oracle Wallet的使用(即内部加密技术TDE(Transparent Data Encryption ))

1. TDE是Oracle10gR2中推出的一个新功能,使用时要保证Oracle版本是在10gR2或者以上

--查看oracle版本:

select * from v$version;

2、创建一个新目录,并指定为Wallet目录

D:\oracle\product\10.2.0\admin\ora10\ora_wallet

3. 设置wallet目录,在参数文件sqlnet.ora中(window+f,在你安装盘区查找sqlnet.ora),按照下面的格式加入信息:

ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)

(METHOD_DATA=(DIRECTORY=D:\oracle\product\10.2.0\admin\ora10\ora_wallet)))

4. 创建master key文件,指定wallet密码,使用SYS用户登入系统,建立加密文件

SQL> alter system set encryption key identified by "wallet";

System altered

-- 密码"wallet"不加引号时,后面使用时也不需要用引号

此时在设置的目录下,多出一个Personal Information Exchange类型的文件,相当于我们生成的master key文件。D:\oracle\product\10.2.0\admin\ora10\ora_wallet\ewallet.p12

5、启动、关闭Wallet

SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet";

ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet"

ORA-28354: wallet 已经打开

SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE; --关闭

System altered

SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet"; --打开

System altered

到此,已经成功配置了Wallet,创建了master key。

使用datapump传输加密表请先确认TDE Encryption wallet状态 2014-10-07 17:30:02

分类: Oracle

这里讨论的是列加密模式,即具有TDE encrypted column的表如何在源库、目标库之间通过expdp、impdp进行传输。前提是源库和目标库上的encryption wallet都必须处于open状态,如果源库或者目标库有任何一侧的wallet没有open,都会引起导入或者导出操作的失败。以下列举了容易引起导入导出失败的一些场景,帮我们更进一步的理解TDE的工作过程。

场景1:导出时源库encryption wallet处于open状态,不对导出的dumpfile文件进行加密;导入时目标库wallet处于open状态

---源库wallet处于open状态下进行导出

alter system set encryption wallet open identified by "tde_1234";

select * from v$encryption_wallet;

WRL_TYPE

--------------------

WRL_PARAMETER

--------------------------------------------------------------------------------

STATUS

------------------

file

/oradata06/wallet

OPEN

create table t13 (c1 varchar2(1) encrypt,c2 varchar2(2)) tablespace ts_info_dat_01;

insert into t13 values('A','11');

commit;

expdp scott/abcd_1234 directory=hisdmp dumpfile=t13.dmp tables=t13 logfile=exp_t13.log reuse_dumpfiles=yes

Starting "SCOTT"."SYS_EXPORT_TABLE_01": scott/******** directory=hisdmp dumpfile=t13.dmp tables=t13 logfile=exp_t13.log reuse_dumpfiles=yes

Estimate in progress using BLOCKS method...

Processing object type TABLE_EXPORT/TABLE/TABLE_DATA

Total estimation using BLOCKS method: 8 MB

Processing object type TABLE_EXPORT/TABLE/TABLE

. . exported "SCOTT"."T13" 5.406 KB 1 rows

ORA-39173: Encrypted data has been stored unencrypted in dump file set.

Master table "SCOTT"."SYS_EXPORT_TABLE_01" successfully loaded/unloaded

******************************************************************************

Dump file set for SCOTT.SYS_EXPORT_TABLE_01 is:

/oradata01/hisdmp/monthly/t13.dmp

Job "SCOTT"."SYS_EXPORT_TABLE_01" completed with 1 error(s) at 16:21:16

scp /oradata01/hisdmp/monthly/t13.dmp oracle@10.10.141.221:/oradata01/hisdmp/monthly/

---目标库wallet处于open状态,成功导入

alter system set encryption wallet open identified by "tde_1234";

select * from v$encryption_wallet;

WRL_TYPE

--------------------

WRL_PARAMETER

--------------------------------------------------------------------------------

STATUS

------------------

file

/oradata06/wallet

OPEN

impdp scott/abcd_1234 directory=hisdmp dumpfile=t13.dmp tables=t13 logfile=imp_t13.log

Master table "SCOTT"."SYS_IMPORT_TABLE_01" successfully loaded/unloaded

Starting "SCOTT"."SYS_IMPORT_TABLE_01": scott/******** directory=hisdmp dumpfile=t13.dmp tables=t13 logfile=imp_t13.log

Processing object type TABLE_EXPORT/TABLE/TABLE

Processing object type TABLE_EXPORT/TABLE/TABLE_DATA

. . imported "SCOTT"."T13" 5.406 KB 1 rows

Job "SCOTT"."SYS_IMPORT_TABLE_01" successfully completed at 16:20:47

场景2:导出时源库encryption wallet处于open状态,不对导出的dumpfile文件进行加密;导入时目标库wallet处于close状态

---源库wallet处于open状态下进行导出

步骤同场景1

--目标库wallet处于close状态,导入失败

alter system set encryption wallet close identified by "tde_1234";

select * from v$encryption_wallet;

