1/21

Contents

Title and Copyright Information

Preface

• Audience
• Documentation Accessibility
• Related Documents
• Conventions

Changes in This Release for Oracle Database Advanced Security Guide

• Changes in Oracle Database Advanced Security 12c Release 2 (12.2.0.1)
  • New Features
    • Ability to Encrypt Existing Tablespaces and Fully Encrypt Databases
    • Additional Supported Encryption Algorithms
    • Ability to Force Software Keystore Operations
    • Ability to Use an External Store for Software Keystore Passwords
    • New Way to Specify Oracle Key Vault as a Keystore
    • Ability to Redact Data Based on Different Runtime Conditions
    • Ability to Centrally Manage Data Redaction Policy Expressions within a Database
    • Ability to Use NULL as the Redacted Value
    • Enhanced Support for Redacting Unstructured Data

1 Introduction to Oracle Advanced Security

• Transparent Data Encryption
• Oracle Data Redaction

Part I Using Transparent Data Encryption

2 Introduction to Transparent Data Encryption

• What Is Transparent Data Encryption?
• Benefits of Using Transparent Data Encryption
• Who Can Configure Transparent Data Encryption?
• Types and Components of Transparent Data Encryption
  • About Transparent Data Encryption Types and Components
  • How Transparent Data Encryption Column Encryption Works
  • How Transparent Data Encryption Tablespace Encryption Works
  • How the Keystore for the Storage of TDE Master Encryption Keys Works
    • About the Keystore Storage of TDE Master Encryption Keys
    • Benefits of the Keystore Storage Framework
    • Types of Keystores
  • Supported Encryption and Integrity Algorithms

3 Configuring Transparent Data Encryption

• Configuring a Software Keystore
  • About Configuring a Software Keystore
  • Step 1: Set the Keystore Location in the sqlnet.ora File
    • About the Keystore Location in the sqlnet.ora File
    • Configuring the sqlnet.ora File for a Software Keystore Location
    • Configuring an External Store for a Keystore Password
    • Example: Configuring a Software Keystore for a Regular File System
    • Example: Configuring a Software Keystore When Multiple Databases Share the sqlnet.ora File
    • Example: Configuring a Software Keystore for Oracle Automatic Storage Management
    • Example: Configuring a Software Keystore for an Oracle Automatic Storage Management Disk Group
  • Step 2: Create the Software Keystore
    • About Creating Software Keystores
    • Creating a Password-Based Software Keystore
    • Creating an Auto-Login or a Local Auto-Login Software Keystore
  • Step 3: Open the Software Keystore
    • About Opening Software Keystores
    • Opening a Software Keystore
  • Step 4: Set the Software TDE Master Encryption Key
    • About Setting the Software TDE Master Encryption Key
    • Setting the TDE Master Encryption Key in the Software Keystore
  • Step 5: Encrypt Your Data
• Configuring a Hardware Keystore
  • About Configuring a Hardware (External) Keystore
  • Step 1: Set the Hardware Keystore Type in the sqlnet.ora File
  • Step 2: Configure the Hardware Security Module
  • Step 3: Open the Hardware Keystore
    • About Opening Hardware Keystores
    • Opening a Hardware Keystore
  • Step 4: Set the Hardware Keystore TDE Master Encryption Key
