配置Oracle传输数据加密

联系:手机/微信(+86 17813235971) QQ(107644445)

标题:配置Oracle传输数据加密

作者:惜分飞©版权所有[未经本人同意,不得以任何形式转载,否则有进一步追究法律责任的权利.]

随着安全意识和需求的越来越高,有一些客户要求数据库传输数据过程中对其进行加密,防止有人在网络层面通过抓包,获取数据内容,从而保证了在网络层面的数据传输安全.实现这种加密,主要是通过Database Advanced Security组件实现,主要是通过slnet.ora的配置实现数据在服务端和客户端之间传输加密.
数据库安装的安全组件和支持加密算法

[oracle@ora11g ~]$ adapters
Installed Oracle Net transport protocols are:
    IPC
    BEQ
    TCP/IP
    SSL
    RAW
    SDP/IB
Installed Oracle Net naming methods are:
    Local Naming (tnsnames.ora)
    Oracle Directory Naming
    Oracle Host Naming
    Oracle Names Server Naming
Installed Oracle Advanced Security options are:
    RC4 40-bit encryption
    RC4 56-bit encryption
    RC4 128-bit encryption
    RC4 256-bit encryption
    DES40 40-bit encryption
    DES 56-bit encryption
    3DES 112-bit encryption
    3DES 168-bit encryption
    AES 128-bit encryption
    AES 192-bit encryption
    AES 256-bit encryption
    MD5 crypto-checksumming
    SHA-1 crypto-checksumming
    Kerberos v5 authentication
    RADIUS authentication

启用客户端trace
trace只是为了验证传输加密,在实际生产中该功能需要关闭,不然会比较严重影响性能和导致trace文件过多磁盘空间占用较大问题

Trace_level_client=16
Trace_directory_client=D:\app\Administrator\product\11.2.0\dbhome_1\NETWORK\ADMIN\log
Trace_unique_client=on
Trace_timestamp_client=on
Diag_adr_enabled=off
tnsping.trace_directory=D:\app\Administrator\product\11.2.0\dbhome_1\NETWORK\ADMIN\log
tnsping.trace_level=admin

捕获非加密情况数据
通过对客户端trace文件的分析,基本上可以发现客户端和服务端数据传输是明码方式进行,也就是说如果有人在这个网络上捕获包,进行分析,可以知道你的应用端和数据库端的所有操作,数据存在安全隐患

