Re: encryption

From: Steve Montgomerie <stmontgo_at_gmail.com>
Date: Tue, 19 Mar 2013 14:24:03 -0400
Message-ID: <CAPWDEzg8WpVFD80-sVDR4-tu-Q_x1ZXrORQFMgeEjo1WQiATBA_at_mail.gmail.com>
Hi Brian
There are two concepts here: encrypting data at rest and encrypting the network traffic. ASO will do both. Transparent Data Encryption (TDE) is a solved problem in Oracle 11, just encrypt the application tablespaces and all of its data will naturally be encrypted. If someone has access to your data files they can read the data files with a HEX tool, not the case with encrypted files. There is a catch to converting existing tablespaces to encrypted tablespaces as Oracle will effectively leave shadow copies of the encrypted files. There is a good note on this by Pythian I think. Let me know if you need help finding it. Also, key management is super critical. Lose your keys, lose your encrypted data. You really need to be mindful of that. Also, if you wish your databases to autostart unattended after a reboot, you will want to consider a local wallet. If someone copies your data files and wallet to another server, they won't be able to open the database without a password for the wallet.

In terms of network encryption, I would specify that the database server only allow encrypted connections and also specify the algorithms that are accepted. That may solve your Access problem if Access cannot connect to the DB through an encrypted ODBC connection.

HTH Steve

On Tue, Mar 19, 2013 at 12:44 PM, Zelli, Brian <Brian.Zelli_at_roswellpark.org> wrote:
> Ok, our "security" team is telling us we have to encrypt the databases. If people have sqlplus or sqldev access or what sucks is MS Access front ends to databases it would not be encrypted?
> Or would they need something on their machine to de-crypt?
>
> ciao,
> Brian
>
> ----------------------------------
> Brian Zelli
> Senior Database Administrator
> Enterprise Apps/Sys Integration
> Roswell Park Cancer Institute
> (716) 845-4460
> brian.zelli_at_roswellpark.org
> ----------------------------------
>
>
> -----Original Message-----
> From: TJ Kiernan [mailto:tkiernan_at_pti-nps.com]
> Sent: Tuesday, March 19, 2013 12:38 PM
> To: andy_at_oracledepot.com
> Cc: Zelli, Brian; gints.plivna_at_gmail.com; oracle-l_at_freelists.org; TJ Kiernan
> Subject: RE: encryption
>
> Fair point - the encrypted data is stored as RAW in the database, but at that point you might as well not rely on DBMS_CRYPTO for ongoing operations. You can certainly do your decryption AND encryption in the application (although DBMS_CRYPTO might still be useful for backfilling existing fields).
>
> Thanks,
> T. J.
>
>
>
> -----Original Message-----
> From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Andy Klock
> Sent: Tuesday, March 19, 2013 11:30 AM
> To: TJ Kiernan
> Cc: Zelli, Brian; gints.plivna_at_gmail.com; oracle-l_at_freelists.org
> Subject: Re: encryption
>
> On Tue, Mar 19, 2013 at 11:46 AM, TJ Kiernan <tkiernan_at_pti-nps.com> wrote:
>> DBMS_CRYPTO is server-side only (encrypting data at rest). If you're
>> looking to encrypt SQL*Net traffic, you're going to need Advanced
>> Security, which IIRC costs 1/4 a license (and EE).
>>
>> Thanks,
>> T. J.
>>
>>
> That's not necessarily true. DBMS_CRYPTO contains many of the same old algos, which can be decrypted in several programming languages.
>
> http://docs.oracle.com/cd/E11882_01/appdev.112/e16760/d_crypto.htm#BJFFAJCC
>
>
> --
> http://www.freelists.org/webpage/oracle-l
>
>
>
>
>
>

Received on Tue Mar 19 2013 - 19:24:03 CET
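The two points in Steve's reply above (TDE for data at rest, and forcing encrypted SQL*Net connections so that clients such as Access cannot fall back to cleartext) as one worked example. This is an added illustration, not code from anyone in the thread: the schema, tablespace and file names, the wallet directory and the wallet password are placeholders, and the statements use the Oracle 11g syntax the thread is discussing. It also shows the "new tablespace plus move" route that avoids converting an existing tablespace in place, which is the shadow-copy caveat Steve raises, and the views a DBA would query to confirm that both kinds of encryption are actually in effect.

```sql
-- Added example (not from the oracle-l thread).  Object names, paths and the
-- wallet password below are placeholders; the syntax is Oracle 11g.
--
-- Server-side sqlnet.ora (not SQL; reproduced as comments for reference):
--   ENCRYPTION_WALLET_LOCATION =
--     (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/wallet)))
--   SQLNET.ENCRYPTION_SERVER           = REQUIRED   -- refuse cleartext sessions
--   SQLNET.ENCRYPTION_TYPES_SERVER     = (AES256)   -- pin the accepted algorithm
--   SQLNET.CRYPTO_CHECKSUM_SERVER      = REQUIRED   -- integrity, not just secrecy
--   SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
--
-- With ENCRYPTION_SERVER = REQUIRED a client that cannot negotiate encryption
-- is rejected at connect time rather than silently sending cleartext.

---------------------------------------------------------------------------
-- 1. Data at rest: create the TDE master key / wallet and open it.
--    The wallet directory comes from ENCRYPTION_WALLET_LOCATION above.
---------------------------------------------------------------------------
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Placeholder-Wallet-Passw0rd";

-- After every instance restart the wallet has to be opened before any encrypted
-- tablespace is usable.  An auto-login (local) wallet removes this manual step,
-- which is the unattended-restart trade-off Steve describes.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Placeholder-Wallet-Passw0rd";

---------------------------------------------------------------------------
-- 2. Create a NEW encrypted tablespace rather than converting the existing
--    one in place; the old datafile keeps cleartext blocks until it is dropped.
---------------------------------------------------------------------------
CREATE TABLESPACE app_data_enc
  DATAFILE '/u01/oradata/ORCL/app_data_enc01.dbf' SIZE 500M AUTOEXTEND ON
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 3. Move the application segments across.  A table move invalidates its
--    indexes, so rebuild them into the encrypted tablespace as well.
ALTER TABLE app.customers MOVE TABLESPACE app_data_enc;
ALTER INDEX app.customers_pk REBUILD TABLESPACE app_data_enc;

-- 4. Only after every segment has left the old tablespace: drop it together
--    with its datafiles.  Those files (and any copies or backups of them)
--    still hold the unencrypted blocks, so they must be disposed of securely.
DROP TABLESPACE app_data INCLUDING CONTENTS AND DATAFILES;

---------------------------------------------------------------------------
-- 5. Verification queries a DBA would run afterwards.
---------------------------------------------------------------------------
-- Which tablespaces are encrypted, and with what algorithm.
SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace           t ON t.ts# = e.ts#;

-- Wallet state: STATUS should read OPEN on a running instance.
SELECT wrl_type, wrl_parameter, status
  FROM v$encryption_wallet;

-- Network encryption for the CURRENT session: the banner rows list the
-- encryption and checksum services that are active on this connection.
-- A session that negotiated nothing shows no "Encryption service adapter" row.
SELECT network_service_banner
  FROM v$session_connect_info
 WHERE sid = SYS_CONTEXT('USERENV', 'SID');
```

TDE decrypts transparently for any session that has authenticated to the database, so it protects against someone reading the datafiles or backups directly, not against a user who already holds valid sqlplus or ODBC credentials; that is the distinction behind Brian's question. The V$SESSION_CONNECT_INFO query is the quick way to settle whether a given client (Access over ODBC included) is really talking over an encrypted link rather than assuming it from the server settings.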
