Environment:
OS: CentOS 7
DB: 12.2.0.1 with CDB enabled
1. Set up a keystore location:
# mkdir -pv /etc/ORACLE/hxl/encryption_keystore
# cd /etc
# chown -R oracle:oinstall ORACLE
# chmod -R 700 ORACLE
Edit the "$ORACLE_HOME/network/admin/sqlnet.ora" file and add the following entry:
ENCRYPTION_WALLET_LOCATION =
(SOURCE =(METHOD = FILE)
(METHOD_DATA =(DIRECTORY = /etc/ORACLE/hxl/encryption_keystore/))
)
2. Create a keystore:
sqlplus /nolog
SQL> connect / as sysdba
SQL> administer key management create keystore '/etc/ORACLE/hxl/encryption_keystore/' identified by "oracle";
Check the generated files:
SQL> host ls -l /etc/ORACLE/hxl/encryption_keystore
3. Open the keystore
The keystore must be opened in the root container. Without CONTAINER=ALL the command affects only the current container. Once opened, the keystore status changes. (_db_discard_lost_masterkey is a hidden underscore parameter; such parameters are normally set only under Oracle Support guidance.)
SQL> alter system set "_db_discard_lost_masterkey"=true;
SQL> administer key management set keystore open identified by "oracle" container=all;
To close it, use:
administer key management set keystore close identified by "oracle" container=all;
4. Create the TDE master encryption key:
After the keystore is opened, a master key must still be created in the root container and in every PDB; with CONTAINER=ALL this is done in a single command.
Without it, the key has to be created in each PDB separately. Once created, the keys can be queried in the V$ENCRYPTION_KEYS view and the keystore status changes. Keep the keys safe: back them up after every change and store the backup off-site.
SQL> administer key management set key identified by "oracle" with backup container=all;
5. Create an encrypted tablespace
SQL> alter session set container=ORA12CPDB4;
SQL> create tablespace cdb_secure
2 datafile '/u01/app/oracle/oradata/ora12c/ora12cpdb4/cdb_secure01.dbf'
3 size 150m
4 encryption using '3des168'
5 default storage(encrypt);
Tablespace created.
At this point the DBA_DATA_FILES view can still be queried.
6. Test closing the keystore
Close it in the CDB root:
SQL> administer key management set keystore close identified by "oracle" container=all;
SQL> alter session set container=ORA12CPDB4;
SQL> select * from Dba_Data_Files;
select * from Dba_Data_Files
*
ERROR at line 1:
ORA-28365: wallet is not open
Access now fails, so the keystore has to be opened again.
7. Create an encrypted table to test
CONN hxl/oracle@pdb4
CREATE TABLE tde_ts_test (
id NUMBER(10),
data VARCHAR2(50)
) TABLESPACE CDB_SECURE;
INSERT INTO tde_ts_test VALUES (1, 'This is also a secret!');
COMMIT;
Try opening and closing the wallet and query the test table in each state.
In the CDB root:
administer key management set keystore close identified by "oracle" container=all;
administer key management set keystore open identified by "oracle" container=all;
8. Open the wallet automatically after a database restart
connect / as sysdba
administer key management create local auto_login keystore from keystore '/etc/ORACLE/hxl/encryption_keystore/' identified by oracle;
The wallet directory now contains a cwallet.sso file:
[oracle@localhost ~]$ ls -al /etc/ORACLE/hxl/encryption_keystore/
total 328
drwx------ 2 oracle oinstall 4096 Mar 20 09:27 .
drwx------ 3 oracle oinstall 33 Mar 6 14:35 ..
-rw------- 1 oracle oinstall 41435 Mar 20 09:27 cwallet.sso
-rw------- 1 oracle oinstall 41392 Mar 19 16:43 ewallet.p12
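As an added check (not from the original post), the script below verifies the keystore layout that steps 1, 2 and 8 produce: the DIRECTORY in ENCRYPTION_WALLET_LOCATION matches the directory being checked, the directory is owned by the database owner with mode 700, and ewallet.p12 and cwallet.sso are mode 600. It assumes GNU stat and a readable sqlnet.ora; the function names are made up for this example.

```shell
#!/bin/bash
# Added check for the keystore layout from steps 1, 2 and 8 (not part of the original post).
# Assumptions: GNU coreutils stat, and a sqlnet.ora holding ENCRYPTION_WALLET_LOCATION.

# Print the DIRECTORY value from ENCRYPTION_WALLET_LOCATION in the given sqlnet.ora.
wallet_dir_from_sqlnet() {
  sed -n 's/.*DIRECTORY[[:space:]]*=[[:space:]]*\([^)[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# check_keystore DIR SQLNET_ORA [OWNER:GROUP]
# Reports each deviation from the expected layout and returns 0 only when none is found.
check_keystore() {
  local dir="$1" sqlnet="$2" owner="${3:-oracle:oinstall}" rc=0
  local want_dir mode f fmode
  want_dir=$(wallet_dir_from_sqlnet "$sqlnet")
  # Linux paths are case-sensitive: /etc/oracle and /etc/ORACLE are different directories,
  # and the database only finds the keystore under the path sqlnet.ora names.
  if [ -z "$want_dir" ] || [ "${want_dir%/}" != "${dir%/}" ]; then
    echo "MISMATCH: sqlnet.ora names '${want_dir:-<none>}', checking '$dir'"; rc=1
  fi
  if [ ! -d "$dir" ]; then
    echo "MISSING: keystore directory $dir"; return 1
  fi
  # Step 1: directory owned by the database owner and readable by nobody else (700).
  mode=$(stat -c '%a' "$dir")
  [ "$mode" = "700" ] || { echo "BAD MODE: $dir is $mode, expected 700"; rc=1; }
  [ "$(stat -c '%U:%G' "$dir")" = "$owner" ] || { echo "BAD OWNER: $dir is not $owner"; rc=1; }
  # Step 2 creates ewallet.p12 (password keystore); step 8 adds cwallet.sso (auto-login).
  # cwallet.sso opens the keystore without a password, so its mode matters just as much.
  for f in ewallet.p12 cwallet.sso; do
    if [ -e "$dir/$f" ]; then
      fmode=$(stat -c '%a' "$dir/$f")
      [ "$fmode" = "600" ] || { echo "BAD MODE: $dir/$f is $fmode, expected 600"; rc=1; }
    elif [ "$f" = "ewallet.p12" ]; then
      echo "MISSING: $dir/ewallet.p12 (created by step 2)"; rc=1
    fi
  done
  return $rc
}

# Usage: check_keystore /etc/ORACLE/hxl/encryption_keystore "$ORACLE_HOME/network/admin/sqlnet.ora"
```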
Related views:
SQL> set linesize 200
SQL> COLUMN wrl_parameter FORMAT A50
SQL> SELECT * FROM v$encryption_wallet;
SQL> SET LINESIZE 100
SQL> SELECT con_id, key_id FROM v$encryption_keys;
-- The End --