WRL_TYPE

--------------------

WRL_PARAMETER

--------------------------------------------------------------------------------

STATUS

------------------

file

/oradata06/wallet

CLOSED

---ORA-28365因wallet close所以无法创建encrypted column

impdp scott/abcd_1234 directory=hisdmp dumpfile=t13.dmp tables=t13 logfile=imp_t13.log;

Master table "SCOTT"."SYS_IMPORT_TABLE_01" successfully loaded/unloaded

Starting "SCOTT"."SYS_IMPORT_TABLE_01": scott/******** directory=hisdmp dumpfile=t13.dmp tables=t13 logfile=imp_t13.log

Processing object type TABLE_EXPORT/TABLE/TABLE

ORA-39083: Object type TABLE:"SCOTT"."T13" failed to create with error:

ORA-28365: wallet is not open

Failing sql is:

CREATE TABLE "SCOTT"."T13" ("C1" VARCHAR2(1 BYTE) ENCRYPT USING 'AES192' 'SHA-1', "C2" VARCHAR2(2 BYTE)) SEGMENT CREATION IMMEDIATE PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 NOCOMPRESS LOGGING STORAGE(INITIAL 8388608 NEXT 8388608 MINEXTENTS 1 MAXEXTENTS 2147483645 PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1 BUFFER_POOL DEFAULT FLASH_CACHE DEFAULT CELL_FLASH_CACHE DEFAULT) TABLESPACE "TS_

Processing object type TABLE_EXPORT/TABLE/TABLE_DATA

Job "SCOTT"."SYS_IMPORT_TABLE_01" completed with 1 error(s) at 16:22:17

场景3:导出时源库encryption wallet处于close状态,不对导出的dumpfile文件进行加密;导入时目标库wallet处于open状态

---源库导出时wallet处于close状态

alter system set encryption wallet open identified by "tde_1234";

select * from v$encryption_wallet;

WRL_TYPE

--------------------

WRL_PARAMETER

--------------------------------------------------------------------------------

STATUS

------------------

file

/oradata06/wallet

OPEN

create table t14 (c1 varchar2(1) encrypt,c2 varchar2(2)) tablespace ts_info_dat_01;

insert into t14 values('B','22');

commit;

alter system set encryption wallet close identified by "tde_1234";

select * from v$encryption_wallet;

WRL_TYPE

--------------------

WRL_PARAMETER

--------------------------------------------------------------------------------

STATUS

------------------

file

/oradata06/wallet

CLOSED

---因为wallet处于close,所以无法对表中加密列的数据进行解密,在接下来导入的时候可以看到仅导入了表结构

expdp scott/abcd_1234 directory=hisdmp dumpfile=t14.dmp tables=t14 logfile=exp_t14.log reuse_dumpfiles=yes;

Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production

With the Partitioning, OLAP, Data Mining and Real Application Testing options

Starting "SCOTT"."SYS_EXPORT_TABLE_01": scott/******** directory=hisdmp dumpfile=t14.dmp tables=t14 logfile=exp_t14.log reuse_dumpfiles=yes

Estimate in progress using BLOCKS method...

Processing object type TABLE_EXPORT/TABLE/TABLE_DATA

Total estimation using BLOCKS method: 8 MB

Processing object type TABLE_EXPORT/TABLE/TABLE

ORA-31693: Table data object "SCOTT"."T14" failed to load/unload and is being skipped due to error:

ORA-29913: error in executing ODCIEXTTABLEPOPULATE callout

ORA-28365: wallet is not open

ORA-39173: Encrypted data has been stored unencrypted in dump file set.

Master table "SCOTT"."SYS_EXPORT_TABLE_01" successfully loaded/unloaded

******************************************************************************

Dump file set for SCOTT.SYS_EXPORT_TABLE_01 is:

/oradata01/hisdmp/monthly/t14.dmp

Job "SCOTT"."SYS_EXPORT_TABLE_01" completed with 2 error(s) at 16:31:12

scp /oradata01/hisdmp/monthly/t14.dmp oracle@10.10.141.221:/oradata01/hisdmp/monthly/

---目标库导入

alter system set encryption wallet open identified by "tde_1234";

select * from v$encryption_wallet;

WRL_TYPE

--------------------

WRL_PARAMETER

--------------------------------------------------------------------------------

STATUS

------------------

file

/oradata06/wallet

OPEN

---导入部分成功,字段维持加密状态

impdp scott/abcd_1234 directory=hisdmp dumpfile=t14.dmp tables=t14 logfile=imp_t14.log

Master table "SCOTT"."SYS_IMPORT_TABLE_01" successfully loaded/unloaded

Starting "SCOTT"."SYS_IMPORT_TABLE_01": scott/******** directory=hisdmp dumpfile=t14.dmp tables=t14 logfile=imp_t14.log

Processing object type TABLE_EXPORT/TABLE/TABLE

Job "SCOTT"."SYS_IMPORT_TABLE_01" successfully completed at 16:32:50

select owner,table_name,column_name from dba_encrypted_columns where table_name='T14';

