在Oracle 11g 数据库上设置透明数据加密(TDE)

本文回答2个问题:

  1. 11g下简明的TDE设置过程
  2. 由于11g不支持在线TDE,介绍2中11g下的加密表空间的迁移方法

设置表空间TDE之前

表空间没有加密时,很容易探测到明文数据:

sql 复制代码
create tablespace unsectbs datafile 'unsectbs.dbf' size 10m autoextend on next 10m maxsize unlimited;
create table unsectbl tablespace unsectbs as select * from dba_users;
create unique index idx1 on unsectbl(user_id);

SQL> select TABLESPACE_NAME from user_tables where table_name = 'UNSECTBL';

TABLESPACE_NAME
------------------------------
UNSECTBS

SQL> !strings /home/oracle/app/oracle/product/11.2.0/dbhome_1/dbs/unsectbs.dbf
}|{z
h7/dORCL
UNSECTBS
SPATIAL_WFS_ADMIN_USR
EXPIRED & LOCKED
USERS
TEMP
DEFAULT
DEFAULT_CONSUMER_GROUP
10G 11G
PASSWORD,
SPATIAL_CSW_ADMIN_USR
EXPIRED & LOCKED
USERS
TEMP
...

设置表空间TDE

compatibility 需设为11.2或以上:

sql 复制代码
SQL> show parameter compatible

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
compatible                           string      11.2.0.4.0

通过tnsping,可以得到sqlnet.ora的路径:

bash 复制代码
$ tnsping orcl

TNS Ping Utility for Linux: Version 11.2.0.4.0 - Production on 17-NOV-2023 12:39:17

Copyright (c) 1997, 2013, Oracle.  All rights reserved.

Used parameter files:
/home/oracle/app/oracle/product/11.2.0/dbhome_1/network/admin/sqlnet.ora


Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = instance-20231116-1239-db11g)(PORT = 1521))) (CONNECT_DATA = (SERVICE_NAME = orcl)))
OK (0 msec)

$ vi /home/oracle/app/oracle/product/11.2.0/dbhome_1/network/admin/sqlnet.ora

在sqlnet.ora中追加以下语句,指定wallet的位置。

sql 复制代码
ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/home/oracle/app/oracle/wallet)))

执行以下命令,创建加密的wallet,以及master key:

sql 复制代码
-- 目录必须存在,否则报错ORA-28368
SQL> !mkdir /home/oracle/app/oracle/wallet

SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Easy2rem";

System altered.

SQL> !ls /home/oracle/app/oracle/wallet
ewallet.p12

创建加密表空间:

sql 复制代码
alter system set db_create_file_dest='/home/oracle/app/oracle/oradata/orcl';

CREATE TABLESPACE sectbs
DATAFILE 'secure01.dbf'
SIZE 150M
ENCRYPTION
DEFAULT STORAGE(ENCRYPT);

确认已加密:

sql 复制代码
SQL> select TABLESPACE_NAME, ENCRYPTED from user_tablespaces;

TABLESPACE_NAME                ENC
------------------------------ ---
SYSTEM                         NO
SYSAUX                         NO
UNDOTBS1                       NO
TEMP                           NO
USERS                          NO
SECTBS                    YES

6 rows selected.

SQL> create table sectbl tablespace sectbs as select * from dba_users;

Table created.

设置表空间TDE之后

sql 复制代码
SQL> !strings /home/oracle/app/oracle/product/11.2.0/dbhome_1/dbs/secure01.dbf
}|{z
h7/dORCL
SECTBS
Zdp!
2VN?
9&*.
 2vq
[f9k
z=G=
23WV-
@Y6w
/2.-
m:Wp.
Z-]
D''8
$gU%
?       5T
...

加密已有的表空间

11g不支持加密已有的表空间,只支持新建。

但我们可以将未加密表空间中的表迁移到加密的表空间中:

sql 复制代码
SQL> alter table unsectbl move tablespace sectbs;

Table altered.

SQL> select TABLESPACE_NAME from user_tables where table_name = 'UNSECTBL';

TABLESPACE_NAME
------------------------------
SECTBS

注意,表的索引会变为无效,因此需要rebuild。详见这里

sql 复制代码
SQL> select status from user_indexes where index_name = 'IDX1';

STATUS
--------
UNUSABLE

SQL> alter index idx1 rebuild;

Index altered.

