1. Enabling and disabling TDE

Set the wallet directory by adding the following entry to the parameter file sqlnet.ora:

# Oracle Advanced Security Transparent Data Encryption

ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/product/11.2.4/db_1/network/admin/encryption_wallet)))

 
 

Create that directory:

su - oracle

mkdir -p /u01/app/oracle/product/11.2.4/db_1/network/admin/encryption_wallet

 
 

Create the master key file. This is done as SYS; the statement below also sets the wallet password and creates the encrypted wallet file in the directory configured above. The database must be open read/write, otherwise the statement fails with:

ORA-28388: database is not open in read/write mode

Create the master key:

SQL>ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "junshi66";

[oracle@primary rpdm]$ cd /u01/app/oracle/product/11.2.4/db_1/network/admin/encryption_wallet/

[oracle@primary encryption_wallet]$ ll

total 4

-rw-r--r-- 1 oracle asmadmin 2845 Jan 15 14:48 ewallet.p12

Note the mode of the new wallet file: 0644, readable by every local account. ewallet.p12 is protected by the wallet password, but it is still the file that holds the master key, so restrict it to the oracle user (chmod 600 on the file and the directory) and keep a separate, offline backup of it together with the password: without them, every encrypted column and tablespace is unrecoverable, RMAN backups included.

 
 

Opening and closing the wallet

Open the wallet (setting the master key for the first time opens the wallet automatically):

SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "junshi66";

ORA-28354: wallet already open

 
 

SQL> alter system set encryption wallet close identified by "junshi66"; -- close

System altered

 
 

SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "junshi66"; -- open

System altered

At this point the wallet is configured and the master key has been created.

 

Note:

In a Data Guard environment, the wallet files and the wallet directory from the primary must also be copied to the standby.
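The following script is added here as an illustration and is not part of the original post. It automates the checks a DBA should make on the wallet location before and after the steps above: it parses the ENCRYPTION_WALLET_LOCATION directive out of sqlnet.ora, confirms the directory exists, and flags two things the listing above hides: an ewallet.p12 that other local accounts can read, and an auto-login wallet (cwallet.sso), which lets the instance open the master key without any password. The sqlnet.ora, the wallet directory and the file modes used by demo are constructed in a temporary directory, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the TDE wallet location
# that sqlnet.ora points at. Function names are this example's own; demo()
# builds a throw-away sqlnet.ora and wallet directory to run the checks on.

# Print the DIRECTORY value of ENCRYPTION_WALLET_LOCATION in a sqlnet.ora,
# ignoring whitespace and case. Prints nothing if the directive is absent.
wallet_dir_from_sqlnet() {
    tr -d ' \t' < "$1" \
        | grep -i '^ENCRYPTION_WALLET_LOCATION=' \
        | sed -n 's/.*DIRECTORY=\([^)]*\)).*/\1/p' \
        | head -n 1
}

# Succeed only if group and others have no permission bits at all on $1.
# ls is used instead of stat so the check works on Linux and BSD/macOS.
owner_only() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Check one wallet directory. Prints one finding per line and returns the
# number of findings, so a return value of 0 means everything passed.
check_wallet_dir() {
    dir=$1
    n=0
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir does not exist; create it before ALTER SYSTEM SET ENCRYPTION KEY"
        return 1
    fi
    if ! owner_only "$dir"; then
        echo "PERMS: $dir is group/world accessible, expected drwx------"
        n=$((n + 1))
    fi
    if [ ! -f "$dir/ewallet.p12" ]; then
        echo "MISSING: $dir/ewallet.p12 not found; no master key has been created yet"
        n=$((n + 1))
    elif ! owner_only "$dir/ewallet.p12"; then
        echo "PERMS: $dir/ewallet.p12 is $(ls -l "$dir/ewallet.p12" | cut -c1-10), expected -rw------- (it holds the master key)"
        n=$((n + 1))
    fi
    if [ -f "$dir/cwallet.sso" ]; then
        echo "AUTOLOGIN: $dir/cwallet.sso present; the wallet opens without a password, so read access to this directory is access to the keys"
        n=$((n + 1))
    fi
    return $n
}

# Recreate the state shown in the post (constructed, in a temp directory):
# a sqlnet.ora pointing at a wallet directory whose ewallet.p12 is mode 0644.
# Returns the number of findings, which is 1 for the world-readable wallet.
demo() {
    tmp=$(mktemp -d)
    wdir="$tmp/encryption_wallet"
    mkdir -p "$wdir"
    chmod 700 "$wdir"
    printf '# Oracle Advanced Security Transparent Data Encryption\n' > "$tmp/sqlnet.ora"
    printf 'ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=%s)))\n' "$wdir" >> "$tmp/sqlnet.ora"
    : > "$wdir/ewallet.p12"
    chmod 644 "$wdir/ewallet.p12"
    check_wallet_dir "$(wallet_dir_from_sqlnet "$tmp/sqlnet.ora")"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo || echo "findings: $?"
```

Run it with the real paths by calling check_wallet_dir "$(wallet_dir_from_sqlnet $ORACLE_HOME/network/admin/sqlnet.ora)" as the oracle user; a non-zero return value is the number of findings, so it drops straight into a cron job or a post-install check.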

 
 

 
 

  2. Test environment setup

    2.1 Encrypted tablespace

Create the encrypted tablespace S:

CREATE TABLESPACE S DATAFILE '+DATA' SIZE 200M autoextend on maxsize unlimited ENCRYPTION DEFAULT STORAGE(ENCRYPT);

Create user suser:

create user suser identified by oracle default tablespace S;

grant connect,resource to suser;

Create table st1:

conn suser/oracle

create table st1 (id number CONSTRAINT id_nn NOT NULL,

name VARCHAR2(40),

PRIMARY KEY (id)

);

Insert data:

insert into st1 values (1,'aaa');

insert into st1 values (2,'bbb');

insert into st1 values (3,'ccc');

insert into st1 values (4,'ddd');

Create the ordinary (unencrypted) tablespace P:

CREATE TABLESPACE P DATAFILE '+DATA' SIZE 200M autoextend on maxsize unlimited;

Create user puser:

create user puser identified by oracle default tablespace P;

grant connect,resource to puser;

Create table pt1:

conn puser/oracle

create table pt1 (id number CONSTRAINT id_nn NOT NULL,

name VARCHAR2(40),

PRIMARY KEY (id)

);

Insert data:

insert into pt1 values (1,'aaa');

insert into pt1 values (2,'bbb');

insert into pt1 values (3,'ccc');

insert into pt1 values (4,'ddd');

 
 

 
 

    2.2 Encrypted columns

Create tables stable1 and stable2 under suser (stable1 encrypts both columns, stable2 only name):

conn suser/oracle

create table stable1 (id number ENCRYPT NOT NULL ,

name VARCHAR2(40) ENCRYPT

);

insert into stable1 values (1,'aaa');

insert into stable1 values (2,'bbb');

insert into stable1 values (3,'ccc');

insert into stable1 values (4,'ddd');

 
 

 
 

create table stable2 (id number NOT NULL,

name VARCHAR2(40) ENCRYPT

);

insert into stable2 values (1,'aaa');

insert into stable2 values (2,'bbb');

insert into stable2 values (3,'ccc');

insert into stable2 values (4,'ddd');

 
 

Create ptable1 and ptable2 under puser, with the same column layout but in the unencrypted tablespace P:

conn puser/oracle

create table ptable1 (id number ENCRYPT NOT NULL ,

name VARCHAR2(40) ENCRYPT

);

insert into ptable1 values (1,'aaa');

insert into ptable1 values (2,'bbb');

insert into ptable1 values (3,'ccc');

insert into ptable1 values (4,'ddd');

 
 

create table ptable2 (id number NOT NULL,

name VARCHAR2(40) ENCRYPT

);

insert into ptable2 values (1,'aaa');

insert into ptable2 values (2,'bbb');

insert into ptable2 values (3,'ccc');

insert into ptable2 values (4,'ddd');

 
 

 
 

    2.3 Target database

On the target database (192.168.80.200) the tablespaces and users are created without encryption. Note in particular that tablespace S is an ordinary tablespace here; this matters for the import results in the next section.

CREATE TABLESPACE S DATAFILE '/u01/app/oracle/oradata/demo/S01.dbf' SIZE 200M autoextend on maxsize unlimited;

CREATE TABLESPACE P DATAFILE '/u01/app/oracle/oradata/demo/P01.dbf' SIZE 200M autoextend on maxsize unlimited;

create user suser identified by oracle default tablespace S;

grant connect,resource to suser;

create user puser identified by oracle default tablespace P;

grant connect,resource to puser;

 
 

    2.4 Create the database link

CREATE PUBLIC DATABASE LINK "linksource"

CONNECT TO system

IDENTIFIED BY "oracle"

USING 'source';

 
 

  3. Administration

    3.1 Schema migration (exp/imp, expdp/impdp)

    expdp:

    export LANG=AMERICAN_AMERICA.ZHS16GBK

    expdp system/oracle directory=EXPDP dumpfile=expdp2users.dmp logfile=expdp2user.log schemas=suser,puser

     
     

[oracle@primary ~]$ export LANG=AMERICAN_AMERICA.ZHS16GBK

[oracle@primary ~]$ expdp system/oracle directory=EXPDP dumpfile=expdp2users.dmp logfile=expdp2user.log schemas=suser,puser

Export: Release 11.2.0.4.0 - Production on Tue Jan 26 17:21:33 2016

Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.

Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production

With the Partitioning, Automatic Storage Management, OLAP, Data Mining

and Real Application Testing options

Starting "SYSTEM"."SYS_EXPORT_SCHEMA_01": system/******** directory=EXPDP dumpfile=expdp2users.dmp logfile=expdp2user.log schemas=suser,puser

Estimate in progress using BLOCKS method...

Processing object type SCHEMA_EXPORT/TABLE/TABLE_DATA

Total estimation using BLOCKS method: 384 KB

Processing object type SCHEMA_EXPORT/USER

Processing object type SCHEMA_EXPORT/SYSTEM_GRANT

Processing object type SCHEMA_EXPORT/ROLE_GRANT

Processing object type SCHEMA_EXPORT/DEFAULT_ROLE

Processing object type SCHEMA_EXPORT/PRE_SCHEMA/PROCACT_SCHEMA

Processing object type SCHEMA_EXPORT/TABLE/TABLE

Processing object type SCHEMA_EXPORT/TABLE/CONSTRAINT/CONSTRAINT

. . exported "PUSER"."PT1" 5.437 KB 4 rows

. . exported "PUSER"."PTABLE1" 5.445 KB 4 rows

. . exported "PUSER"."PTABLE2" 5.445 KB 4 rows

. . exported "SUSER"."ST1" 5.437 KB 4 rows

. . exported "SUSER"."STABLE1" 5.445 KB 4 rows

. . exported "SUSER"."STABLE2" 5.445 KB 4 rows

ORA-39173: Encrypted data has been stored unencrypted in dump file set.

Master table "SYSTEM"."SYS_EXPORT_SCHEMA_01" successfully loaded/unloaded

******************************************************************************

Dump file set for SYSTEM.SYS_EXPORT_SCHEMA_01 is:

/backup/expdp/expdp2users.dmp

Job "SYSTEM"."SYS_EXPORT_SCHEMA_01" completed with 1 error(s) at Tue Jan 26 17:22:06 2016 elapsed 0 00:00:27

The one "error" is ORA-39173, and it is the important line of this log. Data Pump reads rows through SQL, so it receives them decrypted regardless of whether they were protected by column or tablespace encryption, and with no ENCRYPTION parameter it writes them to the dump file in clear text. /backup/expdp/expdp2users.dmp therefore contains the plaintext of everything TDE was protecting and must be stored, transferred and deleted with that in mind. Data Pump can encrypt the dump set itself (ENCRYPTION=ALL together with ENCRYPTION_MODE and ENCRYPTION_PASSWORD); ORA-39173 is the signal that this was not done. Separately, passing system/oracle on the command line exposes the password in the process list and the shell history; a parfile or an interactive prompt avoids that.
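Added here as an example, not from the original post: a parfile generator that switches on Data Pump's own encryption for the export above, and a log scanner for the messages in this section that mean TDE data left the database unprotected or was silently dropped (ORA-39173, EXP-00107, EXP-00111, ORA-28365). The directory object EXPDP, the dump file name and the schema list follow the post; the password argument and the sample log used by demo are constructed. With ENCRYPTION=ALL and ENCRYPTION_MODE=PASSWORD the dump set is encrypted under that password, so it can be imported on a target with a different master key (the target wallet still has to be open to create encrypted columns); ENCRYPTION_MODE=TRANSPARENT would instead tie the dump to the source wallet, and DUAL allows either.

```shell
#!/bin/sh
# Added example, not part of the original post. Function names are this
# example's own; the parfile mirrors the expdp command in the post with
# Data Pump encryption switched on.

# Write an expdp parfile to $1 for the schema list $2, encrypting the dump
# set under password $3. Keeping the password in a parfile (mode 0600)
# keeps it out of the process list, unlike system/oracle on the command line.
write_encrypted_parfile() {
    parfile=$1
    schemas=$2
    password=$3
    cat > "$parfile" <<EOF
DIRECTORY=EXPDP
DUMPFILE=expdp2users.dmp
LOGFILE=expdp2user.log
SCHEMAS=$schemas
ENCRYPTION=ALL
ENCRYPTION_MODE=PASSWORD
ENCRYPTION_PASSWORD=$password
EOF
    chmod 600 "$parfile"
}

# Scan a Data Pump or exp/imp log for the messages seen in this section:
#   ORA-39173  encrypted data written to the dump file in clear
#   EXP-00107  exp skipped a table because of an encrypted column
#   EXP-00111  exp skipped a table in an encrypted tablespace
#   ORA-28365  impdp could not create an encrypted column (wallet closed)
# Prints the matching lines and returns how many there were (shell return
# values wrap at 256, so rely on the printed lines for very large logs).
scan_dump_log() {
    pattern='ORA-39173|EXP-00107|EXP-00111|ORA-28365'
    hits=$(grep -E -c "$pattern" "$1" || true)
    grep -E "$pattern" "$1" || true
    return "${hits:-0}"
}

# Constructed sample: the relevant lines of the logs shown in the post,
# concatenated into one file. Returns the number of findings, which is 4.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/sample.log" <<'EOF'
. . exported "SUSER"."STABLE2" 5.445 KB 4 rows
ORA-39173: Encrypted data has been stored unencrypted in dump file set.
EXP-00111: Table ST1 resides in an Encrypted Tablespace S and will not be exported
EXP-00107: Feature (COLUMN ENCRYPTION) of column ID in table PUSER.PTABLE1 is not supported. The table will not be exported.
ORA-39083: Object type TABLE:"SUSER"."STABLE1" failed to create with error:
ORA-28365: wallet is not open
. . imported "PUSER"."PT1" 5.437 KB 4 rows
EOF
    scan_dump_log "$tmp/sample.log"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo || echo "findings: $?"
```

For the real export, run expdp system parfile=/path/exp.par (sqlplus-style prompt for the password) and then scan_dump_log on the resulting expdp2user.log; a clean encrypted export produces no ORA-39173 line, and the same scan over the imp/impdp logs catches the skipped or failed tables that the "terminated successfully" summary lines hide.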

 
 

 
 

exp:

export LANG=AMERICAN_AMERICA.ZHS16GBK

exp system/oracle file=/backup/expdp/exp2user.dmp log=/backup/expdp/exp2user.log owner=suser,puser

 
 

[oracle@primary ~]$ exp system/oracle file=/backup/expdp/exp2user.dmp log=/backup/expdp/exp2user.log owner=suser,puser

Export: Release 11.2.0.4.0 - Production on Tue Jan 26 17:22:31 2016

Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.

Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production

With the Partitioning, Automatic Storage Management, OLAP, Data Mining

and Real Application Testing options

Export done in ZHS16GBK character set and AL16UTF16 NCHAR character set

About to export specified users ...

. exporting pre-schema procedural objects and actions

. exporting foreign function library names for user SUSER

. exporting foreign function library names for user PUSER

. exporting PUBLIC type synonyms

. exporting private type synonyms

. exporting PUBLIC type synonyms

. exporting private type synonyms

. exporting object type definitions for user SUSER

. exporting object type definitions for user PUSER

About to export SUSER's objects ...

. exporting database links

. exporting sequence numbers

. exporting cluster definitions

. about to export SUSER's tables via Conventional Path ...

EXP-00111: Table ST1 resides in an Encrypted Tablespace S and will not be exported

EXP-00111: Table STABLE1 resides in an Encrypted Tablespace S and will not be exported

EXP-00111: Table STABLE2 resides in an Encrypted Tablespace S and will not be exported

. exporting synonyms

. exporting views

. exporting stored procedures

. exporting operators

About to export PUSER's objects ...

. exporting database links

. exporting sequence numbers

. exporting cluster definitions

. about to export PUSER's tables via Conventional Path ...

. . exporting table PT1 4 rows exported

EXP-00107: Feature (COLUMN ENCRYPTION) of column ID in table PUSER.PTABLE1 is not supported. The table will not be exported.

EXP-00107: Feature (COLUMN ENCRYPTION) of column NAME in table PUSER.PTABLE2 is not supported. The table will not be exported.

. exporting synonyms

. exporting views

. exporting stored procedures

. exporting operators

. exporting referential integrity constraints

. exporting triggers

. exporting indextypes

. exporting bitmap, functional and extensible indexes

. exporting posttables actions

. exporting materialized views

. exporting snapshot logs

. exporting job queues

. exporting refresh groups and children

. exporting dimensions

. exporting referential integrity constraints

. exporting triggers

. exporting indextypes

. exporting bitmap, functional and extensible indexes

. exporting posttables actions

. exporting materialized views

. exporting snapshot logs

. exporting job queues

. exporting refresh groups and children

. exporting dimensions

. exporting post-schema procedural objects and actions

. exporting statistics

Export terminated successfully with warnings.

 
 

As the log shows, the old exp utility skips both tables that live in an encrypted tablespace (EXP-00111: ST1, STABLE1, STABLE2) and tables that have encrypted columns (EXP-00107: PTABLE1, PTABLE2), yet still reports "terminated successfully with warnings". A backup taken with exp therefore silently omits every TDE-protected table.

 
 

On 192.168.80.200 (the target database):

impdp

export LANG=AMERICAN_AMERICA.ZHS16GBK

impdp system/oracle directory=EXPDP dumpfile=expdp2users.dmp logfile=impdp2user.log schemas=suser,puser

First, without the corresponding master key on the target:

[oracle@single1102 ~]$ export LANG=AMERICAN_AMERICA.ZHS16GBK

[oracle@single1102 ~]$ impdp system/oracle directory=EXPDP dumpfile=expdp2users.dmp logfile=impdp2user.log schemas=suser,puser

 
 

Import: Release 11.2.0.4.0 - Production on Wed Jan 27 17:56:18 2016

 
 

Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.

 
 

Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production

With the Partitioning, OLAP, Data Mining and Real Application Testing options

Master table "SYSTEM"."SYS_IMPORT_SCHEMA_01" successfully loaded/unloaded

Starting "SYSTEM"."SYS_IMPORT_SCHEMA_01": system/******** directory=EXPDP dumpfile=expdp2users.dmp logfile=impdp2user.log schemas=suser,puser

Processing object type SCHEMA_EXPORT/USER

ORA-31684: Object type USER:"SUSER" already exists

ORA-31684: Object type USER:"PUSER" already exists

Processing object type SCHEMA_EXPORT/SYSTEM_GRANT

Processing object type SCHEMA_EXPORT/ROLE_GRANT

Processing object type SCHEMA_EXPORT/DEFAULT_ROLE

Processing object type SCHEMA_EXPORT/PRE_SCHEMA/PROCACT_SCHEMA

Processing object type SCHEMA_EXPORT/TABLE/TABLE

ORA-39083: Object type TABLE:"SUSER"."STABLE1" failed to create with error:

ORA-28365: wallet is not open

Failing sql is:

CREATE TABLE "SUSER"."STABLE1" ("ID" NUMBER ENCRYPT USING 'AES192' 'SHA-1' NOT NULL ENABLE, "NAME" VARCHAR2(40 BYTE) ENCRYPT USING 'AES192' 'SHA-1') SEGMENT CREATION IMMEDIATE PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 NOCOMPRESS LOGGING STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645 PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1 BUFFER_POOL DEFAULT FLASH_CACHE DEF

ORA-39083: Object type TABLE:"SUSER"."STABLE2" failed to create with error:

ORA-28365: wallet is not open

Failing sql is:

CREATE TABLE "SUSER"."STABLE2" ("ID" NUMBER NOT NULL ENABLE, "NAME" VARCHAR2(40 BYTE) ENCRYPT USING 'AES192' 'SHA-1') SEGMENT CREATION IMMEDIATE PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 NOCOMPRESS LOGGING STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645 PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1 BUFFER_POOL DEFAULT FLASH_CACHE DEFAULT CELL_FLASH_CACHE DEFAULT)

ORA-39083: Object type TABLE:"PUSER"."PTABLE1" failed to create with error:

ORA-28365: wallet is not open

Failing sql is:

CREATE TABLE "PUSER"."PTABLE1" ("ID" NUMBER ENCRYPT USING 'AES192' 'SHA-1' NOT NULL ENABLE, "NAME" VARCHAR2(40 BYTE) ENCRYPT USING 'AES192' 'SHA-1') SEGMENT CREATION IMMEDIATE PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 NOCOMPRESS LOGGING STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645 PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1 BUFFER_POOL DEFAULT FLASH_CACHE DEF

ORA-39083: Object type TABLE:"PUSER"."PTABLE2" failed to create with error:

ORA-28365: wallet is not open

Failing sql is:

CREATE TABLE "PUSER"."PTABLE2" ("ID" NUMBER NOT NULL ENABLE, "NAME" VARCHAR2(40 BYTE) ENCRYPT USING 'AES192' 'SHA-1') SEGMENT CREATION IMMEDIATE PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 NOCOMPRESS LOGGING STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645 PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1 BUFFER_POOL DEFAULT FLASH_CACHE DEFAULT CELL_FLASH_CACHE DEFAULT)

Processing object type SCHEMA_EXPORT/TABLE/TABLE_DATA

. . imported "PUSER"."PT1" 5.437 KB 4 rows

. . imported "SUSER"."ST1" 5.437 KB 4 rows

Processing object type SCHEMA_EXPORT/TABLE/CONSTRAINT/CONSTRAINT

Job "SYSTEM"."SYS_IMPORT_SCHEMA_01" completed with 6 error(s) at Wed Jan 27 17:56:27 2016 elapsed 0 00:00:06

The import fails to create "SUSER"."STABLE1", "SUSER"."STABLE2", "PUSER"."PTABLE1" and "PUSER"."PTABLE2" because of ORA-28365: wallet is not open.

Note what did succeed: ST1, which lives in the encrypted tablespace on the source, imported without complaint. Tablespace encryption is invisible to Data Pump, and on this target tablespace S was created without the ENCRYPTION clause, so those rows are now stored in clear text. An encrypted tablespace has to be recreated as encrypted on the target before the import; the import will not do that for you.

 
 

 
 

After copying the wallet and the sqlnet.ora entry from the source to the target and restarting the target database, run the import again:

[oracle@single1102 ~]$ impdp system/oracle directory=EXPDP dumpfile=expdp2users.dmp logfile=impdp2user.log schemas=suser,puser

 
 

Import: Release 11.2.0.4.0 - Production on Wed Jan 27 18:00:59 2016

 
 

Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.

 
 

Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production

With the Partitioning, OLAP, Data Mining and Real Application Testing options

Master table "SYSTEM"."SYS_IMPORT_SCHEMA_01" successfully loaded/unloaded

Starting "SYSTEM"."SYS_IMPORT_SCHEMA_01": system/******** directory=EXPDP dumpfile=expdp2users.dmp logfile=impdp2user.log schemas=suser,puser

Processing object type SCHEMA_EXPORT/USER

ORA-31684: Object type USER:"SUSER" already exists

ORA-31684: Object type USER:"PUSER" already exists

Processing object type SCHEMA_EXPORT/SYSTEM_GRANT

Processing object type SCHEMA_EXPORT/ROLE_GRANT

Processing object type SCHEMA_EXPORT/DEFAULT_ROLE

Processing object type SCHEMA_EXPORT/PRE_SCHEMA/PROCACT_SCHEMA

Processing object type SCHEMA_EXPORT/TABLE/TABLE

Processing object type SCHEMA_EXPORT/TABLE/TABLE_DATA

. . imported "PUSER"."PT1" 5.437 KB 4 rows

. . imported "PUSER"."PTABLE1" 5.445 KB 4 rows

. . imported "PUSER"."PTABLE2" 5.445 KB 4 rows

. . imported "SUSER"."ST1" 5.437 KB 4 rows

. . imported "SUSER"."STABLE1" 5.445 KB 4 rows

. . imported "SUSER"."STABLE2" 5.445 KB 4 rows

Processing object type SCHEMA_EXPORT/TABLE/CONSTRAINT/CONSTRAINT

Job "SYSTEM"."SYS_IMPORT_SCHEMA_01" completed with 2 error(s) at Wed Jan 27 18:01:11 2016 elapsed 0 00:00:10

As shown, once the target holds the matching master key the encrypted columns import successfully. The two remaining errors are the ORA-31684 messages for the users that already existed.

Also, after restarting the target database:

SQL> select * from v$encryption_wallet;

 
 

WRL_TYPE

--------------------

WRL_PARAMETER

--------------------------------------------------------------------------------

STATUS

------------------

file

/u01/app/oracle/product/11.2.4/db_1/network/admin/encryption_wallet

OPEN

 
 

The wallet shows as OPEN even though nobody ran ALTER SYSTEM SET ENCRYPTION WALLET OPEN after the restart. The open/closed state is not stored in the database; it is decided by what is in the wallet directory /u01/app/oracle/product/11.2.4/db_1/network/admin/encryption_wallet. A password-protected wallet that consists of ewallet.p12 alone is closed after every instance restart and must be reopened with the wallet password, so a wallet that is open right after startup means either that someone opened it by hand or, more likely, that an auto-login wallet (a cwallet.sso file next to ewallet.p12) is present and the instance opened it without a password. Check the directory before relying on this: if cwallet.sso is there, anyone who can read that directory can open the master key, so the directory needs the same protection as the database itself.

 
 

 
 

    3.2 imp

export LANG=AMERICAN_AMERICA.ZHS16GBK

create user suser identified by oracle default tablespace S;

grant connect,resource to suser;

create user puser identified by oracle default tablespace P;

grant connect,resource to puser;

imp system/oracle file=/backup/expdp/exp2user.dmp log=/backup/expdp/imp2user.log fromuser=suser,puser

 
 

[oracle@single1102 admin]$ imp system/oracle file=/backup/expdp/exp2user.dmp log=/backup/expdp/imp2user.log fromuser=suser,puser

Import: Release 11.2.0.4.0 - Production on Wed Jan 27 18:05:57 2016

Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.

Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production

With the Partitioning, OLAP, Data Mining and Real Application Testing options

 
 

Export file created by EXPORT:V11.02.00 via conventional path

import done in ZHS16GBK character set and AL16UTF16 NCHAR character set

. importing SYSTEM's objects into SYSTEM

. importing SUSER's objects into SUSER

. importing PUSER's objects into PUSER

. . importing table "PT1" 4 rows imported

Import terminated successfully without warnings.

Only the unencrypted table PT1 is imported: the exp dump never contained the other five tables (see the EXP-00107 and EXP-00111 warnings above), and imp reports success without mentioning them.

 
 

 
 

    3.3 Table migration (exp/imp, expdp/impdp)

expdp:

export LANG=AMERICAN_AMERICA.ZHS16GBK

expdp system/oracle directory=EXPDP dumpfile=expdp2users.dmp logfile=expdp2user.log tables=suser.stable1,puser.ptable1

 
 

 
 

On 192.168.80.200:

impdp

export LANG=AMERICAN_AMERICA.ZHS16GBK

impdp system/oracle directory=EXPDP dumpfile=expdp2users.dmp logfile=impdp2user.log tables=suser.stable1,puser.ptable1

 
 

The schema import above showed that the target must hold the matching wallet before encrypted columns can be imported; that is already in place here, so the table-level import goes through cleanly.

[oracle@single1102 admin]$ impdp system/oracle directory=EXPDP dumpfile=expdp2users.dmp logfile=impdp2user.log tables=suser.stable1,puser.ptable1

Import: Release 11.2.0.4.0 - Production on Wed Jan 27 18:15:38 2016

Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.

Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production

With the Partitioning, OLAP, Data Mining and Real Application Testing options

Master table "SYSTEM"."SYS_IMPORT_TABLE_01" successfully loaded/unloaded

Starting "SYSTEM"."SYS_IMPORT_TABLE_01": system/******** directory=EXPDP dumpfile=expdp2users.dmp logfile=impdp2user.log tables=suser.stable1,puser.ptable1

Processing object type SCHEMA_EXPORT/TABLE/TABLE

Processing object type SCHEMA_EXPORT/TABLE/TABLE_DATA

. . imported "PUSER"."PTABLE1" 5.445 KB 4 rows

. . imported "SUSER"."STABLE1" 5.445 KB 4 rows

Job "SYSTEM"."SYS_IMPORT_TABLE_01" successfully completed at Wed Jan 27 18:15:46 2016 elapsed 0 00:00:05

 
 

 
 

 
 

 
 

    3.4 Remote expdp and impdp over a database link

 
 

Import directly from the source database into the local one. The link below is the one created earlier: it is PUBLIC and connects as SYSTEM, so every user of the target database can reach every table on the source through it; for a real migration use a dedicated account with only the privileges the import needs. Remember also that TDE protects data at rest only: rows fetched over the link are decrypted on the source and cross the network in clear unless Oracle Net encryption (SQLNET.ENCRYPTION_SERVER / SQLNET.ENCRYPTION_CLIENT in sqlnet.ora) is configured on both sides.

SQL> CREATE PUBLIC DATABASE LINK "linksource"

CONNECT TO system

IDENTIFIED BY "oracle"

USING 'source';

Database link created.

SQL> select * from puser.pt1@linksource;

ID NAME

---------- ----------------------------------------

1 aaa

2 bbb

3 ccc

4 ddd

 
 

 

 

 

 

export LANG=AMERICAN_AMERICA.ZHS16GBK

impdp system/oracle directory=EXPDP network_link='linksource' logfile=impdp2user.log tables=suser.stable1,puser.ptable1

[oracle@single1102 admin]$ impdp system/oracle directory=EXPDP network_link='linksource' logfile=impdp2user.log tables=suser.stable1,puser.ptable1

Import: Release 11.2.0.4.0 - Production on Wed Jan 27 18:23:17 2016

Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.

Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production

With the Partitioning, OLAP, Data Mining and Real Application Testing options

Starting "SYSTEM"."SYS_IMPORT_TABLE_01": system/******** directory=EXPDP network_link=linksource logfile=impdp2user.log tables=suser.stable1,puser.ptable1

Estimate in progress using BLOCKS method...

Processing object type TABLE_EXPORT/TABLE/TABLE_DATA

Total estimation using BLOCKS method: 128 KB

Processing object type TABLE_EXPORT/TABLE/TABLE

. . imported "PUSER"."PTABLE1" 4 rows

. . imported "SUSER"."STABLE1" 4 rows

Job "SYSTEM"."SYS_IMPORT_TABLE_01" successfully completed at Wed Jan 27 18:23:35 2016 elapsed 0 00:00:15

 
 

 
 

Export tables of the source database from the local (target) side over the same link; the resulting dump file is written in clear for the same reason as in 3.1 unless ENCRYPTION is specified:

export LANG=AMERICAN_AMERICA.ZHS16GBK

expdp system/oracle directory=EXPDP network_link='linksource' dumpfile=expdp2usersfromsource.dmp logfile=exppdp2userfromsource.log schemas=suser,puser

 
 

    3.5 Moving tables to a different tablespace

alter table &tablename move tablespace &tablespacename;

conn puser/oracle

alter table ptable1 move tablespace S;

alter table pt1 move tablespace S;

 
 

conn suser/oracle

alter table stable1 move tablespace P;

alter table st1 move tablespace P;

 
 

SQL> conn puser/oracle

Connected.

SQL> alter table ptable1 move tablespace S;

Table altered.

SQL> alter table pt1 move tablespace S;

Table altered.

 
 

 
 

SQL> conn suser/oracle

Connected.

SQL> alter table stable1 move tablespace P;

Table altered.

SQL> alter table st1 move tablespace P;

Table altered.

Moving a table changes how it is stored at rest: pt1 and ptable1 now sit in encrypted tablespace S, while st1 and stable1 have moved into P and their blocks are written in clear (the column encryption on stable1 still applies, because it is a property of the column, not of the tablespace). Two consequences are worth spelling out. First, ALTER TABLE ... MOVE copies the segment and leaves the old extents in the old tablespace's datafile until that space is reused, so moving a table out of an encrypted tablespace produces a plaintext copy, and moving one in still leaves plaintext remnants behind in the old datafile. Second, the move marks the table's indexes UNUSABLE, so they have to be rebuilt afterwards.

 
 

    3.6 Creating, rebuilding and moving indexes on encrypted columns

conn suser/oracle

SQL> desc stable1

Name Null? Type

----------------------------------------- -------- ----------------------------

ID NOT NULL NUMBER ENCRYPT

NAME VARCHAR2(40) ENCRYPT

 

Create a primary key on id:

SQL> alter table stable1 add constraint pk_id primary key(id);

alter table stable1 add constraint pk_id primary key(id)

*

ERROR at line 1:

ORA-28338: Column(s) cannot be both indexed and encrypted with salt

ORA-28338: cannot encrypt indexed column(s) with salt
Cause: An attempt was made to encrypt index column with salt.
Action: Alter the table and specify column encrypting without salt.

 
 

Fix: re-encrypt the column without salt, then add the constraint:

alter table stable1 modify (id ENCRYPT no salt);

SQL> alter table stable1 modify (id ENCRYPT no salt);

Table altered.

SQL> alter table stable1 add constraint pk_id primary key(id);

Table altered.

1) An encrypted column can be indexed only when it is encrypted NO SALT.

The trade-off behind that rule: with salt (the default) every value is combined with random bytes before encryption, so two rows with the same id produce different ciphertext. NO SALT makes the encryption deterministic, which is what lets the B-tree compare values, but it also means anyone who can read the datafile can tell which rows share a value and count how often each ciphertext occurs. Use NO SALT only for columns that genuinely need an index, preferably high-cardinality ones such as keys rather than low-cardinality attributes.

 
 

 
 

 
 

    3.7 Creating a non-B-tree index on the id column

Drop the primary key constraint:

alter table stable1 drop constraint pk_id;

 
 

SQL> create BITMAP index id_idx on stable1(id);
create BITMAP index id_idx on stable1(id)
*

ERROR at line 1:

ORA-28337: the specified index may not be defined on an encrypted column

2) Only B-tree indexes can be created on encrypted columns; a bitmap index is rejected with ORA-28337.

 
 

 
 

 
 

 
 

Check how the execution plan changes once the primary key index exists:

SQL> alter table stable1 add constraint pk_id primary key(id);

Table altered.

 
 

SQL> select * from stable1;

Execution Plan

----------------------------------------------------------

Plan hash value: 3852586757

-----------------------------------------------------------------------------

| Id | Operation | Name | Rows | Bytes | Cost (%CPU)| Time |

-----------------------------------------------------------------------------

| 0 | SELECT STATEMENT | | 4 | 412 | 3 (0)| 00:00:01 |

| 1 | TABLE ACCESS FULL| STABLE1 | 4 | 412 | 3 (0)| 00:00:01 |

-----------------------------------------------------------------------------

Note

-----

- dynamic sampling used for this statement (level=2)   <- dynamic sampling, no statistics gathered yet

Statistics

----------------------------------------------------------

47 recursive calls

0 db block gets

79 consistent gets

0 physical reads

0 redo size

672 bytes sent via SQL*Net to client

520 bytes received via SQL*Net from client

2 SQL*Net roundtrips to/from client

7 sorts (memory)

0 sorts (disk)

4 rows processed

 
 

SQL> select * from stable1 where id=2;

Execution Plan

----------------------------------------------------------

Plan hash value: 2030797596

-------------------------------------------------------------------------------------
| Id | Operation                   | Name    | Rows | Bytes | Cost (%CPU)| Time     |
-------------------------------------------------------------------------------------
|  0 | SELECT STATEMENT            |         |    1 |   103 |     1   (0)| 00:00:01 |
|  1 | TABLE ACCESS BY INDEX ROWID | STABLE1 |    1 |   103 |     1   (0)| 00:00:01 |
|* 2 |  INDEX UNIQUE SCAN          | PK_ID   |    1 |       |     0   (0)| 00:00:01 |
-------------------------------------------------------------------------------------

Predicate Information (identified by operation id):

---------------------------------------------------

2 - access("ID"=2)   <- the index is used

Statistics

----------------------------------------------------------

11 recursive calls

0 db block gets

21 consistent gets

0 physical reads

0 redo size

590 bytes sent via SQL*Net to client

520 bytes received via SQL*Net from client

2 SQL*Net roundtrips to/from client

2 sorts (memory)

0 sorts (disk)

1 rows processed

 
 

SQL> select * from stable1 where id>2;

Execution Plan

----------------------------------------------------------

Plan hash value: 3852586757

 
 

-----------------------------------------------------------------------------

| Id | Operation | Name | Rows | Bytes | Cost (%CPU)| Time |

-----------------------------------------------------------------------------

| 0 | SELECT STATEMENT | | 2 | 206 | 3 (0)| 00:00:01 |

|* 1 | TABLE ACCESS FULL| STABLE1 | 2 | 206 | 3 (0)| 00:00:01 |

-----------------------------------------------------------------------------

 
 

Predicate Information (identified by operation id):

---------------------------------------------------

1 - filter(INTERNAL_FUNCTION("ID")>2)   <- applied as a filter on the decrypted value, not as an index access

Note

-----

- dynamic sampling used for this statement (level=2)   <- dynamic sampling

Statistics

----------------------------------------------------------

5 recursive calls

0 db block gets

9 consistent gets

0 physical reads

0 redo size

648 bytes sent via SQL*Net to client

520 bytes received via SQL*Net from client

2 SQL*Net roundtrips to/from client

0 sorts (memory)

0 sorts (disk)

2 rows processed

So on the encrypted, NO SALT column an equality predicate (id=2) is served by the index with an INDEX UNIQUE SCAN, but the range predicate id>2 is a full table scan. The index stores ciphertext, which preserves equality but not ordering, so the comparison appears as a filter on INTERNAL_FUNCTION("ID") and is evaluated row by row after decryption. Expect the same for BETWEEN, LIKE and ORDER BY on encrypted columns, and weigh it before putting column encryption on a column that is range-scanned in hot queries; tablespace encryption has no such effect on execution plans.

 

 

 

 
 

    3.8 Adding and changing the encryption algorithm

Encrypting a column

To encrypt a column with TDE, all you need to do is add the keyword ENCRYPT to the column definition. Before doing so you should decide which algorithm and key length to use.

Suppose the table's data is currently stored in clear text and you want to convert the SSN column, which holds social security numbers, to encrypted form. You can do that with:

alter table accounts modify (ssn encrypt);

This statement does two things:

it creates a table key for the table; if you later encrypt another column of the same table, the same table key is used;

it converts every value in the column to its encrypted form.

It does not change the data type or length of the column, and it creates no triggers or views.

By default the AES algorithm with a 192-bit key is used. You can choose a different algorithm by naming it in the SQL statement. For example, to use AES with a 128-bit key:

alter table accounts modify (ssn encrypt using 'AES128');

The available values are AES128, AES192, AES256 and 3DES168. They are self-explanatory: AES256 means the AES algorithm with a 256-bit key. 3DES168 is a legacy option kept for compatibility; prefer one of the AES key lengths.

 
 

 
 

After encrypting the column, describing the table shows:

SQL> desc accounts

Name Null? Type

------------ ------------ --------------------------------------------------

ACC_NO NUMBER

ACC_NAME VARCHAR2(30)

SSN VARCHAR2(9) ENCRYPT

Note that the ENCRYPT keyword appears after the data type. To find the encrypted columns in a database, query the data dictionary view DBA_ENCRYPTED_COLUMNS. (TDE cannot be enabled on tables owned by SYS.)

 
 

conn suser/oracle

alter table stable1 modify (id encrypt using 'AES128' no salt);

 
 

SQL> alter table stable1 modify (id number decrypt); -- remove the encryption

Table altered.

SQL> desc stable1

Name Null? Type

----------------------------------------- -------- ----------------------------

ID NOT NULL NUMBER

NAME VARCHAR2(40) ENCRYPT

 
 

alter table stable1 modify (id number encrypt no salt);

SQL> desc stable1

Name Null? Type

----------------------------------------- -------- ----------------------------

ID NOT NULL NUMBER ENCRYPT

NAME VARCHAR2(40) ENCRYPT

 

alter table stable1 modify (id encrypt using 'AES256' no salt);

ERROR at line 1:

ORA-28340: a different encryption algorithm has been chosen for the table

 
 

alter table stable1 modify (id encrypt using 'AES256' no salt);

ORA-28340: a different encryption algorithm has been chosen for the table

ORA-28340 is raised because all encrypted columns of a table share a single table key, and with it a single algorithm, fixed when the first column was encrypted. Decrypting one column does not discard the table key, so re-encrypting that column with a different algorithm is rejected. Changing the algorithm is a whole-table operation: regenerate the table key with the REKEY clause of ALTER TABLE (for example REKEY USING 'AES256'), which re-encrypts every encrypted column of the table.

 
 

SQL> alter table stable1 modify (name decrypt);

Table altered.

SQL> alter table stable1 modify (name encrypt using 'aes256');

alter table stable1 modify (name encrypt using 'aes256')

ERROR at line 1:

ORA-28340: a different encryption algorithm has been chosen for the table

 
 

 
 

alter table stable1 modify (name encrypt);

SQL> alter table stable1 modify (name encrypt);

Table altered.

SQL> desc stable1

Name Null? Type

----------------------------------------- -------- ----------------------------

ID NOT NULL NUMBER ENCRYPT

NAME VARCHAR2(40) ENCRYPT

 
 

Choosing the algorithm when the table is created:

create table test(id number encrypt, name varchar2(20) encrypt using 'aes256');

SQL> create table test(id number encrypt, name varchar2(20) encrypt using 'aes256');

 
 

Table created.

 
 

SQL> desc test;

Name Null? Type

----------------------------------------- -------- ----------------------------

ID NUMBER ENCRYPT

NAME VARCHAR2(20) ENCRYPT

SQL> alter table test modify (name decrypt);

Table altered.

 
 

SQL> alter table test modify (name encrypt using 'aes128');

alter table test modify (name encrypt using 'aes128')

ERROR at line 1:

ORA-28340: a different encryption algorithm has been chosen for the table

 
 

 
 

SQL> alter table test modify (name encrypt using 'aes256');

Table altered.

 
 

Summary:

The algorithm is fixed per table, by its table key, as soon as the first column is encrypted; re-encrypting a single column with a different algorithm raises ORA-28340, and changing it means rekeying the whole table.

 

 
 

 

 

 

  4. Data Guard configuration

For TDE to work in a Data Guard configuration you need Oracle 11g; 10g does not support this combination.

The procedure is to copy the encryption wallet directory and the sqlnet.ora ENCRYPTION_WALLET_LOCATION entry to the standby, at the same path as on the primary. The standby can then open the wallet and apply redo for encrypted tablespaces and columns; if it cannot, media recovery stops with ORA-28365 at the first encrypted block. Two consequences follow. The standby usually runs with an auto-login wallet so that redo apply survives a restart without someone typing the wallet password, which makes the file permissions on that directory part of the security boundary. And whenever the master key is re-keyed on the primary, the updated wallet has to be copied to the standby again before the new key appears in the redo stream.
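As an added example (not from the original post), the following script performs the copy described above for a file-based wallet, using a local directory as the stand-in for the standby's wallet location; in practice the destination is reached with scp or rsync, which is left out so the script runs offline. It copies ewallet.p12 and, if present, cwallet.sso, refuses to overwrite a standby wallet that differs from the primary's (a standby that already holds its own, different wallet is worth a manual look rather than a silent overwrite), sets the copies to mode 0600 and verifies them with cksum. The function names, the return codes and the directories used by demo are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post. stage_wallet copies a
# file-based TDE wallet from the primary's wallet directory ($1) into the
# standby's ($2), which must be the same path as on the primary. A local
# directory stands in for the standby here; use scp/rsync for the real copy.
# Return codes: 0 copied and verified, 1 nothing to copy, 2 refused to
# overwrite a different existing wallet, 3 verification failed.

# Checksum of a file (cksum is POSIX); prints "crc size".
sum_of() {
    cksum < "$1" | cut -d' ' -f1-2
}

stage_wallet() {
    src=$1
    dst=$2
    [ -f "$src/ewallet.p12" ] || { echo "no ewallet.p12 in $src"; return 1; }
    mkdir -p "$dst"
    chmod 700 "$dst"
    for f in ewallet.p12 cwallet.sso; do
        [ -f "$src/$f" ] || continue
        if [ -f "$dst/$f" ] && [ "$(sum_of "$src/$f")" != "$(sum_of "$dst/$f")" ]; then
            echo "REFUSED: $dst/$f exists and differs from the primary's copy; remove it by hand if that is intended"
            return 2
        fi
        cp "$src/$f" "$dst/$f"
        chmod 600 "$dst/$f"
        [ "$(sum_of "$src/$f")" = "$(sum_of "$dst/$f")" ] || { echo "VERIFY FAILED: $f"; return 3; }
        echo "staged $f -> $dst ($(sum_of "$dst/$f"))"
    done
    return 0
}

# Constructed demo: fake primary and standby directories under a temp dir.
# The first copy returns 0; a second call with a different wallet already
# in place on the standby returns 2.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/primary"
    printf 'constructed wallet contents\n' > "$tmp/primary/ewallet.p12"
    stage_wallet "$tmp/primary" "$tmp/standby"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo
```

After staging, open the wallet on the standby (or confirm v$encryption_wallet shows OPEN if an auto-login wallet was copied) before redo apply reaches the first encrypted block; the cwallet.sso copy is what makes the standby self-sufficient across restarts, at the cost described in section 1.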

  5. Error log

SQL> create table stable1 (id number ENCRYPT NOT NULL ,

2 name VARCHAR2(40) ENCRYPT,

3 PRIMARY KEY (id)

4 );

create table stable1 (id number ENCRYPT NOT NULL ,

*

ERROR at line 1:

ORA-28338: Column(s) cannot be both indexed and encrypted with salt

 
 

SQL> alter table test modify (name encrypt using 'aes128');

alter table test modify (name encrypt using 'aes128')

*

ERROR at line 1:

ORA-28340: a different encryption algorithm has been chosen for the table

  6. Summary and other notes

 
 

1. Where the encryption happens:

Tablespace encryption is applied when blocks are written to disk, so the data in the datafiles is encrypted and every object in the tablespace is covered without changes to the schema.

Column encryption happens at the SQL layer: the server encrypts the values of the marked columns before they are stored and decrypts them on read.

Both are transparent to any session that passes the database's own access controls. TDE protects against loss of the files (datafiles, backups, and dump files when Data Pump encryption is used), not against a privileged database user.

 
 

2. Restrictions. The ones seen above apply to column encryption, not to tablespace encryption (table ST1 in encrypted tablespace S took a primary key and exported/imported like any other table):

– index type: only B-tree indexes on encrypted columns (ORA-28337);

– an indexed encrypted column must use NO SALT (ORA-28338), and the index serves equality predicates only;

– external large objects (BFILEs) are not encrypted by either method, since they live outside the database;

– exp/imp skip encrypted tables (EXP-00107, EXP-00111); use expdp/impdp, and set ENCRYPTION on the export, otherwise the dump file holds the data in clear (ORA-39173).
