21-4 - Get Your Database Vaccinated - Oracle Transparent Data Encryption With Almost Zero Downtime - v1
21-4 - Get Your Database Vaccinated - Oracle Transparent Data Encryption With Almost Zero Downtime - v1
▪ What is TDE
▪ Types of TDE
▪ Methods to implement TDE
▪ TDE Encryption Algorithms
▪ Oracle Wallet and Keys
▪ TDE Table Space Encryption- Fast-Offline Method
▪ Performance Checklist
▪ Post TDE Buddy Checks
▪ Project and Release Management
▪ Post TDE Issues & Backout Plan
▪ Wallet Management
What is TDE
3
Oracle Transparent Data Encryption (TDE) enables the organizations to encrypt sensitive application data on storage media completely
transparent to the application.
▪ Sensitive data is safe in case the storage media or data file gets stolen.
▪ Key management operations are automated. The user or application does not need to manage encryption keys.
Types of TDE
4
▪ Although longer key lengths theoretically provide greater security, there may be trade-off in CPU overhead
AES256: Enables you to use AES to encrypt a block size of 256 bits.
AES192: Enables you to use AES to encrypt a block size of 192 bits.
AES128: Enables you to use AES to encrypt a block size of 128 bits.
▪ The sqlnet.ora should be placed in $TNS_ADMIN location and should point to the location where the wallet files are to be managed.
▪ Make sure that the wallet location exists. If a non-default wallet location must be used then specify it in the sqlnet.ora file
▪ The wallet location should be a secure location with read and write permission to oracle rdbms os id. As per best practices, it is not
recommended to have it under $ORACLE_HOME or $ORACLE_BASE to prevent accidental backup of this secure file to media.
▪ Create the corresponding directory on all nodes with the proper ORACLE_SID.
Initiate a new SQL*Plus session. This causes the changes to sqlnet.ora to be picked up by the new session.
Oracle Wallets and Keys
10
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN identified by “********"; ------- 11.2.0.4
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/oracle/WALLETS/$ORACLE_SID' IDENTIFIED BY “******!"; ----- 12.1.0.2
SQL>ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY “*******"; --- 12.1.0.2
SQL>ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY “****" WITH BACKUP USING 'TDE’; --- 12.1.0.2
▪ Ensure that the password string is contained in double quotation marks (" ").
▪ Reduce permissions on the wallet file from the initial value, determined by ‘umask’ for the ‘Oracle’ user, to:
$ cd /etc/ORACLE/WALLETS/<$ORACLE_SID>
$ chmod 600 ewallet.p12
Oracle Wallets and Keys
11
▪ To protect the Oracle TDE Wallets from being inadvertently deleted, make them ‘immutable’.
# chattr +i ewallet.p12
# chattr +i cwallet.sso
Oracle Wallets and Keys
12
▪ Copy the files generated in the keystore directory to all nodes of the primary and standby.
Pre-requisites
▪ There is an existing physical standby database for no downtime method.
▪ A current backup has been taken of the database prior to converting data files.
▪ The patch 23315889 described in MOS 2148746.1 has been applied to both primary and standby RDBMS installation.
-Incase there is any one-off patches already applied to Oracle Home, request Oracle for a merge patch
▪ COMPATIBLE is set to 12.1.0.2 or 11.2.0.4 respectively.
▪ Require the primary database to have forced logging enabled.
▪ To ensure there are no unrecoverable blocks the following query at the primary database should return no rows.
See MOS 290161.1 for additional details on nologging operations and handling.
SQL> select NAME from V$DATAFILE where UNRECOVERABLE_CHANGE#>0;
Note: If UNRECOVERABLE_CHANGE# is >0 for any datafile, compare the value on the primary to the value on the standby.
If they are the same the datafile was copied after the unrecoverable change and no action is necessary.
TDE Tablespace Encryption – Fast-Offline Method
15
▪ It requires a certain PSU or a one-off patch or merge patch would need to be requested by Oracle.
▪ Encryption requires downtime unless dataguard is used, in that case only a quick downtime for switchover is required.
Performance Checklist
17
▪ Validate both the value of v$encryption_wallet and sqlnet.ora is having the same entry and the wallet status is OPEN.
