Oracle TDE的学习
TDE的开启和关闭
设置wallet目录,在参数文件sqlnet.ora中,按照下面的格式加入信息
# Oracle Advanced Security Transparent Data Encryption
ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/product/11.2.4/db_1/network/admin/encryption_wallet)))
创建该目录
su - oracle
mkdir -p /u01/app/oracle/product/11.2.4/db_1/network/admin/encryption_wallet
创建master key文件,指定wallet密码,使用SYS用户登入系统,建立加密文件
ORA-28388: database is not open in read/write mode
创建万能密钥。
SQL>ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "junshi66";
[oracle@primary rpdm]$ cd /u01/app/oracle/product/11.2.4/db_1/network/admin/encryption_wallet/
[oracle@primary encryption_wallet]$ ll
总用量 4
-rw-r--r-- 1 oracle asmadmin 2845 1月 15 14:48 ewallet.p12
启动、关闭Wallet
打开钱包(第一次设置万能密钥会自动打开钱包)
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "junshi66";
ORA-28354: wallet 已经打开
SQL> alter system set encryption wallet close identified by "junshi66"; --关闭
System altered
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "junshi66"; --打开
System altered
到此,已经成功配置了Wallet,创建了master key。
注意:
如果是dg环境,需要把主库上的
这几个文件、目录都要同步过去。
创建环境使用部分
加密表空间
创建加密表空间 S
CREATE TABLESPACE S DATAFILE '+DATA' SIZE 200M autoextend on maxsize unlimited ENCRYPTION DEFAULT STORAGE(ENCRYPT);
创建用户 suser
create user suser identified by oracle default tablespace S;
grant connect,resource to suser;
创建表 st1
conn suser/oracle
create table st1 (id number CONSTRAINT id_nn NOT NULL,
name VARCHAR2(40),
PRIMARY KEY (id)
);
插入数据
insert into st1 values (1,'aaa');
insert into st1 values (2,'bbb');
insert into st1 values (3,'ccc');
insert into st1 values (4,'ddd');
创建普通表空间 P
CREATE TABLESPACE P DATAFILE '+DATA' SIZE 200M autoextend on maxsize unlimited;
创建用户 puser
create user puser identified by oracle default tablespace P;
grant connect,resource to puser;
创建表 pt1
conn puser/oracle
create table pt1 (id number CONSTRAINT id_nn NOT NULL,
name VARCHAR2(40),
PRIMARY KEY (id)
);
插入数据
insert into pt1 values (1,'aaa');
insert into pt1 values (2,'bbb');
insert into pt1 values (3,'ccc');
insert into pt1 values (4,'ddd');
加密列
suser 下创建表 stable1 、 stable2
conn suser/oracle
create table stable1 (id number ENCRYPT NOT NULL ,
name VARCHAR2(40) ENCRYPT
);
insert into stable1 values (1,'aaa');
insert into stable1 values (2,'bbb');
insert into stable1 values (3,'ccc');
insert into stable1 values (4,'ddd');
create table stable2 (id number NOT NULL,
name VARCHAR2(40) ENCRYPT
);
insert into stable2 values (1,'aaa');
insert into stable2 values (2,'bbb');
insert into stable2 values (3,'ccc');
insert into stable2 values (4,'ddd');
psuer下创建 ptable1 、 ptable2
conn puser/oracle
create table ptable1 (id number ENCRYPT NOT NULL ,
name VARCHAR2(40) ENCRYPT
);
insert into ptable1 values (1,'aaa');
insert into ptable1 values (2,'bbb');
insert into ptable1 values (3,'ccc');
insert into ptable1 values (4,'ddd');
create table ptable2 (id number NOT NULL,
name VARCHAR2(40) ENCRYPT
);
insert into ptable2 values (1,'aaa');
insert into ptable2 values (2,'bbb');
insert into ptable2 values (3,'ccc');
insert into ptable2 values (4,'ddd');
目标数据库
CREATE TABLESPACE S DATAFILE '/u01/app/oracle/oradata/demo/S01.dbf' SIZE 200M autoextend on maxsize unlimited;
CREATE TABLESPACE P DATAFILE '/u01/app/oracle/oradata/demo/P01.dbf' SIZE 200M autoextend on maxsize unlimited;
create user suser identified by oracle default tablespace S;
grant connect,resource to suser;
create user puser identified by oracle default tablespace P;
grant connect,resource to puser;
创建dblink
CREATE PUBLIC DATABASE LINK "linksource"
CONNECT TO system
IDENTIFIED BY "oracle"
USING 'source';
管理部分
schema的迁移(exp\imp,expdp\impdp)
expdp:
export LANG=AMERICAN_AMERICA.ZHS16GBK
expdp system/oracle directory=EXPDP dumpfile=expdp2users.dmp logfile=expdp2user.log schemas=suser,puser
[oracle@primary ~]$ export LANG=AMERICAN_AMERICA.ZHS16GBK
[oracle@primary ~]$ expdp system/oracle directory=EXPDP dumpfile=expdp2users.dmp logfile=expdp2user.log schemas=suser,puser
Export: Release 11.2.0.4.0 - Production on Tue Jan 26 17:21:33 2016
Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.
Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, Automatic Storage Management, OLAP, Data Mining
and Real Application Testing options
Starting "SYSTEM"."SYS_EXPORT_SCHEMA_01": system/******** directory=EXPDP dumpfile=expdp2users.dmp logfile=expdp2user.log schemas=suser,puser
Estimate in progress using BLOCKS method...
Processing object type SCHEMA_EXPORT/TABLE/TABLE_DATA
Total estimation using BLOCKS method: 384 KB
Processing object type SCHEMA_EXPORT/USER
Processing object type SCHEMA_EXPORT/SYSTEM_GRANT
Processing object type SCHEMA_EXPORT/ROLE_GRANT
Processing object type SCHEMA_EXPORT/DEFAULT_ROLE
Processing object type SCHEMA_EXPORT/PRE_SCHEMA/PROCACT_SCHEMA
Processing object type SCHEMA_EXPORT/TABLE/TABLE
Processing object type SCHEMA_EXPORT/TABLE/CONSTRAINT/CONSTRAINT
. . exported "PUSER"."PT1" 5.437 KB 4 rows
. . exported "PUSER"."PTABLE1" 5.445 KB 4 rows
. . exported "PUSER"."PTABLE2" 5.445 KB 4 rows
. . exported "SUSER"."ST1" 5.437 KB 4 rows
. . exported "SUSER"."STABLE1" 5.445 KB 4 rows
. . exported "SUSER"."STABLE2" 5.445 KB 4 rows
ORA-39173: Encrypted data has been stored unencrypted in dump file set.
Master table "SYSTEM"."SYS_EXPORT_SCHEMA_01" successfully loaded/unloaded
******************************************************************************
Dump file set for SYSTEM.SYS_EXPORT_SCHEMA_01 is:
/backup/expdp/expdp2users.dmp
Job "SYSTEM"."SYS_EXPORT_SCHEMA_01" completed with 1 error(s) at Tue Jan 26 17:22:06 2016 elapsed 0 00:00:27
exp:
export LANG=AMERICAN_AMERICA.ZHS16GBK
exp system/oracle file=/backup/expdp/exp2user.dmp log=/backup/expdp/exp2user.log owner=suser,puser
[oracle@primary ~]$ exp system/oracle file=/backup/expdp/exp2user.dmp log=/backup/expdp/exp2user.log owner=suser,puser
Export: Release 11.2.0.4.0 - Production on Tue Jan 26 17:22:31 2016
Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.
Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, Automatic Storage Management, OLAP, Data Mining
and Real Application Testing options
Export done in ZHS16GBK character set and AL16UTF16 NCHAR character set
About to export specified users ...
. exporting pre-schema procedural objects and actions
. exporting foreign function library names for user SUSER
. exporting foreign function library names for user PUSER
. exporting PUBLIC type synonyms
. exporting private type synonyms
. exporting PUBLIC type synonyms
. exporting private type synonyms
. exporting object type definitions for user SUSER
. exporting object type definitions for user PUSER
About to export SUSER's objects ...
. exporting database links
. exporting sequence numbers
. exporting cluster definitions
. about to export SUSER's tables via Conventional Path ...
EXP-00111: Table ST1 resides in an Encrypted Tablespace S and will not be exported
EXP-00111: Table STABLE1 resides in an Encrypted Tablespace S and will not be exported
EXP-00111: Table STABLE2 resides in an Encrypted Tablespace S and will not be exported
. exporting synonyms
. exporting views
. exporting stored procedures
. exporting operators
About to export PUSER's objects ...
. exporting database links
. exporting sequence numbers
. exporting cluster definitions
. about to export PUSER's tables via Conventional Path ...
. . exporting table PT1 4 rows exported
EXP-00107: Feature (COLUMN ENCRYPTION) of column ID in table PUSER.PTABLE1 is not supported. The table will not be exported.
EXP-00107: Feature (COLUMN ENCRYPTION) of column NAME in table PUSER.PTABLE2 is not supported. The table will not be exported.