----数据库登录
[24-6月 -2018 12:37:55:555] nam_gnsp: Reading parameter "SQLNET.ENCRYPTION_CLIENT" from parameter file
[24-6月 -2018 12:37:55:555] nam_gnsp: Parameter not found
[24-6月 -2018 12:37:55:555] naequad: Using default value "ACCEPTED"
[24-6月 -2018 12:37:55:555] nam_gic: entry
[24-6月 -2018 12:37:55:555] nam_gic: Counting # of items in "SQLNET.ENCRYPTION_TYPES_CLIENT" parameter
[24-6月 -2018 12:37:55:555] nam_gic: Parameter not found
[24-6月 -2018 12:37:55:555] nam_gic: exit
[24-6月 -2018 12:37:55:555] naesno: Using default value "all available algorithms"
[24-6月 -2018 12:37:55:555] naeshow: entry
[24-6月 -2018 12:37:55:555] naeshow: These are the encryption algorithms that the client will accept:
[24-6月 -2018 12:37:55:555] naeshow: Choice 0: no algorithm; encryption inactive
[24-6月 -2018 12:37:55:555] naeshow: Choice 1: 'AES256' (ID 17)
[24-6月 -2018 12:37:55:555] naeshow: Choice 2: 'RC4_256' (ID 6)
[24-6月 -2018 12:37:55:555] naeshow: Choice 3: 'AES192' (ID 16)
[24-6月 -2018 12:37:55:555] naeshow: Choice 4: '3DES168' (ID 12)
[24-6月 -2018 12:37:55:555] naeshow: Choice 5: 'AES128' (ID 15)
[24-6月 -2018 12:37:55:555] naeshow: Choice 6: 'RC4_128' (ID 10)
[24-6月 -2018 12:37:55:555] naeshow: Choice 7: '3DES112' (ID 11)
[24-6月 -2018 12:37:55:555] naeshow: Choice 8: 'RC4_56' (ID 8)
[24-6月 -2018 12:37:55:555] naeshow: Choice 9: 'DES' (ID 2)
[24-6月 -2018 12:37:55:555] naeshow: Choice 10: 'RC4_40' (ID 1)
[24-6月 -2018 12:37:55:555] naeshow: Choice 11: 'DES40' (ID 3)
[24-6月 -2018 12:37:55:555] naeshow: exit
----数据库执行select * from dual查询
[24-6月 -2018 12:39:38:744] nioqrc: entry
[24-6月 -2018 12:39:38:744] nsbasic_bsd: entry
[24-6月 -2018 12:39:38:744] nsbasic_bsd: tot=0, plen=256.
[24-6月 -2018 12:39:38:744] nttfpwr: entry
[24-6月 -2018 12:39:38:744] nttfpwr: socket 888 had bytes written=256
[24-6月 -2018 12:39:38:744] nttfpwr: exit
[24-6月 -2018 12:39:38:744] nsbasic_bsd: packet dump
[24-6月 -2018 12:39:38:744] nsbasic_bsd: 01 00 00 00 06 00 00 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_bsd: 00 00 03 5E 15 61 80 00  |...^.a..|
[24-6月 -2018 12:39:38:744] nsbasic_bsd: 00 00 00 00 00 FE FF FF  |........|
[24-6月 -2018 12:39:38:744] nsbasic_bsd: FF FF FF FF FF 12 00 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_bsd: 00 FE FF FF FF FF FF FF  |........|
[24-6月 -2018 12:39:38:744] nsbasic_bsd: FF 0D 00 00 00 FE FF FF  |........|
[24-6月 -2018 12:39:38:744] nsbasic_bsd: FF FF FF FF FF FE FF FF  |........|
[24-6月 -2018 12:39:38:744] nsbasic_bsd: FF FF FF FF FF 00 00 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_bsd: 00 01 00 00 00 00 00 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_bsd: 00 00 00 00 00 00 00 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_bsd: 00 00 00 00 00 00 00 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_bsd: 00 00 00 00 00 FE FF FF  |........|
[24-6月 -2018 12:39:38:744] nsbasic_bsd: FF FF FF FF FF 00 00 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_bsd: 00 00 00 00 00 FE FF FF  |........|
[24-6月 -2018 12:39:38:744] nsbasic_bsd: FF FF FF FF FF FE FF FF  |........|
[24-6月 -2018 12:39:38:744] nsbasic_bsd: FF FF FF FF FF FE FF FF  |........|
[24-6月 -2018 12:39:38:744] nsbasic_bsd: FF FF FF FF FF 00 00 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_bsd: 00 00 00 00 00 FE FF FF  |........|
[24-6月 -2018 12:39:38:744] nsbasic_bsd: FF FF FF FF FF FE FF FF  |........|
[24-6月 -2018 12:39:38:744] nsbasic_bsd: FF FF FF FF FF 00 00 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_bsd: 00 00 00 00 00 00 00 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_bsd: 00 00 00 00 00 00 00 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_bsd: 00 00 00 00 00 00 00 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_bsd: 00 12 73 65 6C 65 63 74  |..select|
[24-6月 -2018 12:39:38:744] nsbasic_bsd: 20 2A 20 66 72 6F 6D 20  |.*.from.|
[24-6月 -2018 12:39:38:744] nsbasic_bsd: 64 75 61 6C 01 00 00 00  |dual....|
[24-6月 -2018 12:39:38:744] nsbasic_bsd: 00 00 00 00 00 00 00 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_bsd: 00 00 00 00 00 00 00 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_bsd: 00 00 00 00 00 00 00 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_bsd: 01 00 00 00 00 00 00 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_bsd: 00 00 00 00 00 00 00 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_bsd: 00 00 00 00 00 00 00 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_bsd: exit (0)
[24-6月 -2018 12:39:38:744] nsbasic_brc: entry: oln/tot=0,prd=0
----返回查询结果
[24-6月 -2018 12:39:38:744] nsbasic_brc: packet dump
[24-6月 -2018 12:39:38:744] nsbasic_brc: 01 04 00 00 06 00 00 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_brc: 00 00 10 17 00 00 00 02  |........|
[24-6月 -2018 12:39:38:744] nsbasic_brc: FC 54 0D 44 40 AD B2 74  |.T.D@..t|
[24-6月 -2018 12:39:38:744] nsbasic_brc: 09 CB A2 01 A7 2D 38 78  |.....-8x|
[24-6月 -2018 12:39:38:744] nsbasic_brc: 76 04 15 03 3B 28 01 00  |v...;(..|
[24-6月 -2018 12:39:38:744] nsbasic_brc: 00 00 01 00 00 00 51 01  |......Q.|
[24-6月 -2018 12:39:38:744] nsbasic_brc: 80 00 00 01 00 00 00 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_brc: 00 00 00 00 00 00 00 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_brc: 00 00 00 00 00 54 03 01  |.....T..|
[24-6月 -2018 12:39:38:744] nsbasic_brc: 01 00 00 00 01 05 05 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_brc: 00 00 05 44 55 4D 4D 59  |...DUMMY|
[24-6月 -2018 12:39:38:744] nsbasic_brc: 00 00 00 00 00 00 00 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_brc: 00 00 00 00 00 00 07 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_brc: 00 00 07 78 76 04 15 05  |...xv...|
[24-6月 -2018 12:39:38:744] nsbasic_brc: 0F 0C 01 00 00 00 E8 1F  |........|
[24-6月 -2018 12:39:38:744] nsbasic_brc: 00 00 02 00 00 00 02 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_brc: 00 00 00 00 00 00 06 22  |......."|
[24-6月 -2018 12:39:38:744] nsbasic_brc: 01 00 00 00 00 00 01 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_brc: 00 00 00 00 00 00 00 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_brc: 00 00 00 00 07 01 58 08  |......X.|
[24-6月 -2018 12:39:38:744] nsbasic_brc: 06 00 7E 2D 18 00 00 00  |..~-....|
[24-6月 -2018 12:39:38:744] nsbasic_brc: 00 00 02 00 00 00 00 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_brc: 00 00 00 00 00 00 00 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_brc: 00 00 00 00 00 00 00 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_brc: 00 00 04 01 00 00 00 13  |........|
[24-6月 -2018 12:39:38:744] nsbasic_brc: 00 01 00 00 00 00 00 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_brc: 00 00 00 02 00 00 00 03  |........|
[24-6月 -2018 12:39:38:744] nsbasic_brc: 00 00 00 00 00 00 00 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_brc: 00 00 00 00 00 00 00 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_brc: 00 00 00 00 00 00 00 15  |........|
[24-6月 -2018 12:39:38:744] nsbasic_brc: 00 00 01 00 00 00 00 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_brc: 00 00 00 00 00 00 00 00  |........|
[24-6月 -2018 12:39:38:744] nsbasic_brc: 00 00 00 00              |....    |
[24-6月 -2018 12:39:38:744] nsbasic_brc: exit: oln=0, dln=250, tot=260, rc=0

启用数据传输加密
这几个参数,每个参数都有几种选项,具体在下文补充说明

--服务端配置sqlnet.ora中配置,并重启监听
SQLNET.ENCRYPTION_SERVER = requested
SQLNET.ENCRYPTION_TYPES_SERVER= (RC4_128)
--客户端sqlnet.ora中配置
SQLNET.ENCRYPTION_CLIENT = requested
SQLNET.ENCRYPTION_TYPES_CLIENT= (RC4_128)

