Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.server -> Re: Protecting the encryption key from the DBA

Re: Protecting the encryption key from the DBA

From: Frank van Bortel <frank.van.bortel_at_gmail.com>
Date: Sat, 23 Jul 2005 14:16:26 +0200
Message-ID: <dbtc2u$b1l$1@news4.zwoll1.ov.home.nl>


Frank van Bortel wrote:

>
> I used grep -a on the datafile, expecting to find *no* match; I found
> a match, so I concluded no encryption had taken place.
>

And I shouldn't have used grep - once the table has an encrypted column, the original data is moved - it becomes inaccessible to Oracle, but is still in the datafile.
The block dump shows this, the grep does not - it "sees" the moved data, and I wrongly concluded TDE did not work. Rest assured - it does, but has side effects you should worry about.

Looking at the whole now, I would recommend:
- move the new table, with encrypted data, to a fresh tablespace
- export, recreate the original tablespace, and import; alternatively, export/import all tables to a new tablespace, and trash the old datafile(s).
- take a fresh, cold backup
- trash all your previous backups.

In that way you prevent flashback queries and data mining on raw files to retrieve the unencrypted data.

-- 
Regards,
Frank van Bortel
Received on Sat Jul 23 2005 - 07:16:26 CDT
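
The raw-file check described in the post, as an added example that is not part of the original message: it scans a datafile or backup piece for a known marker value and reports the byte offset and block index of every hit, so each hit can be compared against a block dump instead of being read as "encryption failed". The 8192-byte block size, the marker value, the file name and the function names are assumptions made for this sketch.

```python
import os
import tempfile

BLOCK_SIZE = 8192  # assumption: set this to the database's db_block_size


def find_plaintext(path, marker, block_size=BLOCK_SIZE, chunk=1 << 20):
    """Return [(byte_offset, block_index), ...] for every occurrence of marker."""
    hits = []
    overlap = len(marker) - 1
    with open(path, "rb") as f:
        base, buf = 0, b""          # base = file offset of buf[0]
        while True:
            data = f.read(chunk)
            if not data:
                break
            buf += data
            i = buf.find(marker)
            while i != -1:
                hits.append((base + i, (base + i) // block_size))
                i = buf.find(marker, i + 1)
            # Keep the tail so a marker split across two reads is still found.
            keep = buf[-overlap:] if overlap else b""
            base += len(buf) - len(keep)
            buf = keep
    return hits


def build_sample(path, marker):
    """Constructed 5-block file: one stale copy in block 3, one across a 4 KiB boundary."""
    img = bytearray(5 * BLOCK_SIZE)
    for off in (4090, 3 * BLOCK_SIZE + 100):
        img[off:off + len(marker)] = marker
    with open(path, "wb") as f:
        f.write(img)


if __name__ == "__main__":
    marker = b"CANARY-4111-0001"    # constructed value inserted before encrypting
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "users01.dbf")   # hypothetical file name
        build_sample(sample, marker)
        for off, blk in find_plaintext(sample, marker, chunk=4096):
            print(f"plaintext at byte {off} (block {blk})")
```

An empty result on the new datafiles and on every retained backup is the outcome the recommendations above aim for. A different character set or compression would hide a match, so an empty result is evidence rather than proof.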
