Table of Contents
- Title and Copyright Information
- Preface
- Changes in This Release for Oracle Database Advanced Security Guide
1 Introduction to Oracle Advanced Security

Part I Using Transparent Data Encryption

2 Introduction to Transparent Data Encryption
- What Is Transparent Data Encryption?
- Benefits of Using Transparent Data Encryption
- Who Can Configure Transparent Data Encryption?
- Types and Components of Transparent Data Encryption
- How the Multitenant Option Affects Transparent Data Encryption

3 Configuring Transparent Data Encryption
- About Configuring Transparent Data Encryption
- Transparent Data Encryption Keystore Search Order
- Configuring a Software Keystore
- Configuring a Hardware Keystore
- Encrypting Columns in Tables
  - About Encrypting Columns in Tables
  - Data Types That Can Be Encrypted with TDE Column Encryption
  - Restrictions on Using TDE Column Encryption
  - Creating Tables with Encrypted Columns
    - About Creating Tables with Encrypted Columns
    - Creating a Table with an Encrypted Column Using the Default Algorithm
    - Creating a Table with an Encrypted Column Using No Algorithm or a Non-Default Algorithm
    - Using the NOMAC Parameter to Save Disk Space and Improve Performance
      - Example: Using the NOMAC Parameter in a CREATE TABLE Statement
      - Example: Changing the Integrity Algorithm for a Table
    - Creating an Encrypted Column in an External Table
  - Encrypting Columns in Existing Tables
  - Creating an Index on an Encrypted Column
  - Adding Salt to an Encrypted Column
  - Removing Salt from an Encrypted Column
  - Changing the Encryption Key or Algorithm for Tables with Encrypted Columns
- Encryption Conversions for Tablespaces and Databases
  - About Encryption Conversion for Tablespaces and Databases
  - Impact of a Closed TDE Keystore on Encrypted Tablespaces
  - Restrictions on Using Transparent Data Encryption Tablespace Encryption
  - Creating an Encrypted New Tablespace
  - Encrypting Future Tablespaces
  - Encrypted Sensitive Credential Data in the Data Dictionary
  - Encryption Conversions for Existing Offline Tablespaces
  - Encryption Conversions for Existing Online Tablespaces
  - Encryption Conversions for Existing Databases
- Transparent Data Encryption Data Dynamic and Data Dictionary Views

4 Managing the Keystore and the Master Encryption Key
- Managing the Keystore
  - Performing Operations That Require a Keystore Password
  - Changing the Password of a Software Keystore
  - Changing the Password of a Hardware Keystore
  - Configuring an External Store for a Keystore Password
  - Backing Up Password-Protected Software Keystores
    - How the V$ENCRYPTION_WALLET View Interprets Backup Operations
  - Backups of the Hardware Keystore
  - Merging Software Keystores
  - Moving a TDE Master Encryption Key into a New Keystore
  - Moving a Software Keystore to a New Location
  - Moving a Software Keystore Out of Automatic Storage Management
  - Migrating Between a Software Password Keystore and a Hardware Keystore
  - Migration of Keystores to and from Oracle Key Vault
  - Configuring Keystores for Automatic Storage Management
    - About Configuring Keystores for Automatic Storage Management
    - Configuring a Keystore on a Standalone Database to Point to an ASM Location
    - Configuring a Keystore in a Multitenant Environment to Point to an ASM Location
    - Configuring a Keystore to Point to an ASM Location When the WALLET_ROOT Location Does Not Follow OMF Guidelines
  - Closing a Keystore
  - Backup and Recovery of Encrypted Data
  - Dangers of Deleting Keystores
- Managing the TDE Master Encryption Key
  - Creating User-Defined TDE Master Encryption Keys
  - Creating TDE Master Encryption Keys for Later Use
  - Activating TDE Master Encryption Keys
  - TDE Master Encryption Key Attribute Management
  - Creating Custom TDE Master Encryption Key Attributes for Reports
  - Setting or Rekeying the TDE Master Encryption Key in the Keystore
  - Exporting and Importing the TDE Master Encryption Key
    - About Exporting and Importing the TDE Master Encryption Key
    - About Exporting TDE Master Encryption Keys
    - Exporting a TDE Master Encryption Key
      - Example: Exporting a TDE Master Encryption Key by Using a Subquery
      - Example: Exporting a List of TDE Master Encryption Key Identifiers to a File
      - Example: Exporting All TDE Master Encryption Keys of the Database
    - About Importing TDE Master Encryption Keys
    - Importing a TDE Master Encryption Key
      - Example: Importing a TDE Master Encryption Key
    - How Keystore Merge Differs from TDE Master Encryption Key Export or Import
  - Management of TDE Master Encryption Keys Using Oracle Key Vault
- Storing Oracle Database Secrets
  - About Storing Oracle Database Secrets in a Keystore
  - Storage of Oracle Database Secrets in a Software Keystore
    - Example: Adding an HSM Password to a Software Keystore
    - Example: Changing an HSM Password Stored as a Secret in a Software Keystore
    - Example: Deleting an HSM Password Stored as a Secret in a Software Keystore
  - Storage of Oracle Database Secrets in a Hardware Keystore
    - Example: Adding an Oracle Database Secret to a Hardware Keystore
    - Example: Changing an Oracle Database Secret in a Hardware Keystore
    - Example: Deleting an Oracle Database Secret in a Hardware Keystore
  - Configuring Auto-Login Hardware Security Modules
- Storing Oracle GoldenGate Secrets in a Keystore