捕获加密情况数据

----登录操作
[24-6月 -2018 12:45:16:786] nam_gnsp: Reading parameter "SQLNET.ENCRYPTION_CLIENT" from parameter file
[24-6月 -2018 12:45:16:786] nam_gnsp: Found value "requested"
[24-6月 -2018 12:45:16:786] nam_gic: entry
[24-6月 -2018 12:45:16:786] nam_gic: Counting # of items in "SQLNET.ENCRYPTION_TYPES_CLIENT" parameter
[24-6月 -2018 12:45:16:786] nam_gic: Found 1 items
[24-6月 -2018 12:45:16:786] nam_gic: exit
[24-6月 -2018 12:45:16:786] nam_gnsp: Reading parameter "SQLNET.ENCRYPTION_TYPES_CLIENT" from parameter file
[24-6月 -2018 12:45:16:786] nam_gnsp: Found value "RC4_128"
[24-6月 -2018 12:45:16:786] naeshow: entry
[24-6月 -2018 12:45:16:786] naeshow: These are the encryption algorithms that the client will accept:
[24-6月 -2018 12:45:16:786] naeshow: Choice 0: 'RC4_128' (ID 10)
[24-6月 -2018 12:45:16:786] naeshow: Choice 1: no algorithm; encryption inactive
----发送查询select * from dual
[24-6月 -2018 12:49:51:528] nttwr: socket 848 had bytes written=277
[24-6月 -2018 12:49:51:528] nttwr: exit
[24-6月 -2018 12:49:51:528] nspsend: packet dump
[24-6月 -2018 12:49:51:528] nspsend: 01 15 00 00 06 00 00 00  |........|
[24-6月 -2018 12:49:51:528] nspsend: 00 00 DF CE 9E 46 DB 71  |.....F.q|
[24-6月 -2018 12:49:51:528] nspsend: CE 88 43 9E CA 43 F8 BE  |..C..C..|
[24-6月 -2018 12:49:51:528] nspsend: E8 ED 07 F1 2E 93 B6 2C  |.......,|
[24-6月 -2018 12:49:51:528] nspsend: E9 5A E5 D8 06 8B DB EE  |.Z......|
[24-6月 -2018 12:49:51:528] nspsend: 66 9E B5 BB 24 C0 5E 4C  |f...$.^L|
[24-6月 -2018 12:49:51:528] nspsend: 33 9C 81 10 18 0F BE 30  |3......0|
[24-6月 -2018 12:49:51:528] nspsend: 79 56 4C D8 4A F9 4D 78  |yVL.J.Mx|
[24-6月 -2018 12:49:51:528] nspsend: 6A 42 24 89 D4 0D 1F 92  |jB$.....|
[24-6月 -2018 12:49:51:528] nspsend: 44 24 DA 42 15 49 22 09  |D$.B.I".|
[24-6月 -2018 12:49:51:528] nspsend: FE AF 07 EA 01 36 83 D4  |.....6..|
[24-6月 -2018 12:49:51:528] nspsend: D6 B3 16 BD 1E B2 88 93  |........|
[24-6月 -2018 12:49:51:528] nspsend: 29 39 DB 44 86 E5 C6 F2  |)9.D....|
[24-6月 -2018 12:49:51:528] nspsend: DF 87 90 4B 6E 5A 66 D3  |...KnZf.|
[24-6月 -2018 12:49:51:528] nspsend: B1 1A 3A 34 01 A9 C2 F1  |..:4....|
[24-6月 -2018 12:49:51:528] nspsend: C7 08 06 50 2B BB C4 5E  |...P+..^|
[24-6月 -2018 12:49:51:528] nspsend: C0 80 D7 72 E4 D8 C0 B6  |...r....|
[24-6月 -2018 12:49:51:528] nspsend: C4 31 90 9A 3C 83 B0 16  |.1..<...|
[24-6月 -2018 12:49:51:528] nspsend: D1 AE 82 56 39 46 08 20  |...V9F..|
[24-6月 -2018 12:49:51:528] nspsend: DE D2 DC 6B BC 5F BF 7E  |...k._.~|
[24-6月 -2018 12:49:51:528] nspsend: 25 2A 31 D7 A3 60 CE 7A  |%*1..`.z|
[24-6月 -2018 12:49:51:528] nspsend: 42 58 0A 43 11 F5 D6 0A  |BX.C....|
[24-6月 -2018 12:49:51:528] nspsend: 31 C8 96 38 F3 C2 90 6A  |1..8...j|
[24-6月 -2018 12:49:51:528] nspsend: 64 50 46 B0 A2 EF 1E 9A  |dPF.....|
[24-6月 -2018 12:49:51:528] nspsend: 86 11 67 C9 9B CD 8C 2B  |..g....+|
[24-6月 -2018 12:49:51:528] nspsend: 2A 02 0D 9B C3 C5 D3 23  |*......#|
[24-6月 -2018 12:49:51:528] nspsend: 75 4C 4A 5B A3 85 80 C5  |uLJ[....|
[24-6月 -2018 12:49:51:528] nspsend: FA F0 6C C3 23 72 D5 28  |..l.#r.(|
[24-6月 -2018 12:49:51:528] nspsend: 0E 16 C7 C8 1B 3D CC B8  |.....=..|
