Transparent Data Encryption

Oracle Database 11g Transparent Data Encryption, introduced with Oracle Database 10gR2 as a component of Oracle Advanced Security, supports your PCI compliance efforts by transparently encrypting data when it is written to disk and decrypting it when it is read back to the authorized user. Applications don't have to be modified, and authorized users won't even notice that the data has been encrypted on the storage media.
After only 4 easy steps, your sensitive columns will be protected by Transparent Data Encryption.
New in Oracle Database 11g: Tablespace encryption
Tablespace encryption makes Transparent Data Encryption even easier: without any storage increase, define a tablespace as 'encrypted' and use it to store your sensitive data; the limitations of column-based Transparent Data Encryption in terms of foreign keys, range scans and unsupported data types no longer apply. There are no functional differences between unencrypted and encrypted tablespaces; even execution plans don't change.
New in Oracle Database 11g: Hardware Security Module support
For even better security, the master key for column-level TDE can now be stored in Hardware Security Modules (HSM) supporting the PKCS#11 interface. Once the key has been created inside the device, it will never leave it in clear text. Due to the open PKCS#11 interface, customers can choose from a wide variety of HSM vendors.
New in Oracle Database 11g: 'SecureFile' LOB encryption
Sensitive documents (contracts, X-ray images etc.) are often scanned and stored electronically. Now they can benefit from the increased security of the Oracle Database: the new 'SecureFile' LOB in Oracle Database 11g can be encrypted.
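The following DDL is an added example, not taken from this page or from Oracle's documentation, showing the three TDE variants described above (column, tablespace and SecureFile LOB) as they are set up on Oracle Database 11g Release 1. The wallet directory, datafile path, wallet password, table and tablespace names are placeholders; the wallet location itself is configured in sqlnet.ora, shown here as a comment. The final queries are the checks an administrator would run to confirm the wallet is open and which objects are actually encrypted.

```sql
-- sqlnet.ora on the database server (placeholder path), so the database can find the wallet:
-- ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/ORCL/wallet)))

-- Step 1: create the wallet and the master key; the wallet is opened as a side effect.
-- The master key never appears in SQL; only the wallet password does.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet-password-placeholder";

-- After every instance restart the wallet must be opened again before encrypted
-- columns or tablespaces can be read (a closed wallet is a common cause of ORA errors).
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet-password-placeholder";

-- Step 2: column-level TDE on an existing table. Only the sensitive column is
-- encrypted; NO SALT is needed if the column will be indexed.
CREATE TABLE customers (
  id      NUMBER        PRIMARY KEY,
  name    VARCHAR2(100),
  card_no VARCHAR2(19)
);
ALTER TABLE customers MODIFY (card_no ENCRYPT USING 'AES256' NO SALT);

-- Step 3: tablespace encryption (11g). Every segment created in this tablespace is
-- encrypted on disk, with no restrictions on data types, foreign keys or range scans.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/oradata/ORCL/secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

CREATE TABLE orders (
  id          NUMBER PRIMARY KEY,
  customer_id NUMBER REFERENCES customers(id),
  amount      NUMBER(12,2),
  order_date  DATE
) TABLESPACE secure_ts;

-- Step 4: an encrypted SecureFile LOB for scanned documents (11g).
CREATE TABLE contracts (
  id  NUMBER PRIMARY KEY,
  doc BLOB
) LOB (doc) STORE AS SECUREFILE (ENCRYPT USING 'AES256');

-- Verification: wallet status, which columns are encrypted and with what, and which
-- tablespaces are encrypted. These views exist in 11g R1.
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;
SELECT table_name, column_name, encryption_alg, salt FROM dba_encrypted_columns;
SELECT tablespace_name, encrypted FROM dba_tablespaces;
```

The wallet password protects the wallet file, not the data directly: back up the wallet separately from the database (a backup that contains both the encrypted datafiles and the open-able wallet defeats the purpose), and keep a tested copy of it, because losing the wallet means losing every encrypted column and tablespace it protects.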
For backward compatibility, both the DBMS_OBFUSCATION_TOOLKIT and the newer, more powerful DBMS_CRYPTO package are still available with Oracle Database 11g Release 1.
| Package Feature | DBMS_OBFUSCATION_TOOLKIT (Oracle8i through 11g R1) | DBMS_CRYPTO (Oracle 10g R1 through 11g R1) | Transparent Data Encryption (column) (Oracle 10g R2 and 11g R1, Adv. Sec. Option) | Transparent Data Encryption (tablespace) (Oracle 11g R1, Adv. Sec. Option) |
|---|---|---|---|---|
| Cryptographic algorithms | DES, 3DES | DES, 3DES, AES, RC4, 3DES_2KEY(1) | 3DES168, AES (128, 192 (default), and 256 bit) | 3DES168, AES (128 (default), 192, and 256 bit) |
| Padding forms | none supported | PKCS5, zeroes | PKCS5(2) | |
| Block cipher chaining modes | CBC | CBC, CFB, ECB, OFB | CBC(2) | |
| Cryptographic hash algorithms | MD5 | SHA-1, MD4(1), MD5(1) | SHA-1(2) | |
| Keyed hash (MAC) algorithms | none supported | HMAC_MD5, HMAC_SH1 | n/a | |
| Cryptographic pseudo-random number generator | RAW, VARCHAR2 | RAW, NUMBER, BINARY_INTEGER | n/a | |
| Database types | RAW, VARCHAR2 | RAW, CLOB, BLOB | All but: OBJ., ADT, LOB (SecureFile supported in 11gR1) | All |

(1) Provided for backward compatibility; don't use.
(2) Used internally, not available to the developer.
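The PL/SQL block below is an added example, not code from this page or from Oracle, that uses the DBMS_CRYPTO features listed in the table (AES-256 in CBC mode with PKCS5 padding, the RAW pseudo-random generator for the IV, and HMAC_SH1 as the keyed hash) to protect a single value the way an application would do it explicitly, as opposed to letting TDE do it transparently. It assumes that SYS has granted EXECUTE on DBMS_CRYPTO to the calling schema and that the client shows DBMS_OUTPUT. The keys are generated inside the block purely for the demonstration; in a real application they would be held in a wallet or HSM and never in source code.

```sql
DECLARE
  -- Demo keys (constructed here for the example only; a real key comes from a protected store).
  l_enc_key RAW(32) := DBMS_CRYPTO.RANDOMBYTES(32);   -- 256-bit AES key
  l_mac_key RAW(32) := DBMS_CRYPTO.RANDOMBYTES(32);   -- separate key for the MAC

  -- Cipher suite: the typ parameter is the sum of algorithm + chaining mode + padding.
  l_mode    PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                         + DBMS_CRYPTO.CHAIN_CBC
                         + DBMS_CRYPTO.PAD_PKCS5;

  -- Constructed sample plaintext (a test card number format, not a real card).
  l_plain   RAW(2000) := UTL_I18N.STRING_TO_RAW('4111 1111 1111 1111', 'AL32UTF8');

  l_iv      RAW(16);
  l_cipher  RAW(2000);
  l_mac     RAW(20);      -- HMAC_SH1 produces 20 bytes
  l_stored  RAW(2000);    -- iv || ciphertext || mac, the value that would go into the table
  l_check   RAW(20);
  l_out     RAW(2000);
BEGIN
  -- Encrypt: a fresh random IV per value, so equal plaintexts give different ciphertexts.
  l_iv     := DBMS_CRYPTO.RANDOMBYTES(16);
  l_cipher := DBMS_CRYPTO.ENCRYPT(src => l_plain, typ => l_mode,
                                  key => l_enc_key, iv => l_iv);

  -- Authenticate IV and ciphertext together (encrypt-then-MAC), so that any change
  -- to the stored bytes is detected before decryption is attempted.
  l_mac    := DBMS_CRYPTO.MAC(src => UTL_RAW.CONCAT(l_iv, l_cipher),
                              typ => DBMS_CRYPTO.HMAC_SH1, key => l_mac_key);
  l_stored := UTL_RAW.CONCAT(l_iv, l_cipher, l_mac);

  -- Decrypt: split the stored value, verify the MAC first, only then decrypt.
  l_iv     := UTL_RAW.SUBSTR(l_stored, 1, 16);
  l_cipher := UTL_RAW.SUBSTR(l_stored, 17, UTL_RAW.LENGTH(l_stored) - 36);
  l_check  := UTL_RAW.SUBSTR(l_stored, UTL_RAW.LENGTH(l_stored) - 19, 20);

  l_mac    := DBMS_CRYPTO.MAC(src => UTL_RAW.CONCAT(l_iv, l_cipher),
                              typ => DBMS_CRYPTO.HMAC_SH1, key => l_mac_key);
  IF UTL_RAW.COMPARE(l_mac, l_check) <> 0 THEN
    RAISE_APPLICATION_ERROR(-20001, 'MAC mismatch: stored value was altered');
  END IF;

  l_out := DBMS_CRYPTO.DECRYPT(src => l_cipher, typ => l_mode,
                               key => l_enc_key, iv => l_iv);
  DBMS_OUTPUT.PUT_LINE('Recovered: ' || UTL_I18N.RAW_TO_CHAR(l_out, 'AL32UTF8'));
END;
/
```

The contrast with the table is the point: DBMS_OBFUSCATION_TOOLKIT offers no MAC, no padding and only DES/3DES, so integrity protection and a modern cipher are not available through it, while column-level TDE applies the same AES/CBC/PKCS5 combination internally (footnote 2) without the application having to manage keys, IVs or MACs at all.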
While data encryption should not be used as a substitute for access control, storing data encrypted does provide an additional layer of protection on storage media, including backups generated with Oracle RMAN or Oracle Secure Backup. This helps protect sensitive data such as credit card numbers in the event of media theft. Media theft can occur due to poor physical security, operating system configuration or backup processes.