Contributions by Angela Golla
Tech Article: Oracle Transparent Data Encryption - Experience from the Trenches
One user's experience implementing Oracle TDE reveals some helpful advice about the best approach to encrypting existing data.
Wednesday, January 21, 2009
Subscribe to:
Post Comments (Atom)
Official, Youbetcha Legalese
This blog is provided for information purposes only and the contents hereof are subject to change without notice. This blog contains links to articles, sites, blogs, that are created by entities other than Oracle. These links may contain advice, information, and opinion that is incorrect or untested. This blog, links, and other materials contained or referenced in this blog are not warranted to be error-free, nor are they subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this blog, links and other materials contained or referenced in this blog, and no contractual obligations are formed either directly or indirectly by this blog, link or other materials. This blog may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission. The opinions and recommendations contained in this blog(including links) do not represent the position of Oracle Corporation.
Oracle, JD Edwards, PeopleSoft, and Siebel are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
Oracle, JD Edwards, PeopleSoft, and Siebel are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
2 comments:
When you use TDE, the keys will typically be stored on the machine in the so-called Oracle e-Wallet. While Oracle has taken it as far as they can with a software solution (and they've done a brilliant job), storing keys in software isn't best security practice because you shouldn’t keep the key and the database in the same place. When you back up the machine, the key will be backed up with the database. Also, you will find it difficult to demonstrate a separation of duties between database security administration for compliance.
Oracle 11g supports the use of hardware security modules (HSMs) that protect the keys, separate security and DB administration, and ensure that keys are never stored with the data. HSMs will also offer you to manage keys across database servers, reducing your total cost of ownership.
I work for Thales e-Security (formerly nCipher), who offers such a solution. If you’re interested, please check out: http://www.ncipher.com/en/Solutions/Business%20Solutions/Databases.aspx
Comments are moderated, and it looked like there were two identical comments, so this is the second one that was posted. Thanks for your input. I'd really like to see more discussion going on here so people can interact directly with Priority Support, other parts of Oracle and the largest group of Oracle experts in the world--our customers.
Post a Comment