[24-6月 -2018 12:49:51:528] nspsend: 06 FA D7 FB 03 EB E6 41  |.......A|
[24-6月 -2018 12:49:51:528] nspsend: 05 54 B0 5A 18 CC 7F E7  |.T.Z....|
[24-6月 -2018 12:49:51:528] nspsend: 2D 36 C4 4A E6 B2 7F F6  |-6.J....|
[24-6月 -2018 12:49:51:528] nspsend: 1E 10 5B 20 CF 60 FA D3  |..[..`..|
[24-6月 -2018 12:49:51:528] nspsend: 6E B1 F7 9E 35 92 27 BA  |n...5.'.|
[24-6月 -2018 12:49:51:528] nspsend: 9A 4A F1 00 01           |.J...   |
[24-6月 -2018 12:49:51:528] nspsend: 277 bytes to transport
[24-6月 -2018 12:49:51:528] nspsend: normal exit
----接收数据
[24-6月 -2018 12:49:51:528] nttrd: exit
[24-6月 -2018 12:49:51:528] nsprecv: 262 bytes from transport
[24-6月 -2018 12:49:51:528] nsprecv: tlen=262, plen=262, type=6
[24-6月 -2018 12:49:51:528] nsprecv: packet dump
[24-6月 -2018 12:49:51:528] nsprecv: 01 06 00 00 06 00 00 00  |........|
[24-6月 -2018 12:49:51:528] nsprecv: 00 00 63 2C 04 99 D8 25  |..c,...%|
[24-6月 -2018 12:49:51:528] nsprecv: 40 38 A0 30 AE 3D 24 05  |@8.0.=$.|
[24-6月 -2018 12:49:51:528] nsprecv: 97 E4 70 E9 1D 76 8B A0  |..p..v..|
[24-6月 -2018 12:49:51:528] nsprecv: 38 AD 7E D3 B1 A1 BD B7  |8.~.....|
[24-6月 -2018 12:49:51:528] nsprecv: 29 1F 0C 19 9A 0B FD D0  |).......|
[24-6月 -2018 12:49:51:528] nsprecv: F3 13 51 E0 78 C2 7C 7D  |..Q.x.|}|
[24-6月 -2018 12:49:51:528] nsprecv: 37 BC AA 25 23 20 FF 05  |7..%#...|
[24-6月 -2018 12:49:51:528] nsprecv: E0 F6 AF C3 53 C9 50 2F  |....S.P/|
[24-6月 -2018 12:49:51:528] nsprecv: 68 0D F1 CB CE B8 90 6B  |h......k|
[24-6月 -2018 12:49:51:528] nsprecv: 90 CC B2 B5 DF D8 C3 BC  |........|
[24-6月 -2018 12:49:51:529] nsprecv: F0 7A 37 E7 1B FA 3E 6B  |.z7...>k|
[24-6月 -2018 12:49:51:529] nsprecv: 13 90 7A 10 1C 6D C5 40  |..z..m.@|
[24-6月 -2018 12:49:51:529] nsprecv: BC E0 B9 4F 69 10 49 4D  |...Oi.IM|
[24-6月 -2018 12:49:51:529] nsprecv: B9 78 2E 28 B3 8C 05 53  |.x.(...S|
[24-6月 -2018 12:49:51:529] nsprecv: 18 99 B2 AF 46 AE 1D D7  |....F...|
[24-6月 -2018 12:49:51:529] nsprecv: 0E 19 56 28 7A B6 16 72  |..V(z..r|
[24-6月 -2018 12:49:51:529] nsprecv: 46 57 C9 7A 1C DB D1 A2  |FW.z....|
[24-6月 -2018 12:49:51:529] nsprecv: A2 35 B7 DD 63 EA 5E 07  |.5..c.^.|
[24-6月 -2018 12:49:51:529] nsprecv: F9 E1 4E 54 D0 57 63 9D  |..NT.Wc.|
[24-6月 -2018 12:49:51:529] nsprecv: 12 B0 7B 6F 0C DC 98 90  |..{o....|
[24-6月 -2018 12:49:51:529] nsprecv: C1 71 3B BD DA 27 03 CE  |.q;..'..|
[24-6月 -2018 12:49:51:529] nsprecv: 4B FA 5D 64 31 17 D1 CC  |K.]d1...|
[24-6月 -2018 12:49:51:529] nsprecv: 49 A7 A7 47 D8 26 81 23  |I..G.&.#|
[24-6月 -2018 12:49:51:529] nsprecv: BC 9E 54 76 C9 98 07 CF  |..Tv....|
[24-6月 -2018 12:49:51:529] nsprecv: CF 97 A4 70 57 68 80 16  |...pWh..|
[24-6月 -2018 12:49:51:529] nsprecv: 45 14 3D 32 06 3E 1A 06  |E.=2.>..|
[24-6月 -2018 12:49:51:529] nsprecv: 0A D6 8F 51 29 D3 A4 2E  |...Q)...|
[24-6月 -2018 12:49:51:529] nsprecv: 06 0C 03 B1 7A D1 5B 3B  |....z.[;|
[24-6月 -2018 12:49:51:529] nsprecv: 22 9A 6B 0F CD F7 EA 8C  |".k.....|
[24-6月 -2018 12:49:51:529] nsprecv: D7 8C CE F8 B6 9E 80 01  |........|
[24-6月 -2018 12:49:51:529] nsprecv: 95 1A D8 35 31 84 D6 42  |...51..B|
[24-6月 -2018 12:49:51:529] nsprecv: 7C CC 2D 31 00 01        ||.-1..  |
[24-6月 -2018 12:49:51:529] nsprecv: normal exit