    • About Setting the Hardware Keystore TDE Master Encryption Key
    • Setting a TDE Master Encryption Key if You Have Not Previously Configured One
    • Migration of a Previously Configured TDE Master Encryption Key
  • Step 5: Encrypt Your Data
• Encrypting Columns in Tables
  • About Encrypting Columns in Tables
  • Data Types That Can Be Encrypted with TDE Column Encryption
  • Restrictions on Using Transparent Data Encryption Column Encryption
  • Creating Tables with Encrypted Columns
    • About Creating Tables with Encrypted Columns
    • Creating a Table with an Encrypted Column Using the Default Algorithm
    • Creating a Table with an Encrypted Column Using No Algorithm or a Non-Default Algorithm
    • Using the NOMAC Parameter to Save Disk Space and Improve Performance
    • Example: Using the NOMAC Parameter in a CREATE TABLE Statement
    • Example: Changing the Integrity Algorithm for a Table
    • Creating an Encrypted Column in an External Table
  • Encrypting Columns in Existing Tables
    • About Encrypting Columns in Existing Tables
    • Adding an Encrypted Column to an Existing Table
    • Encrypting an Unencrypted Column
    • Disabling Encryption on a Column
  • Creating an Index on an Encrypted Column
  • Adding Salt to an Encrypted Column
  • Removing Salt from an Encrypted Column
  • Changing the Encryption Key or Algorithm for Tables with Encrypted Columns
• Encryption Conversions for Tablespaces and Databases
  • About Encryption Conversions for Tablespaces and Databases
  • Restrictions on Using Transparent Data Encryption Tablespace Encryption
  • Creating an Encrypted New Tablespace
    • Step 1: Set the COMPATIBLE Initialization Parameter for Tablespace Encryption
      • About Setting the COMPATIBLE Initialization Parameter for Tablespace Encryption
      • Setting the COMPATIBLE Initialization Parameter for Tablespace Encryption
    • Step 2: Set the Tablespace TDE Master Encryption Key
    • Step 3: Create the Encrypted Tablespace
      • About Creating Encrypted Tablespaces
      • Creating an Encrypted Tablespace
      • Example: Creating an Encrypted Tablespace That Uses AES192
      • Example: Creating an Encrypted Tablespace That Uses the Default Algorithm
  • Encrypting Future Tablespaces
    • About Encrypting Future Tablespaces
    • Setting Future Tablespaces to be Encrypted
  • Encryption Conversions for Existing Offline Tablespaces
    • About Encryption Conversions for Existing Offline Tablespaces
    • Encrypting an Existing User-Defined Tablespace with Offline Conversion
    • Decrypting an Existing Tablespace with Offline Conversion
  • Encryption Conversions for Existing Online Tablespaces
    • Encrypting an Existing Tablespace with Online Conversion
    • About Encryption Conversions for Existing Online Tablespaces
    • Rekeying an Existing Tablespace with Online Conversion
    • Decrypting an Existing Tablespace with Online Conversion
    • Finishing an Interrupted Online Encryption Conversion
  • Encryption Conversions for Existing Databases
    • About Encryption Conversions for Existing Databases
    • Encrypting an Existing Database with Offline Conversion
    • Encrypting an Existing Database with Online Conversion
• Transparent Data Encryption Data Dynamic and Data Dictionary Views

