加密前
准备加密HR Schema中的表。
SQL> col table_name for a20
SQL> select table_name, tablespace_name from all_tables where owner='HR';TABLE_NAME TABLESPACE_NAME
-------------------- ------------------------------
DEPARTMENTS USERS
EMPLOYEES USERS
JOBS USERS
JOB_HISTORY USERS
LOCATIONS USERS
REGIONS USERS
COUNTRIES 7 rows selected.
除COUNTRIES表的显示为null外,其余都是USERS表空间。
查文档:
NULL for partitioned, temporary, and index-organized tables
果然,他是IOT表:
SQL> select table_name from dba_tables where owner='HR' and iot_type = 'IOT';TABLE_NAME
--------------------
COUNTRIES
其表空间也是USERS:
SQL> select tablespace_name from dba_segments where segment_name = 'COUNTRIES';TABLESPACE_NAME
------------------------------
USERS
USERS表空间还没有加密:
SQL> select tablespace_name, encrypted from user_tablespaces;TABLESPACE_NAME ENC
------------------------------ ---
SYSTEM NO
SYSAUX NO
UNDOTBS1 NO
TEMP NO
USERS NO
表空间对应的数据文件:
SQL> select file_name, bytes from dba_data_files where tablespace_name = 'USERS';FILE_NAME BYTES
------------------------------------------------------------ ----------
/opt/oracle/oradata/ORCLCDB/ORCLPDB1/users01.dbf 2313420800没加密时,电话号码可以查到:
$ strings /opt/oracle/oradata/ORCLCDB/ORCLPDB1/users01.dbf |more
}|{z
ORCLCDB
USERS
AAAAAAAA
DEF,
555,
Middle East and Africa,
Asia,
Americas,
Europe
AAAAAAAA
AAAAAAAA
BelgiumArgentina
Nigeria
Malaysia
Denmark
Israel
Kuwait
Mexico
Netherlands
Switzerland
Brazil
Egypt
Zambia
Germany
France
United KingdomSingapore
ZimbabweAustralia
India
China
Canada
United States of America
Japan
Italy
AAAAAAAA
Mariano Escobedo 9991
11932
Mexico City
Distrito Federal,
Pieter Breughelstraat 837
3029SK
...$ strings /opt/oracle/oradata/ORCLCDB/ORCLPDB1/users01.dbf |grep -i 6666
603.123.6666
205-167-6666
243-589-6666
697-394-6666
355-689-6666
489-117-6666
489-117-6666
加密中
秘钥配置
还没配:
SQL> show parameter wallet_rootNAME TYPE VALUE
------------------------------------ ----------- ------------------------------
wallet_root string
SQL> show parameter tde_configurationNAME TYPE VALUE
------------------------------------ ----------- ------------------------------
tde_configuration string
为简化,key store我们选用software keystore,即wallet。复杂生产环境(多数据库配置,ADG环境)还是建议用Key Vault。
具体配的过程参见Oracle 透明数据加密(TDE)的常见任务中的配置Key Store和创建Key Store部分。
加密表空间
也可以参见Oracle 透明数据加密(TDE)的常见任务中的加解密PDB中的表空间部分。
在线加密:
SQL> alter tablespace users encryption online encrypt;Tablespace altered.Elapsed: 00:00:40.91
在线解密:
SQL> alter tablespace users encryption online decrypt;Tablespace altered.Elapsed: 00:00:18.61
离线加密:
ALTER TABLESPACE users OFFLINE NORMAL;
SQL> alter tablespace users encryption offline encrypt;Tablespace altered.Elapsed: 00:00:09.46
离线解密:
SQL> alter tablespace users encryption offline decrypt;Tablespace altered.Elapsed: 00:00:05.77
再离线加密一次,然后表空间在线:
SQL> alter tablespace users encryption offline encrypt;Tablespace altered.Elapsed: 00:00:08.94ALTER TABLESPACE users ONLINE;
加密后
加密完成了,查看状态:
SQL> select TS#, ENCRYPTIONALG, ENCRYPTEDTS, STATUS, CON_ID from V$ENCRYPTED_TABLESPACES;TS# ENCRYPT ENC STATUS CON_ID
---------- ------- --- ---------- ----------5 AES128 YES NORMAL 3SQL> select name from v$tablespace where ts# = 5;NAME
------------------------------
USERSSQL> show con_idCON_ID
------------------------------
3SQL> select ENCRYPTED from user_tablespaces where TABLESPACE_NAME = 'USERS';ENC
---
YES
数据文件的大小不变:
SQL> select file_name, bytes from dba_data_files where tablespace_name = 'USERS';FILE_NAME BYTES
------------------------------------------------------------ ----------
/opt/oracle/oradata/ORCLCDB/ORCLPDB1/users01.dbf 2313420800
验证
电话号码看不到了:
$ strings /opt/oracle/oradata/ORCLCDB/ORCLPDB1/users01.dbf |grep -i 6666
$ echo $?
1$ strings /opt/oracle/oradata/ORCLCDB/ORCLPDB1/users01.dbf |more
}|{z
ORCLCDB
USERS
?4fc
u]DRZ
>o"%
/ g~198
afkY}
@)5;
=M}'
,k2<R
Jjt
>+|}/
XE[{
6Kh!
{+4?
4d&6o9
p0kM
Tody
N{ _M
^l_'
P,Dsc
A?L&
J`"W
$<ej
6.`'
BB2X
NuX`j
\7rR
JkPI
P0=h4
ym#}d
.Ov];}B
...
