Oracle 11g TDE (Transparent Data Encryption)


encryption_spec

 

The ENCRYPT clause lets you use the transparent data encryption feature to encrypt the column you are defining. You can encrypt columns of type CHAR, NCHAR, VARCHAR2, NVARCHAR2, NUMBER, DATE, LOB, and RAW. The data does not appear in its encrypted form to authorized users, such as the user who encrypts the column: the encryption is applied when data is written to disk and removed when it is read, so SQL against the column is unchanged.

 

Note: Column encryption requires that a system administrator with appropriate privileges has initialized the security module, opened a wallet, and set an encryption key. Refer to the Oracle Database Advanced Security Administrator's Guide for general information on encryption and to security_clauses on page 11-68 for the related ALTER SYSTEM statements.

 

USING 'encrypt_algorithm' Use this clause to specify the name of the algorithm to be used. Valid algorithms are AES256, AES192, AES128 and 3DES168. If you omit this clause, then the database uses AES192. If you encrypt more than one column in the same table, and if you specify the USING clause for one of the columns, then you must specify the same encryption algorithm for all the encrypted columns. 3DES168 is kept for compatibility; prefer one of the AES algorithms for new tables.

 

IDENTIFIED BY password If you specify this clause, then the database derives the column key from the specified password. The password is not itself the key: the column key derived from it is what encrypts the data. Without this clause the database generates the column key itself.

 

SALT | NO SALT By default the database appends a random string, called "salt", to the clear text of the column before encrypting it, so that two rows holding the same clear-text value do not produce the same ciphertext. This default behavior imposes some limitations on encrypted columns:

If you want to use the column as an index key, then you must specify NO SALT. Refer to the Oracle Database Advanced Security Administrator's Guide for a description of "salt" in this context. NO SALT trades that protection for indexability: equal clear-text values then produce equal ciphertext, which is exactly what an index needs and also what an attacker reading the raw blocks can observe.

If you specify SALT during column encryption, then the database does not compress the data in the encrypted column even if you specify table compression for the table. However, the database does compress data in unencrypted columns and in encrypted columns without the SALT parameter. You cannot specify SALT or NO SALT for LOB encryption.
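The USING, SALT and NO SALT clauses put to use in one table, as an added example that is not from the page or from Oracle's documentation. It assumes an 11g database whose TDE wallet is already open and holds a master key (see the SET ENCRYPTION WALLET clause under security_clauses); the HR schema, the table, column and index names, and the inserted rows are placeholders constructed for the example.

```sql
-- Added example (not from the page or Oracle's documentation). Assumes an
-- 11g database whose TDE wallet is already open and holds a master key;
-- the HR schema, table, column and index names are placeholders.

-- Two encrypted columns in one table must share an algorithm, so both say
-- AES256 explicitly instead of relying on the AES192 default.
-- ssn is NO SALT because it will be indexed; salary keeps the default SALT.
-- emp_id is a primary key, not a foreign key, so it could be encrypted too.
CREATE TABLE hr.employee_secrets (
  emp_id   NUMBER         PRIMARY KEY,
  ssn      VARCHAR2(11)   ENCRYPT USING 'AES256' NO SALT,
  salary   NUMBER(10,2)   ENCRYPT USING 'AES256',
  notes    VARCHAR2(200)
);

-- Indexing the NO SALT column works ...
CREATE INDEX hr.employee_secrets_ssn_ix ON hr.employee_secrets (ssn);
-- ... but the same statement on the salted salary column is rejected:
-- CREATE INDEX hr.employee_secrets_sal_ix ON hr.employee_secrets (salary);

-- Authorized users read and write clear text; TDE is transparent to SQL.
INSERT INTO hr.employee_secrets VALUES (1, '123-45-6789', 85000, 'constructed row');
INSERT INTO hr.employee_secrets VALUES (2, '987-65-4321', 85000, 'constructed row');
COMMIT;
SELECT emp_id, ssn, salary FROM hr.employee_secrets;

-- Confirm what is actually encrypted and how. Both salary rows hold 85000;
-- SALT guarantees the two stored ciphertexts differ, while NO SALT on ssn
-- means equal SSNs would be stored as equal ciphertext.
SELECT table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 WHERE owner = 'HR';

-- Encrypt a column that was created in clear text. The algorithm must match
-- the columns already encrypted in this table.
ALTER TABLE hr.employee_secrets MODIFY (notes ENCRYPT USING 'AES256');

-- Rotate the column key: REKEY re-encrypts every encrypted column of the
-- table with a fresh key, and the USING value applies to all of them.
ALTER TABLE hr.employee_secrets REKEY USING 'AES256';

-- Remove encryption again if a column no longer needs it.
ALTER TABLE hr.employee_secrets MODIFY (notes DECRYPT);
```

DBA_ENCRYPTED_COLUMNS is the check to run after any schema change: it reports the algorithm and the SALT setting per column, so a column that was meant to be salted but got NO SALT for the sake of an index is visible at a glance.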

 

Restrictions on encryption_clause: The following restrictions apply to column encryption:

Transparent data encryption is not supported by the traditional import and export utilities (exp and imp) or by transportable-tablespace-based export. Use the Data Pump import and export utilities with encrypted columns instead.

To encrypt a column in an external table, the table must use ORACLE_DATAPUMP as its access type.

You cannot encrypt a column in tables owned by SYS; that is, no column of any table in the SYS schema can be encrypted.

You cannot encrypt a foreign key column; a column that references another table's key cannot be encrypted.

 

security_clauses

The security_clauses let you control access to the instance. They also allow you to enable or disable access to the encrypted data in the instance.

 

RESTRICTED SESSION

The RESTRICTED SESSION clause lets you restrict logon to Oracle Database. You can use this clause regardless of whether your instance has the database dismounted or mounted, open or closed.

 

Specify ENABLE to allow only users with the RESTRICTED SESSION system privilege to log on to Oracle Database. Existing sessions are not terminated. This clause applies only to the current instance. Therefore, in an Oracle RAC environment, authorized users without the RESTRICTED SESSION system privilege can still access the database by way of other instances.

Specify DISABLE to reverse the effect of the ENABLE RESTRICTED SESSION clause, allowing all users with the CREATE SESSION system privilege to log on to Oracle Database. This is the default.
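A restricted-session maintenance window end to end, with the checks for the two caveats above (existing sessions survive; the flag is per instance), as an added example that is not from the page or from Oracle's documentation. It assumes a user with the ALTER SYSTEM privilege; OPS_ADMIN is a placeholder account.

```sql
-- Added example (not from the page or Oracle's documentation). Run as a
-- user holding ALTER SYSTEM; OPS_ADMIN is a placeholder account.

-- Put this instance into restricted mode. Existing sessions survive.
ALTER SYSTEM ENABLE RESTRICTED SESSION;

-- Verify: LOGINS flips from ALLOWED to RESTRICTED on this instance only.
SELECT instance_name, logins FROM v$instance;

-- Who is still connected? Restricted mode evicts nobody; kill sessions
-- explicitly if the maintenance window requires an empty instance.
SELECT sid, serial#, username, program
  FROM v$session
 WHERE username IS NOT NULL
   AND username <> USER;
-- ALTER SYSTEM KILL SESSION 'sid,serial#' IMMEDIATE;   -- one per row above

-- Let the maintenance account in while everyone else is locked out.
GRANT RESTRICTED SESSION TO ops_admin;

-- RAC caveat: the flag is per instance. Check every instance and repeat the
-- ENABLE on each one, otherwise ordinary CREATE SESSION users simply
-- connect to an instance that still shows ALLOWED.
SELECT inst_id, instance_name, logins FROM gv$instance;

-- Back to the default: CREATE SESSION is enough to log on again.
ALTER SYSTEM DISABLE RESTRICTED SESSION;
REVOKE RESTRICTED SESSION FROM ops_admin;
```

The GV$INSTANCE query is the one worth keeping in a runbook: a single-instance check against V$INSTANCE looks green while the other RAC nodes keep accepting logins.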

 

SET ENCRYPTION WALLET Clause Use this clause to manage database access to the transparent data encryption (TDE) master encryption key. The TDE master encryption key is stored in an external security module, which can be an encryption wallet or a Hardware Security Module (HSM). Although this statement begins with the keyword ALTER, an ALTER SYSTEM SET ENCRYPTION WALLET statement is not a DDL clause. However, you cannot roll back such a statement. Although this clause begins with the SET keyword, do not confuse it with the alter_system_set_clause on page 11-70, which allows you to use the SET keyword to set the value of initialization parameters. ENCRYPTION WALLET is not an initialization parameter.

OPEN When you specify this clause, the database uses the specified password to open the encryption wallet or HSM and load the TDE master key into database memory for the duration of the instance, that is, until the instance is shut down or the wallet is closed.

Specify wallet_password to retrieve the master encryption key from the encryption wallet. If the encryption wallet is not available or is already open, then the database returns an error. The double quotation marks around wallet_password are required.

Specify HSM_credentials to make the HSM accessible. HSM_credentials is of the form "user_id:password" where:

See Also: "Restricting Sessions: Example" on page 11-74
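The wallet lifecycle that the Note under encryption_spec requires before any column can be encrypted, and that the SET ENCRYPTION WALLET clause above describes, as an added example that is not from the page or from Oracle's documentation. It assumes an 11g Release 2 instance, a SYSDBA session, and uses placeholder paths, passwords and HSM credentials.

```sql
-- Added example (not from the page or Oracle's documentation). Paths,
-- passwords and the HSM credentials are placeholders. Run as SYSDBA (assumed).

-- 0. sqlnet.ora tells the database where the external security module is.
--    File wallet:
--      ENCRYPTION_WALLET_LOCATION=
--        (SOURCE=(METHOD=FILE)
--          (METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/orcl/wallet)))
--    HSM instead of a file wallet:
--      ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM))

-- 1. First time only: create the wallet (if absent) and the TDE master key.
--    This also leaves the wallet open. The double quotes are required.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Wallet#Pass2024";

-- 2. After every instance restart: open the wallet so the master key is
--    back in memory. Running this while it is already open returns an error,
--    as does running it when the wallet file is missing or unreadable.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Wallet#Pass2024";

--    With an HSM the credential is "user_id:password" in place of the
--    wallet password:
-- ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "hsm_dbuser:HsmPass2024";

-- 3. Verify before touching encrypted tables: STATUS must be OPEN.
--    WRL_TYPE shows FILE or HSM, WRL_PARAMETER the configured location.
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

-- 4. Close it when the key must leave memory. Encrypted columns are then
--    unreadable until the next OPEN. This is not DDL and cannot be rolled back.
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "Wallet#Pass2024";
```

The CLOSE form with IDENTIFIED BY is the 11.2 syntax; 11.1 closes the wallet without a password. Two operational caveats: the wallet file must be backed up separately from the database, because losing it makes every encrypted column unrecoverable, and if an auto-login wallet is configured so the database can open it without a password, anyone who can read the wallet directory can do the same, so the directory permissions matter as much as the password.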