这里可以发现,通过配置相关传输加密之后,客户端trace看到的已经是加密之后的数据,也就是说这样可以确保数据传输安全,网络上就算捕获这些包,也无法知道应用端和数据库端交互的内容.

补充说明
1. ENCRYPTION_SERVER和ENCRYPTION_CLIENT参数对应关系
SQLNET.ENCRYPTION_SERVICE-CLIENT


2. ENCRYPTION_TYPES_SERVER和ENCRYPTION_TYPES_CLIENT采用加密算法选择,可以选择adapters查看到的一种或者多种,默认为支持所有加密算法
3. 对于jdbc应用来说,可以参考下列配置方式

import oracle.jdbc.OracleConnection;
import oracle.jdbc.pool.OracleDataSource;
import java.sql.*;
import java.util.*;
class Employee1{
public static void main (String args []) throws Exception
{
OracleDataSource ods = new OracleDataSource();
Properties props = new Properties();
props.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_LEVEL, "REQUIRED");
props.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_TYPES, "(AES256,AES192,AES128)");
ods.setURL("jdbc:oracle:thin:@//yourHost:port/dbServiceName");
ods.setUser("scott");
ods.setPassword("tiger");
ods.setConnectionProperties(props);
Connection conn = ods.getConnection();
// Create a Statement
Statement stmt = conn.createStatement ();
// Select the ENAME column from the EMP table
ResultSet rset = stmt.executeQuery ("select ENAME from EMP");
// Iterate through the result and print the employee names
while (rset.next ())
System.out.println (rset.getString (1));
rset.close();
stmt.close();
conn.close();
}
}

关于wallet加密的几个测试

联系:手机/微信(+86 17813235971) QQ(107644445)

标题:关于wallet加密的几个测试

作者:惜分飞©版权所有[未经本人同意,不得以任何形式转载,否则有进一步追究法律责任的权利.]

