then reopen the keystore. |
Backing up a password-based software keystore |
No |
ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE [USING 'backup_identifier'] IDENTIFIED BY software_keystore_password [TO 'keystore_location']; |
Merging two software keystores into a third new keystore |
No |
ADMINISTER KEY MANAGEMENT MERGE KEYSTORE 'keystore1_location' [IDENTIFIED BY software_keystore1_password] AND KEYSTORE 'keystore2_location' [IDENTIFIED BY software_keystore2_password] INTO NEW KEYSTORE 'keystore3_location' IDENTIFIED BY software_keystore3_password; |
Merging one software keystore into another existing keystore |
No |
ADMINISTER KEY MANAGEMENT MERGE KEYSTORE 'keystore1_location' [IDENTIFIED BY software_keystore1_password] INTO EXISTNG KEYSTORE 'keystore2_location' IDENTIFIED BY software_keystore2_password [WITH BACKUP [USING 'backup_identifier']]; |
Setting or rekeying the master encryption key |
For software wallets: ALTER SYSTEM SET ENCRYPTION KEY ["certificate_ID"] IDENTIFIED BY keystore_password; For external keystores: ALTER SYSTEM SET ENCRYPTION KEY
IDENTIFIED BY "external_key_manager_password" Note: The |
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY [USING TAG 'tag'] IDENTIFIED BY keystore_password WITH BACKUP [USING 'backup_identifier'] [CONTAINER = ALL | CURRENT]; After you rekey the encryption key, the |
Creating a master encryption key for later user |
No |
ADMINISTER KEY MANAGEMENT CREATE KEY [USING TAG 'tag'] IDENTIFIED BY keystore_password [WITH BACKUP [USING 'backup_identifier']] [CONTAINER = (ALL|CURRENT)]; |
Activating a master encryption key |
No |
ADMINISTER KEY MANAGEMENT USE KEY 'key_identifier' [USING TAG 'tag'] IDENTIFIED BY keystore_password [WITH BACKUP [USING 'backup_identifier']]; |
Creating custom tags for master encryption keys |
No |
ADMINISTER KEY MANAGEMENT SET TAG 'tag' FOR 'master_key_identifier' IDENTIFIED BY keystore_password [WITH BACKUP [USING 'backup_identifier']]; |
Exporting a master encryption key |
No |
ADMINISTER KEY MANAGEMENT EXPORT [ENCRYPTION] KEYS WITH SECRET "export_secret" TO 'file_path' IDENTIFIED BY software_keystore_password [WITH IDENTIFIER IN 'key_id1', 'key_id2', 'key_idn' | (SQL_query)] |
Importing a master encryption key |
No |
ADMINISTER KEY MANAGEMENT IMPORT [ENCRYPTION] KEYS WITH SECRET "import_secret" | FROM 'file_name' IDENTIFIED BY software_keystore_password [WITH BACKUP [USING 'backup_identifier']]; |
Storing Oracle Database secrets in a keystore |
No |
For software keystores: ADMINISTER KEY MANAGEMENT ADD SECRET|UPDATE SECRET|DELETE SECRET "secret" FOR CLIENT 'client_identifier' [USING TAG'tag'] IDENTIFIED BY keystore_password [WITH BACKUP [USING 'backup_identifier']; For external keystores: ADMINISTER KEY MANAGEMENT ADD SECRET|UPDATE SECRET|DELETE SECRET "secret" FOR CLIENT 'client_identifier' [USING TAG 'tag'] IDENTIFIED BY "external_key_manager_password" [WITH BACKUP [USING 'backup_identifier']; |
7.6 Data Loads from External Files to Tables with Encrypted Columns
You can use SQL*Loader to perform data loads from files to tables that have encrypted columns.
Be aware that with SQL*Loader, you cannot include the ENCRYPT
clause in the column definition of an external table of the type ORACLE_LOADER
, but you can include it in the column definitions of external tables of type ORACLE_DATAPUMP
.
-
External tables of type
ORACLE_LOADER
The reason that you cannot include the
ENCRYPT
clause in the column definitions of external tables of the typeORACLE_LOADER
is because the contents of an external table with theORACLE_LOADER
type must come from a user-specified plaintext "backing file," and such plaintext files cannot contain any TDE encrypted data.If you use the
ENCRYPT
clause in the definition of an external table of typeORACLE_LOADER
, then when you query the TDE-encrypted column in this external table, the query fails. This is because TDE expects the external data to have been encrypted, and automatically tries to decrypt it on load. This action fails because the "backing file" only contains plaintext. -
External tables of type
ORACLE_DATAPUMP
You can use TDE column encryption with external tables of type
ORACLE_DATAPUMP
. This is because for external tables ofORACLE_DATAPUMP
type, the "backing file" is always created by Oracle Database(during an unload operation) and thus does have support for being populated with encrypted data.
7.7 Transparent Data Encryption and Database Close Operations
You should ensure that the software or external keystore is open before you close the database.
The master encryption keys may be required during the database close operation. The database close operation automatically closes the software or external keystore.