Environment preparation
One container database with a single PDB: orclpdb1.
No encryption has been configured yet.
```sql
SQL> show pdbs;

    CON_ID CON_NAME                       OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
         2 PDB$SEED                       READ ONLY  NO
         3 ORCLPDB1                       READ WRITE NO

SQL> show parameter wallet_root;

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
wallet_root                          string

SQL> show parameter tde_configuration

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
tde_configuration                    string
```
Configuring the Key Store
```sql
connect / as sysdba
ALTER SYSTEM SET wallet_root='$ORACLE_BASE/wallet' SCOPE=SPFILE;
shutdown immediate;
startup
!mkdir $ORACLE_BASE/wallet
ALTER SYSTEM SET tde_configuration="keystore_configuration=file" SCOPE=BOTH;
```
So far, $ORACLE_BASE/wallet does not contain any files.
Creating the Key Store
```sql
connect / as sysdba
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY keypwd;
```
Now the key store file exists:
```bash
SQL> !ls $ORACLE_BASE/wallet
tde
SQL> !ls $ORACLE_BASE/wallet/tde
ewallet.p12
```
But the key store status is CLOSED:
```sql
SQL> select con_id, status from V$ENCRYPTION_WALLET;

    CON_ID STATUS
---------- ------------------------------
         1 CLOSED
         2 CLOSED
         3 CLOSED
```
Open the key store:
```sql
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY keypwd;
```
The key store status of the root container now becomes OPEN_NO_MASTER_KEY:
```sql
SQL> select con_id, status from V$ENCRYPTION_WALLET;

    CON_ID STATUS
---------- ------------------------------
         1 OPEN_NO_MASTER_KEY
         2 CLOSED
         3 CLOSED
```
Create the Master Key:
```sql
ADMINISTER KEY MANAGEMENT SET KEY
FORCE KEYSTORE
IDENTIFIED BY keypwd
WITH BACKUP USING 'mekbkp';
```
We can see the backup file, and the key store status becomes OPEN:
```sql
SQL> !ls $ORACLE_BASE/wallet/tde
ewallet_2023091407054383_mekbkp.p12  ewallet.p12

SQL> select con_id, status from V$ENCRYPTION_WALLET;

    CON_ID STATUS
---------- ------------------------------
         1 OPEN
         2 CLOSED
         3 CLOSED
```
Current state of the system views
The Oracle 19c Advanced Security Guide lists the TDE-related system views. Let's take a quick look at them.
V$ENCRYPTION_WALLET is related to the key store:
```sql
SQL>
set lines 120
col status for a10
select CON_ID, WRL_TYPE, STATUS, WALLET_TYPE, WALLET_ORDER, KEYSTORE_MODE from V$ENCRYPTION_WALLET;

    CON_ID WRL_TYPE             STATUS     WALLET_TYPE          WALLET_OR KEYSTORE
---------- -------------------- ---------- -------------------- --------- --------
         1 FILE                 OPEN       PASSWORD             SINGLE    NONE
         2 FILE                 CLOSED     UNKNOWN              SINGLE    UNITED
         3 FILE                 CLOSED     UNKNOWN              SINGLE    UNITED
```
V$DATABASE_KEY_INFO is related to system tablespace encryption:
```sql
SQL> select * from V$DATABASE_KEY_INFO;

ENCRYPT ENCRYPTEDKEY
------- ------------------------------------------------------------------------------------------------
MASTERKEYID                      MAS     CON_ID
-------------------------------- --- ----------
AES128  77B4410C25AFD59E983669101DE55EB20000000000000000000000000000000000000000000000000000000000000000
24F4F8FE12434F18BF88049E85E70C82 YES          1

NONE    000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000 NO           2

NONE    000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000 NO           3
```
V$ENCRYPTION_KEYS is related to the master key:
```sql
col creation_time for a20
col activation_time for a20
col creator_pdbname for a12
col origin for a10
alter session set nls_date_format = 'MM/DD/YYYY HH24:MI';
select cast(creation_time as date) as creation_time, cast(activation_time as date) as activation_time, key_use, keystore_type, origin, backed_up, creator_pdbname from V$ENCRYPTION_KEYS;

CREATION_TIME        ACTIVATION_TIME      KEY_USE    KEYSTORE_TYPE     ORIGIN     BACKED_UP CREATOR_PDBN
-------------------- -------------------- ---------- ----------------- ---------- --------- ------------
09/14/2023 07:05     09/14/2023 07:05     TDE IN PDB SOFTWARE KEYSTORE LOCAL      NO        CDB$ROOT
```
Encrypting and decrypting a tablespace in the PDB
Connect to the PDB.
```sql
SQL> connect sys@orclpdb1 as sysdba
Enter password:
Connected.
```
The PDB has no master key yet, so encryption is not possible:
```sql
SQL> alter tablespace users encryption online encrypt;
alter tablespace users encryption online encrypt
*
ERROR at line 1:
ORA-28361: master key not yet set

SQL> select status from V$ENCRYPTION_WALLET;

STATUS
----------
CLOSED
```
Set the master key in the PDB:
```sql
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY keypwd;
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY keypwd WITH BACKUP USING 'pdbmekbkp';
```
The PDB's master key is now set:
```sql
SQL> select status from V$ENCRYPTION_WALLET;

STATUS
------------------------------
OPEN

SQL> !ls -l1 $ORACLE_BASE/wallet/tde
total 16
-rw-------. 1 oracle oinstall 2555 Sep 14 07:05 ewallet_2023091407054383_mekbkp.p12
-rw-------. 1 oracle oinstall 3995 Sep 14 08:42 ewallet_2023091408425331_pdbmekbkp.p12
-rw-------. 1 oracle oinstall 5467 Sep 14 08:42 ewallet.p12
```
Now both encryption and decryption work:
```sql
-- online encryption
SQL> alter tablespace users encryption online encrypt;
Tablespace altered.

SQL> alter tablespace users encryption online decrypt;
Tablespace altered.

-- offline encryption
SQL> alter tablespace users offline;
Tablespace altered.

SQL> alter tablespace users encryption offline encrypt;
Tablespace altered.

SQL> alter tablespace users online;
Tablespace altered.
```
Current state of the system views
All of the following SQL statements are executed in CDB$ROOT.
V$ENCRYPTION_WALLET is related to the key store; the row for the PDB has changed:
```sql
SQL>
set lines 120
col status for a10
select CON_ID, WRL_TYPE, STATUS, WALLET_TYPE, WALLET_ORDER, KEYSTORE_MODE from V$ENCRYPTION_WALLET;

    CON_ID WRL_TYPE             STATUS     WALLET_TYPE          WALLET_OR KEYSTORE
---------- -------------------- ---------- -------------------- --------- --------
         1 FILE                 OPEN       PASSWORD             SINGLE    NONE
         2 FILE                 CLOSED     UNKNOWN              SINGLE    UNITED
         3 FILE                 OPEN       PASSWORD             SINGLE    UNITED
```
V$DATABASE_KEY_INFO is related to system tablespace encryption; here too the row for the PDB has changed:
```sql
SQL> select * from V$DATABASE_KEY_INFO;

ENCRYPT ENCRYPTEDKEY
------- ------------------------------------------------------------------------------------------------
MASTERKEYID                      MAS     CON_ID
-------------------------------- --- ----------
AES128  77B4410C25AFD59E983669101DE55EB20000000000000000000000000000000000000000000000000000000000000000
24F4F8FE12434F18BF88049E85E70C82 YES          1

NONE    000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000 NO           2

AES128  69A8A389784AFCD06F84FE3EB12F3E8A0000000000000000000000000000000000000000000000000000000000000000
64D9F54F8A354F36BFECB3955CDD77DA YES          3
```
V$ENCRYPTION_KEYS is related to the master key:
```sql
col creation_time for a20
col activation_time for a20
col creator_pdbname for a12
col origin for a10
alter session set nls_date_format = 'MM/DD/YYYY HH24:MI';
select cast(creation_time as date) as creation_time, cast(activation_time as date) as activation_time, key_use, keystore_type, origin, backed_up, creator_pdbname from V$ENCRYPTION_KEYS;

CREATION_TIME        ACTIVATION_TIME      KEY_USE    KEYSTORE_TYPE     ORIGIN     BACKED_UP CREATOR_PDBN
-------------------- -------------------- ---------- ----------------- ---------- --------- ------------
09/14/2023 07:05     09/14/2023 07:05     TDE IN PDB SOFTWARE KEYSTORE LOCAL      YES       CDB$ROOT
09/14/2023 08:42     09/14/2023 08:42     TDE IN PDB SOFTWARE KEYSTORE LOCAL      NO        ORCLPDB1
```
The following SQL statements are executed in the PDB:
```sql
SQL> select encrypted from user_tablespaces where tablespace_name = 'USERS';

ENC
---
YES

SQL> select TS#, ENCRYPTIONALG, ENCRYPTEDTS, STATUS, CON_ID from V$ENCRYPTED_TABLESPACES;

       TS# ENCRYPT ENC STATUS         CON_ID
---------- ------- --- ---------- ----------
         5 AES128  YES NORMAL              3
```
Switching the Key Store to auto-login
Tablespaces can now be encrypted and decrypted, but there is one problem: after a database restart we still have to open the Key Store manually.
```sql
connect / as sysdba
ADMINISTER KEY MANAGEMENT CREATE
AUTO_LOGIN KEYSTORE FROM KEYSTORE
IDENTIFIED BY keypwd;
```
The Key Store's WALLET_TYPE now changes from PASSWORD to AUTOLOGIN:
```sql
set lines 120
col status for a10
select CON_ID, WRL_TYPE, STATUS, WALLET_TYPE, WALLET_ORDER, KEYSTORE_MODE from V$ENCRYPTION_WALLET;

    CON_ID WRL_TYPE             STATUS     WALLET_TYPE          WALLET_OR KEYSTORE
---------- -------------------- ---------- -------------------- --------- --------
         1 FILE                 OPEN       AUTOLOGIN            SINGLE    NONE
         2 FILE                 OPEN       AUTOLOGIN            SINGLE    UNITED
         3 FILE                 OPEN       AUTOLOGIN            SINGLE    UNITED
```
After restarting the database, the Key Store status becomes OPEN automatically:
```sql
SQL> select status from V$ENCRYPTION_WALLET;

STATUS
----------
OPEN
OPEN
OPEN

SQL> !ls -l1 $ORACLE_BASE/wallet/tde
total 24
-rw-------. 1 oracle oinstall 5512 Sep 14 08:59 cwallet.sso
-rw-------. 1 oracle oinstall 2555 Sep 14 07:05 ewallet_2023091407054383_mekbkp.p12
-rw-------. 1 oracle oinstall 3995 Sep 14 08:42 ewallet_2023091408425331_pdbmekbkp.p12
-rw-------. 1 oracle oinstall 5467 Sep 14 08:42 ewallet.p12
```
The auto-login Key Store file is cwallet.sso.
Backing up the Key Store
This operation must be performed in CDB$ROOT, otherwise it fails:
```sql
SQL> ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE USING 'bkp230914' IDENTIFIED BY keypwd;
ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE USING 'bkp230914' IDENTIFIED BY keypwd
*
ERROR at line 1:
ORA-65040: operation not allowed from within a pluggable database
```
The FORCE KEYSTORE clause is required:
```sql
SQL> ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE USING 'bkp230914' IDENTIFIED BY keypwd;
ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE USING 'bkp230914' IDENTIFIED BY keypwd
*
ERROR at line 1:
ORA-28417: password-based keystore is not open

SQL> ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE USING 'bkp230914' FORCE KEYSTORE IDENTIFIED BY keypwd;
keystore altered.
```
Looking at the generated backup file, putting the date into the tag turns out to be redundant, since the file name already carries a timestamp:
```sql
SQL> !ls -l1 $ORACLE_BASE/wallet/tde
total 32
-rw-------. 1 oracle oinstall 5512 Sep 14 09:04 cwallet.sso
-rw-------. 1 oracle oinstall 2555 Sep 14 07:05 ewallet_2023091407054383_mekbkp.p12
-rw-------. 1 oracle oinstall 3995 Sep 14 08:42 ewallet_2023091408425331_pdbmekbkp.p12
-rw-------. 1 oracle oinstall 5467 Sep 14 09:04 ewallet_2023091409040585_bkp230914.p12
-rw-------. 1 oracle oinstall 5467 Sep 14 09:04 ewallet.p12
```
The backup can also be written to a specified location:
```sql
SQL> connect / as sysdba;
Connected.
SQL> ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE USING 'bkp230914' FORCE KEYSTORE IDENTIFIED BY keypwd to '/tmp';
keystore altered.
SQL> !ls /tmp/*bkp*
/tmp/ewallet_2023091402173955_bkp230914.p12
```
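As an added example (not part of the original post), the following Python check parses an `ls -l1` listing of the keystore directory like the ones shown above and reports what a DBA would want to verify: that ewallet.p12 is present, whether cwallet.sso (auto-login) exists, which backup tags exist and when they were taken, and whether any file is readable by anyone other than the database OS user. The listing is constructed from this page's output (one backup deliberately given loose permissions), and the reading of the 16-digit file-name timestamp as YYYYMMDDHHMMSS plus two trailing digits is an assumption drawn from the listings, not documented Oracle behaviour.

```python
import re
from datetime import datetime

# Constructed listing modelled on the `ls -l1 $ORACLE_BASE/wallet/tde` output
# above; the bkp230914 backup is deliberately given loose permissions.
WALLET_LISTING = """\
total 32
-rw-------. 1 oracle oinstall 5512 Sep 14 09:04 cwallet.sso
-rw-------. 1 oracle oinstall 2555 Sep 14 07:05 ewallet_2023091407054383_mekbkp.p12
-rw-------. 1 oracle oinstall 3995 Sep 14 08:42 ewallet_2023091408425331_pdbmekbkp.p12
-rw-rw-r--. 1 oracle oinstall 5467 Sep 14 09:04 ewallet_2023091409040585_bkp230914.p12
-rw-------. 1 oracle oinstall 5467 Sep 14 09:04 ewallet.p12
"""

# ls -l columns: mode, link count, owner, group, size, month, day, time, name
LS_RE = re.compile(r"^(?P<mode>[-dl][rwxsStT-]{9})[.+]?\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
                   r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>\S+)$")
# Backups are named ewallet_<timestamp>_<tag>.p12. Assumption: the first 14
# digits of the timestamp are YYYYMMDDHHMMSS and the last two are sub-seconds.
BACKUP_RE = re.compile(r"^ewallet_(?P<ts>\d{16})_(?P<tag>.+)\.p12$")

def parse_listing(text):
    return [m.groupdict() for m in map(LS_RE.match, text.splitlines()) if m]

def audit_wallet_dir(text, owner="oracle"):
    """Check the TDE keystore directory: every file should be owner-only
    (-rw-------) and owned by the database OS user, ewallet.p12 must exist,
    cwallet.sso indicates an auto-login keystore, and each backup is mapped
    from its tag to the timestamp embedded in its file name."""
    files = parse_listing(text)
    names = {f["name"] for f in files}
    backups = {}
    for f in files:
        m = BACKUP_RE.match(f["name"])
        if m:
            backups[m["tag"]] = datetime.strptime(m["ts"][:14], "%Y%m%d%H%M%S")
    loose = [f["name"] for f in files
             if f["mode"][1:] != "rw-------" or f["owner"] != owner]
    return {
        "has_keystore": "ewallet.p12" in names,
        "auto_login": "cwallet.sso" in names,
        "backups": backups,
        "latest_backup_tag": max(backups, key=backups.get, default=None),
        "loose_permission_files": loose,
    }

if __name__ == "__main__":
    for k, v in audit_wallet_dir(WALLET_LISTING).items():
        print(f"{k}: {v}")
```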
Changing the wallet type to Local Auto Login
The current type is Auto Login, but Local Auto Login is safer because the wallet can only be used on this host.
```sql
SQL> select WALLET_TYPE from V$ENCRYPTION_WALLET;

WALLET_TYPE
--------------------
AUTOLOGIN
```
Procedure:
```sql
-- close the key store
SQL> administer key management set keystore close;
keystore altered.

SQL> show parameter wallet_root

NAME                                 TYPE        VALUE
------------------------------------ ----------- ----------------------------------
wallet_root                          string      /u01/app/oracle/admin/ORCL/wallet

-- The existing auto-login key store must be moved away first, otherwise the
-- CREATE below fails with:
-- ORA-46630: keystore cannot be created at the specified location
-- Each "!" host command runs in its own shell, so a separate "!cd" would not
-- carry over; the file lives in the tde subdirectory, so use its full path.
SQL> !mv $ORACLE_BASE/wallet/tde/cwallet.sso $ORACLE_BASE/wallet/tde/cwallet.sso.bak

SQL> administer key management set keystore open force keystore identified by keypwd;
keystore altered.

SQL> administer key management create local auto_login keystore from keystore identified by keypwd;
keystore altered.
```
Changing the Key Store password
Changing the password does not require a backup, but the Key Store must be opened with FORCE KEYSTORE:
```sql
connect / as sysdba
ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD
FORCE KEYSTORE
IDENTIFIED BY keypwd
SET newkeypwd;
```
Changing the password does not affect encryption or decryption operations.
For some reason, the first password change did not demand a backup, while the second one did:
```sql
ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD
FORCE KEYSTORE
IDENTIFIED BY newkeypwd
SET keypwd;
ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD
*
ERROR at line 1:
ORA-46631: keystore needs to be backed up

SQL>
ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD
FORCE KEYSTORE
IDENTIFIED BY newkeypwd
SET keypwd
WITH BACKUP USING 'chgpwd';

SQL> !ls -l1 $ORACLE_BASE/wallet/tde
total 40
-rw-------. 1 oracle oinstall 5512 Sep 14 09:20 cwallet.sso
-rw-------. 1 oracle oinstall 2555 Sep 14 07:05 ewallet_2023091407054383_mekbkp.p12
-rw-------. 1 oracle oinstall 3995 Sep 14 08:42 ewallet_2023091408425331_pdbmekbkp.p12
-rw-------. 1 oracle oinstall 5467 Sep 14 09:04 ewallet_2023091409040585_bkp230914.p12
-rw-------. 1 oracle oinstall 5467 Sep 14 09:20 ewallet_2023091409204262_chgpwd.p12
-rw-------. 1 oracle oinstall 5467 Sep 14 09:20 ewallet.p12
```
Rekeying (rotating) the Master Key
A rekey creates a new master key and activates it.
CDB$ROOT and each PDB have their own Master Key; this example only covers the PDB.
```sql
SQL> alter session set container=orclpdb1;
Session altered.

col creation_time for a20
col activation_time for a20
col creator_pdbname for a12
col origin for a10
alter session set nls_date_format = 'MM/DD/YYYY HH24:MI';
select cast(creation_time as date) as creation_time, cast(activation_time as date) as activation_time, key_use, keystore_type, origin, backed_up, creator_pdbname from V$ENCRYPTION_KEYS;

CREATION_TIME        ACTIVATION_TIME      KEY_USE    KEYSTORE_TYPE     ORIGIN     BACKED_UP CREATOR_PDBN
-------------------- -------------------- ---------- ----------------- ---------- --------- ------------
09/14/2023 08:42     09/14/2023 08:42     TDE IN PDB SOFTWARE KEYSTORE LOCAL      YES       ORCLPDB1
```
Perform the rekey:
```sql
ADMINISTER KEY MANAGEMENT
SET ENCRYPTION KEY
FORCE KEYSTORE
IDENTIFIED BY keypwd
WITH BACKUP USING 'mekrekey';
keystore altered.

SQL> !ls -l1 $ORACLE_BASE/wallet/tde
total 48
-rw-------. 1 oracle oinstall 6776 Sep 14 09:28 cwallet.sso
-rw-------. 1 oracle oinstall 2555 Sep 14 07:05 ewallet_2023091407054383_mekbkp.p12
-rw-------. 1 oracle oinstall 3995 Sep 14 08:42 ewallet_2023091408425331_pdbmekbkp.p12
-rw-------. 1 oracle oinstall 5467 Sep 14 09:04 ewallet_2023091409040585_bkp230914.p12
-rw-------. 1 oracle oinstall 5467 Sep 14 09:20 ewallet_2023091409204262_chgpwd.p12
-rw-------. 1 oracle oinstall 5467 Sep 14 09:28 ewallet_2023091409281769_mekrekey.p12
-rw-------. 1 oracle oinstall 6731 Sep 14 09:28 ewallet.p12
```
V$ENCRYPTION_KEYS now has one more row:
```sql
CREATION_TIME        ACTIVATION_TIME      KEY_USE    KEYSTORE_TYPE     ORIGIN     BACKED_UP CREATOR_PDBN
-------------------- -------------------- ---------- ----------------- ---------- --------- ------------
09/14/2023 08:42     09/14/2023 08:42     TDE IN PDB SOFTWARE KEYSTORE LOCAL      YES       ORCLPDB1
09/14/2023 09:28     09/14/2023 09:28     TDE IN PDB SOFTWARE KEYSTORE LOCAL      NO        ORCLPDB1
```
It is easy to guess that the row with the newest ACTIVATION_TIME and BACKED_UP = NO is the current Master Key.
Rekeying the encryption key
This example also targets the PDB.
Rekeying the Master Key does not decrypt and re-encrypt the data, but rekeying the DEK (Data Encryption Key) does.
Tablespace encryption uses ALTER TABLESPACE, while table encryption uses ALTER TABLE. This example does the former, as an online rekey:
```sql
SQL> alter tablespace users encryption rekey;
Tablespace altered.
Elapsed: 00:01:23.42
```
Creating and activating a Master Key
This two-step operation is in effect the rekey process split into its parts.
It can also be done for CDB$ROOT, but this example targets the PDB.
```sql
SQL>
ADMINISTER KEY MANAGEMENT CREATE KEY
USING TAG 'newmek'
FORCE KEYSTORE
IDENTIFIED BY keypwd
WITH BACKUP USING 'newmek';

SQL> !ls -l1 $ORACLE_BASE/wallet/tde
total 60
-rw-------. 1 oracle oinstall 8216 Sep 14 09:58 cwallet.sso
-rw-------. 1 oracle oinstall 2555 Sep 14 07:05 ewallet_2023091407054383_mekbkp.p12
-rw-------. 1 oracle oinstall 3995 Sep 14 08:42 ewallet_2023091408425331_pdbmekbkp.p12
-rw-------. 1 oracle oinstall 5467 Sep 14 09:04 ewallet_2023091409040585_bkp230914.p12
-rw-------. 1 oracle oinstall 5467 Sep 14 09:20 ewallet_2023091409204262_chgpwd.p12
-rw-------. 1 oracle oinstall 5467 Sep 14 09:28 ewallet_2023091409281769_mekrekey.p12
-rw-------. 1 oracle oinstall 6731 Sep 14 09:58 ewallet_2023091409580241_newmek.p12
-rw-------. 1 oracle oinstall 8171 Sep 14 09:58 ewallet.p12
```
We can see that this Master Key has not been activated (ACTIVATION_TIME is empty):
```sql
CREATION_TIME        ACTIVATION_TIME      KEY_USE    KEYSTORE_TYPE     ORIGIN     BACKED_UP CREATOR_PDBN
-------------------- -------------------- ---------- ----------------- ---------- --------- ------------
09/14/2023 09:28     09/14/2023 09:28     TDE IN PDB SOFTWARE KEYSTORE LOCAL      YES       ORCLPDB1
09/14/2023 08:42     09/14/2023 08:42     TDE IN PDB SOFTWARE KEYSTORE LOCAL      YES       ORCLPDB1
09/14/2023 09:58                          TDE IN PDB SOFTWARE KEYSTORE LOCAL      NO        ORCLPDB1
```
Activate the Master Key:
```sql
SQL> select key_id from V$ENCRYPTION_KEYS where ACTIVATION_TIME is null;

KEY_ID
------------------------------------------------------------------------------
AYgYXF7JY08WvylfJIZ44LUAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

SQL>
ADMINISTER KEY MANAGEMENT USE KEY
'AYgYXF7JY08WvylfJIZ44LUAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
FORCE KEYSTORE
IDENTIFIED BY keypwd
WITH BACKUP USING 'newmek';
keystore altered.

SQL> !ls -l1 $ORACLE_BASE/wallet/tde
total 68
-rw-------. 1 oracle oinstall 8216 Sep 14 10:11 cwallet.sso
-rw-------. 1 oracle oinstall 2555 Sep 14 07:05 ewallet_2023091407054383_mekbkp.p12
-rw-------. 1 oracle oinstall 3995 Sep 14 08:42 ewallet_2023091408425331_pdbmekbkp.p12
-rw-------. 1 oracle oinstall 5467 Sep 14 09:04 ewallet_2023091409040585_bkp230914.p12
-rw-------. 1 oracle oinstall 5467 Sep 14 09:20 ewallet_2023091409204262_chgpwd.p12
-rw-------. 1 oracle oinstall 5467 Sep 14 09:28 ewallet_2023091409281769_mekrekey.p12
-rw-------. 1 oracle oinstall 6731 Sep 14 09:58 ewallet_2023091409580241_newmek.p12
-rw-------. 1 oracle oinstall 8171 Sep 14 10:11 ewallet_2023091410112509_newmek.p12
-rw-------. 1 oracle oinstall 8171 Sep 14 10:11 ewallet.p12
```
The state in the system view has changed:
```sql
CREATION_TIME        ACTIVATION_TIME      KEY_USE    KEYSTORE_TYPE     ORIGIN     BACKED_UP CREATOR_PDBN
-------------------- -------------------- ---------- ----------------- ---------- --------- ------------
09/14/2023 09:28     09/14/2023 09:28     TDE IN PDB SOFTWARE KEYSTORE LOCAL      YES       ORCLPDB1
09/14/2023 08:42     09/14/2023 08:42     TDE IN PDB SOFTWARE KEYSTORE LOCAL      YES       ORCLPDB1
09/14/2023 09:58     09/14/2023 10:11     TDE IN PDB SOFTWARE KEYSTORE LOCAL      NO        ORCLPDB1
```
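As an added example (not part of the original post), the following Python check applies the rule stated in the Master Key rekey section and in the create/activate steps above to rows from V$ENCRYPTION_KEYS: the active master key is the row with the newest ACTIVATION_TIME, a row with no ACTIVATION_TIME is a key that was created but not yet put into use, and any key with BACKED_UP = NO still needs a keystore backup. The rows are constructed from the output shown on this page (the state just before USE KEY), with placeholder key ids; in practice they would come from a query through a driver such as python-oracledb.

```python
from datetime import datetime

# Constructed sample rows modelled on the V$ENCRYPTION_KEYS output above
# (state before USE KEY). Key ids are placeholders, not real KEY_ID values.
# activation_time None means the key was created but never activated.
SAMPLE_KEYS = [
    {"key_id": "KEY-A", "creation_time": "09/14/2023 09:28", "activation_time": "09/14/2023 09:28",
     "backed_up": "YES", "creator_pdbname": "ORCLPDB1"},
    {"key_id": "KEY-B", "creation_time": "09/14/2023 08:42", "activation_time": "09/14/2023 08:42",
     "backed_up": "YES", "creator_pdbname": "ORCLPDB1"},
    {"key_id": "KEY-C", "creation_time": "09/14/2023 09:58", "activation_time": None,
     "backed_up": "NO", "creator_pdbname": "ORCLPDB1"},
]

FMT = "%m/%d/%Y %H:%M"  # matches the nls_date_format used in the queries above

def parse(ts):
    return datetime.strptime(ts, FMT) if ts else None

def audit_master_keys(rows):
    """Identify the active key (newest ACTIVATION_TIME), keys created but not
    activated, and keys not yet backed up. BACKED_UP is reported separately
    rather than used to pick the active key: the listings above show it flips
    to YES for older keys as soon as a later backup is taken."""
    activated = [r for r in rows if r["activation_time"]]
    active = max(activated, key=lambda r: parse(r["activation_time"]), default=None)
    return {
        "active_key_id": active["key_id"] if active else None,
        "pending_key_ids": [r["key_id"] for r in rows if not r["activation_time"]],
        "unbacked_key_ids": [r["key_id"] for r in rows if r["backed_up"] != "YES"],
        # ewallet.p12 is rewritten in place on every key operation; an active key
        # that exists only in that one file has no recovery path if it is lost.
        "active_key_backed_up": bool(active) and active["backed_up"] == "YES",
    }

if __name__ == "__main__":
    for k, v in audit_master_keys(SAMPLE_KEYS).items():
        print(f"{k}: {v}")
```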