TDE中比较核心部分为wallet,对于这部分进行测试,对钱包加密有更加深刻的理解.
wallet随库启动本质

[oracle@localhost wallets]$ ls -ltr
total 8
-rw------- 1 oracle oinstall 3637 Jan  5 23:11 ewallet.p12
[oracle@localhost wallets]$
[oracle@localhost wallets]$
[oracle@localhost wallets]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Tue Jan 5 23:16:13 2016
Copyright (c) 1982, 2013, Oracle.  All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/home/u01/oracle/network/wallets
OPEN
SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup
ORACLE instance started.
Total System Global Area 5044088832 bytes
Fixed Size                  2261928 bytes
Variable Size            1040190552 bytes
Database Buffers         3992977408 bytes
Redo Buffers                8658944 bytes
Database mounted.
Database opened.
SQL> select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/home/u01/oracle/network/wallets
CLOSED
[oracle@localhost wallets]$ orapki wallet create -pwd xifenfei123 -wallet /home/u01/oracle/network/wallets  -auto_login
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.
[oracle@localhost wallets]$ ls -ltr
total 16
-rw------- 1 oracle oinstall 3637 Jan  5 23:11 ewallet.p12
-rw------- 1 oracle oinstall 3715 Jan  5 23:20 cwallet.sso
[oracle@localhost wallets]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Tue Jan 5 23:21:04 2016
Copyright (c) 1982, 2013, Oracle.  All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/home/u01/oracle/network/wallets
OPEN
SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup
ORACLE instance started.
Total System Global Area 5044088832 bytes
Fixed Size                  2261928 bytes
Variable Size            1040190552 bytes
Database Buffers         3992977408 bytes
Redo Buffers                8658944 bytes
Database mounted.
Database opened.
SQL> select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/home/u01/oracle/network/wallets
OPEN
[oracle@localhost wallets]$ ls
cwallet.sso  ewallet.p12
[oracle@localhost wallets]$ rm cwallet.sso
[oracle@localhost wallets]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Tue Jan 5 23:30:55 2016
Copyright (c) 1982, 2013, Oracle.  All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/home/u01/oracle/network/wallets
OPEN
SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup
ORACLE instance started.
Total System Global Area 5044088832 bytes
Fixed Size                  2261928 bytes
Variable Size            1040190552 bytes
Database Buffers         3992977408 bytes
Redo Buffers                8658944 bytes
Database mounted.
Database opened.
SQL> select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/home/u01/oracle/network/wallets
CLOSED
SQL>  alter system set wallet open identified by "xifenfei123";
System altered.
SQL>  select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/home/u01/oracle/network/wallets
OPEN

通过测试我们发现当钱包中含cwallet.sso之时,wallet就会随库启动而open,当cwallet.sso被删除之后,wallet无法随库启动而open,由此可见,wallet是否随库启动而open取决于cwallet.sso文件.

修改wallet密码

[oracle@localhost wallets]$ orapki wallet change_pwd -wallet /home/u01/oracle/network/wallets
> -oldpwd xifenfei123 -newpwd www.xifenfei.com
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.
[oracle@localhost wallets]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Tue Jan 5 23:35:01 2016
Copyright (c) 1982, 2013, Oracle.  All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> alter system set wallet close identified by "xifenfei123";
System altered.
SQL> select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/home/u01/oracle/network/wallets
CLOSED
SQL> alter system set wallet open identified by "xifenfei123";
alter system set wallet open identified by "xifenfei123"
*
ERROR at line 1:
ORA-28353: failed to open wallet
SQL> alter system set wallet open identified by "www.xifenfei.com";
System altered.
SQL> select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/home/u01/oracle/network/wallets
OPEN
SQL> exit
Disconnected from Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
[oracle@localhost wallets]$ ls -ltr
total 8
-rw------- 1 oracle oinstall 3638 Jan  5 23:34 ewallet.p12

wallet文件丢失

[oracle@localhost wallets]$ mv ewallet.p12 ewallet.p12_bak
[oracle@localhost wallets]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Tue Jan 5 23:36:55 2016
Copyright (c) 1982, 2013, Oracle.  All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> alter system set wallet close identified by "www.xifenfei.com";
System altered.
SQL> alter system set wallet open identified by "www.xifenfei.com";
alter system set wallet open identified by "www.xifenfei.com"
*
ERROR at line 1:
ORA-28367: wallet does not exist
SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "www.xifenfei.com";
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "www.xifenfei.com"
*
ERROR at line 1:
ORA-28362: master key not found
SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "www.xifenfei";
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "www.xifenfei"
*
ERROR at line 1:
ORA-28353: failed to open wallet

如果wallet文件丢失,没有办法open钱包,也就是说加密数据无法读取.备份ewallet.p12文件非常重要

Oracle TDE 简单测试

联系:手机/微信(+86 17813235971) QQ(107644445)

标题:Oracle TDE 简单测试

作者:惜分飞©版权所有[未经本人同意,不得以任何形式转载,否则有进一步追究法律责任的权利.]

