Re: Transparent Data Encryption

From: Charles Schultz <sacrophyte_at_gmail.com>
Date: Thu, 12 Mar 2015 10:05:08 -0500
Message-ID: <CAPZQniXnXWLto1GNjQoR3wxqHnV=5EH1VJ3c+rusAVmEPnRSFw_at_mail.gmail.com>

I was just thinking about long-term LTC myself. The documentation for backup/recovery of the keys makes my head hurt:

http://docs.oracle.com/cd/E11882_01/network.112/e40393/asotrans.htm#ASOAG9548

I am very confused why RMAN does not back up the wallet if the wallet is critical to the operation of the database. But in any event, in my dream I would store all my wallets in the default location ($ORACLE_BASE/admin/$ORACLE_SID/wallet/) and just back up the wallet at the default location whenever I do a database backup; if there is no wallet, no backup of the wallet, no problem.

Database cloning is an issue as well, as we typically do several a week. I have to read up, but my gut says we can use a copy of the wallet/master key. I might be totally wrong, but I will find out later today when I test it. :)

By the way, Jeremy, I think some of your observations might be wrong or slightly incorrect. :) For instance, querying V$ENCRYPTION_WALLET does not seem to trigger an open of the wallet for me (11.2.0.4); it merely reports the status of the wallet, which is good. V$WALLET seems totally useless to me.

On Thu, Mar 12, 2015 at 9:50 AM, David Mann <dmann99_at_gmail.com> wrote:

> Thanks Jeremy for your insights and Charles for your questions.
>
> I'm moving forward with working TDE support into an 11gR2 project as well.
>
> Implementation and care and feeding of the wallets when creating, cloning,
> etc. has been going OK. I haven't found enough people that use it in order
> to discuss long term handling of the wallets with.
>
> As we only have a handful of databases (<5% of enterprise) which will be
> using TDE we can't justify the expense of Key Vault or other 3rd party
> products. I want to protect the wallets at a local and remote site but my
> challenge is getting the DB ops teams to make sure when they get a ticket
> that they know they are operating on a TDE encrypted database and they
> should backup the wallet at key times (after creation, before/after
> password changes, etc).
>
> I had a dream about a shell script which would return TDE status of a
> database and offer to make a backup of the wallet to a secure area. Without
> Key Vault are folks just doing these steps manually or is there a good
> basic level of automation I should be striving for?
>
> -Dave
>
> --
> Dave Mann
> General Geekery | www.brainio.us
> Database Geekery | www.ba6.us | _at_ba6dotus | http://www.ba6.us/rss.xml
>

-- 
Charles Schultz
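As an added example (not code from either poster), here is the shape of the wallet check and backup-to-a-secure-area step the thread is discussing: it assumes the default wallet location quoted above, the standard wallet file names ewallet.p12 and cwallet.sso, and a destination directory, archive naming scheme and sha256 sidecar that are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the thread's authors): locate the TDE wallet at the
# default location named in the thread, report whether one exists, and copy it
# to a secure backup area alongside a database backup. Destination path,
# archive naming and the sha256 sidecar are this example's own conventions.

# Default wallet location quoted in the thread; ORACLE_BASE and ORACLE_SID must be set.
tde_wallet_dir() {
  printf '%s/admin/%s/wallet\n' "${ORACLE_BASE:?}" "${ORACLE_SID:?}"
}

# Print one of: ewallet (encryption wallet present), autologin-only
# (cwallet.sso without ewallet.p12), none (directory empty or missing).
tde_wallet_status() {
  if [ -f "$1/ewallet.p12" ]; then echo ewallet
  elif [ -f "$1/cwallet.sso" ]; then echo autologin-only
  else echo none
  fi
}

# backup_tde_wallet WALLET_DIR DEST_DIR
# Archive the wallet directory into DEST_DIR (mode 700) as a 0600 tarball with a
# sha256 sidecar, and print the archive path. With no wallet present, print
# nothing and return 0 ("no wallet, no backup, no problem").
backup_tde_wallet() {
  dir=$1 dest=$2
  if [ "$(tde_wallet_status "$dir")" = none ]; then
    return 0
  fi
  mkdir -p "$dest" && chmod 700 "$dest" || return 1
  name="wallet_${ORACLE_SID:-unknownsid}_$(date -u +%Y%m%dT%H%M%SZ).tar"
  ( umask 077 && tar -cf "$dest/$name" -C "$dir" . ) || return 1
  ( cd "$dest" && sha256sum "$name" > "$name.sha256" ) || return 1
  printf '%s/%s\n' "$dest" "$name"
}

# Usage (run right after the RMAN backup step; paths are assumptions):
#   backup_tde_wallet "$(tde_wallet_dir)" /secure/wallet-backups/"$ORACLE_SID"
```

The archive contains the key material itself, so the destination should be readable only by the DBA role that restores it, and the wallet password should be recorded somewhere other than that same backup location.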

--
http://www.freelists.org/webpage/oracle-l
Received on Thu Mar 12 2015 - 16:05:08 CET