Re: Protecting the encryption key from the DBA
Maxim Demenko wrote:
> Frank van Bortel wrote:
>
>> You only failed to show the correct blocks: in your encrypted
>> part, you show the blocks from CC14BC0 onward, while the
>> unencrypted part starts at CC14BB0.
>>
Yes - and the 'm' on the next line.
> In encrypted part those offsets are not shown explicitly
> because they are zeroed.
>
> CC12C80 00000000 00000000 00000000 00000000 [................]
> Repeat 499 times
> CC14BC0 02012C00 3402C102 EDE7161B 5DA564F3 [.,.....4.....d.]]
>
> 0xCC12C80 + ( 499 * 16 ) = 0xCC14BB0,
> that means the line starting with offset 0xCC14BB0 is the same as line
> starting with offset 0xCC12C80.
>
> Can you now point me, where I failed to show the correct blocks?
> On another side, I am wondering, why you got a match (I could assume
> an accident if that were such short and very common string as mine, but
> you had in your example relatively long sentences...) I'll try to reproduce
> your situation. Maybe in your case however the blocks were not yet
> written to file - you did not provide much details to your tests.
> Nevertheless, I think, to have a look on the blockdump is more
> precise than to grep a whole datafile.
The first has a .. repeat 499 times, the second repeat 498.
So I did not see any data - and expected to see data (be it
encrypted - it would still be there, and not nulled).
>
> Additionally, I would like to know one thing more ;-)
> Could you access the encrypted table after wallet was closed or have I
> misunderstood it? I got an ORA-28365 in that case... I mean the table
> can be accessed, if encrypted columns are excluded from select list, but
> not for select *
>
> Best regards
>
> Maxim
>
Yes - whatever I tried, I still got access to the data. But I have an auto-login wallet. Still have to set things up without an auto login wallet. Until then... see vanbortel.blogspot.com for what I did.
I would expect 28365 (The security module wallet has not been opened.), but never got it. Would have loved it, actually, as I would see that as an indication of TDE working.
Right now, I've been busy with HTMLDB and FOP in an Apache standalone environment, not much time for TDE; maybe the weekend.
--
Regards,
Frank van Bortel

Received on Thu Jul 21 2005 - 13:46:19 CDT
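
The offset arithmetic argued over in this thread can be checked mechanically. The following is an added example, not part of the original posts: it parses the three dump lines quoted above, expands the "Repeat N times" line, and reports the zeroed address range and any address discontinuity. The line layout (hex address, four 32-bit words, bracketed ASCII column, 16 bytes per line) is assumed from those three lines only, and the function names are hypothetical.

```python
import re

ROW = 16  # bytes per dump line: four 32-bit words (assumed from the quoted lines)
LINE = re.compile(r"^([0-9A-Fa-f]+)((?: [0-9A-Fa-f]{8}){4})\s+\[(.*)\]$")
REPEAT = re.compile(r"^Repeat (\d+) times$")

# The three dump lines quoted in the post.
SAMPLE = """\
CC12C80 00000000 00000000 00000000 00000000 [................]
Repeat 499 times
CC14BC0 02012C00 3402C102 EDE7161B 5DA564F3 [.,.....4.....d.]]
"""

def expand(dump_text):
    """Parse the dump into runs of [first_addr, last_addr, words]."""
    runs = []
    for raw in dump_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        rep = REPEAT.match(line)
        if rep:
            if not runs:
                raise ValueError("'Repeat' with no preceding line")
            # The previous line occurs N more times, 16 bytes apart.
            runs[-1][1] += int(rep.group(1)) * ROW
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised dump line: {line!r}")
        addr = int(m.group(1), 16)
        runs.append([addr, addr, m.group(2).split()])
    return runs

def gaps(runs):
    """(expected, actual) address pairs where a printed line does not follow on."""
    return [(prev[1] + ROW, nxt[0])
            for prev, nxt in zip(runs, runs[1:]) if nxt[0] != prev[1] + ROW]

def zeroed_ranges(runs):
    """Inclusive byte ranges covered by all-zero lines."""
    return [(first, last + ROW - 1) for first, last, words in runs
            if all(w == "00000000" for w in words)]

if __name__ == "__main__":
    runs = expand(SAMPLE)
    for lo, hi in zeroed_ranges(runs):
        print(f"zeroed: {lo:X}..{hi:X}")
    print("gaps:", [(f"{e:X}", f"{a:X}") for e, a in gaps(runs)])
```

On the quoted lines the zeroed run ends at the line starting 0xCC14BB0 and the next printed line follows directly; with a constructed repeat count of 498 instead, the same check reports one missing line at 0xCC14BB0.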