5 Managing Keystores and TDE Master Encryption Keys in United Mode
- About Managing Keystores and TDE Master Encryption Keys in United Mode
- Operations That Are Allowed in United Mode
- Operations That Are Not Allowed in a United Mode PDB
- Configuring the Keystore Location and Type for United Mode
- Configuring a Software Keystore for Use in United Mode
- Configuring a Hardware Keystore in United Mode
- Administering Keystores and TDE Master Encryption Keys in United Mode
  - Changing the Keystore Password in United Mode
  - Backing Up a Password-Protected Software Keystore in United Mode
  - Closing Keystores in United Mode
  - Creating a User-Defined TDE Master Encryption Key in United Mode
    - Example: Creating a Master Encryption Key in All PDBs
  - Creating a TDE Master Encryption Key for Later Use in United Mode
  - Activating a TDE Master Encryption Key in United Mode
  - Rekeying the TDE Master Encryption Key in United Mode
  - Finding the TDE Master Encryption Key That Is in Use in United Mode
  - Creating a Custom Attribute Tag in United Mode
  - Moving a TDE Master Encryption Key into a New Keystore in United Mode
  - Automatically Removing Inactive TDE Master Encryption Keys in United Mode
  - Isolating a Pluggable Database Keystore
- Administering Transparent Data Encryption in United Mode
  - Moving PDBs from One CDB to Another in United Mode
  - Unplugging and Plugging a PDB with Encrypted Data in a CDB in United Mode
    - Unplugging a PDB That Has Encrypted Data in United Mode
    - Plugging a PDB That Has Encrypted Data into a CDB in United Mode
    - Unplugging a PDB That Has Master Encryption Keys Stored in a Hardware Keystore in United Mode
    - Plugging a PDB That Has Master Encryption Keys Stored in a Hardware Keystore in United Mode
  - Managing Cloned PDBs with Encrypted Data in United Mode
  - How Keystore Open and Close Operations Work in United Mode
  - Finding the Keystore Status for All of the PDBs in United Mode

6 Managing Keystores and TDE Master Encryption Keys in Isolated Mode
- About Managing Keystores and TDE Master Encryption Keys in Isolated Mode
- Operations That Are Allowed in Isolated Mode
- Operations That Are Not Allowed in an Isolated Mode PDB
- Configuring the Keystore Location and Type for Isolated Mode
- Configuring a Keystore and TDE Master Encryption Key in Isolated Mode
  - About Configuring a Software Keystore in Isolated Mode
  - Step 1: Create a Software Keystore in a PDB Configured in Isolated Mode
  - Step 2: Open the Software Keystore in an Isolated Mode PDB
  - Step 3: Set the TDE Master Encryption Key in the Software Keystore of the Isolated Mode PDB
  - Step 4: Encrypt Your Data in Isolated Mode
- Configuring a Hardware Keystore in Isolated Mode
  - About Configuring a Hardware Keystore in Isolated Mode
  - Step 1: Configure the Hardware Security Module for the Isolated Mode PDB
  - Step 2: Open the Hardware Keystore in an Isolated Mode PDB
  - Step 3: Set TDE Master Encryption Key in the Hardware Keystore of a PDB in Isolated Mode
  - Step 4: Encrypt Your Data in Isolated Mode
- Administering Keystores and TDE Master Encryption Keys in Isolated Mode
  - Changing the Keystore Password in Isolated Mode
  - Backing Up a Password-Protected Software Keystore in Isolated Mode
  - Merging Software Keystores in Isolated Mode
  - Closing Keystores in Isolated Mode
  - Creating a User-Defined TDE Master Encryption Key in Isolated Mode
  - Creating a TDE Master Encryption Key for Later Use in Isolated Mode
  - Activating a TDE Master Encryption Key in Isolated Mode
  - Rekeying the TDE Master Encryption Key in Isolated Mode
  - Moving a TDE Master Encryption Key into a New Keystore in Isolated Mode
  - Creating a Custom Attribute Tag in Isolated Mode
  - Exporting and Importing the TDE Master Encryption Key in Isolated Mode
  - Storing Oracle Database Secrets in Isolated Mode
  - Migrating Keystores in Isolated Mode
  - Automatically Removing Inactive TDE Master Encryption Keys in Isolated Mode
  - Uniting a Pluggable Database Keystore
  - Creating a Keystore When the PDB Is Closed
- Administering Transparent Data Encryption in Isolated Mode
  - Moving PDBs from One CDB to Another in Isolated Mode
  - Unplugging and Plugging a PDB with Encrypted Data in a CDB in Isolated Mode
  - Cloning a PDB with Encrypted Data in a CDB in Isolated Mode
  - Performing a Remote Clone of PDB with Encrypted Data Between Two CDBs in Isolated Mode
  - Relocating Across CDBs a Cloned PDB with Encrypted Data in Isolated Mode
  - How Keystore Open and Close Operations Work in Isolated Mode
  - Exporting and Importing Master Encryption Keys for a PDB in Isolated Mode