从ORACLE 10.2开始提供了一个新的特性,让你只需要做如下动作:你可以不写一行代码,只需要声明你需要加密某列。当用户插入数据的时候,数据库透明的加密数据然后存储加密后的数据。同样的,当用户读取数据时,数据库自动进行节目。由于加解密操作对应用程序来说都是透明的,不需要应用程序修改代码,因此这个特性就叫做:透明数据加密(TDE)。
TDE实施
sqlnet.ora中增加

ENCRYPTION_WALLET_LOCATION=
   (SOURCE=(METHOD=FILE)(METHOD_DATA=
      (DIRECTORY=/home/u01/oracle/network/wallets)))

重启监听

lsnrctl stop
lsnrctl start

配置钱包

[oracle@localhost wallets]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.4.0 PrXIFENFEIction on Tue Jan 5 14:43:18 2016
Copyright (c) 1982, 2013, Oracle.  All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit PrXIFENFEIction
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "welcome1";
System altered.
SQL> select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/home/u01/oracle/network/wallets
OPEN
[oracle@localhost wallets]$ ls -ltr
total 8
-rw-r--r-- 1 oracle oinstall 2845 Jan  5 14:43 ewallet.p12

TDE加密测试

SQL> conn XIFENFEI/oracle
Connected.
SQL>  create table CUST_PAYMENT_INFO
  2                     (first_name varchar2(11),
  3                      last_name varchar2(10),
                    order_number number(13),
                    CREDIT_CARD_NUMBER varchar2(20) ENCRYPT NO SALT);  4    5
Table created.
SQL>  insert into cust_payment_info values ('Jon', 'Oldfield', 10001, '5446-9597-0881-2985');
1 row created.
SQL> insert into cust_payment_info values ('Chris', 'White', 10002, '5122-3580-4608-2560');
1 row created.
SQL>  insert into cust_payment_info values ('Alan', 'Squire', 10003, '5595-9689-4375-7920');
1 row created.
SQL> commit;
Commit complete.
SQL> select * from USER_ENCRYPTED_COLUMNS;
TABLE_NAME                     COLUMN_NAME
------------------------------ ------------------------------
ENCRYPTION_ALG                SAL INTEGRITY_AL
----------------------------- --- ------------
CUST_PAYMENT_INFO              CREDIT_CARD_NUMBER
AES 192 bits key              NO  SHA-1
SQL> conn / as sysdba
Connected.
SQL> select * from XIFENFEI.cust_payment_info;
FIRST_NAME  LAST_NAME  ORDER_NUMBER CREDIT_CARD_NUMBER
----------- ---------- ------------ --------------------
Jon         Oldfield          10001 5446-9597-0881-2985
Chris       White             10002 5122-3580-4608-2560
Alan        Squire            10003 5595-9689-4375-7920
SQL> ALTER SYSTEM SET WALLET close IDENTIFIED BY  "welcome1";
System altered.
SQL> select * from XIFENFEI.cust_payment_info;
select * from XIFENFEI.cust_payment_info
                  *
ERROR at line 1:
ORA-28365: wallet is not open

验证TDE加密数据

--创建测试数据
SQL> create table XIFENFEI.CUST_PAYMENT_INFO2
  2                     (first_name varchar2(11),
  3                      last_name varchar2(10),
  4                      order_number number(13),
                    CREDIT_CARD_NUMBER varchar2(20));  5
Table created.
SQL> insert into XIFENFEI.cust_payment_info2 values ('Jon', 'Oldfield', 10001, '5446-9597-0881-2985');
insert into XIFENFEI.cust_payment_info2 values ('Chris', 'White', 10002, '5122-3580-4608-2560');
1 row created.
SQL>
1 row created.
SQL> insert into XIFENFEI.cust_payment_info2 values ('Alan', 'Squire', 10003, '5595-9689-4375-7920');
1 row created.
SQL> commit;
Commit complete.
SQL> select CREDIT_CARD_NUMBER,rowid,
  2  dbms_rowid.rowid_relative_fno(rowid)rel_fno,
  3  dbms_rowid.rowid_block_number(rowid)blockno,
dbms_rowid.rowid_row_number(rowid) rowno
  4    5  from XIFENFEI.cust_payment_info2;
CREDIT_CARD_NUMBER   ROWID                 REL_FNO    BLOCKNO      ROWNO
-------------------- ------------------ ---------- ---------- ----------
5446-9597-0881-2985  AAAZXdAAEAAAmgUAAA          4     157716          0
5122-3580-4608-2560  AAAZXdAAEAAAmgUAAB          4     157716          1
5595-9689-4375-7920  AAAZXdAAEAAAmgUAAC          4     157716          2
SQL> select name from v$datafile where file#=4;
NAME
--------------------------------------------------------------------------------
/home/u01/oradata/qsng/users01.dbf
SQL> alter system checkpoint;
System altered.
--使用bbed直接查看数据文件中数据
[oracle@localhost oracle]$ bbed
Password:
BBED: Release 2.0.0.0.0 - Limited PrXIFENFEIction on Tue Jan 5 22:06:59 2016
Copyright (c) 1982, 2011, Oracle and/or its affiliates.  All rights reserved.
************* !!! For Oracle Internal Use only !!! ***************
BBED> set filename '/home/u01/oradata/qsng/users01.dbf'
        FILENAME        /home/u01/oradata/qsng/users01.dbf
BBED> set blocksize 8192
        BLOCKSIZE       8192
BBED> set block 157716
        BLOCK#          157716
BBED> map
 File: /home/u01/oradata/qsng/users01.dbf (0)
 Block: 157716                                Dba:0x00000000
------------------------------------------------------------
 KTB Data Block (Table/Cluster)
 struct kcbh, 20 bytes                      @0
 struct ktbbh, 72 bytes                     @20
 struct kdbh, 14 bytes                      @100
 struct kdbt[1], 4 bytes                    @114
 sb2 kdbr[3]                                @118
 ub1 freespace[7943]                        @124
 ub1 rowdata[121]                           @8067
 ub4 tailchk                                @8188
BBED> p *kdbr[0]
rowdata[80]
-----------
ub1 rowdata[80]                             @8147     0x2c
BBED> x /rccnc
rowdata[80]                                 @8147
-----------
flag@8147: 0x2c (KDRHFL, KDRHFF, KDRHFH)
lock@8148: 0x01
cols@8149:    4
col    0[3] @8150: Jon
col    1[8] @8154: Oldfield
col    2[4] @8163: 10001
col   3[19] @8168: 5446-9597-0881-2985
--证明没有加密数据文件中数据,可以直接查看
SQL> ALTER TABLE XIFENFEI.CUST_PAYMENT_INFO2 MODIFY (CREDIT_CARD_NUMBER ENCRYPT NO SALT);
Table altered.
SQL> insert into XIFENFEI.cust_payment_info2 values ('xifenfei', 'XFF', 10004, 'WWW.XIFENFEI.COM');
1 row created.
SQL> COMMIT;
Commit complete.
SQL>  alter system checkpoint;
System altered.
SQL> select CREDIT_CARD_NUMBER,rowid,
  2  dbms_rowid.rowid_relative_fno(rowid)rel_fno,
  3  dbms_rowid.rowid_block_number(rowid)blockno,
dbms_rowid.rowid_row_number(rowid) rowno
  4    5  from XIFENFEI.cust_payment_info2;
CREDIT_CARD_NUMBER   ROWID                 REL_FNO    BLOCKNO      ROWNO
-------------------- ------------------ ---------- ---------- ----------
5446-9597-0881-2985  AAAZXdAAEAAAmgUAAA          4     157716          0
5122-3580-4608-2560  AAAZXdAAEAAAmgUAAB          4     157716          1
5595-9689-4375-7920  AAAZXdAAEAAAmgUAAC          4     157716          2
WWW.XIFENFEI.COM     AAAZXdAAEAAAmgWAAA          4     157718          0
BBED> set filename '/home/u01/oradata/qsng/users01.dbf'
        FILENAME        /home/u01/oradata/qsng/users01.dbf
BBED> set blocksize 8192
        BLOCKSIZE       8192
BBED> set block 157716
        BLOCK#          157716
BBED> map
 File: /home/u01/oradata/qsng/users01.dbf (0)
 Block: 157716                                Dba:0x00000000
------------------------------------------------------------
 KTB Data Block (Table/Cluster)
 struct kcbh, 20 bytes                      @0
 struct ktbbh, 72 bytes                     @20
 struct kdbh, 14 bytes                      @100
 struct kdbt[1], 4 bytes                    @114
 sb2 kdbr[3]                                @118
 ub1 freespace[7723]                        @124
 ub1 rowdata[341]                           @7847
 ub4 tailchk                                @8188
BBED> p *kdbr[0]
rowdata[146]
------------
ub1 rowdata[146]                            @7993     0x2c
BBED> x /rccnc
rowdata[146]                                @7993
------------
flag@7993: 0x2c (KDRHFL, KDRHFF, KDRHFH)
lock@7994: 0x02
cols@7995:    4
col    0[3] @7996: Jon
col    1[8] @8000: Oldfield
col    2[4] @8009: 10001
col   3[52] @8014: g隐.1Y.>.焦右.l.0赌鉣X.^._K泅Dn&.蜥._sR^....
BBED> set block 157718
        BLOCK#          157718
BBED> map
 File: /home/u01/oradata/qsng/users01.dbf (0)
 Block: 157718                                Dba:0x00000000
------------------------------------------------------------
 KTB Data Block (Table/Cluster)
 struct kcbh, 20 bytes                      @0
 struct ktbbh, 72 bytes                     @20
 struct kdbh, 14 bytes                      @100
 struct kdbt[1], 4 bytes                    @114
 sb2 kdbr[1]                                @118
 ub1 freespace[7994]                        @120
 ub1 rowdata[74]                            @8114
 ub4 tailchk                                @8188
BBED> p *kdbr[0]
rowdata[0]
----------
ub1 rowdata[0]                              @8114     0x2c
BBED> x /rccnc
rowdata[0]                                  @8114
----------
flag@8114: 0x2c (KDRHFL, KDRHFF, KDRHFH)
lock@8115: 0x01
cols@8116:    4
col    0[8] @8117: xifenfei
col    1[3] @8126: XFF
col    2[4] @8130: 10004
col   3[52] @8135: 籕G蠖璆]Qu]..o._証?.湮`.C..)S....&...Z

