Re: Transparent Data Encryption

From: Stefan Knecht <knecht.stefan_at_gmail.com>
Date: Sat, 14 Mar 2015 01:46:40 +0700
Message-ID: <CAP50yQ_+AHGeU_437KWjngMBnS6apf5fqdtxdyB8bQ5MsHEW8w_at_mail.gmail.com>

What we used to do in some Swiss bank is to use USB sticks that had to be physically inserted into the server if you wanted to start the instance. Once it was up, the stick would disappear in a safety box. Copies were kept in another safe.

Though I seem to recall that a certain patch broke this, and the key is no longer guaranteed to be kept in memory, and eventually will have to be re-read. So not sure if this is still feasible today.

On Mar 13, 2015 3:33 AM, "Jeremy Schneider" <jeremy.schneider_at_ardentperf.com> wrote:

> On Thu, Mar 12, 2015 at 10:05 AM, Charles Schultz <sacrophyte_at_gmail.com>
> wrote:
> > I am very confused why RMAN does not back up the wallet if the wallet is
> > critical to the operation of the database.
>
> one very important practice - and key sentence at the quote you cited:
>
> "The Oracle wallet should not be backed up with the encrypted data.
> The wallet should be backed up separately. This is especially true
> when using the auto login wallet, which does not require a password to
> open. In case the backup tape gets lost, a malicious user should not
> be able to get both the encrypted data and the wallet."
>
>
> http://docs.oracle.com/cd/E11882_01/network.112/e40393/asotrans.htm#ASOAG9546
>
> > Database cloning is an issue as well, as we typically do several a week. I
> > have to read up, but my gut says we can use a copy of the wallet/master key.
> > I might be totally wrong, but I will find out later today when I test it. :)
>
> Yes you can copy the key. I have created data guard copies of DBs
> with wallets within the past few weeks and verified that you just copy
> the wallet over to the standby and it can open the data; same would
> apply to an outright clone. Just don't try to move an individual
> tablespace (ala TTS)... that becomes fun very quickly :)
>
> > On Thu, Mar 12, 2015 at 9:50 AM, David Mann <dmann99_at_gmail.com> wrote:
> >> Without Key Vault are folks just doing these steps manually or is there
> >> a good basic level of automation I should be striving for?
>
> Key Vault and other similar competing products are definitely nice -
> but I've also seen scripted management frameworks that automate wallet
> backups. Just remember it needs to be different destination than the
> DB backups themselves, and you'd better be very careful with
> redundancy and scripting logic... those wallets are *VERY* important
> and you must not lose them no matter what!!
>
> I don't know, but I bet some backup software solutions could also
> specify different media for db backups vs the wallet backups. Of
> course the tapes might be right next to each other so there's a risk
> of them being stolen together, but it might be good enough in some
> cases...
>
> -J
>
> --
> http://about.me/jeremy_schneider
> --
> http://www.freelists.org/webpage/oracle-l

--
http://www.freelists.org/webpage/oracle-l
Received on Fri Mar 13 2015 - 19:46:40 CET
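Jeremy's point above about scripted wallet backups (separate destination from the RMAN backups, careful verification so the wallet is never lost) can be illustrated with a small POSIX sh function. This is an added example for this archive page, not a script from the thread or from Oracle; the paths are hypothetical, and it uses the POSIX `cksum` utility for the copy check because it is available everywhere (a cryptographic hash tool can be substituted). Remember that `cwallet.sso` is the auto-login wallet and opens without a password, so the destination directory's access control matters as much as its separation from the database backups.

```sh
#!/bin/sh
# Added example (not from the oracle-l thread): copy a TDE wallet directory to a
# destination that is deliberately separate from the RMAN backup area, and verify
# each copied file before reporting success.
# Hypothetical layout assumed here:
#   WALLET_DIR      contains ewallet.p12 and/or cwallet.sso
#   DEST_DIR        wallet-only backup location (restricted permissions)
#   RMAN_BACKUP_DIR where database backups land; DEST_DIR must not be inside it

# path_inside PATH DIR: succeed (0) if PATH is DIR or lies beneath it.
path_inside() {
  case "$1/" in
    "$2"/*) return 0 ;;
    *)      return 1 ;;
  esac
}

# backup_wallet WALLET_DIR DEST_DIR RMAN_BACKUP_DIR
# Prints the directory that received the copy and returns 0 on success.
# Return codes: 1 copy/mkdir failure, 2 destination rejected, 3 verification
# failed, 4 no wallet files found.
backup_wallet() {
  wallet_dir=$1
  dest_dir=$2
  rman_dir=$3

  # The guard this thread is about: never let the wallet land next to the data.
  if path_inside "$dest_dir" "$rman_dir"; then
    echo "refusing: $dest_dir lies inside the database backup area $rman_dir" >&2
    return 2
  fi

  target="$dest_dir/wallet-$(date -u +%Y%m%dT%H%M%SZ)"
  mkdir -p "$target" || return 1
  chmod 700 "$target"   # wallet copies are as sensitive as the master key itself

  copied=0
  for f in "$wallet_dir/ewallet.p12" "$wallet_dir/cwallet.sso"; do
    [ -f "$f" ] || continue
    name=$(basename "$f")
    cp -p "$f" "$target/$name" || return 1
    # Compare CRC and byte count of source and copy; a truncated or corrupted
    # copy would be discovered now rather than at the next instance startup.
    src=$(cksum < "$f")
    dst=$(cksum < "$target/$name")
    if [ "$src" != "$dst" ]; then
      echo "verification failed for $name" >&2
      return 3
    fi
    copied=$((copied + 1))
  done

  if [ "$copied" -eq 0 ]; then
    echo "no wallet files found in $wallet_dir" >&2
    return 4
  fi

  echo "$target"
  return 0
}

# Usage (hypothetical paths):
#   backup_wallet /u01/app/oracle/admin/ORCL/wallet /secure/wallet-backups /backup/rman
```

The function returns distinct codes for "destination rejected", "verification failed" and "nothing found" so a scheduler can page on each case separately; silently succeeding with an empty backup is the failure mode the thread warns about.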