OWNER TABLE_NAME COLUMN_NAME

------------------------------ ------------------------------ ------------------------------

SCOTT T14 C1

---但查询无内容,只把表结构导入了进来,没有任何数据

select * from scott.t14

no rows selected

---检查t14表的加密key并和orapki命令输出的相比较,impdp后表encrypted column自动使用了目标库的masterkey进行加密,证明源和目标库上的masterkey无需保持一致

col object_name format a13

col owner format a13

set linesize 120

select obj#,mkeyid,object_name,owner from enc$,dba_objects where object_id=obj#;

OBJ# MKEYID OBJECT_NAME OWNER

---------- ---------------------------------------------------------------- ------------- -------------

5553580 AZHXajyQJ08Iv5X80kXWLBQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA T14 SCOTT

orapki wallet display -wallet /oradata06/wallet

Requested Certificates:

Subject: CN=oracle

User Certificates:

Oracle Secret Store entries:

ORACLE.SECURITY.DB.ENCRYPTION.AZHXajyQJ08Iv5X80kXWLBQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY

ORACLE.SECURITY.TS.ENCRYPTION.BS8N9QmwrZrPOcpY6aJPnZYCAwAAAAAAAAAAAAAAAAAAAAAAAAAA

Trusted Certificates:

场景4:导出时源库encryption wallet处于close状态,不对导出的dumpfile文件进行加密;导入时目标库wallet处于close状态

---源库导出时wallet处于close状态

导出步骤同场景3,

---目标库导入

alter system set encryption wallet close identified by "tde_1234";

select * from v$encryption_wallet;

WRL_TYPE

--------------------

WRL_PARAMETER

--------------------------------------------------------------------------------

STATUS

------------------

file

/oradata06/wallet

CLOSED

drop table scott.t14;

***目标库的encryption wallet close,出现ORA-28353在意料之中

impdp scott/abcd_1234 directory=hisdmp dumpfile=t14.dmp tables=t14 logfile=imp_t14.log

Master table "SCOTT"."SYS_IMPORT_TABLE_01" successfully loaded/unloaded

Starting "SCOTT"."SYS_IMPORT_TABLE_01": scott/******** directory=hisdmp dumpfile=t14.dmp tables=t14 logfile=imp_t14.log

Processing object type TABLE_EXPORT/TABLE/TABLE

ORA-39083: Object type TABLE:"SCOTT"."T14" failed to create with error:

ORA-28365: wallet is not open

Failing sql is:

CREATE TABLE "SCOTT"."T14" ("C1" VARCHAR2(1 BYTE) ENCRYPT USING 'AES192' 'SHA-1', "C2" VARCHAR2(2 BYTE)) SEGMENT CREATION IMMEDIATE PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 NOCOMPRESS LOGGING STORAGE(INITIAL 8388608 NEXT 8388608 MINEXTENTS 1 MAXEXTENTS 2147483645 PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1 BUFFER_POOL DEFAULT FLASH_CACHE DEFAULT CELL_FLASH_CACHE DEFAULT) TABLESPACE "TS_

Job "SCOTT"."SYS_IMPORT_TABLE_01" completed with 1 error(s) at 16:37:21

场景5:导出时源库encryption wallet处于open状态,使用ENCRYPTION=ENCRYPTED_COLUMNS_ONLY在dumpfile中对加密列以加密方式存储;导入时目标库wallet处于open状态

---源库导出,wallet处于open状态

alter system set encryption wallet open identified by "tde_1234";

select * from v$encryption_wallet;

WRL_TYPE

--------------------

WRL_PARAMETER

--------------------------------------------------------------------------------

STATUS

------------------

file

/oradata06/wallet

OPEN

create table t15 (c1 varchar2(1) encrypt,c2 varchar2(2)) tablespace ts_info_dat_01;

insert into t15 values('C','33');

commit;

---注意这里只能使用password模式,不能使用transparent和dual模式

expdp scott/abcd_1234 directory=hisdmp dumpfile=t15.dmp tables=t15 logfile=exp_t15.log reuse_dumpfiles=yes encryption=ENCRYPTED_COLUMNS_ONLY encryption_password=tde_1234;

Starting "SCOTT"."SYS_EXPORT_TABLE_01": scott/******** directory=hisdmp dumpfile=t15.dmp tables=t15 logfile=exp_t15.log reuse_dumpfiles=yes encryption=ENCRYPTED_COLUMNS_ONLY encryption_password=********

Estimate in progress using BLOCKS method...

