Understanding the Encrypted Wallet (Oracle TDE)
You cannot decrypt a tablespace that has been created encrypted. You must create an unencrypted tablespace and re-create the database objects in the unencrypted tablespace.
My understanding: there are two kinds of wallet, the auto login wallet (cwallet.sso) and the encrypted, password-protected wallet (ewallet.p12).
After an instance restart only the auto login wallet opens by itself. If no auto login wallet has been set up, the encrypted wallet has to be opened with ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "password". Running ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "password" also leaves the wallet open, but it is not an "open" command and it does not reset the wallet password: every execution generates a new TDE master encryption key and rewrites the wallet. Use it only when a rekey is intended, and back the wallet up after each run, because without the wallet the encrypted data can no longer be read.
Setting up the auto login wallet
There is no SQL statement for this. An auto login wallet is derived from an existing encrypted wallet: the orapki utility, run against the wallet directory with its auto_login option, writes cwallet.sso next to ewallet.p12. The instance then opens the wallet at startup without a password. The trade-off is that the key material is protected only by file permissions: anyone who can read cwallet.sso together with the datafiles can decrypt them, so the wallet directory should be readable only by the Oracle software owner, and cwallet.sso should not be included in backups that leave the host.
Setting up the encrypted wallet
1. Edit sqlnet.ora (in $TNS_ADMIN or $ORACLE_HOME/network/admin) and add
ENCRYPTION_WALLET_LOCATION=
(SOURCE=(METHOD=FILE)(METHOD_DATA=
(DIRECTORY=/app/wallet)))
or
WALLET_LOCATION=
(SOURCE=(METHOD=FILE)(METHOD_DATA=
(DIRECTORY=/app/wallet)))
Notes:
TDE looks for ENCRYPTION_WALLET_LOCATION first and falls back to WALLET_LOCATION. WALLET_LOCATION is also the location used for SSL/TLS wallets, so giving the TDE wallet its own ENCRYPTION_WALLET_LOCATION keeps it separate from the network layer.
METHOD=HSM keeps the master key in a Hardware Security Module; the database sends its encrypted table and tablespace keys to the HSM and receives them back decrypted, so the master key never leaves the device.
METHOD=FILE keeps the master key in a PKCS#12 wallet file (ewallet.p12) in the DIRECTORY given; the file itself is protected by the wallet password.
The directory must exist and be writable by the Oracle software owner before the next step, otherwise the wallet cannot be created.
2. ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "password";
This creates ewallet.p12 in the wallet directory (if it does not exist yet), opens it, and generates the master encryption key. Back the wallet up immediately afterwards.
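As an added example (not from the original post and not Oracle's own code), the following Python script performs the pre-flight check an administrator or auditor would want around steps 1 and 2: it parses the wallet location out of a sqlnet.ora fragment using the same precedence TDE applies (ENCRYPTION_WALLET_LOCATION first, WALLET_LOCATION as fallback), then inspects the wallet directory to report whether a password wallet (ewallet.p12) and an auto login wallet (cwallet.sso) exist and whether their permissions expose them to other local users. The sqlnet.ora text and the wallet files it creates are constructed placeholders; the helper names and the 0600/0644 modes are the example's own assumptions.

```python
"""Audit the TDE wallet location referenced by sqlnet.ora.

Added example: the sqlnet.ora fragment and the wallet files are constructed
placeholders, not real Oracle wallets.
"""
import os
import re
import stat
import tempfile

# Constructed sqlnet.ora fragment (assumption: layout as on the page, plus an
# unrelated WALLET_LOCATION for SSL to show that TDE prefers the first entry).
SAMPLE_SQLNET_ORA = """
SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS)
ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)(METHOD_DATA=
    (DIRECTORY=/app/wallet)))
WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/app/sslwallet)))
"""

WALLET_FILES = ("ewallet.p12", "cwallet.sso")   # password wallet, auto login wallet


def _param_block(text, name):
    """Return the balanced-parenthesis value of 'NAME=(...)' or None.

    The name is matched at the start of a line so that WALLET_LOCATION does
    not match inside ENCRYPTION_WALLET_LOCATION.
    """
    m = re.search(r"(?m)^[ \t]*" + re.escape(name) + r"[ \t]*=\s*", text)
    if not m:
        return None
    depth, start = 0, None
    for i in range(m.end(), len(text)):
        ch = text[i]
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
    return None


def wallet_location(sqlnet_text):
    """Return (METHOD, DIRECTORY) that TDE will use, or None if neither
    parameter is set: ENCRYPTION_WALLET_LOCATION wins over WALLET_LOCATION."""
    for name in ("ENCRYPTION_WALLET_LOCATION", "WALLET_LOCATION"):
        block = _param_block(sqlnet_text, name)
        if block is None:
            continue
        method = re.search(r"\bMETHOD\s*=\s*(\w+)", block)
        directory = re.search(r"\bDIRECTORY\s*=\s*([^)\s]+)", block)
        return (method.group(1) if method else None,
                directory.group(1) if directory else None)
    return None


def audit_wallet_dir(directory):
    """Report which wallet files exist and whether group/other can read them."""
    report = {"directory": directory, "exposed": []}
    dir_mode = stat.S_IMODE(os.stat(directory).st_mode)
    report["dir_exposed"] = bool(dir_mode & (stat.S_IRWXG | stat.S_IRWXO))
    for name in WALLET_FILES:
        path = os.path.join(directory, name)
        report[name] = os.path.isfile(path)
        if report[name]:
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                report["exposed"].append(name)
    report["auto_login"] = report["cwallet.sso"]
    return report


def findings(report):
    """Turn the report into the statements an auditor would write down."""
    out = []
    if not report["ewallet.p12"]:
        out.append("no ewallet.p12: SET ENCRYPTION KEY has not created a wallet here")
    if report["auto_login"]:
        out.append("cwallet.sso present: the instance opens the wallet at startup without a password")
    for name in report["exposed"]:
        out.append("%s is readable by group/other: key material exposed to local users" % name)
    if report["dir_exposed"]:
        out.append("wallet directory is accessible to group/other")
    return out


def demo_audit():
    """Build a throw-away wallet directory with constructed placeholder files:
    ewallet.p12 locked down to 0600, cwallet.sso left at 0644 by a default umask."""
    directory = tempfile.mkdtemp(prefix="tde_wallet_")   # created with mode 0700
    for name, mode in (("ewallet.p12", 0o600), ("cwallet.sso", 0o644)):
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(b"placeholder, not a real wallet\n")
        os.chmod(path, mode)
    return audit_wallet_dir(directory)


if __name__ == "__main__":
    print(wallet_location(SAMPLE_SQLNET_ORA))
    for line in findings(demo_audit()):
        print("-", line)
```

Run it on a real host by reading the actual sqlnet.ora into wallet_location() and passing the directory it returns to audit_wallet_dir(); a cwallet.sso that is readable by anyone other than the Oracle software owner defeats the point of encrypting the datafiles.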
Creating an encrypted tablespace
CREATE TABLESPACE encrypt_ts
DATAFILE '/ORACLE_HOME/dbs/encrypt_df.dbf' SIZE 1M
ENCRYPTION
DEFAULT STORAGE (ENCRYPT);
ENCRYPTION clause: Use this clause to specify the encryption properties of the tablespace. This clause does not actually encrypt the tablespace. You must also specify the ENCRYPT keyword as part of the DEFAULT storage_clause in this statement in order for the tablespace to be encrypted. In addition, you must already have used ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY ... to load the TDE master key into database memory for the duration of the instance, or establish a connection to the HSM to send the encrypted table and tablespace keys to the HSM and receive them back decrypted.
Two checks worth doing afterwards: the ENCRYPTED column of DBA_TABLESPACES shows YES for the new tablespace, and V$ENCRYPTION_WALLET shows the wallet type, location and STATUS (OPEN or CLOSED) the instance is actually using. Remember the first sentence of this page: the tablespace cannot be decrypted later; only its objects can be moved to an unencrypted one.
Opening the auto login wallet
It opens by itself when the instance starts, provided cwallet.sso is present at the wallet location and no ALTER SYSTEM SET ENCRYPTION WALLET OPEN has been run; there is no SQL statement to open it explicitly (see the official excerpt below).
Opening the encrypted wallet
1. ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "password";
Can be run whenever the wallet directory is reachable, but every run generates a new master key, so it is a rekey rather than an open and is the wrong tool for routine opening.
2. ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "password";
Fails with ORA-28354 in the following two situations:
2.1. the auto login wallet is already open;
2.2. the encrypted wallet is already open, for example because ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "password" has just been run.
Closing only the auto login wallet
SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE
Closing the encrypted wallet
This closes the auto login wallet and the encrypted wallet together:
SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "password";
Closing the wallet is the practical way to take encrypted data offline while the instance stays up: once it is closed, access to encrypted tablespaces fails with ORA-28365 until the wallet is opened again.
Official excerpt on the auto login wallet
Transparent Data Encryption (TDE) uses an auto login wallet only if it is available at the correct location (ENCRYPTION_WALLET_LOCATION, WALLET_LOCATION, or default wallet location), and the SQL command to open an encrypted wallet has not already been executed. If an auto login wallet is being used, you must not use the ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "password" command.
A password is not required to close an auto-open wallet when only an auto-open wallet is present. The password is required to close an auto-open wallet when both an auto-open wallet and an encryption wallet are open. In this case, using CLOSE with a password will close the auto-open wallet and the encryption wallet.
The external security module can use wallets with the automatic login feature enabled. These wallets remain open all of the time. The security administrator does not have to reopen the wallet after a database instance has been restarted. If your environment does not require the extra security provided by a wallet that must be explicitly opened for use, then you may use an auto login wallet.
Auto login wallets are opened automatically and do not need to be opened explicitly.
No password is required to close an auto login wallet.
In case an auto login wallet needs to be closed, it can be closed with the following command:
SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE
Official excerpt on the encrypted wallet
SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Easy2rem";
The preceding command achieves the following:
If no encrypted wallet is present in the directory specified, an encrypted wallet is created (ewallet.p12), the wallet is opened, and the master encryption key for TDE is created/re-created.
If an encrypted wallet is present in the directory specified, the wallet is opened, and the master encryption key for TDE is created/re-created.
When you create the master encryption key using the ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "password" command, TDE checks to see if a wallet exists in the default or specified location. If no wallet exists, then a wallet is created automatically.
Use the following command to open the wallet containing the master encryption key:
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Easy2rem";
Every time the database is shut down, the Oracle wallet is closed. You can also explicitly close the wallet.
You need to make sure that the Oracle wallet is open before you can perform any encryption or decryption operation.
Observed behaviour in the experiment (results in the order they occurred, top to bottom)
Edit sqlnet.ora
ENCRYPTION_WALLET_LOCATION=
(SOURCE=(METHOD=FILE)(METHOD_DATA=
(DIRECTORY=/app/wallet)))
or
WALLET_LOCATION=
(SOURCE=(METHOD=FILE)(METHOD_DATA=
(DIRECTORY=/app/wallet)))
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "oracle123";
ORA-28367: wallet does not exist
SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "oracle123";
System altered
SQL> ALTER SYSTEM SET ENCRYPTION WALLET close;
ORA-28390: auto login wallet not open but encryption wallet may be open
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "oracle123";
ORA-28354: Encryption wallet, auto login wallet, or HSM is already open
SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "oracle123";
System altered
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "oracle123";
System altered
SQL> startup force
ORACLE instance started.
Total System Global Area 2471931904 bytes
Fixed Size 2255752 bytes
Variable Size 637535352 bytes
Database Buffers 1811939328 bytes
Redo Buffers 20201472 bytes
Database mounted.
ORA-28365: wallet is not open
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "oracle123";
System altered.
SQL> alter database open;
Database altered.
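The sequence above is a good test of whether one has understood the open/close rules, so here is an added Python model of them (not Oracle code, and not from the original post). The transitions and the ORA- messages come from the SQL*Plus output above and from the quoted documentation; the wallet password comparison, the reply to a CLOSE when nothing is open, and the assumption that the instance refused to open because an encrypted tablespace existed are the model's own. The first replay reproduces the page's experiment command by command; the second goes beyond it and shows what changes once an auto login wallet (cwallet.sso) exists, following the quoted documentation.

```python
"""State model of the TDE wallet open/close rules seen on this page.

Added example, not Oracle code: transitions and messages follow the page's
SQL*Plus output and quoted docs; password handling, the reply to CLOSE when
nothing is open, and the encrypted-tablespace assumption are the model's own.
"""

ORA_28354 = "ORA-28354: Encryption wallet, auto login wallet, or HSM is already open"
ORA_28365 = "ORA-28365: wallet is not open"
ORA_28367 = "ORA-28367: wallet does not exist"
ORA_28390 = "ORA-28390: auto login wallet not open but encryption wallet may be open"
ALTERED = "System altered"
DB_OPEN = "Database altered."
REJECTED = "model: wallet password rejected"   # assumption, not an Oracle message


class Wallet:
    """One wallet directory plus the instance's view of it."""

    def __init__(self, encrypted_tablespace=True):
        self.exists = False            # ewallet.p12 present
        self.password = None           # fixed when the wallet is created
        self.auto_login_file = False   # cwallet.sso present
        self.enc_open = False          # password wallet loaded into the instance
        self.auto_open = False         # auto login wallet loaded into the instance
        self.master_keys = 0           # master keys generated so far
        self.encrypted_tablespace = encrypted_tablespace  # assumed for the page's instance

    def is_open(self):
        return self.enc_open or self.auto_open

    def set_encryption_key(self, password):
        """SET ENCRYPTION KEY: creates the wallet if needed, opens it, and always
        generates a new master key (a rekey, not an open)."""
        if not self.exists:
            self.exists, self.password = True, password
        elif password != self.password:
            return REJECTED
        self.enc_open = True
        self.master_keys += 1
        return ALTERED

    def wallet_open(self, password):
        """SET ENCRYPTION WALLET OPEN IDENTIFIED BY."""
        if not self.exists:
            return ORA_28367
        if self.is_open():
            return ORA_28354
        if password != self.password:
            return REJECTED
        self.enc_open = True
        return ALTERED

    def wallet_close(self, password=None):
        """SET ENCRYPTION WALLET CLOSE [IDENTIFIED BY]."""
        if password is None:                  # no password: only the auto login wallet
            if self.auto_open:
                self.auto_open = False
                return ALTERED
            return ORA_28390 if self.enc_open else ORA_28365   # second branch assumed
        if password != self.password:
            return REJECTED
        self.enc_open = self.auto_open = False  # a password closes both
        return ALTERED

    def make_auto_login(self):
        """Stands in for creating cwallet.sso from ewallet.p12 with orapki."""
        self.auto_login_file = self.exists

    def startup_force(self):
        """Restart: every open wallet is closed; only cwallet.sso reopens itself."""
        self.enc_open = False
        self.auto_open = self.auto_login_file
        return self.alter_database_open()

    def alter_database_open(self):
        if self.encrypted_tablespace and not self.is_open():
            return ORA_28365
        return DB_OPEN


def replay_page_experiment():
    """The exact command sequence from the page; returns the replies."""
    w, pw = Wallet(), "oracle123"
    return [
        w.wallet_open(pw),           # wallet does not exist yet
        w.set_encryption_key(pw),    # creates ewallet.p12, opens it, key #1
        w.wallet_close(),            # no password: only an auto login wallet would close
        w.wallet_open(pw),           # already open
        w.wallet_close(pw),          # password closes it
        w.wallet_open(pw),           # reopen
        w.startup_force(),           # restart closes it; database cannot open
        w.wallet_open(pw),           # open again
        w.alter_database_open(),
    ]


def replay_with_auto_login():
    """What changes once cwallet.sso exists (per the quoted documentation)."""
    w, pw = Wallet(), "oracle123"
    w.set_encryption_key(pw)
    w.wallet_close(pw)
    w.make_auto_login()
    return [
        w.startup_force(),     # auto login wallet opened itself, database opens
        w.wallet_open(pw),     # must not be used while the auto login wallet is open
        w.wallet_close(),      # closes the auto login wallet, no password needed
        w.wallet_open(pw),     # now the password wallet can be opened
    ]


if __name__ == "__main__":
    for reply in replay_page_experiment():
        print(reply)
```

The master_keys counter is the detail worth keeping in mind: calling set_encryption_key() twice leaves the wallet open either way, but the second call has silently rotated the master key, which is why the page's note that this command "can be run any time" should not be read as "use it to open the wallet".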
From the ITPUB blog, link: http://blog.itpub.net/30126024/viewspace-2146395/. Please credit the source when reposting.