Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: Encrypting data witth TDE Oracle 10g

Re: Encrypting data witth TDE Oracle 10g

From: Frank van Bortel <frank.van.bortel_at_gmail.com>
Date: Wed, 23 Aug 2006 19:59:26 +0200
Message-ID: <eci4ou$h9n$1@news6.zwoll1.ov.home.nl> 





Fred schreef:


> Thanks a lot for theses explanations .

> 

> Ok, for TDE, i don't see interest because any user can see data.

> 

> So i can take DBMS_CRYPTO to encrypt data, but i want also that anybody

> 

> could see data , is it possible ? (DBA also).

> Just  one user can see his own data. do you see what i mean ? each user

> will see  their data in clear text, but the whole database will be

> encrypt.

> 

> I don't know if it's possible with 10g.

> 

> Thanks

> 

> 

> 

> frank.van.bortel_at_gmail.com wrote:


>> Fred schreef:
>>
>>> Hi,
>>>
>>> You're right, just a different key by lines and not an algorithm.
>>>
>>> Is it possible and how to implement it ?
>>>
>>> In fact we want to encrypt an big entire database. advice for that  ?
>>>
>>> Also, I don't see the difference between TDE and DBMS_CRYPTO.
>>> In one hand we crypt data into the database but user can see clear
>>> data.
>>> In the other hand how we can use DBMS_CRYPTO  to encrypt data of all
>>> columns on one table ?
>> Any idea what TDE does? I'll tell you a secret: it stands for
>> Transparant Data Encryption.
>> Transparant in a way, you can see the "clear data", but only when the
>> Wallet is activated.
>> Try to query your data with the Wallet disabled.
>> I have a write-up on TDE on
>> http://vanbortel.blogspot.com/2005_07_01_vanbortel_archive.html
>>
>> DBMS_CRYPTO needs to be called for every insert/query; you can call it
>> with a different key for eevry row - the problem I see is where to keep
>> your keys; you hardly want to store them in the same row (as I suspect
>> security is the issue here...)
>>
>> >From what I understand, DBMS_CRYPTO is the only way to go. It allows
>> the use of a different key eevry time it is called, and so enables you
>> to do what you propose.
>>
>> But encrypting a whole database?!? Why? Is *all* your data worth
>> encrypting?




> 



Hm seems my salutation is gone when posting through google groups, so
I'll respond to this one:



Like Ed said: VPD is what you want - it does not encrypt, but enforces
extensions to the where clause of every select you want.
Effectively, this means user A can only see what you design user A to
see.


I still fail to see why you would like to encrypt your data. Realize
there is a performance penalty in encrypting/decrypting.
It's a CPU intensive process!


-- 
Regards,
Frank van Bortel

Top-posting is one way to shut me up...


Received on Wed Aug 23 2006 - 12:59:26 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US