4 Managing the Keystore and the TDE Master Encryption Key

• Managing the Keystore
  • Performing Operations That Require a Keystore Password
  • Changing the Password of a Software Keystore
    • About Changing the Password of a Password-Based Software Keystore
    • Changing the Password-Based Software Keystore Password
  • Changing the Password of a Hardware Keystore
  • Backing Up Password-Based Software Keystores
    • About Backing Up Password-Based Software Keystores
    • Creating a Backup Identifier String for the Backup Keystore
    • How the V$ENCRYPTION_WALLET View Interprets Backup Operations
    • Backing Up a Password-Based Software Keystore
  • Backups of the Hardware Keystore
  • Merging Software Keystores
    • About Merging Software Keystores
    • Merging Two Software Keystores into a Third New Keystore
    • Merging One Software Keystore into an Existing Software Keystore
    • Merging an Auto-Login Software Keystore into an Existing Password-Based Software Keystore
    • Reversing a Software Keystore Merge Operation
  • Moving a Software Keystore to a New Location
  • Moving a Software Keystore Out of Automatic Storage Management
  • Migrating Between a Software Password Keystore and a Hardware Keystore
    • Migrating from a Password-Based Software Keystore to a Hardware Keystore
      • Step 1: Convert the Software Keystore to Open with the Hardware Keystore
      • Step 2: Configure sqlnet.ora for the Migration of the Password-Based Software Keystore
      • Step 3: Perform the Hardware Keystore Migration
    • Migrating from a Hardware Keystore to a Password-Based Software Keystore
      • About Migrating Back from a Hardware Keystore
      • Step 1: Configure sqlnet.ora for the Reverse Migration
      • Step 2: Configure the Keystore for the Reverse for the Reverse Migration
      • Step 3: Configure the Hardware Keystore to Open with the Software Keystore
    • Keystore Order After a Migration
  • Migration of Keystores to and from Oracle Key Vault
  • Closing a Keystore
    • About Closing Keystores
    • Closing a Software Keystore
    • Closing a Hardware Keystore
  • Using a Software Keystore That Resides on ASM Volumes
  • Backup and Recovery of Encrypted Data
  • Deletion of Keystores
• Managing the TDE Master Encryption Key
  • Creating TDE Master Encryption Keys for Later Use
    • About Creating a TDE Master Encryption Key for Later Use
    • Creating a TDE Master Encryption Key for Later Use
    • Example: Creating a TDE Master Encryption Key in a Single Database
    • Example: Creating a TDE Master Encryption Key in All PDBs
  • Activation of TDE Master Encryption Keys
    • About Activating TDE Master Encryption Keys
    • Activating a TDE Master Encryption Key
    • Example: Activating a TDE Master Encryption Key
  • TDE Master Encryption Key Attribute Management
    • TDE Master Encryption Key Attributes
    • Finding the TDE Master Encryption Key That Is in Use
  • Creating Custom TDE Master Encryption Key Attributes for Reporting Purposes
    • About Creating Custom Attribute Tags
    • Creating a Custom Attribute Tag
  • Setting or Rotating the TDE Master Encryption Key in the Keystore
    • About Setting or Rotating the TDE Master Encryption Key in the Keystore
    • Creating and Backing Up a TDE Master Encryption Key and Applying a Tag to It
    • About Rotating the TDE Master Encryption Key
    • Rotating the TDE Master Encryption Key
    • Rotating the TDE Master Encryption Key for a Tablespace
  • Exporting and Importing the TDE Master Encryption Key
    • About Exporting and Importing the TDE Master Encryption Key
    • About Exporting TDE Master Encryption Keys
    • Exporting a TDE Master Encryption Key
    • Example: Exporting a TDE Master Encryption Key by Using a Subquery
    • Example: Exporting a List of TDE Master Encryption Key Identifiers to a File
    • Example: Exporting All TDE Master Encryption Keys of the Database
    • About Importing TDE Master Encryption Keys
    • Importing a TDE Master Encryption Key
    • Example: Importing a TDE Master Encryption Key
    • How Keystore Merge Differs from TDE Master Encryption Key Export or Import
  • Management of TDE Master Encryption Keys Using Oracle Key Vault
• Storing Secrets Used by Oracle Database
  • About Storing Oracle Database Secrets in a Keystore
  • Storage of Oracle Database Secrets in a Software Keystore
  • Example: Adding an HSM Password to a Software Keystore
  • Example: Changing an HSM Password Stored as a Secret in a Software Keystore
  • Example: Deleting an HSM Password Stored as a Secret in a Software Keystore
  • Storage of Oracle Database Secrets in a Hardware Keystore
  • Example: Adding an Oracle Database Secret to a Hardware Keystore
  • Example: Changing an Oracle Database Secret in a Hardware Keystore
  • Example: Deleting an Oracle Database Secret in a Hardware Keystore
  • Configuring Auto-Login Hardware Security Modules
    • About Configuring Auto-Login Hardware Security Modules
    • Configuring an Auto-Login Hardware Security Module
• Storing Oracle GoldenGate Secrets in a Keystore
  • About Storing Oracle GoldenGate Secrets in Keystores
  • Oracle GoldenGate Extract Classic Capture Mode TDE Requirements
  • Configuring TDE Keystore Support for Oracle GoldenGate
    • Step 1: Decide on a Shared Secret for the Keystore
    • Step 2: Configure Oracle Database for TDE Support for Oracle GoldenGate
    • Step 3: Store the TDE GoldenGate Shared Secret in the Keystore
    • Step 4: Set the TDE Oracle GoldenGate Shared Secret in the Extract Process