Processing object type TABLE_EXPORT/TABLE/TABLE_DATA

Total estimation using BLOCKS method: 8 MB

Processing object type TABLE_EXPORT/TABLE/TABLE

. . exported "SCOTT"."T15" 5.460 KB 1 rows

Master table "SCOTT"."SYS_EXPORT_TABLE_01" successfully loaded/unloaded

******************************************************************************

Dump file set for SCOTT.SYS_EXPORT_TABLE_01 is:

/oradata01/hisdmp/monthly/t15.dmp

Job "SCOTT"."SYS_EXPORT_TABLE_01" successfully completed at 17:27:06

scp /oradata01/hisdmp/monthly/t15.dmp oracle@10.10.141.221:/oradata01/hisdmp/monthly/

---目标库wallet处于open状态,成功导入

alter system set encryption wallet open identified by "tde_1234";

select * from v$encryption_wallet;

WRL_TYPE

--------------------

WRL_PARAMETER

--------------------------------------------------------------------------------

STATUS

------------------

file

/oradata06/wallet

OPEN

impdp scott/abcd_1234 directory=hisdmp dumpfile=t15.dmp tables=t15 logfile=imp_t15.log encryption_password=tde_1234

Master table "SCOTT"."SYS_IMPORT_TABLE_01" successfully loaded/unloaded

Starting "SCOTT"."SYS_IMPORT_TABLE_01": scott/******** directory=hisdmp dumpfile=t15.dmp tables=t15 logfile=imp_t15.log encryption_password=********

Processing object type TABLE_EXPORT/TABLE/TABLE

Processing object type TABLE_EXPORT/TABLE/TABLE_DATA

. . imported "SCOTT"."T15" 5.460 KB 1 rows

Job "SCOTT"."SYS_IMPORT_TABLE_01" successfully completed at 17:28:58

场景6:导出时源库encryption wallet处于open状态,使用ENCRYPTION=ENCRYPTED_COLUMNS_ONLY在dumpfile中对加密列以加密方式存储;导入时目标库wallet处于close状态

---源库导出,wallet处于open状态

导出步骤同场景5

---关闭目标库的encryption wallet

alter system set encryption wallet close identified by "tde_1234";

select * from v$encryption_wallet;

WRL_TYPE

--------------------

WRL_PARAMETER

--------------------------------------------------------------------------------

STATUS

------------------

file

/oradata06/wallet

CLOSED

---ORA-28365因wallet close所以无法创建encrypted column

impdp scott/abcd_1234 directory=hisdmp dumpfile=t15.dmp tables=t15 logfile=imp_t15.log encryption_password=tde_1234

ORA-39002: invalid operation

ORA-39180: unable to encrypt ENCRYPTION_PASSWORD

ORA-28365: wallet is not open

场景7:导出时源库encryption wallet处于close状态,使用ENCRYPTION=ENCRYPTED_COLUMNS_ONLY在dumpfile中对加密列以加密方式存储;因导出即失败所以无法继续进行导入

---源库导出,导出时wallet处于close状态

alter system set encryption wallet open identified by "tde_1234";

select * from v$encryption_wallet;

WRL_TYPE

--------------------

WRL_PARAMETER

--------------------------------------------------------------------------------

STATUS

------------------

file

/oradata06/wallet

OPEN

create table t16 (c1 varchar2(1) encrypt,c2 varchar2(2)) tablespace ts_info_dat_01;

insert into t16 values('C','33');

commit;

alter system set encryption wallet close identified by "tde_1234";

select * from v$encryption_wallet;

WRL_TYPE

--------------------

WRL_PARAMETER

--------------------------------------------------------------------------------

STATUS

------------------

file

/oradata06/wallet

CLOSED

---注意这里只能使用password模式,不能使用transparent和dual模式,之所以报错是因为使用password对encrypted column在导出时进行加密之前必须先用masterkey对encrypted列进行解密,对解密的结果再进行加密,而这时wallet close无法获取到masterkey,所以加密过程就无法继续

expdp scott/abcd_1234 directory=hisdmp dumpfile=t16.dmp tables=t16 logfile=exp_t16.log reuse_dumpfiles=yes encryption=ENCRYPTED_COLUMNS_ONLY encryption_password=tde_1234;

ORA-39001: invalid argument value

ORA-39180: unable to encrypt ENCRYPTION_PASSWORD

ORA-28365: wallet is not open

场景8:导出时源库encryption wallet处于open状态,使用ENCRYPTION=ALL在dumpfile中对所有列以加密方式存储,又分别以encryption_mode=transparent和password两种模式生成两个dumpfile;导入时目标库wallet处于open状态,并分别对上述两种模式下导出的dumpfile进行导入

---源库导出,wallet处于open状态

alter system set encryption wallet open identified by "tde_1234";

select * from v$encryption_wallet;

WRL_TYPE

--------------------

WRL_PARAMETER

--------------------------------------------------------------------------------

STATUS

------------------

file

/oradata06/wallet

OPEN

create table t17 (c1 varchar2(1) encrypt,c2 varchar2(2)) tablespace ts_info_dat_01;

insert into t17 values('C','33');

commit;

---分别使用transparent和password两种模式进行导出

***transparent模式

expdp scott/abcd_1234 directory=hisdmp dumpfile=t17t.dmp tables=t17 logfile=exp_t17t.log reuse_dumpfiles=yes encryption=all encryption_mode=transparent

Starting "SCOTT"."SYS_EXPORT_TABLE_01": scott/******** directory=hisdmp dumpfile=t17t.dmp tables=t17 logfile=exp_t17t.log reuse_dumpfiles=yes encryption=all encryption_mode=transparent

Estimate in progress using BLOCKS method...

