Encryption

The document discusses database encryption including symmetric, asymmetric, and hash encryption. It describes how to use transparent data encryption at the filesystem and application levels including setting wallet parameters, creating keystores, setting the TDE master key, and encrypting tablespaces.

Uploaded by

ali.abweh.344

DATABASE ENCRYPTION

TOPICS
Encryption:
  Asymmetric encryption & usage
  Symmetric encryption & usage
  Hash encryption & usage
Different levels:
  Application-level
  Filesystem-level
How to use Transparent Data Encryption on the database
ENCRYPTION:
Encryption is the process of protecting information or data by using mathematical models to scramble it in such a way that only the parties who have the key to unscramble it can access it.

The original form of the data is known as plaintext, and the encrypted form is called ciphertext.
WHY DO WE USE ENCRYPTION:
• Data cannot easily be read, modified, or fabricated.
• Privacy: encryption ensures that no one can read communications or data at rest except the intended recipient or the rightful data owner.
• Security: encryption helps prevent data breaches.
• Data integrity: encryption also helps prevent malicious behavior.


Types of encryption:
01 Symmetric (secret key): one key encrypts and decrypts.
02 Asymmetric (public key encryption): one key encrypts, a different key decrypts.
03 Hash: one-way encryption, there is no decryption for it.
01 Symmetric (secret key):

Symmetric encryption is a type of encryption algorithm where the same secret key is used for both encryption and decryption of data.

In symmetric encryption, the data is transformed into ciphertext (encrypted form) using the secret key, and then it can be transmitted over an insecure channel, such as the internet. The receiver, who possesses the same secret key, can then decrypt the ciphertext back into its original plaintext (unencrypted form) using the same key.
02 Asymmetric (public-key encryption):

Asymmetric encryption is a cryptographic method that uses a pair of keys for encrypting and decrypting data: a public key and a private key.

The public key is made available to anyone who wants to send encrypted data to the owner of the key, while the private key is kept secret by the owner. The public key is used for encryption, and the private key is used for decryption. This means that data encrypted with the public key can only be decrypted with the corresponding private key, and vice versa.
03 Hash Encryption:
Hash encryption is a type of encryption that uses a one-way function to convert plain text into a fixed-length string of characters. The resulting hash value is unique to the input data and cannot be reversed to obtain the original data. Hash encryption is often used for password storage, as the hash value can be stored in the database instead of the actual password.

How to use hash encryption?

A website hashes users' passwords before storing them in a database. When a user logs in, the website hashes the entered password and compares it to the stored hash to verify the user's credentials.
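The register/login pattern described above, written here as an added example in Oracle PL/SQL (not code from the presentation) because the rest of the deck uses Oracle SQL. It assumes a constructed table app_users and EXECUTE privilege on DBMS_CRYPTO; each user gets a random salt so identical passwords do not produce identical hashes, and the plaintext password is never stored.

```sql
-- Constructed demo table (not part of the presentation).
CREATE TABLE app_users (
  username  VARCHAR2(64) PRIMARY KEY,
  pw_salt   RAW(16)      NOT NULL,   -- random per-user salt
  pw_hash   RAW(32)      NOT NULL    -- SHA-256 of salt || password
);

CREATE OR REPLACE PACKAGE pw_store AS
  PROCEDURE register(p_user IN VARCHAR2, p_password IN VARCHAR2);
  FUNCTION  verify(p_user IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN;
END pw_store;
/

CREATE OR REPLACE PACKAGE BODY pw_store AS
  -- One-way function from the slide: SHA-256 over salt || password.
  FUNCTION salted_hash(p_salt IN RAW, p_password IN VARCHAR2) RETURN RAW IS
  BEGIN
    RETURN DBMS_CRYPTO.HASH(
             UTL_RAW.CONCAT(p_salt, UTL_RAW.CAST_TO_RAW(p_password)),
             DBMS_CRYPTO.HASH_SH256);
  END salted_hash;

  -- Registration: store salt and hash, never the password itself.
  PROCEDURE register(p_user IN VARCHAR2, p_password IN VARCHAR2) IS
    v_salt RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);  -- fresh random salt
  BEGIN
    INSERT INTO app_users (username, pw_salt, pw_hash)
    VALUES (p_user, v_salt, salted_hash(v_salt, p_password));
  END register;

  -- Login: re-hash the entered password with the stored salt and compare.
  FUNCTION verify(p_user IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN IS
    v_salt RAW(16);
    v_hash RAW(32);
  BEGIN
    SELECT pw_salt, pw_hash INTO v_salt, v_hash
      FROM app_users
     WHERE username = p_user;
    RETURN UTL_RAW.COMPARE(v_hash, salted_hash(v_salt, p_password)) = 0;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      RETURN FALSE;  -- unknown user gets the same answer as a wrong password
  END verify;
END pw_store;
/
```

A plain salted SHA-256 is the minimum the slide describes; for production password storage a deliberately slow, memory-hard function (PBKDF2, bcrypt, scrypt or Argon2) in the application layer is the stronger choice because it makes offline guessing of leaked hashes far more expensive.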
How to use Symmetric Encryption?
An organization might use symmetric encryption by putting the encryption key in the website in a way that no one can learn the key; the website will then encrypt the sensitive information and put it in the database.
(Symmetric encryption has only one key to encrypt and decrypt, so the key must stay private.)

How to use Asymmetric Encryption?

Same as symmetric, but the difference here is that there is more flexibility; for example, the organization can also share the public encryption key with its employees, while the decryption key should remain private.
(Asymmetric encryption has two keys: one for encryption (public) and one for decryption (private).)
Application-level encryption
• The encryption of data is done by the application, before storing it in the database.
• It can happen on clients, making it client-side encryption.
• You can choose which field or column to protect.
• It can make the database more secure, because if an attacker gains access to the database, the data in it will be encrypted.

Filesystem-level encryption
01 It is a form of disk encryption where individual files or directories are encrypted by the file system itself.
02 The encryption of data is done by the database.
03 It provides automatic encryption when data is being written to or read from a disk, but it does not encrypt anything at the file level.
04 It uses the same encryption key for the whole disk, which is immediately decrypted as soon as the device is accessed with valid user credentials.
05 It is like locking the exterior doors of your house without locking any of the interior rooms.
How to use Transparent Data Encryption on the database (Filesystem-level)
Transparent Data Encryption (TDE) is a feature of many popular database management systems that allows for data encryption at the filesystem level. Here are the steps to use TDE on a database:
• Verify that your database system supports TDE
• Set Wallet Parameters
• Create Keystores
• Set TDE Master Key
• Encrypt DATA
Enabling TDE may impact the performance of the database system. Therefore, it is recommended to test TDE in a non-production environment.
1. Verify that your database system supports TDE

1. Connect to the database with the SYSDBA privilege.
2. Check the version of the Oracle database:
   SELECT * FROM v$version;
   (Must be 11.2.0.2 or later, 11g Release 2 or later.)
3. Verify that the database has the Advanced Security Option (ASO) enabled:
   SELECT * FROM v$option WHERE parameter = 'Advanced Security';
   (If it returns TRUE, then ASO is enabled and TDE can be used. Otherwise you need to enable ASO before using TDE.)
4. Check if the required TDE-related initialization parameters are set:
   SELECT * FROM v$parameter WHERE name LIKE '%encryption%';
2. Set Wallet Parameters
1. Create a folder in C:\oracle\admin\orc1 with the name "wallet" and another folder in it called "tde".
2. Specify the base location of the wallet:
   alter system set WALLET_ROOT='C:\oracle\admin\orc1\wallet' scope=spfile sid='*';
   "scope=spfile": changes will be made in the server parameter file.
   "sid='*'": the change will apply to all instances of the database.
3. Restart the database (necessary): SHUTDOWN IMMEDIATE; then STARTUP;
4. Check that the change to wallet_root was applied: show parameter wallet_root;
   (It must give you the wallet location that you entered.)
5. Modify the TDE configuration:
   alter system set tde_configuration="KEYSTORE_CONFIGURATION=FILE" scope=both sid='*';
   "KEYSTORE_CONFIGURATION=FILE": the keystore configuration is stored in a file.
   "scope=both": changes will be made in both the current memory and the server parameter file.
3. Create Keystores
1. Create a password-protected keystore:
   administer key management create keystore identified by pass;
2. Create an auto-login keystore:
   administer key management create auto_login keystore from keystore identified by pass;
3. Check the keystore files: go to "C:\location \to\db_name\wallet\tde"; you should find two files named "cwallet.sso" and "ewallet.p12".
4. Set TDE Master Key
1. Open the keystore:
   administer key management set keystore open force keystore identified by pass container=all;
2. Set the key:
   administer key management set key force keystore identified by pass with backup container=all;
3. Check the keystore status:
   select con_id, wallet_type, status from v$encryption_wallet;
5. Encrypt DATA
Types of encryption supported:
• AES128
• AES256 (AES256 is roughly considered 40% slower than AES128)

How to encrypt a tablespace:

• Using AES256:
  create tablespace TDE_DATA datafile 'C:\oracle\tablespaces\TDE_DATA_01.dbf' size 10m autoextend on next 10m maxsize unlimited encryption using 'AES256' encrypt;
• Using AES128:
  create tablespace TDE_DATA datafile '+DATA/ORCLCDB/ORCLPDB/TDE_DATA_01.dbf' size 10m autoextend on next 10m maxsize unlimited encryption encrypt;

To check the tablespaces:
  SELECT tablespace_name, encrypted, status FROM dba_tablespaces;
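A follow-up check after the TDE procedure above, added here as an example and not part of the presentation: it confirms the keystore state, lists which tablespaces are encrypted and with which algorithm, finds application tables that still sit in unencrypted tablespaces (TDE protects the datafile, so a table outside TDE_DATA gets no protection), and moves one such table into TDE_DATA. The table hr.employees and index hr.emp_emp_id_pk are assumed names from the Oracle HR sample schema.

```sql
-- 1. Keystore must be OPEN; an AUTOLOGIN wallet type means encrypted tablespaces
--    stay readable after a restart without someone typing the keystore password.
SELECT con_id, wallet_type, status, fully_backed_up
  FROM v$encryption_wallet;

-- 2. Encrypted tablespaces and the algorithm each one uses (AES128 / AES256).
SELECT t.name AS tablespace_name, e.encryptionalg, e.status
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;

-- 3. Application tables still stored in UNENCRYPTED tablespaces.
--    Anything listed here is on disk in the clear despite TDE being enabled.
SELECT tb.owner, tb.table_name, tb.tablespace_name
  FROM dba_tables       tb
  JOIN dba_tablespaces  ts ON ts.tablespace_name = tb.tablespace_name
 WHERE ts.encrypted = 'NO'
   AND tb.owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY tb.owner, tb.table_name;

-- 4. Move an existing table into the encrypted tablespace created on the slide.
--    MOVE rewrites the rows into TDE_DATA; its indexes become UNUSABLE and must be
--    rebuilt (here into TDE_DATA as well, so index blocks are encrypted too).
ALTER TABLE hr.employees MOVE TABLESPACE tde_data;
ALTER INDEX hr.emp_emp_id_pk REBUILD TABLESPACE tde_data;

-- 5. Re-run the check from the slide; hr.employees should no longer appear in query 3.
SELECT tablespace_name, encrypted, status FROM dba_tablespaces;
```

The old, unencrypted copies of the moved blocks remain in the original datafile until that space is reused or the datafile is dropped, so moving data is not the same as wiping it.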
Do you have any questions?
Thank You.
Done by :
Lara Shahrori
Lana Khdair
Ali Abweh