5 General Considerations of Using Transparent Data Encryption

• Compression and Data Deduplication of Encrypted Data
• Security Considerations for Transparent Data Encryption
  • Transparent Data Encryption General Security Advice
  • Transparent Data Encryption Column Encryption-Specific Advice
  • Managing Security for Plaintext Fragments
• Performance and Storage Overhead of Transparent Data Encryption
  • Performance Overhead of Transparent Data Encryption
  • Storage Overhead of Transparent Data Encryption
• Modifying Your Applications for Use with Transparent Data Encryption
• How ALTER SYSTEM and orapki Map to ADMINISTER KEY MANAGEMENT
• Using Transparent Data Encryption with PKI Encryption
  • Software Master Encryption Key Use with PKI Key Pairs
  • TDE Tablespace and Hardware Keystores with PKI Encryption
  • Backup and Recovery of a PKI Key Pair
• Data Loads from External Files to Tables with Encrypted Columns
• Transparent Data Encryption and Database Close Operations

6 Using Transparent Data Encryption with Other Oracle Features

• How Transparent Data Encryption Works with Export and Import Operations
  • About Exporting and Importing Encrypted Data
  • Exporting and Importing Tables with Encrypted Columns
  • Using Oracle Data Pump to Encrypt Entire Dump Sets
• How Transparent Data Encryption Works with Oracle Data Guard
• How Transparent Data Encryption Works with Oracle Real Application Clusters
  • About Using Transparent Data Encryption with Oracle Real Application Clusters
  • Using a Non-Shared File System to Store a Software Keystore in Oracle RAC
• How Transparent Data Encryption Works with SecureFiles
  • About Transparent Data Encryption and SecureFiles
  • Example: Creating a SecureFiles LOB with a Specific Encryption Algorithm
  • Example: Creating a SecureFiles LOB with a Column Password Specified
• How Transparent Data Encryption Works in a Multitenant Environment
  • About Using Transparent Data Encryption in a Multitenant Environment
  • Operations That Must Be Performed in Root
  • Operations That Can Be Performed in Root or in a PDB
  • Moving PDBs from One CDB to Another
  • Exporting and Importing TDE Master Encryption Keys for a PDB
    • About Exporting and Importing TDE Master Encryption Keys for a PDB
    • Exporting or Importing a TDE Master Encryption Key for a PDB
    • Example: Exporting a TDE Master Encryption Key from a PDB
    • Example: Importing a TDE Master Encryption Key into a PDB
  • Unplugging and Plugging a PDB with Encrypted Data in a CDB
    • Unplugging a PDB That Has Encrypted Data
    • Plugging a PDB That Has Encrypted Data into a CDB
    • Unplugging a PDB That Has Master Keys Stored in an HSM
    • Plugging a PDB That Has Master Keys Stored in an HSM
  • Managing Cloned PDBs with Encrypted Data
    • About Managing Cloned PDBs That Have Encrypted Data
    • Cloning a PDB with Encrypted Data in a CDB
  • How Keystore Open and Close Operations Work in a Multitenant Environment
  • Finding the Keystore Status for All of the PDBs in a Multitenant Environment
• How Transparent Data Encryption Works with Oracle Call Interface
• How Transparent Data Encryption Works with Editions
• Configuring Transparent Data Encryption to Work in a Multidatabase Environment

7 Frequently Asked Questions About Transparent Data Encryption

• Transparency Questions About Transparent Data Encryption
• Performance Questions About Transparent Data Encryption

Part II Using Oracle Data Redaction

8 Introduction to Oracle Data Redaction

• What Is Oracle Data Redaction?
• When to Use Oracle Data Redaction
• Benefits of Using Oracle Data Redaction
• Target Use Cases for Oracle Data Redaction
  • Oracle Data Redaction Use with Database Applications
  • Oracle Data Redaction with Ad Hoc Database Queries Considerations

9 Oracle Data Redaction Features and Capabilities

• Full Data Redaction to Redact All Data
• Partial Data Redaction to Redact Sections of Data
• Regular Expressions to Redact Patterns of Data
• Redaction Using Null Values
• Random Data Redaction to Generate Random Values
• Comparison of Full, Partial, and Random Redaction Based on Data Types
  • Oracle Built-in Data Types Redaction Capabilities
  • ANSI Data Types Redaction Capabilities
  • Built-in and ANSI Data Types Full Redaction Capabilities
  • User-Defined Data Types or Oracle Supplied Types Redaction Capabilities
• No Redaction for Testing Purposes
• Central Management of Named Data Redaction Policy Expressions