Processing object type TABLE_EXPORT/TABLE/TABLE_DATA

Total estimation using BLOCKS method: 8 MB

Processing object type TABLE_EXPORT/TABLE/TABLE

. . exported "SCOTT"."T17" 5.414 KB 1 rows

Master table "SCOTT"."SYS_EXPORT_TABLE_01" successfully loaded/unloaded

******************************************************************************

Dump file set for SCOTT.SYS_EXPORT_TABLE_01 is:

/oradata01/hisdmp/monthly/t17t.dmp

Job "SCOTT"."SYS_EXPORT_TABLE_01" successfully completed at 21:00:06

***password模式

expdp scott/abcd_1234 directory=hisdmp dumpfile=t17p.dmp tables=t17 logfile=exp_t17p.log reuse_dumpfiles=yes encryption=all encryption_mode=password encryption_password=tde_1234;

Starting "SCOTT"."SYS_EXPORT_TABLE_01": scott/******** directory=hisdmp dumpfile=t17p.dmp tables=t17 logfile=exp_t17p.log reuse_dumpfiles=yes encryption=all encryption_mode=password encryption_password=********

Estimate in progress using BLOCKS method...

Processing object type TABLE_EXPORT/TABLE/TABLE_DATA

Total estimation using BLOCKS method: 8 MB

Processing object type TABLE_EXPORT/TABLE/TABLE

. . exported "SCOTT"."T17" 5.414 KB 1 rows

Master table "SCOTT"."SYS_EXPORT_TABLE_01" successfully loaded/unloaded

******************************************************************************

Dump file set for SCOTT.SYS_EXPORT_TABLE_01 is:

/oradata01/hisdmp/monthly/t17p.dmp

Job "SCOTT"."SYS_EXPORT_TABLE_01" successfully completed at 21:01:18

scp /oradata01/hisdmp/monthly/t17t.dmp oracle@10.10.141.221:/oradata01/hisdmp/monthly/

scp /oradata01/hisdmp/monthly/t17p.dmp oracle@10.10.141.221:/oradata01/hisdmp/monthly/

---目标库wallet处于open状态,分别导入transparent、password模式导出的dmp

alter system set encryption wallet open identified by "tde_1234";

select * from v$encryption_wallet;

WRL_TYPE

--------------------

WRL_PARAMETER

--------------------------------------------------------------------------------

STATUS

------------------

file

/oradata06/wallet

OPEN

---导入以encryption_mode=transparent方式导出的t17t.dmp,因源、目标库的masterkey不一致发生了ORA-28362,进一步导致ORA-39189目标库无法解密由源库masterkey加密的dumpfile

impdp scott/abcd_1234 directory=hisdmp dumpfile=t17t.dmp tables=t17 logfile=imp_t17t.log

ORA-39002: invalid operation

ORA-39189: unable to decrypt dump file set

ORA-28362: master key not found

---导入以encryption_mode=password方式导出的t17p.dmp,导入成功

impdp scott/abcd_1234 directory=hisdmp dumpfile=t17p.dmp tables=t17 logfile=imp_t17p.log encryption_password=tde_1234

Master table "SCOTT"."SYS_IMPORT_TABLE_01" successfully loaded/unloaded

Starting "SCOTT"."SYS_IMPORT_TABLE_01": scott/******** directory=hisdmp dumpfile=t17p.dmp tables=t17 logfile=imp_t17p.log encryption_password=********

Processing object type TABLE_EXPORT/TABLE/TABLE

Processing object type TABLE_EXPORT/TABLE/TABLE_DATA

. . imported "SCOTT"."T17" 5.414 KB 1 rows

Job "SCOTT"."SYS_IMPORT_TABLE_01" successfully completed at 21:03:14

场景9:导出时源库encryption wallet处于open状态,使用ENCRYPTION=ALL在dumpfile中对所有列以加密方式存储,又分别以encryption_mode=transparent和password两种模式生成两个dumpfile;导入时目标库wallet处于close状态,并分别对上述两种模式下导出的dumpfile进行导入

--源库导出,wallet处于open状态

导出过程同场景8

--关闭目标库的encryption wallet,再次尝试以上两种导入

alter system set encryption wallet close identified by "tde_1234";

select * from v$encryption_wallet;

WRL_TYPE

--------------------

WRL_PARAMETER

--------------------------------------------------------------------------------

STATUS

------------------

file

/oradata06/wallet

CLOSED

---尝试导入以encryption=transparent方式导出的t17t.dmp,因目标库wallet close无法找到解密dmpfile所需的masterkey,导入失败

impdp scott/abcd_1234 directory=hisdmp dumpfile=t17t.dmp tables=t17 logfile=imp_t17t.log

ORA-39002: invalid operation

ORA-39189: unable to decrypt dump file set

ORA-28365: wallet is not open

---尝试导入以encryption=password方式导出的t17p.dmp,能够解密出dmpfile,但是因目标库wallet close,所以无法创建encrypted columns

impdp scott/abcd_1234 directory=hisdmp dumpfile=t17p.dmp tables=t17 logfile=imp_t17t.log encryption_password=tde_1234