. exporting synonyms
. exporting views
. exporting stored procedures
. exporting operators
. exporting referential integrity constraints
. exporting triggers
. exporting indextypes
. exporting bitmap, functional and extensible indexes
. exporting posttables actions
. exporting materialized views
. exporting snapshot logs
. exporting job queues
. exporting refresh groups and children
. exporting dimensions
. exporting referential integrity constraints
. exporting triggers
. exporting indextypes
. exporting bitmap, functional and extensible indexes
. exporting posttables actions
. exporting materialized views
. exporting snapshot logs
. exporting job queues
. exporting refresh groups and children
. exporting dimensions
. exporting post-schema procedural objects and actions
. exporting statistics
Export terminated successfully with warnings.
可以看到,exp无法导出有加密列的表。
on 192.168.80.200
impdp
export LANG=AMERICAN_AMERICA.ZHS16GBK
impdp system/oracle directory=EXPDP dumpfile=expdp2users.dmp logfile=impdp2user.log schemas=suser,puser
没有迁移对应的密钥时
[oracle@single1102 ~]$ export LANG=AMERICAN_AMERICA.ZHS16GBK
[oracle@single1102 ~]$ impdp system/oracle directory=EXPDP dumpfile=expdp2users.dmp logfile=impdp2user.log schemas=suser,puser
Import: Release 11.2.0.4.0 - Production on Wed Jan 27 17:56:18 2016
Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.
Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
Master table "SYSTEM"."SYS_IMPORT_SCHEMA_01" successfully loaded/unloaded
Starting "SYSTEM"."SYS_IMPORT_SCHEMA_01": system/******** directory=EXPDP dumpfile=expdp2users.dmp logfile=impdp2user.log schemas=suser,puser
Processing object type SCHEMA_EXPORT/USER
ORA-31684: Object type USER:"SUSER" already exists
ORA-31684: Object type USER:"PUSER" already exists
Processing object type SCHEMA_EXPORT/SYSTEM_GRANT
Processing object type SCHEMA_EXPORT/ROLE_GRANT
Processing object type SCHEMA_EXPORT/DEFAULT_ROLE
Processing object type SCHEMA_EXPORT/PRE_SCHEMA/PROCACT_SCHEMA
Processing object type SCHEMA_EXPORT/TABLE/TABLE
ORA-39083: Object type TABLE:"SUSER"."STABLE1" failed to create with error:
ORA-28365: wallet is not open
Failing sql is:
CREATE TABLE "SUSER"."STABLE1" ("ID" NUMBER ENCRYPT USING 'AES192' 'SHA-1' NOT NULL ENABLE, "NAME" VARCHAR2(40 BYTE) ENCRYPT USING 'AES192' 'SHA-1') SEGMENT CREATION IMMEDIATE PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 NOCOMPRESS LOGGING STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645 PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1 BUFFER_POOL DEFAULT FLASH_CACHE DEF
ORA-39083: Object type TABLE:"SUSER"."STABLE2" failed to create with error:
ORA-28365: wallet is not open
Failing sql is:
CREATE TABLE "SUSER"."STABLE2" ("ID" NUMBER NOT NULL ENABLE, "NAME" VARCHAR2(40 BYTE) ENCRYPT USING 'AES192' 'SHA-1') SEGMENT CREATION IMMEDIATE PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 NOCOMPRESS LOGGING STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645 PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1 BUFFER_POOL DEFAULT FLASH_CACHE DEFAULT CELL_FLASH_CACHE DEFAULT)
ORA-39083: Object type TABLE:"PUSER"."PTABLE1" failed to create with error:
ORA-28365: wallet is not open
Failing sql is:
CREATE TABLE "PUSER"."PTABLE1" ("ID" NUMBER ENCRYPT USING 'AES192' 'SHA-1' NOT NULL ENABLE, "NAME" VARCHAR2(40 BYTE) ENCRYPT USING 'AES192' 'SHA-1') SEGMENT CREATION IMMEDIATE PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 NOCOMPRESS LOGGING STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645 PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1 BUFFER_POOL DEFAULT FLASH_CACHE DEF
ORA-39083: Object type TABLE:"PUSER"."PTABLE2" failed to create with error:
ORA-28365: wallet is not open
Failing sql is:
CREATE TABLE "PUSER"."PTABLE2" ("ID" NUMBER NOT NULL ENABLE, "NAME" VARCHAR2(40 BYTE) ENCRYPT USING 'AES192' 'SHA-1') SEGMENT CREATION IMMEDIATE PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 NOCOMPRESS LOGGING STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645 PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1 BUFFER_POOL DEFAULT FLASH_CACHE DEFAULT CELL_FLASH_CACHE DEFAULT)
Processing object type SCHEMA_EXPORT/TABLE/TABLE_DATA
. . imported "PUSER"."PT1" 5.437 KB 4 rows
. . imported "SUSER"."ST1" 5.437 KB 4 rows
Processing object type SCHEMA_EXPORT/TABLE/CONSTRAINT/CONSTRAINT
Job "SYSTEM"."SYS_IMPORT_SCHEMA_01" completed with 6 error(s) at Wed Jan 27 17:56:27 2016 elapsed 0 00:00:06
显示
无法创建"SUSER"."STABLE1"、"SUSER"."STABLE2"、"PUSER"."PTABLE1"、"PUSER"."PTABLE2"。原因是 ORA-28365: wallet is not open
如果将源库上的 wallet和sqlnet.ora同步过来之后,重启目标库后再次导入;
[oracle@single1102 ~]$ impdp system/oracle directory=EXPDP dumpfile=expdp2users.dmp logfile=impdp2user.log schemas=suser,puser
Import: Release 11.2.0.4.0 - Production on Wed Jan 27 18:00:59 2016
Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.
Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
Master table "SYSTEM"."SYS_IMPORT_SCHEMA_01" successfully loaded/unloaded
Starting "SYSTEM"."SYS_IMPORT_SCHEMA_01": system/******** directory=EXPDP dumpfile=expdp2users.dmp logfile=impdp2user.log schemas=suser,puser
Processing object type SCHEMA_EXPORT/USER
ORA-31684: Object type USER:"SUSER" already exists
ORA-31684: Object type USER:"PUSER" already exists
Processing object type SCHEMA_EXPORT/SYSTEM_GRANT
Processing object type SCHEMA_EXPORT/ROLE_GRANT
Processing object type SCHEMA_EXPORT/DEFAULT_ROLE
Processing object type SCHEMA_EXPORT/PRE_SCHEMA/PROCACT_SCHEMA
Processing object type SCHEMA_EXPORT/TABLE/TABLE
Processing object type SCHEMA_EXPORT/TABLE/TABLE_DATA
. . imported "PUSER"."PT1" 5.437 KB 4 rows
. . imported "PUSER"."PTABLE1" 5.445 KB 4 rows
. . imported "PUSER"."PTABLE2" 5.445 KB 4 rows
. . imported "SUSER"."ST1" 5.437 KB 4 rows
. . imported "SUSER"."STABLE1" 5.445 KB 4 rows
. . imported "SUSER"."STABLE2" 5.445 KB 4 rows
Processing object type SCHEMA_EXPORT/TABLE/CONSTRAINT/CONSTRAINT
Job "SYSTEM"."SYS_IMPORT_SCHEMA_01" completed with 2 error(s) at Wed Jan 27 18:01:11 2016 elapsed 0 00:00:10
可以看到,如果目标库上有了对应的密钥后,数据就可以导入。
另外,重启目标库后
SQL> select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/u01/app/oracle/product/11.2.4/db_1/network/admin/encryption_wallet
OPEN
发现 wallet是自动open的,说明这个属性是保存在/u01/app/oracle/product/11.2.4/db_1/network/admin/encryption_wallet目录下的配置文件中,而非保存在数据库中的。
imp
export LANG=AMERICAN_AMERICA.ZHS16GBK
create user suser identified by oracle default tablespace S;
grant connect,resource to suser;
create user puser identified by oracle default tablespace P;
grant connect,resource to puser;
imp system/oracle file=/backup/expdp/exp2user.dmp log=/backup/expdp/imp2user.log fromuser=suser,puser
[oracle@single1102 admin]$ imp system/oracle file=/backup/expdp/exp2user.dmp log=/backup/expdp/imp2user.log fromuser=suser,puser
Import: Release 11.2.0.4.0 - Production on Wed Jan 27 18:05:57 2016
Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.
Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
Export file created by EXPORT:V11.02.00 via conventional path
import done in ZHS16GBK character set and AL16UTF16 NCHAR character set
. importing SYSTEM's objects into SYSTEM
. importing SUSER's objects into SUSER
. importing PUSER's objects into PUSER
. . importing table "PT1" 4 rows imported
Import terminated successfully without warnings.
