说明
此文档虽然是针对non CDB而写,但是对于CDB的操作过程也是类似的,即在CDB$ROOT中设置完成wallet设置后,在PDB中设置和打开MEK即可。
先决条件
请确保目录$ORACLE_SID/admin/$ORACLE_SID
存在,例如此目录为:
- /u01/app/oracle/admin/noncdb
配置Wallet和秘钥
配置TDE过程:
sql
connect / as sysdba
-- WALLET_ROOT的默认值为空
-- wallet目录不必预先建立
ALTER SYSTEM SET WALLET_ROOT = '/u01/app/oracle/admin/noncdb/wallet' SCOPE = SPFILE SID = '*';
-- 重启数据库
shutdown immediate
startup
-- TDE_CONFIGURATION的默认值为空
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE = BOTH SID = '*';
-- create key store
-- 这一步自动创建了目录$WALLET_ROOT/wallet/tde,并创建了文件ewallet.p12
-- keypwd是保护wallet的口令,可以选取您中意的口令
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY keypwd;
-- 目前,wallet的状态为CLOSE。我们需要打开他
-- SELECT STATUS FROM V$ENCRYPTION_WALLET;
-- 打开后,wallet的状态为OPEN_NO_MASTER_KEY,其它PDB的状态仍为CLOSE
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY keypwd;
-- 创建MEK
-- 创建后,wallet状态变为OPEN
-- SELECT STATUS FROM V$ENCRYPTION_WALLET;
ADMINISTER KEY MANAGEMENT SET KEY
FORCE KEYSTORE
IDENTIFIED BY keypwd
WITH BACKUP USING 'emp_key_backup';
加密表空间
下面开始加密数据库的users表空间:
sql
-- 离线表空间,Elapsed: 00:00:02.67
ALTER TABLESPACE users OFFLINE NORMAL;
-- 一定一定记得开启此选项,我们要计时的!!!
set timing on
-- 离线加密,一定记得记录输出的时间!!!
ALTER TABLESPACE users ENCRYPTION OFFLINE ENCRYPT;
Elapsed: 00:16:53.44
-- 如果此时再次加密,则报错,因为已经加密过了
ORA-28431: cannot encrypt an already encrypted data file USERS
-- 恢复表空间在线
ALTER TABLESPACE users ONLINE;
-- 至此,加密结束
-- 验证
SQL> select TS#, ENCRYPTIONALG, ENCRYPTEDTS, STATUS, CON_ID from V$ENCRYPTED_TABLESPACES;
TS# ENCRYPT ENC STATUS CON_ID
---------- ------- --- ---------- ----------
5 AES128 YES NORMAL 4
SQL> show con_id
CON_ID
------------------------------
4
-- ts# 等于前面输出中的ts#
SQL> select name from v$tablespace where ts# = 5;
NAME
------------------------------
USERS
加密过程中的监控:
sql
SQL> connect sys@jiamipdb as sysdba
SQL> SELECT t.name, e.encryptedts, e.status FROM v$tablespace t, v$encrypted_tablespaces e WHERE t.ts#=e.ts# ;
NAME ENC STATUS
------------------------------ --- ----------
USERS NO ENCRYPTING
select tablespace_name,name,encrypted from v$datafile_header where tablespace_name like '%USERS%';
select count(*) from v$datafile_header where tablespace_name like '%USERS%' and encrypted='NO';