10 Configuring Oracle Data Redaction Policies

• About Oracle Data Redaction Policies
• Who Can Create Oracle Data Redaction Policies?
• Planning an Oracle Data Redaction Policy
• General Syntax of the DBMS_REDACT.ADD_POLICY Procedure
• Using Expressions to Define Conditions for Data Redaction Policies
  • About Using Expressions in Data Redaction Policies
  • Supported Functions for Data Redaction Expressions
    • Expressions Using Namespace Functions
    • Expressions Using the SUBSTR Function
    • Expressions Using Length of Character String Functions
    • Expressions Using Oracle Application Express Functions
    • Expressions Using Oracle Label Security Functions
  • Applying the Redaction Policy Based on User Environment
  • Applying the Redaction Policy Based on Database Roles
  • Applying the Redaction Policy Based on Oracle Label Security Label Dominance
  • Applying the Redaction Policy Based on Application Express Session States
  • Applying the Redaction Policy to All Users
• Creating and Managing Multiple Named Policy Expressions
  • About Data Redaction Policy Expressions to Define Conditions
  • Creating and Applying a Named Data Redaction Policy Expression
  • Updating a Named Data Redaction Policy Expression
  • Dropping a Named Data Redaction Expression Policy
  • Tutorial: Creating and Sharing a Named Data Redaction Policy Expression
    • Step 1: Create Users for This Tutorial
    • Step 2: Create an Oracle Data Redaction Policy
    • Step 3: Test the Oracle Data Redaction Policy
    • Step 4: Create and Apply a Policy Expression to the Redacted Table Columns
    • Step 5: Test the Data Redaction Policy Expression
    • Step 6: Modify the Data Redaction Policy Expression
    • Step 7: Test the Modified Policy Expression
    • Step 8: Remove the Components of This Tutorial
• Creating a Full Redaction Policy and Altering the Full Redaction Value
  • Creating a Full Redaction Policy
    • About Creating Full Data Redaction Policies
    • Syntax for Creating a Full Redaction Policy
    • Example: Full Redaction Policy
    • Example: Fully Redacted Character Values
  • Altering the Default Full Data Redaction Value
    • About Altering the Default Full Data Redaction Value
    • Syntax for the DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES Procedure
    • Modifying the Default Full Data Redaction Value
• Creating a DBMS_REDACT.NULLIFY Redaction Policy
  • About Creating a Policy That Returns Null Values
  • Syntax for Creating a Policy That Returns Null Values
  • Example: Redaction Policy That Returns Null Values
• Creating a Partial Redaction Policy
  • About Creating Partial Redaction Policies
  • Syntax for Creating a Partial Redaction Policy
  • Creating Partial Redaction Policies Using Fixed Character Formats
    • Settings for Fixed Character Formats
    • Example: Partial Redaction Policy Using a Fixed Character Format
  • Creating Partial Redaction Policies Using Character Data Types
    • Settings for Character Data Types
    • Example: Partial Redaction Policy Using a Character Data Type
  • Creating Partial Redaction Policies Using Number Data Types
    • Settings for Number Data Types
    • Example: Partial Redaction Policy Using a Number Data Type
  • Creating Partial Redaction Policies Using Date-Time Data Types
    • Settings for Date-Time Data Types
    • Example: Partial Redaction Policy Using Date-Time Data Type
• Creating a Regular Expression-Based Redaction Policy
  • About Creating Regular Expression-Based Redaction Policies
  • Syntax for Creating a Regular Expression-Based Redaction Policy
  • Regular Expression-Based Redaction Policies Using Formats
    • Regular Expression Formats
    • Example: Regular Expression Redaction Policy Using Formats
  • Custom Regular Expression Redaction Policies
    • Settings for Custom Regular Expressions
    • Example: Custom Regular Expression Redaction Policy
• Creating a Random Redaction Policy
  • Syntax for Creating a Random Redaction Policy
  • Example: Random Redaction Policy
• Creating a Policy That Uses No Redaction
  • Syntax for Creating a Policy with No Redaction
  • Example: Performing No Redaction
• Exemption of Users from Oracle Data Redaction Policies
• Altering an Oracle Data Redaction Policy
  • About Altering Oracle Data Redaction Policies
  • Syntax for the DBMS_REDACT.ALTER_POLICY Procedure
  • Parameters Required for DBMS_REDACT.ALTER_POLICY Actions
  • Tutorial: Altering an Oracle Data Redaction Policy
• Redacting Multiple Columns
  • Adding Columns to a Data Redaction Policy for a Single Table or View
  • Example: Redacting Multiple Columns
• Disabling and Enabling an Oracle Data Redaction Policy
  • Disabling an Oracle Data Redaction Policy
  • Enabling an Oracle Data Redaction Policy
• Dropping an Oracle Data Redaction Policy
• Tutorial: SQL Expressions to Build Reports with Redacted Values
• Oracle Data Redaction Policy Data Dictionary Views