只能导入非加密的表。
表的迁移(exp\imp,expdp\impdp)
expdp:
export LANG=AMERICAN_AMERICA.ZHS16GBK
expdp system/oracle directory=EXPDP dumpfile=expdp2users.dmp logfile=expdp2user.log tables=suser,puser
on 192.168.80.200
impdp
export LANG=AMERICAN_AMERICA.ZHS16GBK
impdp system/oracle directory=EXPDP dumpfile=expdp2users.dmp logfile=impdp2user.log tables=suser.stable1,puser.ptable1
通过上面的导入导出部分得知,目标库上如果要导入数据,必须要有相关的wallet,此处已经实现该点。
[oracle@single1102 admin]$ impdp system/oracle directory=EXPDP dumpfile=expdp2users.dmp logfile=impdp2user.log tables=suser.stable1,puser.ptable1
Import: Release 11.2.0.4.0 - Production on Wed Jan 27 18:15:38 2016
Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.
Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
Master table "SYSTEM"."SYS_IMPORT_TABLE_01" successfully loaded/unloaded
Starting "SYSTEM"."SYS_IMPORT_TABLE_01": system/******** directory=EXPDP dumpfile=expdp2users.dmp logfile=impdp2user.log tables=suser.stable1,puser.ptable1
Processing object type SCHEMA_EXPORT/TABLE/TABLE
Processing object type SCHEMA_EXPORT/TABLE/TABLE_DATA
. . imported "PUSER"."PTABLE1" 5.445 KB 4 rows
. . imported "SUSER"."STABLE1" 5.445 KB 4 rows
Job "SYSTEM"."SYS_IMPORT_TABLE_01" successfully completed at Wed Jan 27 18:15:46 2016 elapsed 0 00:00:05
远端的expdp和impdp
直接从源库上导入到本地:
SQL> CREATE PUBLIC DATABASE LINK "linksource"
CONNECT TO system
IDENTIFIED BY "oracle"
USING 'source';
Database link created.
SQL> select * from puser.pt1@linksource;
ID NAME
---------- ----------------------------------------
1 aaa
2 bbb
3 ccc
4 ddd
export LANG=AMERICAN_AMERICA.ZHS16GBK
impdp system/oracle directory=EXPDP network_link='linksource' logfile=impdp2user.log tables=suser.stable1,puser.ptable1
[oracle@single1102 admin]$ impdp system/oracle directory=EXPDP network_link='linksource' logfile=impdp2user.log tables=suser.stable1,puser.ptable1
Import: Release 11.2.0.4.0 - Production on Wed Jan 27 18:23:17 2016
Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.
Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
Starting "SYSTEM"."SYS_IMPORT_TABLE_01": system/******** directory=EXPDP network_link=linksource logfile=impdp2user.log tables=suser.stable1,puser.ptable1
Estimate in progress using BLOCKS method...
Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
Total estimation using BLOCKS method: 128 KB
Processing object type TABLE_EXPORT/TABLE/TABLE
. . imported "PUSER"."PTABLE1" 4 rows
. . imported "SUSER"."STABLE1" 4 rows
Job "SYSTEM"."SYS_IMPORT_TABLE_01" successfully completed at Wed Jan 27 18:23:35 2016 elapsed 0 00:00:15
直接在本地库上导出源库上的表
export LANG=AMERICAN_AMERICA.ZHS16GBK
expdp system/oracle directory=EXPDP network_link='linksource' dumpfile=expdp2usersfromsource.dmp logfile=exppdp2userfromsource.log schemas=suser,puser
移动表到不同表空间
alter table &tablename move tablespace &tablespacename;
conn puser/oracle
alter table ptable1 move tablespace S;
alter table pt1 move tablespace S;
conn suser/oracle
alter table stable1 move tablespace P;
alter table st1 move tablespace P;
SQL> conn puser/oracle
Connected.
SQL> alter table ptable1 move tablespace S;
Table altered.
SQL> alter table pt1 move tablespace S;
Table altered.
SQL> conn suser/oracle
Connected.
SQL> alter table stable1 move tablespace P;
Table altered.
SQL> alter table st1 move tablespace P;
Table altered.
创建、重建、移动索引(加密列)
conn suser/oracle
SQL> desc stable1
Name Null? Type
----------------------------------------- -------- ----------------------------
ID NOT NULL NUMBER ENCRYPT
NAME VARCHAR2(40) ENCRYPT
在id上创建主键
SQL> alter table stable1 add constraint pk_id primary key(id);
alter table stable1 add constraint pk_id primary key(id)
*
ERROR at line 1:
ORA-28338: Column(s) cannot be both indexed and encrypted with salt
ORA-28338:
cannot encrypt indexed column(s) with salt
Cause: An attempt was made to encrypt index column with salt.
