RE: TDE for data previously unencrypted

From: <rajendra.pande_at_ubs.com>
Date: Thu, 7 Mar 2013 13:24:20 -0500
Message-ID: <7E4D006EA3F0D445B62672082A16A565C78A57_at_NSTMC703PEX.ubsamericas.net>



Yes, I think Kevin said that :) (that he understood). I thought his point was (maybe as an enhancement request) that the cleaned-out extents need to be zeroed out.

-----Original Message-----
From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Hemant K Chitale
Sent: Thursday, March 07, 2013 1:19 PM
To: kevin.lidh_at_gmail.com
Cc: oracle-l_at_freelists.org
Subject: Re: TDE for data previously unencrypted

A MOVE (or a DROP or TRUNCATE) doesn't actually scrub the data; it only
marks the extents as "free".
You would have to actually create one or more tables and populate them with
dummy data in an attempt to overwrite those blocks --- you still cannot control
which blocks your new table(s) do overwrite. OR drop the old tablespace and
datafile -- then you have to create new OS file(s) or datafile(s) in an attempt
to overwrite the blocks (whether filesystem or raw) at the OS level!
On Mar 8, 2013 2:10 AM, "Kevin Lidh" <kevin.lidh_at_gmail.com> wrote:
> I was researching TDE and set up a test in a small Oracle 11.2.0.3 database
> on RHEL. I created a table with two rows of "sensitive" unencrypted
> information. I opened up my datafile in a hex editor and found my data. I
> then created an encrypted tablespace and "alter table move" the table to the
> new tablespace, and when I open that datafile, I can't find my data. But
> when I open the original datafile, I can still see sensitive information. I
> verified there were no extents remaining from that table. I understand how
> it happened but I'm wondering if there's another way to either move the data
> out which clears it or if there's a way to clear it after the fact. I did a
> coalesce for fun and now my two sensitive pieces are right next to each
> other in the unencrypted datafile.
>
> In our real-world environment, the only method that comes to mind is to move
> all the remaining and unencrypted data to yet another tablespace and drop
> the original, but that wouldn't be practical for some of our databases.
>
> Any ideas are surely welcome.
>
> Kevin
>
> --
> http://www.freelists.org/webpage/oracle-l
>

--
http://www.freelists.org/webpage/oracle-l
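[Editor's note, not part of the thread.] Kevin's hex-editor check is the right test, but on a multi-GB datafile you want it scripted and you want each hit reported as a block number so it can be mapped back to dba_extents / dba_free_space and you can see whether the plaintext sits in a live segment or in a freed extent that MOVE left behind. The scanner below is an added example written for this page; it is not code from the list posters or from Oracle. It assumes the default 8 KB db_block_size, that the datafile's block 0 is the OS header so "byte offset // block_size" matches the block_id convention of dbv and dba_extents (verify on your release), and it plants a constructed sample "datafile" in a temp file so it runs without a database. The needle must be the on-disk byte form of the value: VARCHAR2 in a single-byte character set is stored as-is, while NUMBER and DATE columns are in Oracle's internal encoding and will not be found by a byte-string search.

```python
"""Locate residual plaintext in an Oracle datafile, block by block.

Added example for the oracle-l thread on TDE and unscrubbed extents; assumes the
default 8 KB block size and that file byte offset // block_size equals the block
number reported by dbv and dba_extents.block_id (block 0 = OS header).
"""
import os
import tempfile

ORACLE_BLOCK_SIZE = 8192  # db_block_size of the file under test (assumed default)

# Constructed sample value standing in for Kevin's two "sensitive" rows.
SAMPLE_PLAINTEXT = b"SSN=123-45-6789"

# Once a hit is located, this query tells you which segment (or free space)
# owns the block.  Bind :file_id to the absolute file number from
# dba_data_files and :block_no to the block number the scanner reports.
MAP_BLOCK_SQL = """
SELECT owner, segment_name, segment_type
  FROM dba_extents
 WHERE file_id = :file_id
   AND :block_no BETWEEN block_id AND block_id + blocks - 1
UNION ALL
SELECT 'FREE', 'free space', tablespace_name
  FROM dba_free_space
 WHERE file_id = :file_id
   AND :block_no BETWEEN block_id AND block_id + blocks - 1
"""


def scan_datafile(path, needle, block_size=ORACLE_BLOCK_SIZE, chunk_blocks=1024):
    """Return [(block_no, offset_in_block), ...] for every occurrence of needle.

    The file is read chunk_blocks blocks at a time so a large datafile is never
    loaded whole.  The last len(needle)-1 bytes of each chunk are carried into
    the next read so a value straddling a chunk boundary is still found, and
    because the carry is shorter than the needle no match is ever counted twice.
    """
    if isinstance(needle, str):
        needle = needle.encode()
    if not needle:
        raise ValueError("needle must be non-empty")
    overlap = len(needle) - 1
    chunk_size = block_size * chunk_blocks
    hits = []
    with open(path, "rb") as f:
        file_pos = 0  # file offset of the next byte f.read() will return
        tail = b""    # carry-over bytes from the previous chunk
        while True:
            data = f.read(chunk_size)
            if not data:
                break
            buf = tail + data
            buf_start = file_pos - len(tail)  # file offset of buf[0]
            idx = buf.find(needle)
            while idx != -1:
                abs_off = buf_start + idx
                hits.append((abs_off // block_size, abs_off % block_size))
                idx = buf.find(needle, idx + 1)
            file_pos += len(data)
            tail = buf[-overlap:] if overlap else b""
    return hits


def build_sample_datafile(path, block_size=ORACLE_BLOCK_SIZE):
    """Write a constructed stand-in for an unencrypted datafile.

    All blocks are zero-filled except for two planted copies of the plaintext:
    one inside block 130 (a freed, unscrubbed extent) and one that begins five
    bytes before the end of block 131 so it straddles a block boundary.  Returns
    the planted (block_no, offset) list so a caller can check the scanner.
    """
    n_blocks = 136
    image = bytearray(n_blocks * block_size)
    planted = [(130, 100), (131, block_size - 5)]
    for blk, off in planted:
        start = blk * block_size + off
        image[start:start + len(SAMPLE_PLAINTEXT)] = SAMPLE_PLAINTEXT
    with open(path, "wb") as f:
        f.write(image)
    return planted


def demo(needle=SAMPLE_PLAINTEXT, chunk_blocks=2):
    """Build the sample file, scan it, clean up; returns (planted, hits).

    chunk_blocks=2 makes the second planted copy cross a read-chunk boundary,
    exercising the carry-over logic.
    """
    fd, path = tempfile.mkstemp(suffix=".dbf")
    os.close(fd)
    try:
        planted = build_sample_datafile(path)
        hits = scan_datafile(path, needle, chunk_blocks=chunk_blocks)
    finally:
        os.remove(path)
    return planted, hits


if __name__ == "__main__":
    planted, hits = demo()
    for blk, off in hits:
        print(f"plaintext at block {blk} offset {off}")
```

Against a real file, run `scan_datafile("/u01/oradata/ORCL/users01.dbf", "some value")` and feed each reported block number to MAP_BLOCK_SQL; a hit that maps to free space rather than to a segment is exactly the residue Kevin saw after the MOVE. The scan only answers the question for the datafile itself: redo and archived logs, undo, flashback logs and any RMAN or OS-level backups taken before the move still carry the same plaintext and need their own retention decision.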


Received on Thu Mar 07 2013 - 19:24:20 CET
