Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.tools -> Re: Are there inherent or 3rd-party tools for encrypting data inOracle?

Re: Are there inherent or 3rd-party tools for encrypting data inOracle?

From: John Peterson <johnp_at_azstarnet.com>
Date: Fri, 23 Feb 2001 08:42:46 -0700
Message-ID: <t9d17mjo3v5mca@corp.supernews.com> 






Hello, Mark!



Thank you for your detailed reply!  I had a couple of additional questions,
please see inline:



"Mark Townsend" <markbtownsend_at_home.com> wrote in message
news:B6BB31C5.3BE2%markbtownsend_at_home.com...



> Oracle8i Release 3 (8.1.7) offers a data encryption package that can be

 used


> to selectively encrypt data in the database called DBMS_OBFUSTICATION.




Aha!  That sounds promising!  I'd much prefer to use something inherent to
Oracle8i, if at all possible.  I haven't yet begun searching for a
third-party tool to help with our encryption scenario, but maybe it will be
moot.  :-)



> However, the operative word is selectively. You do not want to encrypt all

> data for a number of reasons:-

> 1) Encrypting any data column that is involved in an index or a query path

> will cause a performance degradation. Selective column encryption is

> designed for sensitive data that needs to be kept private from DBA's,

 other


> users etc - i.e Social Security numbers, Credit Card numbers etc. It's not

> designed to just encrypt all data in the database

> 2) At this stage, it's not going to be transparent to the application -

 you


> will need to manage the encryption keys yourself (i.e outside of the

> database) and the application will need to be changed to encyrpt and

 decypt


> the data on every SELECT and DML operation. You must also back up the

> encryption keys yourself (if you lose them, the data cannot be decrypted)




Agreed.  Good point about the concerns regarding disaster recovery and
encryption.  I hadn't considered that.



> For on-the-wire encryption between the client and the database, look at

 the


> capabilities provided by the Advanced Security Option in Oracle8i (and

 also


> earlier versions). Note that this is a chargeable item




Ah!  That's interesting!  I'll refer to the URLs you provided and see how
the pricing is structured with this Advanced Security Option.  If it isn't
too costly, a combination of this and the DBMS_OBFUSTICATION feature just
might fit the bill!



> Also look at the virtual private database capabilities in Oracle8i. While

> not data encryption, it does allow you to apply granular security policies

> to rows of data, which may be all you need to satisfy your users

> requirements




Will do!



> For an overview of all of the above, have a look at

> http://www.oracle.com/ip/solve/security/index.html

>

> For some examples and more technical content, see (you will need a free

> account)

> http://technet.oracle.com/deploy/security/

>


 http://technet.oracle.com/sample_code/deploy/security/sample_code_index.htm


> http://technet.oracle.com/doc/oracle8i_816/network.816/index.htm

> http://technet.oracle.com/products/oracle8i/pdf/816isdfo.pdf



> http://technet.oracle.com/products/oracle8i/pdf/816scnew.pdf

> http://technet.oracle.com/products/oracle8i/pdf/eu.pdf




Thank you again for your help!  I'll certainly be visiting these URLs for a
more detailed description of these features.  :-)



John Peterson



> > From: "John Peterson" <johnp_at_azstarnet.com>

> > Organization: Posted via Supernews, http://www.supernews.com

> > Newsgroups:

> >



comp.databases.oracle.misc,comp.databases.oracle.server,comp.databases.oracl
e.


> > tools

> > Date: Thu, 22 Feb 2001 21:09:06 -0700

> > Subject: Are there inherent or 3rd-party tools for encrypting data in

 Oracle?


> >

> > Hello, all!

> >

> > Please forgive my extensive cross-posting, but I wasn't certain what

 forum


> > to post my question.  This is my first visit to these groups, but I hope

 to


> > become a "regular" (and better determine where to place my posts in the

> > future ;-).

> >

> > My background in databases has been largely limited to Microsoft SQL

 Server,


> > but I have started a new job with a company that uses Oracle 8i on Red

 Hat


> > Linux 6.2.  As such, I'm trying to learn as much as I can about Oracle

 using


> > my knowledge of SQL Server as sort of a starting point.  ;-)

> >

> > I have been tasked to investigate the feasibility of encrypting data in

> > Oracle.  Are there any tools (off-the-shelf or internal to Oracle) that

> > might help to accomplish this?  We use JDBC as our data access

 mechanism, so


> > we would prefer to NOT have to change the application, but to arrange

 for


> > the data to be encrypted between the Client Library (JDBC in our

> > application) and the Oracle server (we want the data across the wire to

 be


> > encrypted AND the data on the disk to be encrypted).

> >

> > Also, I would appreciate any thoughts as to the pros/cons of this

 approach.


> > My natural inclination is to NOT encrypt the data in the database, but

> > rather to rely on the security safeguards that are in place with the

> > operating system and the database server.  It seems to me that it would

 be


> > difficult to perform OLAP tasks or determine data patterns on data

 that's


> > encrypted (even partially), not to mention the performance ramifications

 of


> > said.  However, our "hands may be tied", as this is a client imperative.

> > But, I'm hopeful that with some compelling evidence (one way or

 another),


> > they might change their stance accordingly.

> >

> > Thank you in advance for your time!  :-)

> >

> > John Peterson

> >

> >

>

Received on Fri Feb 23 2001 - 09:42:46 CST












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US