Action: Alter the table and specify column encrypting without salt.
处理方式
alter table stable1 modify (id ENCRYPT no salt);
SQL> alter table stable1 modify (id ENCRYPT no salt);
Table altered.
SQL> alter table stable1 add constraint pk_id primary key(id);
Table altered.
1)加密列的属性必须为no salt才可以创建索引
在id列上创建非btree索引
删除
主键约束
alter table stable1 drop constraint pk_id;
create BITMAP index id_idx on stable1(id) *
ERROR at line 1:
ORA-28337: the specified index may not be defined on an encrypted column
2)加密列只能创建b-tree索引
检查执行计划的变化:
SQL> alter table stable1 add constraint pk_id primary key(id);
Table altered.
SQL> select * from stable1;
Execution Plan
----------------------------------------------------------
Plan hash value: 3852586757
-----------------------------------------------------------------------------
| Id | Operation | Name | Rows | Bytes | Cost (%CPU)| Time |
-----------------------------------------------------------------------------
| 0 | SELECT STATEMENT | | 4 | 412 | 3 (0)| 00:00:01 |
| 1 | TABLE ACCESS FULL| STABLE1 | 4 | 412 | 3 (0)| 00:00:01 |
-----------------------------------------------------------------------------
Note
-----
- dynamic sampling used for this statement (level=2) 动态采样
Statistics
----------------------------------------------------------
47 recursive calls
0 db block gets
79 consistent gets
0 physical reads
0 redo size
672 bytes sent via SQL*Net to client
520 bytes received via SQL*Net from client
2 SQL*Net roundtrips to/from client
7 sorts (memory)
0 sorts (disk)
4 rows processed
SQL> select * from stable1 where id=2;
Execution Plan
----------------------------------------------------------
Plan hash value: 2030797596
--------------------------------------------------------------------------------
-------
| Id | Operation | Name | Rows | Bytes | Cost (%CPU)| Tim
e |
--------------------------------------------------------------------------------
-------
| 0 | SELECT STATEMENT | | 1 | 103 | 1 (0)| 00:
00:01 |
| 1 | TABLE ACCESS BY INDEX ROWID| STABLE1 | 1 | 103 | 1 (0)| 00:
00:01 |
|* 2 | INDEX UNIQUE SCAN | PK_ID | 1 | | 0 (0)| 00:
00:01 |
--------------------------------------------------------------------------------
-------
Predicate Information (identified by operation id):
---------------------------------------------------
2 - access("ID"=2) 走索引
Statistics
----------------------------------------------------------
11 recursive calls
0 db block gets
21 consistent gets
0 physical reads
0 redo size
590 bytes sent via SQL*Net to client
520 bytes received via SQL*Net from client
2 SQL*Net roundtrips to/from client
2 sorts (memory)
0 sorts (disk)
1 rows processed
SQL> select * from stable1 where id>2;
Execution Plan
----------------------------------------------------------
Plan hash value: 3852586757
-----------------------------------------------------------------------------
| Id | Operation | Name | Rows | Bytes | Cost (%CPU)| Time |
-----------------------------------------------------------------------------
| 0 | SELECT STATEMENT | | 2 | 206 | 3 (0)| 00:00:01 |
|* 1 | TABLE ACCESS FULL| STABLE1 | 2 | 206 | 3 (0)| 00:00:01 |
-----------------------------------------------------------------------------
Predicate Information (identified by operation id):
---------------------------------------------------
1 - filter(INTERNAL_FUNCTION("ID")>2) 内部加密算法
Note
-----
- dynamic sampling used for this statement (level=2) 动态采样
Statistics
----------------------------------------------------------
5 recursive calls
0 db block gets
9 consistent gets
0 physical reads
0 redo size
648 bytes sent via SQL*Net to client
520 bytes received via SQL*Net from client
2 SQL*Net roundtrips to/from client
0 sorts (memory)
0 sorts (disk)
2 rows processed
添加、更换加密算法
加密列
为了使用TDE加密列,所有你需要做的只是在定义列的时候增加一个简单的谓词"ENCRYPT"。在定义之前,理所当然的你需要决定采用什么样的加密算法和密钥长度。
目前表的所有数据是明文的,你想转换SSN列为加密的,因此SSN保存了敏感的"社会保险号",你可以通过如下方式设定:
alter table accounts modify (ssn encrypt);
这条语句完成了如下两件事:
为表创建了一个表密钥,如果你修改同一个表中的另外的列为加密的,将会使用同一个表密钥
将所有列的值转换为加密的形式
这条语句并不修改数据类型或者列的长度,也不创建触发器或者视图。
缺省情况下采用192位密钥长度的AES算法。你也可以选择不同的算法,只需要在SQL命令中指定即可。例如,如果要使用128位的AES算法,你可以采用如下语句:
alter table accounts modify (ssn encrypt using 'AES128');
你可以使用AES128、AES192、AES256、或者3DES168。这些值是自解释的,例如:AES256指采用AES算法、256位长度的密钥。
加密列之后,当查看表的时候你可以看到如下信息:
SQL> desc accounts
Name Null? Type
------------ ------------ --------------------------------------------------
ACC_NO NUMBER
ACC_NAME VARCHAR2(30)
SSN VARCHAR2(9) ENCRYPT
需要注意的是ENCRYPT关键字在数据类型之后。如果需要查找数据库中加密的列,你可以在数据字典视图中搜索DBA_ENCRYPTED_COLUMNS(TDE不能在SYS所有的表中启用).