7 General Considerations of Using Transparent Data Encryption
- Compression and Data Deduplication of Encrypted Data
- Security Considerations for Transparent Data Encryption
- Performance and Storage Overhead of Transparent Data Encryption
- Modifying Your Applications for Use with Transparent Data Encryption
- How ALTER SYSTEM and orapki Map to ADMINISTER KEY MANAGEMENT
- Using Transparent Data Encryption with PKI Encryption
- Data Loads from External Files to Tables with Encrypted Columns
- Transparent Data Encryption and Database Close Operations

8 Using Transparent Data Encryption with Other Oracle Features
- How Transparent Data Encryption Works with Export and Import Operations
- How Transparent Data Encryption Works with Oracle Data Guard
- How Transparent Data Encryption Works with Oracle Real Application Clusters
- How Transparent Data Encryption Works with SecureFiles
- How Transparent Data Encryption Works with Oracle Call Interface
- How Transparent Data Encryption Works with Editions
- Configuring Transparent Data Encryption to Work in a Multidatabase Environment

9 Using sqlnet.ora to Configure Transparent Data Encryption Keystores
- About the Keystore Location in the sqlnet.ora File
- Configuring the sqlnet.ora File for a Software Keystore Location
  - Example: Configuring a Software Keystore for a Regular File System
  - Example: Configuring a Software Keystore When Multiple Databases Share the sqlnet.ora File
  - Example: Configuring a Software Keystore for an Oracle Automatic Storage Management Disk Group

10 Frequently Asked Questions About Transparent Data Encryption

Part II Using Oracle Data Redaction

11 Introduction to Oracle Data Redaction

12 Oracle Data Redaction Features and Capabilities
- Full Data Redaction to Redact All Data
- Partial Data Redaction to Redact Sections of Data
- Regular Expressions to Redact Patterns of Data
- Redaction Using Null Values
- Random Data Redaction to Generate Random Values
- Comparison of Full, Partial, and Random Redaction Based on Data Types
- No Redaction for Testing Purposes
- Central Management of Named Data Redaction Policy Expressions

