Oracle TDE Study Notes


1. Enabling and disabling TDE

Set the wallet directory: add the following entry to the sqlnet.ora parameter file, in this format:

# Oracle Advanced Security Transparent Data Encryption

ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/product/11.2.4/db_1/network/admin/encryption_wallet)))

Create that directory:

su - oracle

mkdir -p /u01/app/oracle/product/11.2.4/db_1/network/admin/encryption_wallet

Create the master key (wallet) file: log in as SYS, choose a wallet password and create the encryption wallet. The database must be open in read/write mode, otherwise the statement fails with:

ORA-28388: database is not open in read/write mode

Create the master key:

SQL>ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "junshi66";

[oracle@primary rpdm]$ cd /u01/app/oracle/product/11.2.4/db_1/network/admin/encryption_wallet/

[oracle@primary encryption_wallet]$ ll

總用量 4

-rw-r--r-- 1 oracle asmadmin 2845 1 15 14:48 ewallet.p12

Opening and closing the wallet

Open the wallet (setting the master key for the first time opens the wallet automatically):

SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "junshi66";

ORA-28354: wallet 已經打開

SQL> alter system set encryption wallet close identified by "junshi66"; -- close

System altered

SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "junshi66"; -- open

System altered

At this point the wallet is configured and the master key has been created.

Note:

In a Data Guard environment, these files and the directory must also be copied from the primary to the standby.
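The wallet directory setup above, as an added example that is not part of the original post: a small POSIX shell script that creates the directory with owner-only permissions, prints the matching sqlnet.ora entry and checks that the wallet files are not readable by other OS users (the listing above shows ewallet.p12 as mode 644). The directory path is a parameter; ewallet.p12 and cwallet.sso are the standard Oracle wallet file names, and a Linux host with GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: helper functions for preparing the
# TDE wallet directory described above. Paths are parameters; nothing here is a
# real system path unless you pass one in. Assumes a Linux host (GNU stat -c).

# Print the sqlnet.ora entry for a wallet directory, in the format used in the post.
wallet_sqlnet_entry() {
    printf 'ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=%s)))\n' "$1"
}

# Create the wallet directory and restrict it to the owner (mode 0700).
wallet_dir_create() {
    mkdir -p "$1" && chmod 700 "$1"
}

# Check the wallet files that may live in the directory:
#   ewallet.p12  password-protected wallet holding the master key (created by
#                ALTER SYSTEM SET ENCRYPTION KEY, as shown in the post)
#   cwallet.sso  auto-login wallet; if present, the database opens the wallet at
#                startup without a password, so it deserves the same protection
# Return 0 when every file present has no group/other permission bits,
# otherwise print each offender and return 1.
wallet_perms_check() {
    dir=$1
    rc=0
    for f in "$dir/ewallet.p12" "$dir/cwallet.sso"; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")          # octal mode, e.g. 644
        case "$mode" in
            *00) ;;                         # owner-only: 600, 400, 700
            *)  echo "WARN: $f is mode $mode (readable by group/other)"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Usage: sh wallet_check.sh --demo /path/to/encryption_wallet
if [ "${1-}" = "--demo" ] && [ -n "${2-}" ]; then
    wallet_dir_create "$2"
    wallet_sqlnet_entry "$2"
    wallet_perms_check "$2" && echo "wallet file permissions OK"
fi
```

Run it as `sh wallet_check.sh --demo /path/to/encryption_wallet`. The wallet is password protected, but keeping the directory and files owner-only means the master key material is reachable only through the oracle account; the same directory is what gets copied to a standby, so the copy should keep these permissions too.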

   

   

2. Setting up the test environment

2.1 Encrypted tablespace

Create the encrypted tablespace S:

CREATE TABLESPACE S DATAFILE '+DATA' SIZE 200M autoextend on maxsize unlimited ENCRYPTION DEFAULT STORAGE(ENCRYPT);

Create the user suser:

create user suser identified by oracle default tablespace S;

grant connect,resource to suser;

Create the table st1:

conn suser/oracle

create table st1 (id number CONSTRAINT id_nn NOT NULL,
name VARCHAR2(40),
PRIMARY KEY (id)
);

Insert data:

insert into st1 values (1,'aaa');
insert into st1 values (2,'bbb');
insert into st1 values (3,'ccc');
insert into st1 values (4,'ddd');

Create the ordinary (unencrypted) tablespace P:

CREATE TABLESPACE P DATAFILE '+DATA' SIZE 200M autoextend on maxsize unlimited;

Create the user puser:

create user puser identified by oracle default tablespace P;

grant connect,resource to puser;

Create the table pt1:

conn puser/oracle

create table pt1 (id number CONSTRAINT id_nn NOT NULL,
name VARCHAR2(40),
PRIMARY KEY (id)
);

Insert data:

insert into pt1 values (1,'aaa');
insert into pt1 values (2,'bbb');
insert into pt1 values (3,'ccc');
insert into pt1 values (4,'ddd');


2.2 Encrypted columns

Under suser, create the tables stable1 and stable2:

conn suser/oracle

create table stable1 (id number ENCRYPT NOT NULL ,
name VARCHAR2(40) ENCRYPT
);

insert into stable1 values (1,'aaa');
insert into stable1 values (2,'bbb');
insert into stable1 values (3,'ccc');
insert into stable1 values (4,'ddd');

create table stable2 (id number NOT NULL,
name VARCHAR2(40) ENCRYPT
);

insert into stable2 values (1,'aaa');
insert into stable2 values (2,'bbb');
insert into stable2 values (3,'ccc');
insert into stable2 values (4,'ddd');

Under puser, create ptable1 and ptable2:

conn puser/oracle

create table ptable1 (id number ENCRYPT NOT NULL ,
name VARCHAR2(40) ENCRYPT
);

insert into ptable1 values (1,'aaa');
insert into ptable1 values (2,'bbb');
insert into ptable1 values (3,'ccc');
insert into ptable1 values (4,'ddd');

create table ptable2 (id number NOT NULL,
name VARCHAR2(40) ENCRYPT
);

insert into ptable2 values (1,'aaa');
insert into ptable2 values (2,'bbb');
insert into ptable2 values (3,'ccc');
insert into ptable2 values (4,'ddd');


2.3 Target database

On the target database, create the tablespaces S and P (unencrypted here) and the two users:

CREATE TABLESPACE S DATAFILE '/u01/app/oracle/oradata/demo/S01.dbf' SIZE 200M autoextend on maxsize unlimited;

CREATE TABLESPACE P DATAFILE '/u01/app/oracle/oradata/demo/P01.dbf' SIZE 200M autoextend on maxsize unlimited;

create user suser identified by oracle default tablespace S;

grant connect,resource to suser;

create user puser identified by oracle default tablespace P;

grant connect,resource to puser;

2.4 Creating the database link

CREATE PUBLIC DATABASE LINK "linksource"
CONNECT TO system
IDENTIFIED BY "oracle"
USING 'source';


3. Administration

3.1 Schema migration (exp/imp, expdp/impdp)

expdp:

export LANG=AMERICAN_AMERICA.ZHS16GBK

expdp system/oracle directory=EXPDP dumpfile=expdp2users.dmp logfile=expdp2user.log schemas=suser,puser


[oracle@primary ~]$ export LANG=AMERICAN_AMERICA.ZHS16GBK

[oracle@primary ~]$ expdp system/oracle directory=EXPDP dumpfile=expdp2users.dmp logfile=expdp2user.log schemas=suser,puser

Export: Release 11.2.0.4.0 - Production on Tue Jan 26 17:21:33 2016

Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.

Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production

With the Partitioning, Automatic Storage Management, OLAP, Data Mining

and Real Application Testing options

Starting "SYSTEM"."SYS_EXPORT_SCHEMA_01": system/******** directory=EXPDP dumpfile=expdp2users.dmp logfile=expdp2user.log schemas=suser,puser

Estimate in progress using BLOCKS method...

Processing object type SCHEMA_EXPORT/TABLE/TABLE_DATA

Total estimation using BLOCKS method: 384 KB

Processing object type SCHEMA_EXPORT/USER

Processing object type SCHEMA_EXPORT/SYSTEM_GRANT

Processing object type SCHEMA_EXPORT/ROLE_GRANT

Processing object type SCHEMA_EXPORT/DEFAULT_ROLE

Processing object type SCHEMA_EXPORT/PRE_SCHEMA/PROCACT_SCHEMA

Processing object type SCHEMA_EXPORT/TABLE/TABLE

Processing object type SCHEMA_EXPORT/TABLE/CONSTRAINT/CONSTRAINT

. . exported "PUSER"."PT1" 5.437 KB 4 rows

. . exported "PUSER"."PTABLE1" 5.445 KB 4 rows

. . exported "PUSER"."PTABLE2" 5.445 KB 4 rows

. . exported "SUSER"."ST1" 5.437 KB 4 rows

. . exported "SUSER"."STABLE1" 5.445 KB 4 rows

. . exported "SUSER"."STABLE2" 5.445 KB 4 rows

ORA-39173: Encrypted data has been stored unencrypted in dump file set.

Master table "SYSTEM"."SYS_EXPORT_SCHEMA_01" successfully loaded/unloaded

******************************************************************************

Dump file set for SYSTEM.SYS_EXPORT_SCHEMA_01 is:

/backup/expdp/expdp2users.dmp

Job "SYSTEM"."SYS_EXPORT_SCHEMA_01" completed with 1 error(s) at Tue Jan 26 17:22:06 2016 elapsed 0 00:00:27

   

   

exp:

export LANG=AMERICAN_AMERICA.ZHS16GBK

exp system/oracle file=/backup/expdp/exp2user.dmp log=/backup/expdp/exp2user.log owner=suser,puser


[oracle@primary ~]$ exp system/oracle file=/backup/expdp/exp2user.dmp log=/backup/expdp/exp2user.log owner=suser,puser

Export: Release 11.2.0.4.0 - Production on Tue Jan 26 17:22:31 2016

Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.

Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production

With the Partitioning, Automatic Storage Management, OLAP, Data Mining

and Real Application Testing options

Export done in ZHS16GBK character set and AL16UTF16 NCHAR character set

About to export specified users ...

. exporting pre-schema procedural objects and actions

. exporting foreign function library names for user SUSER

. exporting foreign function library names for user PUSER

. exporting PUBLIC type synonyms

. exporting private type synonyms

. exporting PUBLIC type synonyms

. exporting private type synonyms

. exporting object type definitions for user SUSER

. exporting object type definitions for user PUSER

About to export SUSER's objects ...

. exporting database links

. exporting sequence numbers

. exporting cluster definitions

. about to export SUSER's tables via Conventional Path ...

EXP-00111: Table ST1 resides in an Encrypted Tablespace S and will not be exported

EXP-00111: Table STABLE1 resides in an Encrypted Tablespace S and will not be exported

EXP-00111: Table STABLE2 resides in an Encrypted Tablespace S and will not be exported

. exporting synonyms

. exporting views

. exporting stored procedures

. exporting operators

About to export PUSER's objects ...

. exporting database links

. exporting sequence numbers

. exporting cluster definitions

. about to export PUSER's tables via Conventional Path ...

. . exporting table PT1 4 rows exported

EXP-00107: Feature (COLUMN ENCRYPTION) of column ID in table PUSER.PTABLE1 is not supported. The table will not be exported.

EXP-00107: Feature (COLUMN ENCRYPTION) of column NAME in table PUSER.PTABLE2 is not supported. The table will not be exported.

. exporting synonyms

. exporting views

. exporting stored procedures

. exporting operators

. exporting referential integrity constraints

. exporting triggers

. exporting indextypes

. exporting bitmap, functional and extensible indexes

. exporting posttables actions

. exporting materialized views

. exporting snapshot logs

. exporting job queues

. exporting refresh groups and children

. exporting dimensions

. exporting referential integrity constraints

. exporting triggers

. exporting indextypes

. exporting bitmap, functional and extensible indexes

. exporting posttables actions

. exporting materialized views

. exporting snapshot logs

. exporting job queues

. exporting refresh groups and children

. exporting dimensions

. exporting post-schema procedural objects and actions

. exporting statistics

Export terminated successfully with warnings.

   

As the log shows, exp cannot export tables that have encrypted columns (EXP-00107); it also skipped the tables in the encrypted tablespace (EXP-00111).

On 192.168.80.200 (the target database), impdp:

export LANG=AMERICAN_AMERICA.ZHS16GBK

impdp system/oracle directory=EXPDP dumpfile=expdp2users.dmp logfile=impdp2user.log schemas=suser,puser

Without the corresponding master key (wallet) migrated to the target:

[oracle@single1102 ~]$ export LANG=AMERICAN_AMERICA.ZHS16GBK

[oracle@single1102 ~]$ impdp system/oracle directory=EXPDP dumpfile=expdp2users.dmp logfile=impdp2user.log schemas=suser,puser

   

Import: Release 11.2.0.4.0 - Production on Wed Jan 27 17:56:18 2016

   

Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.

   

Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production

With the Partitioning, OLAP, Data Mining and Real Application Testing options

Master table "SYSTEM"."SYS_IMPORT_SCHEMA_01" successfully loaded/unloaded

Starting "SYSTEM"."SYS_IMPORT_SCHEMA_01": system/******** directory=EXPDP dumpfile=expdp2users.dmp logfile=impdp2user.log schemas=suser,puser

Processing object type SCHEMA_EXPORT/USER

ORA-31684: Object type USER:"SUSER" already exists

ORA-31684: Object type USER:"PUSER" already exists

Processing object type SCHEMA_EXPORT/SYSTEM_GRANT

Processing object type SCHEMA_EXPORT/ROLE_GRANT

Processing object type SCHEMA_EXPORT/DEFAULT_ROLE

Processing object type SCHEMA_EXPORT/PRE_SCHEMA/PROCACT_SCHEMA

Processing object type SCHEMA_EXPORT/TABLE/TABLE

ORA-39083: Object type TABLE:"SUSER"."STABLE1" failed to create with error:

ORA-28365: wallet is not open

Failing sql is:

CREATE TABLE "SUSER"."STABLE1" ("ID" NUMBER ENCRYPT USING 'AES192' 'SHA-1' NOT NULL ENABLE, "NAME" VARCHAR2(40 BYTE) ENCRYPT USING 'AES192' 'SHA-1') SEGMENT CREATION IMMEDIATE PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 NOCOMPRESS LOGGING STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645 PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1 BUFFER_POOL DEFAULT FLASH_CACHE DEF

ORA-39083: Object type TABLE:"SUSER"."STABLE2" failed to create with error:

ORA-28365: wallet is not open

Failing sql is:

CREATE TABLE "SUSER"."STABLE2" ("ID" NUMBER NOT NULL ENABLE, "NAME" VARCHAR2(40 BYTE) ENCRYPT USING 'AES192' 'SHA-1') SEGMENT CREATION IMMEDIATE PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 NOCOMPRESS LOGGING STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645 PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1 BUFFER_POOL DEFAULT FLASH_CACHE DEFAULT CELL_FLASH_CACHE DEFAULT)

ORA-39083: Object type TABLE:"PUSER"."PTABLE1" failed to create with error:

ORA-28365: wallet is not open

Failing sql is:

CREATE TABLE "PUSER"."PTABLE1" ("ID" NUMBER ENCRYPT USING 'AES192' 'SHA-1' NOT NULL ENABLE, "NAME" VARCHAR2(40 BYTE) ENCRYPT USING 'AES192' 'SHA-1') SEGMENT CREATION IMMEDIATE PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 NOCOMPRESS LOGGING STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645 PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1 BUFFER_POOL DEFAULT FLASH_CACHE DEF

ORA-39083: Object type TABLE:"PUSER"."PTABLE2" failed to create with error:

ORA-28365: wallet is not open

Failing sql is:

CREATE TABLE "PUSER"."PTABLE2" ("ID" NUMBER NOT NULL ENABLE, "NAME" VARCHAR2(40 BYTE) ENCRYPT USING 'AES192' 'SHA-1') SEGMENT CREATION IMMEDIATE PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 NOCOMPRESS LOGGING STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645 PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1 BUFFER_POOL DEFAULT FLASH_CACHE DEFAULT CELL_FLASH_CACHE DEFAULT)

Processing object type SCHEMA_EXPORT/TABLE/TABLE_DATA

. . imported "PUSER"."PT1" 5.437 KB 4 rows

. . imported "SUSER"."ST1" 5.437 KB 4 rows

Processing object type SCHEMA_EXPORT/TABLE/CONSTRAINT/CONSTRAINT

Job "SYSTEM"."SYS_IMPORT_SCHEMA_01" completed with 6 error(s) at Wed Jan 27 17:56:27 2016 elapsed 0 00:00:06

The import shows that "SUSER"."STABLE1", "SUSER"."STABLE2", "PUSER"."PTABLE1" and "PUSER"."PTABLE2" could not be created. The cause is ORA-28365: wallet is not open.

After copying the wallet and sqlnet.ora from the source database to the target and restarting the target database, run the import again:

[oracle@single1102 ~]$ impdp system/oracle directory=EXPDP dumpfile=expdp2users.dmp logfile=impdp2user.log schemas=suser,puser

   

Import: Release 11.2.0.4.0 - Production on Wed Jan 27 18:00:59 2016

   

Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.

   

Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production

With the Partitioning, OLAP, Data Mining and Real Application Testing options

Master table "SYSTEM"."SYS_IMPORT_SCHEMA_01" successfully loaded/unloaded

Starting "SYSTEM"."SYS_IMPORT_SCHEMA_01": system/******** directory=EXPDP dumpfile=expdp2users.dmp logfile=impdp2user.log schemas=suser,puser

Processing object type SCHEMA_EXPORT/USER

ORA-31684: Object type USER:"SUSER" already exists

ORA-31684: Object type USER:"PUSER" already exists

Processing object type SCHEMA_EXPORT/SYSTEM_GRANT

Processing object type SCHEMA_EXPORT/ROLE_GRANT

Processing object type SCHEMA_EXPORT/DEFAULT_ROLE

Processing object type SCHEMA_EXPORT/PRE_SCHEMA/PROCACT_SCHEMA

Processing object type SCHEMA_EXPORT/TABLE/TABLE

Processing object type SCHEMA_EXPORT/TABLE/TABLE_DATA

. . imported "PUSER"."PT1" 5.437 KB 4 rows

. . imported "PUSER"."PTABLE1" 5.445 KB 4 rows

. . imported "PUSER"."PTABLE2" 5.445 KB 4 rows

. . imported "SUSER"."ST1" 5.437 KB 4 rows

. . imported "SUSER"."STABLE1" 5.445 KB 4 rows

. . imported "SUSER"."STABLE2" 5.445 KB 4 rows

Processing object type SCHEMA_EXPORT/TABLE/CONSTRAINT/CONSTRAINT

Job "SYSTEM"."SYS_IMPORT_SCHEMA_01" completed with 2 error(s) at Wed Jan 27 18:01:11 2016 elapsed 0 00:00:10

As the log shows, once the target database has the corresponding key, the encrypted tables and their data import successfully (the 2 remaining errors are the ORA-31684 "user already exists" messages).
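The warnings in the expdp, exp and impdp logs above (ORA-39173, EXP-00111, EXP-00107, ORA-28365) are the signals that a migration either silently skipped encrypted tables or, worse, wrote their contents to the dump file in clear text. Below is an added example, not code from the original post, of a POSIX shell audit that a backup or migration job can run over such a log file; the sample log it writes is constructed from the messages shown above. Data Pump's ENCRYPTION_PASSWORD parameter is the documented way to keep encrypted data encrypted in the dump set; the post's expdp command omits it, which is exactly what ORA-39173 reports.

```shell
#!/bin/sh
# Added example, not from the original post: audit exp/expdp/imp/impdp log files
# for the TDE-related conditions that appear in the logs above. The sample log
# text is constructed here; the file paths are whatever the caller passes in.

# Codes seen in the post's logs and what each means for the data:
#   ORA-39173  expdp wrote encrypted data to the dump file set UNENCRYPTED
#              (no ENCRYPTION_PASSWORD was given, so the dump is plaintext)
#   EXP-00111  exp skipped a table because it lives in an encrypted tablespace
#   EXP-00107  exp skipped a table because it has an encrypted column
#   ORA-28365  impdp could not create an encrypted object: wallet not open on target
TDE_LOG_CODES='ORA-39173|EXP-00111|EXP-00107|ORA-28365'

# Print "CODE count" for every TDE-related code found in the given log file.
tde_log_summary() {
    grep -oE "$TDE_LOG_CODES" "$1" | sort | uniq -c | awk '{ print $2, $1 }'
}

# Return 0 if the log is free of TDE-related problems, 1 otherwise.
# A non-zero return is what a backup job should treat as a failure:
# ORA-39173 in particular means a plaintext copy of the data now exists.
tde_log_check() {
    if grep -qE "$TDE_LOG_CODES" "$1"; then
        return 1
    fi
    return 0
}

# Write a constructed sample log (modelled on the expdp and impdp output in the
# post) to the given path, for trying the functions without a database.
tde_write_sample_log() {
    cat > "$1" <<'EOF'
. . exported "SUSER"."STABLE1" 5.445 KB 4 rows
ORA-39173: Encrypted data has been stored unencrypted in dump file set.
ORA-39083: Object type TABLE:"SUSER"."STABLE2" failed to create with error:
ORA-28365: wallet is not open
ORA-39083: Object type TABLE:"PUSER"."PTABLE2" failed to create with error:
ORA-28365: wallet is not open
Job "SYSTEM"."SYS_EXPORT_SCHEMA_01" completed with 1 error(s)
EOF
}

# Usage: sh tde_log_audit.sh /backup/expdp/expdp2user.log
if [ -n "${1-}" ] && [ -f "$1" ]; then
    tde_log_summary "$1"
    tde_log_check "$1" && echo "no TDE-related warnings in $1"
fi
```

Run it as `sh tde_log_audit.sh /backup/expdp/expdp2user.log`; a non-zero exit from tde_log_check is the condition to alert on. A dump file that produced ORA-39173 is a plaintext copy of data the database took care to encrypt, so it needs the protection the datafiles would have needed without TDE, and it should be deleted once the import has been verified.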

Also, after restarting the target database:

SQL> select * from v$encryption_wallet;

WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/u01/app/oracle/product/11.2.4/db_1/network/admin/encryption_wallet
OPEN

The wallet is open automatically, which shows that this property is kept in the configuration files under /u01/app/oracle/product/11.2.4/db_1/network/admin/encryption_wallet rather than in the database.

   

   

3.2 imp

export LANG=AMERICAN_AMERICA.ZHS16GBK

create user suser identified by oracle default tablespace S;
grant connect,resource to suser;
create user puser identified by oracle default tablespace P;
grant connect,resource to puser;

imp system/oracle file=/backup/expdp/exp2user.dmp log=/backup/expdp/imp2user.log fromuser=suser,puser

   

[oracle@single1102 admin]$ imp system/oracle file=/backup/expdp/exp2user.dmp log=/backup/expdp/imp2user.log fromuser=suser,puser

Import: Release 11.2.0.4.0 - Production on Wed Jan 27 18:05:57 2016

Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.

Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production

With the Partitioning, OLAP, Data Mining and Real Application Testing options

   

Export file created by EXPORT:V11.02.00 via conventional path

import done in ZHS16GBK character set and AL16UTF16 NCHAR character set

. importing SYSTEM's objects into SYSTEM

. importing SUSER's objects into SUSER

. importing PUSER's objects into PUSER

. . importing table "PT1" 4 rows imported

Import terminated successfully without warnings.

Only the unencrypted table can be imported.

3.3 Table migration (exp/imp, expdp/impdp)

expdp:

export LANG=AMERICAN_AMERICA.ZHS16GBK

expdp system/oracle directory=EXPDP dumpfile=expdp2users.dmp logfile=expdp2user.log tables=suser,puser

   

   

On 192.168.80.200 (the target database), impdp:

export LANG=AMERICAN_AMERICA.ZHS16GBK

impdp system/oracle directory=EXPDP dumpfile=expdp2users.dmp logfile=impdp2user.log tables=suser.stable1,puser.ptable1

From the export/import section above we know that the target database must have the corresponding wallet before encrypted data can be imported; that has already been done here.

[oracle@single1102 admin]$ impdp system/oracle directory=EXPDP dumpfile=expdp2users.dmp logfile=impdp2user.log tables=suser.stable1,puser.ptable1

Import: Release 11.2.0.4.0 - Production on Wed Jan 27 18:15:38 2016

Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.

Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production

With the Partitioning, OLAP, Data Mining and Real Application Testing options

Master table "SYSTEM"."SYS_IMPORT_TABLE_01" successfully loaded/unloaded

Starting "SYSTEM"."SYS_IMPORT_TABLE_01": system/******** directory=EXPDP dumpfile=expdp2users.dmp logfile=impdp2user.log tables=suser.stable1,puser.ptable1

Processing object type SCHEMA_EXPORT/TABLE/TABLE

Processing object type SCHEMA_EXPORT/TABLE/TABLE_DATA

. . imported "PUSER"."PTABLE1" 5.445 KB 4 rows

. . imported "SUSER"."STABLE1" 5.445 KB 4 rows

Job "SYSTEM"."SYS_IMPORT_TABLE_01" successfully completed at Wed Jan 27 18:15:46 2016 elapsed 0 00:00:05

   

   

   

   

3.4 Remote expdp and impdp

Import directly from the source database into the local database:

SQL> CREATE PUBLIC DATABASE LINK "linksource"

CONNECT TO system

IDENTIFIED BY "oracle"

USING 'source';

Database link created.

SQL> select * from puser.pt1@linksource;

ID NAME

---------- ----------------------------------------

1 aaa

2 bbb

3 ccc

4 ddd

export LANG=AMERICAN_AMERICA.ZHS16GBK

impdp system/oracle directory=EXPDP network_link='linksource' logfile=impdp2user.log tables=suser.stable1,puser.ptable1


[oracle@single1102 admin]$ impdp system/oracle directory=EXPDP network_link='linksource' logfile=impdp2user.log tables=suser.stable1,puser.ptable1

Import: Release 11.2.0.4.0 - Production on Wed Jan 27 18:23:17 2016

Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.

Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production

With the Partitioning, OLAP, Data Mining and Real Application Testing options

Starting "SYSTEM"."SYS_IMPORT_TABLE_01": system/******** directory=EXPDP network_link=linksource logfile=impdp2user.log tables=suser.stable1,puser.ptable1

Estimate in progress using BLOCKS method...

Processing object type TABLE_EXPORT/TABLE/TABLE_DATA

Total estimation using BLOCKS method: 128 KB

Processing object type TABLE_EXPORT/TABLE/TABLE

. . imported "PUSER"."PTABLE1" 4 rows

. . imported "SUSER"."STABLE1" 4 rows

Job "SYSTEM"."SYS_IMPORT_TABLE_01" successfully completed at Wed Jan 27 18:23:35 2016 elapsed 0 00:00:15

   

   

Export tables of the source database directly from the local database:

export LANG=AMERICAN_AMERICA.ZHS16GBK

expdp system/oracle directory=EXPDP network_link='linksource' dumpfile=expdp2usersfromsource.dmp logfile=exppdp2userfromsource.log schemas=suser,puser

3.5 Moving tables to a different tablespace

alter table &tablename move tablespace &tablespacename;

conn puser/oracle

alter table ptable1 move tablespace S;

alter table pt1 move tablespace S;

conn suser/oracle

alter table stable1 move tablespace P;

alter table st1 move tablespace P;

   

SQL> conn puser/oracle

Connected.

SQL> alter table ptable1 move tablespace S;

Table altered.

SQL> alter table pt1 move tablespace S;

Table altered.

   

   

SQL> conn suser/oracle

Connected.

SQL> alter table stable1 move tablespace P;

Table altered.

SQL> alter table st1 move tablespace P;

Table altered.        

   

3.6 Creating, rebuilding and moving indexes (encrypted columns)

conn suser/oracle

SQL> desc stable1

 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 ID                                        NOT NULL NUMBER ENCRYPT
 NAME                                               VARCHAR2(40) ENCRYPT

Create a primary key on id:

SQL> alter table stable1 add constraint pk_id primary key(id);

alter table stable1 add constraint pk_id primary key(id)

*

ERROR at line 1:

ORA-28338: Column(s) cannot be both indexed and encrypted with salt        

ORA-28338:

cannot encrypt indexed column(s) with salt

Cause:        An attempt was made to encrypt index column with salt.

Action:        Alter the table and specify column encrypting without salt.

   

Fix:

alter table stable1 modify (id ENCRYPT no salt);

SQL> alter table stable1 modify (id ENCRYPT no salt);

Table altered.

SQL> alter table stable1 add constraint pk_id primary key(id);

Table altered.

1) An encrypted column must be defined with NO SALT before an index can be created on it.

   

   

   

3.7 Creating a non-B-tree index on the id column

Drop the primary key constraint:

alter table stable1 drop constraint pk_id;

create BITMAP index id_idx on stable1(id) *

ERROR at line 1:

ORA-28337: the specified index may not be defined on an encrypted column

2) Only B-tree indexes can be created on encrypted columns.

   

   

   

   

Check how the execution plan changes:

SQL> alter table stable1 add constraint pk_id primary key(id);

Table altered.

   

SQL> select * from stable1;

Execution Plan

----------------------------------------------------------

Plan hash value: 3852586757

-----------------------------------------------------------------------------

| Id | Operation | Name | Rows | Bytes | Cost (%CPU)| Time |

-----------------------------------------------------------------------------

| 0 | SELECT STATEMENT | | 4 | 412 | 3 (0)| 00:00:01 |

| 1 | TABLE ACCESS FULL| STABLE1 | 4 | 412 | 3 (0)| 00:00:01 |

-----------------------------------------------------------------------------

Note

-----

- dynamic sampling used for this statement (level=2)    <- dynamic sampling

Statistics

----------------------------------------------------------

47 recursive calls

0 db block gets

79 consistent gets

0 physical reads

0 redo size

672 bytes sent via SQL*Net to client

520 bytes received via SQL*Net from client

2 SQL*Net roundtrips to/from client

7 sorts (memory)

0 sorts (disk)

4 rows processed

   

SQL> select * from stable1 where id=2;

Execution Plan

----------------------------------------------------------

Plan hash value: 2030797596

----------------------------------------------------------------------------------------
| Id  | Operation                   | Name    | Rows  | Bytes | Cost (%CPU)| Time     |
----------------------------------------------------------------------------------------
|   0 | SELECT STATEMENT            |         |     1 |   103 |     1   (0)| 00:00:01 |
|   1 |  TABLE ACCESS BY INDEX ROWID| STABLE1 |     1 |   103 |     1   (0)| 00:00:01 |
|*  2 |   INDEX UNIQUE SCAN         | PK_ID   |     1 |       |     0   (0)| 00:00:01 |
----------------------------------------------------------------------------------------

Predicate Information (identified by operation id):
---------------------------------------------------

2 - access("ID"=2)    <- the index is used

Statistics

----------------------------------------------------------

11 recursive calls

0 db block gets

21 consistent gets

0 physical reads

0 redo size

590 bytes sent via SQL*Net to client

520 bytes received via SQL*Net from client

2 SQL*Net roundtrips to/from client

2 sorts (memory)

0 sorts (disk)

1 rows processed

   

SQL> select * from stable1 where id>2;

Execution Plan

----------------------------------------------------------

Plan hash value: 3852586757

   

-----------------------------------------------------------------------------

| Id | Operation | Name | Rows | Bytes | Cost (%CPU)| Time |

-----------------------------------------------------------------------------

| 0 | SELECT STATEMENT | | 2 | 206 | 3 (0)| 00:00:01 |

|* 1 | TABLE ACCESS FULL| STABLE1 | 2 | 206 | 3 (0)| 00:00:01 |

-----------------------------------------------------------------------------

   

Predicate Information (identified by operation id):

---------------------------------------------------

1 - filter(INTERNAL_FUNCTION("ID")>2)    <- INTERNAL_FUNCTION is the internal encryption routine; the range predicate is evaluated with a full table scan

Note

-----

- dynamic sampling used for this statement (level=2)    <- dynamic sampling

Statistics

----------------------------------------------------------

5 recursive calls

0 db block gets

9 consistent gets

0 physical reads

0 redo size

648 bytes sent via SQL*Net to client

520 bytes received via SQL*Net from client

2 SQL*Net roundtrips to/from client

0 sorts (memory)

0 sorts (disk)

2 rows processed

3.8 Adding and changing the encryption algorithm

Encrypted columns

To encrypt a column with TDE, all you need to do is add the keyword ENCRYPT to the column definition. Before doing so you naturally need to decide which encryption algorithm and key length to use.

Suppose all data in the table is currently in clear text and you want to convert the SSN column, which holds sensitive social security numbers, to encrypted form. You can do so as follows:

alter table accounts modify (ssn encrypt);

This statement does two things:

1. It creates a table key for the table; if you later modify another column of the same table to be encrypted, the same table key is used.

2. It converts all values in the column to encrypted form.

The statement does not change the data type or length of the column, and it creates no triggers or views.

By default the AES algorithm with a 192-bit key is used. You can choose a different algorithm simply by specifying it in the SQL command. For example, to use AES with a 128-bit key:

alter table accounts modify (ssn encrypt using 'AES128');

You can use AES128, AES192, AES256 or 3DES168. The values are self-explanatory: AES256, for instance, means the AES algorithm with a 256-bit key.

   

   

After encrypting the column, describing the table shows the following:

SQL> desc accounts

 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 ACC_NO                                             NUMBER
 ACC_NAME                                           VARCHAR2(30)
 SSN                                                VARCHAR2(9) ENCRYPT

Note that the ENCRYPT keyword appears after the data type. To find the encrypted columns in the database, query the data dictionary view DBA_ENCRYPTED_COLUMNS (TDE cannot be enabled on tables owned by SYS).

   

conn suser/oracle

alter table stable1 modify (id encrypt using 'AES128' no salt);

SQL> alter table stable1 modify (id number decrypt); -- remove the encryption

Table altered.

SQL> desc stable1

 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 ID                                        NOT NULL NUMBER
 NAME                                               VARCHAR2(40) ENCRYPT

alter table stable1 modify (id number encrypt no salt);

SQL> desc stable1

 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 ID                                        NOT NULL NUMBER ENCRYPT
 NAME                                               VARCHAR2(40) ENCRYPT

alter table stable1 modify (id encrypt using 'AES256' no salt);

ERROR at line 1:

ORA-28340: a different encryption algorithm has been chosen for the table

Only one encryption algorithm can be used per table; it cannot be changed afterwards.

   

SQL> alter table stable1 modify (name decrypt);

Table altered.

SQL> alter table stable1 modify (name encrypt using 'aes256');

alter table stable1 modify (name encrypt using 'aes256')

ERROR at line 1:

ORA-28340: a different encryption algorithm has been chosen for the table

   

   

alter table stable1 modify (name encrypt);

SQL> alter table stable1 modify (name encrypt);

Table altered.

SQL> desc stable1

Name Null? Type

----------------------------------------- -------- ----------------------------

ID NOT NULL NUMBER ENCRYPT

NAME VARCHAR2(40) ENCRYPT

   

The encryption algorithm is fixed when the table is created:

create table test(id number encrypt, name varchar2(20) encrypt using 'aes256');

SQL> create table test(id number encrypt, name varchar2(20) encrypt using 'aes256');

   

Table created.

   

SQL> desc test;

Name Null? Type

----------------------------------------- -------- ----------------------------

ID NUMBER ENCRYPT

NAME VARCHAR2(20) ENCRYPT

SQL> alter table test modify (name decrypt);

Table altered.

   

SQL> alter table test modify (name encrypt using 'aes128');

alter table test modify (name encrypt using 'aes128')

ERROR at line 1:

ORA-28340: a different encryption algorithm has been chosen for the table

   

   

SQL> alter table test modify (name encrypt using 'aes256');

Table altered.

   

Summary:

Once the encryption algorithm for a table has been chosen, it cannot be changed.

4. Data Guard configuration

To use encryption normally in a Data Guard environment, Oracle 11g is required; the 10g release does not support it with Data Guard.

The method is to copy the encryption wallet directory and the sqlnet.ora contents to the same location as on the primary. That is all.

5. Error log

SQL> create table stable1 (id number ENCRYPT NOT NULL ,

2 name VARCHAR2(40) ENCRYPT,

3 PRIMARY KEY (id)

4 );

create table stable1 (id number ENCRYPT NOT NULL ,

*

ERROR at line 1:

ORA-28338: Column(s) cannot be both indexed and encrypted with salt

   

SQL> alter table test modify (name encrypt using 'aes128');

alter table test modify (name encrypt using 'aes128')

*

ERROR at line 1:

ORA-28340: a different encryption algorithm has been chosen for the table

6. Summary and other notes

1. Encryption methods:

Tablespace encryption happens when data is written to storage, i.e. the data stored in the datafiles is already encrypted.

Column encryption happens at the SQL layer: SQL calls an algorithm to encrypt the data.

2. Restrictions on encryption, for example:

Index types (encrypted columns and encrypted tablespaces only allow B-tree indexes)

Both require NO SALT to create an index

External large objects (BFILEs) cannot be encrypted in either case

exp/imp do not work; expdp/impdp must be used