conn suser/oracle
alter table stable1 modify (id encrypt using 'AES128' no salt);
SQL> alter table stable1 modify (id number decrypt); ---取消加密
Table altered.
SQL> desc stable1
Name Null? Type
----------------------------------------- -------- ----------------------------
ID NOT NULL NUMBER
NAME VARCHAR2(40) ENCRYPT
alter table stable1 modify (id number encrypt no salt);
SQL> desc stable1
Name Null? Type
----------------------------------------- -------- ----------------------------
ID NOT NULL NUMBER ENCRYPT
NAME VARCHAR2(40) ENCRYPT
alter table stable1 modify (id encrypt using 'AES256' no salt);
ERROR at line 1:
ORA-28340: a different encryption algorithm has been chosen for the table
alter table stable1 modify (id encrypt using 'AES256' no salt);
ORA-28340: a different encryption algorithm has been chosen for the table
只能使用一种加密方式,不能修改。
SQL> alter table stable1 modify (name decrypt);
Table altered.
SQL> alter table stable1 modify (name encrypt using 'aes256');
alter table stable1 modify (name encrypt using 'aes256')
ERROR at line 1:
ORA-28340: a different encryption algorithm has been chosen for the table
alter table stable1 modify (name encrypt);
SQL> alter table stable1 modify (name encrypt);
Table altered.
SQL> desc stable1
Name Null? Type
----------------------------------------- -------- ----------------------------
ID NOT NULL NUMBER ENCRYPT
NAME VARCHAR2(40) ENCRYPT
建表的时候确定加密方式
create table test(id number encrypt, name varchar2(20) encrypt using 'aes256');
SQL> create table test(id number encrypt, name varchar2(20) encrypt using 'aes256');
Table created.
SQL> desc test;
Name Null? Type
----------------------------------------- -------- ----------------------------
ID NUMBER ENCRYPT
NAME VARCHAR2(20) ENCRYPT
SQL> alter table test modify (name decrypt);
Table altered.
SQL> alter table test modify (name encrypt using 'aes128');
alter table test modify (name encrypt using 'aes128')
ERROR at line 1:
ORA-28340: a different encryption algorithm has been chosen for the table
SQL> alter table test modify (name encrypt using 'aes256');
Table altered.
总结:
加密方式一旦确定之后,就不能修改。
dataguard环境配置
为了在dataguard中能正常使用encryption的功能,需要使用oracle 11g的版本支持,10g版本是不支持dg的。
使用方法是将
加密文件架和sqlnet.ora内容同步到
和主库一样的位置。即可。
报错记录
SQL> create table stable1 (id number ENCRYPT NOT NULL ,
2 name VARCHAR2(40) ENCRYPT,
3 PRIMARY KEY (id)
4 );
create table stable1 (id number ENCRYPT NOT NULL ,
*
ERROR at line 1:
ORA-28338: Column(s) cannot be both indexed and encrypted with salt
SQL> alter table test modify (name encrypt using 'aes128');
alter table test modify (name encrypt using 'aes128')
*
ERROR at line 1:
ORA-28340: a different encryption algorithm has been chosen for the table
总结归档及其他
1、加密方式:
表空间加密
是发生在数据存储的时候,也就是存储在文件上的数据已经被加密;
字段加密发生在SQL层,由SQL调用一个算法对数据进行加密处理。
2、加密的限制,比如:
– 索引类型
(加密列和加密表空间都只能创建b-tree索引)
– 都需要 no salt创建索引
– 外部大对象(bfiles)都不可以
– exp/imp不行,需要用expdp/impdp
Oracle TDE的学习的更多相关文章
- oracle TDE
转自:oracle TDE学习系列 (1) — wallet 使用管理 关于oracle wallet,通常称为oracle钱夹,说的通俗一点,oracle wallet是一个用 口令加密的PKCS# ...