Master table "SCOTT"."SYS_IMPORT_TABLE_01" successfully loaded/unloaded

Starting "SCOTT"."SYS_IMPORT_TABLE_01": scott/******** directory=hisdmp dumpfile=t17p.dmp tables=t17 logfile=imp_t17t.log encryption_password=********

Processing object type TABLE_EXPORT/TABLE/TABLE

ORA-39083: Object type TABLE:"SCOTT"."T17" failed to create with error:

ORA-28365: wallet is not open

Failing sql is:

CREATE TABLE "SCOTT"."T17" ("C1" VARCHAR2(1 BYTE) ENCRYPT USING 'AES192' 'SHA-1', "C2" VARCHAR2(2 BYTE)) SEGMENT CREATION IMMEDIATE PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 NOCOMPRESS LOGGING STORAGE(INITIAL 8388608 NEXT 8388608 MINEXTENTS 1 MAXEXTENTS 2147483645 PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1 BUFFER_POOL DEFAULT FLASH_CACHE DEFAULT CELL_FLASH_CACHE DEFAULT) TABLESPACE "TS_

Processing object type TABLE_EXPORT/TABLE/TABLE_DATA

Job "SCOTT"."SYS_IMPORT_TABLE_01" completed with 1 error(s) at 21:09:10

场景10:导出时源库encryption wallet处于close状态,使用ENCRYPTION=ALL在dumpfile中对所有列以加密方式存储,又分别以encryption_mode=transparent和password两种模式生成两个dumpfile;导入时目标库wallet处于open状态,并分别对上述两种模式下导出的dumpfile进行导入

---源库导出,导出时wallet处于close状态

alter system set encryption wallet open identified by "tde_1234";

select * from v$encryption_wallet;

WRL_TYPE

--------------------

WRL_PARAMETER

--------------------------------------------------------------------------------

STATUS

------------------

file

/oradata06/wallet

OPEN

create table t18 (c1 varchar2(1) encrypt,c2 varchar2(2)) tablespace ts_info_dat_01;

insert into t18 values('C','33');

commit;

alter system set encryption wallet close identified by "tde_1234";

select * from v$encryption_wallet;

WRL_TYPE

--------------------

WRL_PARAMETER

--------------------------------------------------------------------------------

STATUS

------------------

file

/oradata06/wallet

CLOSED

---分别使用transparent和password两种模式,前者需要masterkey加密dmpfile,后者需要先用masterkey解密encrypted columns后再用password加密,两者都需要wallet open,但实际wallet处于close状态,所以这两种导出都有问题

--transparent模式导出失败

expdp scott/abcd_1234 directory=hisdmp dumpfile=t18t.dmp tables=t18 logfile=exp_t18t.log reuse_dumpfiles=yes encryption=all encryption_mode=transparent

ORA-39002: invalid operation

ORA-39188: unable to encrypt dump file set

ORA-28365: wallet is not open

--password模式导出,仅导出了表结构,因为无法使用masterkey Decrypt加密列

expdp scott/abcd_1234 directory=hisdmp dumpfile=t18p.dmp tables=t18 logfile=exp_t18p.log reuse_dumpfiles=yes encryption=all encryption_mode=password encryption_password=tde_1234;

Starting "SCOTT"."SYS_EXPORT_TABLE_01": scott/******** directory=hisdmp dumpfile=t18p.dmp tables=t18 logfile=exp_t18p.log reuse_dumpfiles=yes encryption=all encryption_mode=password encryption_password=********

Estimate in progress using BLOCKS method...

Processing object type TABLE_EXPORT/TABLE/TABLE_DATA

Total estimation using BLOCKS method: 8 MB

Processing object type TABLE_EXPORT/TABLE/TABLE

ORA-31693: Table data object "SCOTT"."T18" failed to load/unload and is being skipped due to error:

ORA-29913: error in executing ODCIEXTTABLEPOPULATE callout

ORA-28365: wallet is not open

Master table "SCOTT"."SYS_EXPORT_TABLE_01" successfully loaded/unloaded

******************************************************************************

Dump file set for SCOTT.SYS_EXPORT_TABLE_01 is:

/oradata01/hisdmp/monthly/t18p.dmp

Job "SCOTT"."SYS_EXPORT_TABLE_01" completed with 1 error(s) at 21:17:11

scp /oradata01/hisdmp/monthly/t18p.dmp oracle@10.10.141.221:/oradata01/hisdmp/monthly/

---目标库wallet处于open状态,导入encryption_mode=transparent方式导出的t18p.dmp

因该方式下导出dmpfile失败,所以略去

---目标库wallet处于open状态,导入encryption_mode=password方式导出的t18p.dmp

alter system set encryption wallet open identified by "tde_1234";

select * from v$encryption_wallet;

WRL_TYPE

--------------------

WRL_PARAMETER

--------------------------------------------------------------------------------

STATUS

------------------

file

/oradata06/wallet

OPEN

impdp scott/abcd_1234 directory=hisdmp dumpfile=t18p.dmp tables=t18 logfile=imp_t18p.log encryption_password=tde_1234