13 Configuring Oracle Data Redaction Policies
- About Oracle Data Redaction Policies
- Who Can Create Oracle Data Redaction Policies?
- Planning an Oracle Data Redaction Policy
- General Syntax of the DBMS_REDACT.ADD_POLICY Procedure
- Using Expressions to Define Conditions for Data Redaction Policies
  - About Using Expressions in Data Redaction Policies
  - Supported Functions for Data Redaction Expressions
  - Applying the Redaction Policy Based on User Environment
  - Applying the Redaction Policy Based on Database Roles
  - Applying the Redaction Policy Based on Oracle Label Security Label Dominance
  - Applying the Redaction Policy Based on Application Express Session States
  - Applying the Redaction Policy to All Users
- Creating and Managing Multiple Named Policy Expressions
  - About Data Redaction Policy Expressions to Define Conditions
  - Creating and Applying a Named Data Redaction Policy Expression
  - Updating a Named Data Redaction Policy Expression
  - Dropping a Named Data Redaction Expression Policy
  - Tutorial: Creating and Sharing a Named Data Redaction Policy Expression
    - Step 1: Create Users for This Tutorial
    - Step 2: Create an Oracle Data Redaction Policy
    - Step 3: Test the Oracle Data Redaction Policy
    - Step 4: Create and Apply a Policy Expression to the Redacted Table Columns
    - Step 5: Test the Data Redaction Policy Expression
    - Step 6: Modify the Data Redaction Policy Expression
    - Step 7: Test the Modified Policy Expression
    - Step 8: Remove the Components of This Tutorial
- Creating a Full Redaction Policy and Altering the Full Redaction Value
- Creating a DBMS_REDACT.NULLIFY Redaction Policy
- Creating a Partial Redaction Policy
  - About Creating Partial Redaction Policies
  - Syntax for Creating a Partial Redaction Policy
  - Creating Partial Redaction Policies Using Fixed Character Formats
  - Creating Partial Redaction Policies Using Character Data Types
  - Creating Partial Redaction Policies Using Number Data Types
  - Creating Partial Redaction Policies Using Date-Time Data Types
- Creating a Regular Expression-Based Redaction Policy
- Creating a Random Redaction Policy
- Creating a Policy That Uses No Redaction
- Exemption of Users from Oracle Data Redaction Policies
- Altering an Oracle Data Redaction Policy
- Redacting Multiple Columns
- Disabling and Enabling an Oracle Data Redaction Policy
- Dropping an Oracle Data Redaction Policy
- Tutorial: SQL Expressions to Build Reports with Redacted Values
- Oracle Data Redaction Policy Data Dictionary Views

14 Managing Oracle Data Redaction Policies in Oracle Enterprise Manager
- About Using Oracle Data Redaction in Oracle Enterprise Manager
- Oracle Data Redaction Workflow
- Management of Sensitive Column Types in Enterprise Manager
- Managing Oracle Data Redaction Formats Using Enterprise Manager
  - About Managing Oracle Data Redaction Formats Using Enterprise Manager
  - Creating a Custom Oracle Data Redaction Format Using Enterprise Manager
  - Editing a Custom Oracle Data Redaction Format Using Enterprise Manager
  - Viewing Oracle Data Redaction Formats Using Enterprise Manager
  - Deleting a Custom Oracle Data Redaction Format Using Enterprise Manager
- Managing Oracle Data Redaction Policies Using Enterprise Manager
  - About Managing Oracle Data Redaction Policies Using Enterprise Manager
  - Creating an Oracle Data Redaction Policy Using Enterprise Manager
  - Editing an Oracle Data Redaction Policy Using Enterprise Manager
  - Viewing Oracle Data Redaction Policy Details Using Enterprise Manager
  - Enabling or Disabling an Oracle Data Redaction Policy in Enterprise Manager
  - Deleting an Oracle Data Redaction Policy Using Enterprise Manager
- Managing Named Data Redaction Policy Expressions Using Enterprise Manager
  - About Named Data Redaction Policy Expressions in Enterprise Manager
  - Creating a Named Data Redaction Policy Expression in Enterprise Manager
  - Editing a Named Data Redaction Policy Expression in Enterprise Manager
  - Viewing Named Data Redaction Policy Expressions in Enterprise Manager
  - Deleting a Named Data Redaction Policy Expression in Enterprise Manager

15 Using Oracle Data Redaction with Oracle Database Features
- Oracle Data Redaction General Usage Guidelines
- Oracle Data Redaction and DML and DDL Operations
- Oracle Data Redaction and Nested Functions, Inline Views, and the WHERE Clause
- Oracle Data Redaction and Queries on Columns Protected by Data Redaction Policies
- Oracle Data Redaction and Database Links
- Oracle Data Redaction and Aggregate Functions
- Oracle Data Redaction and Object Types
- Oracle Data Redaction and XML Generation
- Oracle Data Redaction and Editions
- Oracle Data Redaction in a Multitenant Environment
- Oracle Data Redaction and Oracle Virtual Private Database
- Oracle Data Redaction and Oracle Database Real Application Security
- Oracle Data Redaction and Oracle Database Vault
- Oracle Data Redaction and Oracle Data Pump
- Oracle Data Redaction and Data Masking and Subsetting Pack
- Oracle Data Redaction and JSON

16 Security Considerations for Oracle Data Redaction
- Oracle Data Redaction General Security Guidelines
- Restriction of Administrative Access to Oracle Data Redaction Policies
- How Oracle Data Redaction Affects the SYS, SYSTEM, and Default Schemas
- Policy Expressions That Use SYS_CONTEXT Attributes
- Oracle Data Redaction Policies on Materialized Views
- REDACTION_COLUMNS Data Dictionary View Behavior When a View Is Invalid
- Dropped Oracle Data Redaction Policies When the Recycle Bin Is Enabled

- Glossary
- Index