Re: Protecting the encryption key from the DBA
Frank van Bortel wrote:
>
> I used grep -a on the datafile, expecting to find *no* match; I found
> a match, so I concluded no encryption had taken place.
>
And I shouldn't have used grep - once the table has an encrypted
column, the original data is moved - it becomes inaccessible to
Oracle, but is still in the datafile.
The block dump shows this, the grep does not - it "sees" the moved
data, and I wrongly concluded TDE did not work.
Rest assured - it does, but has side effects you should worry about.
Looking at the whole now, I would recommend:
- move the new table, with encrypted data, to a fresh tablespace
- export, recreate the original tablespace, and import
  alternatively, export/import all tables to a new tablespace, and
  trash the old datafile(s).
- take a fresh, cold backup
- trash all your previous backups.

In that way you prevent flashback queries and data mining on raw files to retrieve the unencrypted data.
-- 
Regards,
Frank van Bortel

Received on Sat Jul 23 2005 - 07:16:26 CDT
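
The raw-file check described in the post, as an added example that is not part of the original message: it scans a datafile or backup piece for a known plaintext canary and reports where each stale copy sits, so you can confirm the old files are clean before relying on the encrypted column. The function names, the canary value, the 8192-byte block size, a single-byte character set, and the mapping of byte offset divided by block size to a block number are all assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): find leftover plaintext in raw files.

# scan_datafile CANARY BLOCK_SIZE FILE
# Prints "<file> offset=<bytes> block=<n>" for every raw occurrence of CANARY.
# Returns 0 when the file is clean, 1 when plaintext is found, 2 on bad arguments.
scan_datafile() {
    canary=$1; bs=$2; file=$3
    [ -n "$canary" ] && [ "$bs" -gt 0 ] 2>/dev/null && [ -r "$file" ] || return 2
    # LC_ALL=C forces byte-wise matching on binary data.
    # -a: treat binary as text, -b: byte offset, -o: match only, -F: fixed string.
    hits=$(LC_ALL=C grep -a -b -o -F -e "$canary" "$file" | cut -d: -f1)
    [ -z "$hits" ] && return 0
    for off in $hits; do
        # Assumption: block index is simply the byte offset divided by block size.
        echo "$file offset=$off block=$((off / bs))"
    done
    return 1
}

# build_sample FILE
# Constructed test data, NOT a real Oracle datafile: four zero-filled 8 KiB
# "blocks" with one stale plaintext value left 100 bytes into block 2.
build_sample() {
    sample=$1
    dd if=/dev/zero of="$sample" bs=8192 count=4 2>/dev/null
    printf '%s' "4111-CANARY-0001" |
        dd of="$sample" bs=1 seek=$((2 * 8192 + 100)) conv=notrunc 2>/dev/null
}

# Run "sh thisfile --demo" to see a report on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    build_sample "$demo"
    if scan_datafile "4111-CANARY-0001" 8192 "$demo"; then
        echo "clean: no plaintext remnants"
    else
        echo "plaintext remnants found: relocate the data and retire this file"
    fi
    rm -f "$demo"
fi
```

A hit here only shows the bytes are still on disk; as the post notes, a block dump is what tells you whether that copy is still reachable through the database.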