SQL> select status from user_indexes where index_name = 'IDX1';

STATUS
--------
VALID

另一种迁移方式是通过数据泵导出再导入。

表的导出:

bash 复制代码
$ expdp test/Welcome1@orcl tables=unsectbl

Export: Release 11.2.0.4.0 - Production on Mon Nov 20 05:30:50 2023

Copyright (c) 1982, 2011, Oracle and/or its affiliates.  All rights reserved.

Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
Starting "TEST"."SYS_EXPORT_TABLE_01":  test/********@orcl tables=unsectbl
Estimate in progress using BLOCKS method...
Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
Total estimation using BLOCKS method: 64 KB
Processing object type TABLE_EXPORT/TABLE/TABLE
Processing object type TABLE_EXPORT/TABLE/INDEX/INDEX
Processing object type TABLE_EXPORT/TABLE/INDEX/STATISTICS/INDEX_STATISTICS
. . exported "TEST"."UNSECTBL"                          14.32 KB      31 rows
Master table "TEST"."SYS_EXPORT_TABLE_01" successfully loaded/unloaded
******************************************************************************
Dump file set for TEST.SYS_EXPORT_TABLE_01 is:
  /home/oracle/app/oracle/admin/orcl/dpdump/expdat.dmp
Job "TEST"."SYS_EXPORT_TABLE_01" successfully completed at Mon Nov 20 05:30:54 2023 elapsed 0 00:00:04

表的导入(原表已先行删除):

bash 复制代码
$ impdp test/Welcome1@orcl remap_table=unsectbl:sectbl remap_tablespace=unsectbs:sectbs dumpfile=expdat.dmp

Import: Release 11.2.0.4.0 - Production on Mon Nov 20 05:54:24 2023

Copyright (c) 1982, 2011, Oracle and/or its affiliates.  All rights reserved.

Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
Master table "TEST"."SYS_IMPORT_FULL_01" successfully loaded/unloaded
Starting "TEST"."SYS_IMPORT_FULL_01":  test/********@orcl remap_table=unsectbl:sectbl remap_tablespace=unsectbs:sectbs dumpfile=expdat.dmp
Processing object type TABLE_EXPORT/TABLE/TABLE
Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
. . imported "TEST"."SECTBL"                            14.32 KB      31 rows
Processing object type TABLE_EXPORT/TABLE/INDEX/INDEX
Processing object type TABLE_EXPORT/TABLE/INDEX/STATISTICS/INDEX_STATISTICS
Job "TEST"."SYS_IMPORT_FULL_01" successfully completed at Mon Nov 20 05:54:24 2023 elapsed 0 00:00:00

这个实验说明了2点问题:

  1. expdp 表的导出也会导出索引
  2. 索引的名字

参考

相关推荐
毕业设计制作和分享5 小时前
ssm《数据库系统原理》课程平台的设计与实现+vue
前端·数据库·vue.js·oracle·mybatis
Dingww101110 小时前
梧桐数据库中的网络地址类型使用介绍分享
数据库·oracle·php
2401_8570262311 小时前
Spring Boot框架下的知识管理与多维分类
spring boot·后端·oracle
shiran小坚果18 小时前
AWS RDS MySQL内存使用
数据库·mysql·云计算·database·aws
刘艳兵的学习博客19 小时前
刘艳兵-DBA027-在Oracle数据库,通常可以使用如下方法来得到目标SQL的执行计划,那么通过下列哪些方法得到的执行计划有可能是不准确的?
数据库·oracle·面试·database·刘艳兵
秋意钟21 小时前
MySql事务
数据库·mysql·oracle
Mephisto.java21 小时前
【大数据学习 | HBASE】hbase的整体架构
大数据·sql·oracle·json·hbase·database
蚊子不吸吸1 天前
DevOps开发运维简述
linux·运维·ci/cd·oracle·kubernetes·gitlab·devops
Gauss松鼠会1 天前
GaussDB的向量化处理技术
运维·数据库·database·gaussdb
Ayka1 天前
Linux Qt 6安装Oracle QOCI SQL Driver插件(适用WSL)
linux·sql·qt·oracle·oci