Simple Transparent Data Encryption (TDE) Questions
Date: Tue, 16 Dec 2014 13:25:09 -0600
Message-ID: <CAP79kiS3z1Fq+=RaNmcSAYrrG67sxsm=une+xwjxxaLWE5vkJQ_at_mail.gmail.com>
I'm hoping you guys can help me out here as I'm dipping my toes in the Data Encryption pool. What I'm looking for is a high level answer to the questions below *while* I read through the Advanced Security documentation.
I understand that TDE has 2 potential components - Tablespace Encryption and Table/Column Encryption.
I understand (I think) that Tablespace Encryption is invisible to applications & users - the data in encrypted as it is written to database files and unencrypted when the database engine reads that data back into the database as part of a query.
Now my questions are related to TABLE/COLUMN encryption and I'm a looking for a 10,000 foot view answer right now (not a highly detailed answer):
Questions:
1.) With TDE on Tables/Columns, and using a wallet that is setup, how does
a SPECIFIC user/application interface with the data that is encrypted and
authenticate to see the unecrypted data?
Example:
UNauthorized UserA looks up a Credit Card Number in TableA and sees data
that is encrypted and cannot read the number.
AUthorized UserB/Application looks up a CC# in TableA and sees the unecrypted data and can continue processing it in a meaningful way.
What I'm trying to figure out is if AUTHORIZED users/applications have to unlock the data (or re-authorize) each time they login to the database, or what? How do they "unlock" the data - an automated wallet setup, or do they have to execute a pl/sql block to authenticate?
2.) Can you use both Tablespace Encryption and Table/Column encryption? I'm curious how they work together if both are in use - is the data double encrypted when it gets written to disk?
Thanks for any help!!!
Chris Taylor
-- http://www.freelists.org/webpage/oracle-lReceived on Tue Dec 16 2014 - 20:25:09 CET