- Oracle教程之学习笔记
Oracle教程之学习笔记... ----------------------------------- Oracle教程:---学习笔记: ============================= ...
- 【oracle】入门学习(一)
一直想学oracle但都没有下定决心.这次借了书,一定要学好oracle. 目前学习 <Oracle从入门到精通> 明日科技 的Oracle 11g 版本 关系型数据库的基本理论 数据模型 ...
- Oracle 12c 搭建学习
Oracle 12c 搭建学习 Vm workstaton10 安装linux 6.4 安装oracle12c Oracle 12c只支持64位系统 1 环境检查 [root@rac1 ~]# gre ...
- Oracle data guard学习
Oracle data guard学习:三思笔记 Data guard 1data guard结构: data guard是一个集合,由一个primary数据库(生产数据库)和一个或多个standby ...
- [转]oracle 实施方法论学习心得
本周由部门新入职的同事为我们分享oracle实施方法论,本次重点围绕项目启动会来做介绍,并着重介绍了oracle与我们不一样的地方.收获颇丰,简单总结几个值得学习借鉴的要点: 1. 细节 ...
- ORACLE opatch命令学习实践
opatch 是ORACLE开发的用来安装,卸载,检测patch冲突.管理ORACLE所有已经安装的补丁的工具,当然这是一个命令工具.opatch命令工具一般位于$ORACLE_HOME/OPat ...
- Oracle 数据库基础学习 (三) Oracle 四个表结构
Oracle 四个表的 emp dept salgrade bunus 的结构,记住有利于后期SQL语句的学习 雇员表(emp) No. 字段 类型 描述 1 empno NUMBER(4) 表示 ...
- Oracle 数据库 基础学习 (一) SQL基本知识
Oracle 从零开始,不知所措.要掌握一种技能,最好的方式是先学会怎么使用它,然后再深入学习,先有样子,再有技术. 一,什么是数据库? 为什么需要数据库? 数据库实质上是一个信息的列表,或者是一 ...
随机推荐
- Visual C++中MFC消息的分类
Visual C++中MFC消息的分为三类:标准(窗口)消息.命令消息.控件消息. 1.标准(窗口)消息:窗口消息一般与窗口内部运作有关,如创建窗口,绘制窗口,销毁窗口,通常,消息是从系统发到窗口,或 ...
- inode的理解
迫于需要理解sock_init()中的init_inodecache,所以稍微学习了一下inode. 一.inode的定义 文件储存在硬盘上,硬盘的最小存储单位叫做"扇区"(Sec ...
- 十一、IntelliJ IDEA 中的版本控制介绍(上)
咱们已经了解了很多关于 IntelliJ IDEA 的使用方法,至少可以独立的运用 IntelliJ IDEA 进行项目开发啦!但是一个人进行项目开发更趋向于理想化,更多的则是团队协同开发.这时,咱们 ...
- HDU 2089(暴力和数位dp)
传送门: http://acm.hdu.edu.cn/showproblem.php?pid=2089 不要62 Time Limit: 1000/1000 MS (Java/Others) M ...
- 由Oracle 11g SYSAUX 和 SYSTEM 表空间回收引发的联想
0x00--目的 整理一下以前一个SYSTEM表空间和SYSAUX表空间使用率达到99%上限的处理思路和相关知识点,好记性不如烂笔头 0x01--表空间使用率现状 通过查询可得知目前表空间使用情况如下 ...
- python 变量定义
变量定义 什么是变量? 在程序运行过程中,其值可以改变的量. 标识符(命令规范) 只能由数字.字母.下划线组成 不能以数字开头 不能是系统关键字 import keyword # 打印关键字列表 ...
- vue移动端项目vw适配运行项目时出现"advanced"报错解决办法。
Module build failed: Error: Cannot load preset "advanced". Please check your configuration ...
- 463. Island Perimeter (5月29日)
解答 class Solution { public: int islandPerimeter(vector<vector<int>>& grid) { int num ...
- 811. Subdomain Visit Count (5月23日)
解答 class Solution { public: vector<string> subdomainVisits(vector<string>& cpdomains ...
- Java中泛型的运用实例
package example6; import java.util.ArrayList;import java.util.HashMap;import java.util.HashSet;impor ...