▪ Check the Tablespace status for all tablespaces . It should show encrypted=Yes (except system,sysaux,undo and Temp) .
▪ The encryption algorithm used should be AES128. Validate: -
SELECT t.name , e.encryptionalg , e.encryptedts FROM v$tablespace t , v$encrypted_tablespaces e WHERE t.ts# = e.ts#;
▪ DB Verify logs should not report any error after datafile encryption and it should show used blocks are encrypted.
▪ Validate and Confirm that the encryption key files present in the wallet locations are immutable.
The permission of Wallet Directory should be 700 and permission of files should be 600 owned by oracle:oinstall.
# chattr +i ewallet.p12
# chattr +i cwallet.sso
▪ Changes in DB Size
▪ Changes in CPU Consumption
▪ Changes in Memory Consumption
▪ Changes in IO bottleneck
▪ Executing around the clock using 24/7 DBA/Infrastructure Support Teams
Post TDE Tablespace Encryption Issues
20
▪ Command to decrypt the database that was encrypted using fast-offline method
▪ When TDE is implemented master key is also noted in control file, system tablespace and hence cannot be
removed. Removing the wallet will cause damage to the system.
Wallet Management
22
# cd /etc
# mkdir –pv ORACLE/WALLETS/NASCXTHZNPRD
# chown –R oracle:oinstall ORACLE
# chmod –R 700 ORACLE
▪ The permission of Directory should be 700 and permission of files should be 600 owned by oracle:oinstall
$ cd /etc/ORACLE/WALLETS/<$ORACLE_UNQNAME>
$ chmod 600 ewallet.p12
▪ In order to protect the Oracle TDE Wallets from being inadvertently deleted, make them ‘immutable’.
▪ Always backup the wallet at the same time when backing up your database. However, do not include the wallet on the same media as the database backup.
▪ Separate wallet for separate databases in same server.
TDE Tablespace Encryption Restrictions
23
There are few restrictions with TDE tablespace encryption because encrypt/decrypt takes place during read/write as
opposed to the SQL layer with column encryption. TDE tablespace encryption restrictions are:
▪ External Large Objects (BFILEs) cannot be encrypted using TDE tablespace encryption because these files reside
outside the database.
▪ To perform import and export operations on TDE encrypted tablespaces, you must use Oracle Data Pump.
▪ The offline encryption process will use the AES128 encryption algorithm with the key identifier listed in
V$DATABASE_KEY_INFO.
▪ This process is only for application tablespace data files. SYSTEM, SYSAUX, UNDO, and TEMP tablespaces cannot
be encrypted with TDE.
TDE Online Encryption – 18c and above
24
▪ In previous releases, the SQLNET.ENCRYPTION_WALLET_LOCATION parameter was used to define the keystore
directory location. This parameter has been deprecated. Oracle recommends that you use the WALLET_ROOT
static initialization parameter and TDE_CONFIGURATION dynamic initialization parameter instead.
▪ This method creates a new datafile with encrypted data.
▪ Example Syntax: SQL> alter tablespace TDE_ORACLEDBWR_TBS encryption online using ‘AES192’ encrypt
file_name_convert=(‘/u02/app/oracle/oradata/ORADBWR/tde_tbs1.dbf’,’/u02/app/oracle/oradata/ORADBWR/tde_tbs
1_encrypted.dbf’);
Tablespace altered.
▪ If you’re not using Oracle Managed File (OMF), stating from 19c you can omit the FILE_NAME_CONVERT clause,
but if you’re using an Oracle 12.2 or 18c you still have to specify it, otherwise you’ll end up with an error:
ORA-28425: missing a valid FILE_NAME_CONVERT clause
▪ If you’re using Oracle Managed File (OMF) you can’t use the FILE_NAME_CONVERT, or you’ll face an error: ORA-
28437: unexpected FILE_NAME_CONVERT clause with Oracle Managed Files
▪ Online method requires twice the space as the tablespace been worked on as work (encryption or decryption)
happens out of place.
Heema Satapathy
Manager – Infrastructure & Cloud
Solutions
Computer Technology Resources Inc
[email protected]
+1(714)-665-6507 Ext 418
+1(714)-665-6507 ext 418
25