Re: cryptoperiod for TDE?

From: MacGregor Ian A.
Date: Thu, 11 Mar 2021 17:43:18 +0000
Message-ID: <BN7PR07MB51557DDF3E832DC57C746FB0E2909_at_BN7PR07MB5155.namprd07.prod.outlook.com>



I thought TDE provided for encryption of data at rest? Does the concept of a "crypto period" even apply? Is there really a requirement to routinely re-encrypt the data stored in the database?

Perhaps the questions about a crypto period refer to inflight encryption?

Ian A. MacGregor
SLAC IT
SLAC National Accelerator Laboratory



From: oracle-l-bounce_at_freelists.org <oracle-l-bounce_at_freelists.org> on behalf of Jared Still <jkstill_at_gmail.com>
Sent: Thursday, March 11, 2021 8:25 AM
To: mcpeakm_at_tempus-consulting-group.com <mcpeakm_at_tempus-consulting-group.com>
Cc: Jay.Miller_at_tdameritrade.com <Jay.Miller_at_tdameritrade.com>; oracle-l_at_freelists.org <oracle-l_at_freelists.org>
Subject: Re: cryptoperiod for TDE?

Does anyone know of a study detailing the likelihood of a security event due to not rotating keys?

One with examples of it actually happening would make it more interesting.

On Fri, Mar 5, 2021 at 11:07 mcpeakm_at_tempus-consulting-group.com <mcpeakm_at_tempus-consulting-group.com> wrote:

I think this is something you need to do manually, according to the security policies of your organization.

Chapter 4 of the Oracle Database Advanced Security Guide has a section on "Rotating the TDE Master Encryption Key" via the ADMINISTER KEY MANAGEMENT SET KEY statement.

On Friday, March 5, 2021, 01:56:38 PM EST, Jay.Miller <dmarc-noreply_at_freelists.org> wrote:

As part of a security review I’ve been asked the cryptoperiod of our Oracle encryption.

After some research to figure out what they were talking about, it seems to be when a key expires and is replaced. I could not find any Google or MetaLink hits in relation to Transparent Data Encryption. Does anyone know if this is something which is implemented automatically when the TDE wallet is created or, as I suspect, is it not part of the TDE implementation at all?

TIA, Jay Miller

--

Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist
Principal Consultant at Pythian
Oracle ACE Alumni
Pythian Blog http://www.pythian.com/blog/author/still/
Github: https://github.com/jkstill

--

http://www.freelists.org/webpage/oracle-l Received on Thu Mar 11 2021 - 18:43:18 CET
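The two checks a reviewer asking for a "cryptoperiod" actually needs, added here as an example and not posted by anyone in the thread: reading the activation time of the master key currently in use from V$ENCRYPTION_KEYS, and the rekey statement from the Advanced Security Guide chapter cited above. Note that rekeying the master key re-wraps the tablespace and column keys under a new master key; the encrypted data on disk is not rewritten. The tag, keystore password and backup identifier are placeholders.

```sql
-- Added example (not from the thread). Run as SYSKM or a user granted
-- ADMINISTER KEY MANAGEMENT; tag, password and backup id are placeholders.

-- 1. How old is the master key currently in use?
--    ACTIVATION_TIME is the start of that key's cryptoperiod, so AGE_DAYS
--    is the number a security review compares against policy.
SELECT key_id,
       tag,
       TO_CHAR(activation_time, 'YYYY-MM-DD HH24:MI') AS activated,
       ROUND(SYSDATE - CAST(activation_time AS DATE)) AS age_days,
       backed_up
FROM   v$encryption_keys
ORDER  BY activation_time DESC;

-- 2. Confirm the keystore is open before attempting a rekey.
SELECT wrl_type, wallet_type, status
FROM   v$encryption_wallet;

-- 3. Rotate (rekey) the TDE master encryption key. Oracle generates a new
--    master key and re-wraps the tablespace/column keys under it; the
--    stored data itself is not re-encrypted. WITH BACKUP keeps a copy of
--    the keystore as it was before the change, which you want every time.
ADMINISTER KEY MANAGEMENT SET KEY
  USING TAG 'rotation-2021-03'          -- placeholder tag for audit trail
  IDENTIFIED BY keystore_password       -- placeholder keystore password
  WITH BACKUP USING 'pre-rotation';     -- placeholder backup identifier

-- 4. Re-run query 1: the new key_id should be first with age_days = 0,
--    and the previous key_id remains listed so older backups stay readable.
```

The first query is the one to schedule as a recurring check; a row at the top whose age_days exceeds the policy cryptoperiod is the finding, and step 3 is the remediation.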
