构筑TDE 环境的例子:
测试环境:12.1.0.2
$ cd $ORACLE_HOME/network/admin
$ vim sqlnet.ora
$ pwd
/u01/app/oracle/product/12.1.0/dbhome_1/network/admin
sqlnet.ora 需要配置:
$ cat sqlnet.ora
ENCRYPTION_WALLET_LOCATION =
(SOURCE =(METHOD = FILE)(METHOD_DATA =
(DIRECTORY = /u01/app/oracle/admin/$ORACLE_SID/encryption_keystore/)
创建相应的目录:
$ mkdir -p /u01/app/oracle/admin/$ORACLE_SID/encryption_keystore
创建 KEYSTORE:
$ sqlplus / as sysdba
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/admin/ora12102/encryption_keystore/' IDENTIFIED BY myPassword;
SQL> HOST ls /u01/app/oracle/admin/ora12102/encryption_keystore/
ewallet.p12 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< 发现生成了相关的文件
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY myPassword CONTAINER=ALL;
SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY myPassword WITH BACKUP CONTAINER=ALL;
确认结果:
SQL> SET LINESIZE 100
SQL> SELECT con_id, key_id FROM v$encryption_keys;
CON_ID
----------
KEY_ID
----------------------------------------------------------------------------------------------------
0
AclrihXAik+1vxl5oahS/ukAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0
AUgIBXZg2E9rvzdpDEfXjVIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0
AekjUfUQkE9Mv+hfTnnWDfIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SQL> SET LINESIZE 200
SQL> COLUMN wrl_parameter FORMAT A50
SQL> SELECT * FROM v$encryption_wallet;
WRL_TYPE WRL_PARAMETER
------------------------------------------------------------ --------------------------------------------------
STATUS WALLET_TYPE WALLET_ORDER
------------------------------------------------------------------------------------------ ------------------------------------------------------------ ---------------------------
FULLY_BACKED_UP CON_ID
--------------------------- ----------
FILE /u01/app/oracle/admin/ora12102/encryption_keystore
/
OPEN PASSWORD SINGLE
NO 0
SQL> CONN sys@mypdb1 AS SYSDBA
SQL> SELECT con_id, key_id FROM v$encryption_keys;
CON_ID
----------
KEY_ID
------------------------------------------------------------------------------------------------------------------------------------------------------------
0
AUgIBXZg2E9rvzdpDEfXjVIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SQL> grant dba to test identified by test;
SQL> conn test/test@mypdb1
SQL> CREATE TABLE tde_test (
id NUMBER(10),
data VARCHAR2(50) ENCRYPT
);
SQL> INSERT INTO tde_test VALUES (1, 'This is a secret!');
SQL> commit;
SQL> conn sys@mypdb1 AS SYSDBA
创建 TDE 表领域:
SQL> CREATE TABLESPACE encrypted_ts
DATAFILE '/home/oracle/tbs01.dbf' SIZE 128K
AUTOEXTEND ON NEXT 64K
ENCRYPTION USING 'AES256'
DEFAULT STORAGE(ENCRYPT);
SQL> ALTER USER test QUOTA UNLIMITED ON encrypted_ts;
然后,可以使用TDE 表领域来创建和使用表了:
SQL> CONN test/test@mypdb1
SQL> CREATE TABLE tde_ts_test (
id NUMBER(10),
data VARCHAR2(50)
) TABLESPACE encrypted_ts;
SQL> INSERT INTO tde_ts_test VALUES (1, 'This is also a secret!');
SQL> commit;
参考:https://oracle-base.com/articles/12c/multitenant-transparent-data-encryption-tde-12cr1