Home » RDBMS Server » Security » data encryption (Oracle 11.2.0.3 on AIX 6.1)
data encryption [message #538952] Tue, 10 January 2012 08:51 Go to next message
caprikar
Messages: 222
Registered: March 2007
Senior Member
Hi,
I have oracle 11gR2 running on Unix and I need to encrypt some columns in a table which has about 100 million records. What is the best way to encrypt the data and approximately how long it will take to encrypt those existing data?
Thanks
Re: data encryption [message #538955 is a reply to message #538952] Tue, 10 January 2012 08:59 Go to previous messageGo to next message
Michel Cadot
Messages: 57599
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Quote:
I need to encrypt some columns in a table


Are you sure? What is the actual? What do you want to protect, against who, in which circonstances?

Quote:
What is the best way to encrypt the data


There is no best way otherwise the other ways would not exist.

Regards
Michel
Re: data encryption [message #538958 is a reply to message #538952] Tue, 10 January 2012 09:09 Go to previous messageGo to next message
John Watson
Messages: 4081
Registered: January 2010
Location: Global Village
Senior Member
Would this be for conformance with the PCI rules? If so, you have to do it.
I believe that this is a case where you should spend money to save money. Using Enterprise Edition and the Advanced Encryption option, you as DBA can set up the encryption declaratively. If you have Standard Edition, you have to do it programatically with DBMS_CRYPTO. There are techniques for making that sort-of transparent, but it isn't fun.

But if you don't have to do this, then don't.
Re: data encryption [message #538965 is a reply to message #538958] Tue, 10 January 2012 09:28 Go to previous messageGo to next message
caprikar
Messages: 222
Registered: March 2007
Senior Member
Hi,
I have to do this to make it PCI compliant and to protect sensitive data from all users, there should be a mechanism by which users can decrypt the data whenever they want but it has to be stored in the encrypted format.
Re: data encryption [message #538967 is a reply to message #538965] Tue, 10 January 2012 09:40 Go to previous messageGo to next message
John Watson
Messages: 4081
Registered: January 2010
Location: Global Village
Senior Member
The Advanced Encryption Option might have been made for retro-fitting PCI compliance to existing applications, we've worked on this for clients before. It's pretty quick to do. If you need consulting help, send me a PM.
Re: data encryption [message #538974 is a reply to message #538965] Tue, 10 January 2012 10:46 Go to previous messageGo to next message
Michel Cadot
Messages: 57599
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
caprikar wrote on Tue, 10 January 2012 16:28
Hi,
I have to do this to make it PCI compliant and to protect sensitive data from all users, there should be a mechanism by which users can decrypt the data whenever they want but it has to be stored in the encrypted format.


To protect from ALL users (inside the database) there are only 2 ways:
- Encrypt in the application
- Use Database Vault

If you want to protect from ALL users outside the database (theft of data files), you also have, in the second option, to use Oracle native encryption as John mentioned.

Of course, you also have to encrypt network (using Oracle native network encryption or SSL).

Regards
Michel

Re: data encryption [message #538979 is a reply to message #538974] Tue, 10 January 2012 10:53 Go to previous messageGo to next message
John Watson
Messages: 4081
Registered: January 2010
Location: Global Village
Senior Member
Quote:
Of course, you also have to encrypt network (using Oracle native network encryption or SSL).
This is where PCI is precise: the rule is that data must be encypted while "at rest". ie, it does NOT need to be encrypted on the network or in memory, only on disc. Data Vault is not needed for PCI, because the rules are not about access at that level.

The PCI rules are strange things.
Re: data encryption [message #538982 is a reply to message #538979] Tue, 10 January 2012 11:03 Go to previous messageGo to next message
Michel Cadot
Messages: 57599
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
I don't know the PCI rules, thanks for the clarification (and I agree this is strange).

Quote:
Data Vault is not needed for PCI

In this case you can't use TDE (Transparent Data Encryption) to protect against a DBA, you have to use a custom code (DBMS_CRYPTO or application language code) unless the protection is only against file theft and not also SQL accesses.

Regards
Michel
Re: data encryption [message #539127 is a reply to message #538982] Wed, 11 January 2012 08:35 Go to previous messageGo to next message
caprikar
Messages: 222
Registered: March 2007
Senior Member
Thanks guys
Re: data encryption [message #547159 is a reply to message #539127] Tue, 13 March 2012 02:30 Go to previous message
paddysmith
Messages: 2
Registered: March 2012
Location: USA
Junior Member
Encryption methods can be SYMMETRIC in which encryption and decryption keys are the same, or ASYMMETRIC (aka 'Public Key') in which encryption and decryption keys differ. 'Public Key' methods must be asymmetric, to the extent that the decryption key CANNOT be easily derived from the encryption key. Symmetric keys, however, usually encrypt more efficiently, so they lend themselves to encrypting large amounts of data.

[Updated on: Tue, 13 March 2012 02:46] by Moderator

Report message to a moderator

Previous Topic: password problem in new database
Next Topic: Grant to Select session details
Goto Forum:
  


Current Time: Wed Apr 16 07:03:00 CDT 2014

Total time taken to generate the page: 0.13971 seconds