Master table "SCOTT"."SYS_IMPORT_TABLE_01" successfully loaded/unloaded

Starting "SCOTT"."SYS_IMPORT_TABLE_01": scott/******** directory=hisdmp dumpfile=t18p.dmp tables=t18 logfile=imp_t18p.log encryption_password=********

Processing object type TABLE_EXPORT/TABLE/TABLE

Job "SCOTT"."SYS_IMPORT_TABLE_01" successfully completed at 21:22:05

***检查t18表无内容,仅有表结构,相当于expdp时指定了encryption=metadata_only

SQL> select * from scott.t18;

no rows selected

场景11:导出时源库encryption wallet处于close状态,使用ENCRYPTION=ALL在dumpfile中对所有列以加密方式存储,又分别以encryption_mode=transparent和password两种模式生成两个dumpfile;导入时目标库wallet处于close状态,并分别对上述两种模式下导出的dumpfile进行导入

---源库导出,导出时wallet处于close状态

导出步骤同场景10

--关闭目标库的encryption wallet,再次尝试以上导入

alter system set encryption wallet close identified by "tde_1234";

select * from v$encryption_wallet;

WRL_TYPE

--------------------

WRL_PARAMETER

--------------------------------------------------------------------------------

STATUS

------------------

file

/oradata06/wallet

CLOSED

---尝试导入encryption_mode=transparent方式导出的t18p.dmp

因该方式下导出dmpfile失败,所以略去

---尝试导入以encryption=password方式导出的t18p.dmp,因目标库wallet close,无法创建encrypted columns,导入失败

impdp scott/abcd_1234 directory=hisdmp dumpfile=t18p.dmp tables=t18 logfile=imp_t18t.log encryption_password=tde_1234

Master table "SCOTT"."SYS_IMPORT_TABLE_01" successfully loaded/unloaded

Starting "SCOTT"."SYS_IMPORT_TABLE_01": scott/******** directory=hisdmp dumpfile=t18p.dmp tables=t18 logfile=imp_t18t.log encryption_password=********

Processing object type TABLE_EXPORT/TABLE/TABLE

ORA-39083: Object type TABLE:"SCOTT"."T18" failed to create with error:

ORA-28365: wallet is not open

Failing sql is:

CREATE TABLE "SCOTT"."T18" ("C1" VARCHAR2(1 BYTE) ENCRYPT USING 'AES192' 'SHA-1', "C2" VARCHAR2(2 BYTE)) SEGMENT CREATION IMMEDIATE PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 NOCOMPRESS LOGGING STORAGE(INITIAL 8388608 NEXT 8388608 MINEXTENTS 1 MAXEXTENTS 2147483645 PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1 BUFFER_POOL DEFAULT FLASH_CACHE DEFAULT CELL_FLASH_CACHE DEFAULT) TABLESPACE "TS_

Job "SCOTT"."SYS_IMPORT_TABLE_01" completed with 1 error(s) at 21:24:04

针对实验场景的结果归纳如下:

源库expdp时的encryption wallet状态

能否正常导出加密表

目标库impdp时的encryption wallet状态

Expdp参数Encryption_mode取值

Expdp参数Encryption取值

导入结果

Open

Open

正常

Open

Close

失败

Close

Open

仅表结构

Close

Close

失败

Open

Open

password

ENCRYPTED_COLUMNS_ONLY

正常

Open

Close

password

ENCRYPTED_COLUMNS_ONLY

失败

Close

-

password

ENCRYPTED_COLUMNS_ONLY

-

Open

Open

transparent

ALL

失败

Open

Open

password

ALL

正常

Open

Close

transparent

ALL

失败

Open

Close

password

ALL

失败

Close

-

transparent

ALL

-

Close

open

password

All

仅表结构

Close

Close

password

All

失败

总结:

含有加密列的表进行导出、导入时:

1、 源库上执行导出操作时encryption wallet只有处于open状态才能导出完整的内容,如果是close的情况下一般会把表结构导出(但encryption= ENCRYPTED_COLUMNS_ONLY和encryption_mode=transparent两种情况除外,这两种情况连表结构都不会导出,直接报错退出)

2、目标库执行导入操作时,需要先对dumpfile文件进行解密(如果expdp出来的时候进行了加密),再用自己的masterkey重新对表进行加密,这两个步骤中任意一个有问题都会引起导入失败

3、如果安全上允许建议启用auto login encryption wallet,数据库重启后会自动open

转://oracle Wallet在expdp/impdp中使用场景的更多相关文章

  1. Oracle数据迁移expdp/impdp

    Oracle数据迁移expdp/impdp目的:指导项目侧自行进行简单的数据泵迁移工作. 本文实验环境:Oracle 11.2.0.4,利用数据库自带的scott示例用户进行试验测试. 1.首先需要创 ...

  2. ORACLE 数据泵 expdp/impdp

    ORACLE 数据泵 expdp/impdp 一.概念 Oracle Database 10g 引入了最新的数据泵(Data Dump)技术,数据泵导出导入 (EXPDP 和 IMPDP)的作用: 1 ...