11 Using Oracle Data Redaction in Oracle Enterprise Manager

• About Using Oracle Data Redaction in Oracle Enterprise Manager
• Oracle Data Redaction Workflow
• Management of Sensitive Column Types in Enterprise Manager
• Managing Oracle Data Redaction Formats Using Enterprise Manager
  • About Managing Oracle Data Redaction Formats Using Enterprise Manager
  • Creating a Custom Oracle Data Redaction Format Using Enterprise Manager
  • Editing a Custom Oracle Data Redaction Format Using Enterprise Manager
  • Viewing Oracle Data Redaction Formats Using Enterprise Manager
  • Deleting a Custom Oracle Data Redaction Format Using Enterprise Manager
• Managing Oracle Data Redaction Policies Using Enterprise Manager
  • About Managing Oracle Data Redaction Policies Using Enterprise Manager
  • Creating an Oracle Data Redaction Policy Using Enterprise Manager
  • Editing an Oracle Data Redaction Policy Using Enterprise Manager
  • Viewing Oracle Data Redaction Policy Details Using Enterprise Manager
  • Enabling or Disabling an Oracle Data Redaction Policy in Enterprise Manager
  • Deleting an Oracle Data Redaction Policy Using Enterprise Manager
• Managing Named Data Redaction Policy Expressions Using Enterprise Manager
  • About Named Data Redaction Policy Expressions in Enterprise Manager
  • Creating a Named Data Redaction Policy Expression in Enterprise Manager
  • Editing a Named Data Redaction Policy Expression in Enterprise Manager
  • Viewing Named Data Redaction Policy Expressions in Enterprise Manager
  • Deleting a Named Data Redaction Policy Expression in Enterprise Manager

12 Oracle Data Redaction Use with Oracle Database Features

• Oracle Data Redaction and DML and DDL Operations
• Oracle Data Redaction and Nested Functions, Inline Views, and the WHERE Clause
• Oracle Data Redaction and Database Links
• Oracle Data Redaction and Aggregate Functions
• Oracle Data Redaction and Object Types
• Oracle Data Redaction and XML Generation
• Oracle Data Redaction and Editions
• Oracle Data Redaction in a Multitenant Environment
• Oracle Data Redaction and Oracle Virtual Private Database
• Oracle Data Redaction and Oracle Database Real Application Security
• Oracle Data Redaction and Oracle Database Vault
• Oracle Data Redaction and Oracle Data Pump
  • Oracle Data Pump Security Model for Oracle Data Redaction
  • Export of Objects That Have Oracle Data Redaction Policies Defined
    • Finding Type Names Used by Oracle Data Pump
    • Exporting Only the Data Dictionary Metadata Related to Data Redaction Policies
    • Importing Objects Using the INCLUDE Parameter in IMPDP
  • Export of Data Using the EXPDP Utility access_method Parameter
  • Import of Data into Objects Protected by Oracle Data Redaction
• Oracle Data Redaction and Data Masking and Subsetting Pack
• Oracle Data Redaction and JSON

13 Security Considerations for Oracle Data Redaction

• Oracle Data Redaction General Usage Guidelines
• Restriction of Administrative Access to Oracle Data Redaction Policies
• How Oracle Data Redaction Affects the SYS, SYSTEM, and Default Schemas
• Policy Expressions That Use SYS_CONTEXT Attributes
• Oracle Data Redaction Policies on Materialized Views
• Dropped Oracle Data Redaction Policies When the Recycle Bin Is Enabled

Glossary

Index