  3. Oracle expdp impdp中 exclude/include 的使用

    exclude和include参数能够在使用expdp或impdp是对特定的对象或对象类型进行筛选或过滤.比如因工作的需要导出特定的表或不导出特定的表.视图以及存储过程.索引.约束.授权统计信息等等. ...

  4. expdp impdp中 exclude/include 的使用

    exclude和include参数能够在使用expdp或impdp是对特定的对象或对象类型进行筛选或过滤.比如因工作的需要导出特定的表或不导出特定 的表.视图以及存储过程.索引.约束.授权统计信息等等 ...

  5. Oracle 11g 数据库 expdp/impdp 全量导入导出

    从一个用户导出导入到另一个用户 问题 环境:oracle 11g; redhat 6 usera是具有DBA权限,密码为usera 全量导出usera用户下的所有内容,并导入到新建的userb用户 解 ...

  6. oracle导出/导入 expdp/impdp

    Oracle使用EXPDP和IMPDP数据泵进行导出导入的方法(常用方法) 使用expdp和impdp时应该注重的事项: 1.exp和imp是客户端工具程序,它们既可以在客户端使用,也可以在服务端使用 ...

  7. Oracle数据库备份 expdp/impdp导出导入命令

    使用EXPDP和IMPDP时应该注意的事项: EXP和IMP是客户端工具程序,它们既可以在客户端使用,也可以在服务端使用. EXPDP和IMPDP是服务端的工具程序,他们只能在ORACLE服务端使用, ...

  8. Oracle exp,imp,expdp,impdp数据导入导出

    一.导出模式(三种模式)及命令格式 1. 全库模式 exp 用户名/密码@网络服务名 full=y file=路径\文件名.dmp log=路径\文件名.log 2. 用户模式(一般情况下采用此模式) ...

  9. Oracle简单常用的数据泵导出导入(expdp/impdp)命令举例(下)

    <Oracle简单常用的数据泵导出导入(expdp/impdp)命令举例(上)> <Oracle简单常用的数据泵导出导入(expdp/impdp)命令举例(下)> 目的:指导项 ...

随机推荐

  1. 聊聊ES7与ES8特性

    译者按: 转眼ES6发布2年了,是时候了解一下ES7与ES8特性了! 原文: ES7 and ES8 Features 译者: Fundebug 为了保证可读性,本文采用意译而非直译,并且对源代码进行 ...

  2. 预览github代码

    方法一:最简单的方法,在代码的url前面加上: http://htmlpreview.github.com/? 方法二: 使用Githubpages, 方法一有可能会修改css样式,不过方法二略复杂, ...

  3. git方式安装thinkphp5

    1.thinkphp 的github 代码版本地址:https://github.com/top-think 2. 点击think 复制 地址 3. 新建thinkphp5 文件夹 git clone ...

  4. 通过JS生成由字母与数字组合的随机字符串

    在项目中可能需要随机生成字母数字组成的字符,如生成3-32位长度的字母数字组合的随机字符串(位数不固定)或者生成43位随机字符串(位数固定) 使用Math.random()与toString()方法的 ...

  5. 【机器学习基本理论】详解最大似然估计(MLE)、最大后验概率估计(MAP),以及贝叶斯公式的理解

    [机器学习基本理论]详解最大似然估计(MLE).最大后验概率估计(MAP),以及贝叶斯公式的理解 https://mp.csdn.net/postedit/81664644 最大似然估计(Maximu ...

  6. 如何用ABP框架快速完成项目(9) - 用ABP一个人快速完成项目(5) - 不要执着于设计模式和DDD理论,避免原教旨主义

    为什么要写这节文章呢?   首先主动看我这系列文章和参加活动课程的同学, 肯定是积极好学的. 所以很大概率是学过设计模式和DDD理论的. 很大概率不是走一点都不懂设计模式和DDD理论这个极端, 而是走 ...

  7. Android图片的Base64编码与解码

    Base64是网络上最常见的用于传输8Bit字节码的编码方式之一,Base64就是一种基于64个可打印字符来表示二进制数据的方法. Base64编码是从二进制到字符的过程,可用于在HTTP环境下传递较 ...

  8. Android为TV端助力 史上最简单易懂的跨进程通讯(Messenger)!

    不需要AIDL也不需要复杂的ContentProvider,也不需要SharedPreferences或者共享存储文件! 只需要简单易懂的Messenger,它也称为信使,通过它可以在不同进程中传递m ...

  9. Node.js学习起步

    Node.js学习: 简单的说 Node.js 就是运行在服务端的 JavaScript.Node.js 是一个基于Chrome JavaScript 运行时建立的一个平台.Node.js是一个事件驱 ...

  10. leetcode-67.二进制求和

    leetcode-67.二进制求和 Points 数组 数学 题意 给定两个二进制字符串,返回他们的和(用二进制表示). 输入为非空字符串且只包含数字 1 和 0. 示例 1: 输入: a = &qu ...