通过测试可以发现两点:
1. TDE加密之后,数据无法通过数据文件获取,也就是说在没有钱包的情况下,就算有数据文件,也无法直接获取数据
2. 当对表进行alter语句设置加密之后,原表中数据已经进行加密,而且后续插入数据也加密

TDE加密后数据导出问题

--TDE加密之后,数据无法通过exp导出
[oracle@localhost network]$ exp XIFENFEI/oracle file=/tmp/1.dmp tables=CUST_PAYMENT_INFO1
Export: Release 11.2.0.4.0 - PrXIFENFEIction on Tue Jan 5 16:09:54 2016
Copyright (c) 1982, 2011, Oracle and/or its affiliates.  All rights reserved.
Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit PrXIFENFEIction
With the Partitioning, OLAP, Data Mining and Real Application Testing options
Export done in US7ASCII character set and AL16UTF16 NCHAR character set
server uses ZHS16GBK character set (possible charset conversion)
About to export specified tables via Conventional Path ...
EXP-00107: Feature (COLUMN ENCRYPTION) of column CREDIT_CARD_NUMBER in table
  XIFENFEI.CUST_PAYMENT_INFO1 is not supported. The table will not be exported.
Export terminated successfully with warnings.
--TDE加密之后,数据使用expdp导出需要使用
[oracle@localhost network]$ expdp XIFENFEI/oracle dumpfile=1.dmp tables=CUST_PAYMENT_INFO1
Export: Release 11.2.0.4.0 - PrXIFENFEIction on Tue Jan 5 16:10:29 2016
Copyright (c) 1982, 2011, Oracle and/or its affiliates.  All rights reserved.
Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit PrXIFENFEIction
With the Partitioning, OLAP, Data Mining and Real Application Testing options
Starting "XIFENFEI"."SYS_EXPORT_TABLE_01":  XIFENFEI/******** dumpfile=1.dmp tables=CUST_PAYMENT_INFO1
Estimate in progress using BLOCKS method...
Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
Total estimation using BLOCKS method: 64 KB
Processing object type TABLE_EXPORT/TABLE/TABLE
. . exported "XIFENFEI"."CUST_PAYMENT_INFO1"                  6.406 KB       3 rows
ORA-39173: Encrypted data has been stored unencrypted in dump file set.
Master table "XIFENFEI"."SYS_EXPORT_TABLE_01" successfully loaded/unloaded
******************************************************************************
Dump file set for XIFENFEI.SYS_EXPORT_TABLE_01 is:
  /home/u01/admin/qsng/dpdump/1.dmp
Job "XIFENFEI"."SYS_EXPORT_TABLE_01" completed with 1 error(s) at Tue Jan 5 16:10:43 2016 elapsed 0 00:00:11
--指定ENCRYPTION_MODE=TRANSPARENT使用钱包加密方式
[oracle@localhost oracle]$ expdp XIFENFEI/oracle dumpfile=2.dmp ENCRYPTION_MODE=TRANSPARENT
> ENCRYPTION=ALL tables=CUST_PAYMENT_INFO2 reuse_dumpfiles=yes
Export: Release 11.2.0.4.0 - PrXIFENFEIction on Tue Jan 5 22:45:02 2016
Copyright (c) 1982, 2011, Oracle and/or its affiliates.  All rights reserved.
Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit PrXIFENFEIction
With the Partitioning, OLAP, Data Mining and Real Application Testing options
Starting "XIFENFEI"."SYS_EXPORT_TABLE_01":  XIFENFEI/******** dumpfile=2.dmp ENCRYPTION_MODE=TRANSPARENT
  ENCRYPTION=ALL tables=CUST_PAYMENT_INFO2 reuse_dumpfiles=yes
Estimate in progress using BLOCKS method...
Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
Total estimation using BLOCKS method: 64 KB
Processing object type TABLE_EXPORT/TABLE/TABLE
. . exported "XIFENFEI"."CUST_PAYMENT_INFO2"                  6.453 KB       4 rows
Master table "XIFENFEI"."SYS_EXPORT_TABLE_01" successfully loaded/unloaded
******************************************************************************
Dump file set for XIFENFEI.SYS_EXPORT_TABLE_01 is:
  /home/u01/admin/qsng/dpdump/2.dmp
Job "XIFENFEI"."SYS_EXPORT_TABLE_01" successfully completed at Tue Jan 5 22:45:06 2016 elapsed 0 00:00:03
--使用ENCRYPTION_MODE=PASSWORD方式导出
[oracle@localhost oracle]$ expdp XIFENFEI/oracle dumpfile=2.dmp ENCRYPTION_MODE=PASSWORD
>ENCRYPTION_PASSWORD=www.xifenfei.com  ENCRYPTION=ALL tables=CUST_PAYMENT_INFO2 reuse_dumpfiles=yes
Export: Release 11.2.0.4.0 - PrXIFENFEIction on Tue Jan 5 22:46:17 2016
Copyright (c) 1982, 2011, Oracle and/or its affiliates.  All rights reserved.
Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit PrXIFENFEIction
With the Partitioning, OLAP, Data Mining and Real Application Testing options
Starting "XIFENFEI"."SYS_EXPORT_TABLE_01":  XIFENFEI/******** dumpfile=2.dmp ENCRYPTION_MODE=PASSWORD
  ENCRYPTION_PASSWORD=******** ENCRYPTION=ALL tables=CUST_PAYMENT_INFO2 reuse_dumpfiles=yes
Estimate in progress using BLOCKS method...
Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
Total estimation using BLOCKS method: 64 KB
Processing object type TABLE_EXPORT/TABLE/TABLE
. . exported "XIFENFEI"."CUST_PAYMENT_INFO2"                  6.453 KB       4 rows
Master table "XIFENFEI"."SYS_EXPORT_TABLE_01" successfully loaded/unloaded
******************************************************************************
Dump file set for XIFENFEI.SYS_EXPORT_TABLE_01 is:
  /home/u01/admin/qsng/dpdump/2.dmp
Job "XIFENFEI"."SYS_EXPORT_TABLE_01" successfully completed at Tue Jan 5 22:46:21 2016 elapsed 0 00:00:03

钱包随库一起open

[oracle@localhost wallets]$ orapki wallet create -pwd welcome1 -wallet /home/u01/oracle/network/wallets  -auto_login
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.
--注意随库open之后钱包无法关闭
SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup
ORACLE instance started.
Total System Global Area 5044088832 bytes
Fixed Size                  2261928 bytes
Variable Size            1040190552 bytes
Database Buffers         3992977408 bytes
Redo Buffers                8658944 bytes
Database mounted.
Database opened.
SQL> select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/home/u01/oracle/network/wallets
OPEN
SQL> alter system set wallet close identified by "welcome1";
alter system set wallet close identified by "welcome1"
*
ERROR at line 1:
ORA-28365: wallet is not open
SQL>  alter system set wallet close;
System altered.
SQL> select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/home/u01/oracle/network/wallets
OPEN

给你的dmp文件(datapump)加上密码锁

联系:手机/微信(+86 17813235971) QQ(107644445)

标题:给你的dmp文件(datapump)加上密码锁

作者:惜分飞©版权所有[未经本人同意,不得以任何形式转载,否则有进一步追究法律责任的权利.]

从oracle 11.1.0.7开始oracle 支持data pump导出加密,从而实现dmp文件安全.不会因为dmp文件丢失而导致数据泄露.涉及数据泵加密参数主要有:ENCRYPTION,ENCRYPTION_ALGORITHM,ENCRYPTION_MODE,ENCRYPTION_PASSWORD几个参数.这里测试的是使用最简单方式实现datapump加密功能,如果需要更好的数据安全可以考虑实时密码钱包

ENCRYPTION
Encrypt part or all of a dump file.
Valid keyword values are: ALL, DATA_ONLY, ENCRYPTED_COLUMNS_ONLY, METADATA_ONLY and NONE.
ENCRYPTION为加密dmp文件加密部分,其参数值可以有ALL, DATA_ONLY, ENCRYPTED_COLUMNS_ONLY, METADATA_ONLY and NONE,
如果只有ENCRYPTION_PASSWORD指定值,那么ENCRYPTION默认值为ALL
如果ENCRYPTION_PASSWORD和ENCRYPTION均为指定,那么默认值为NONE

ENCRYPTION_ALGORITHM
Specify how encryption should be done.
Valid keyword values are: [AES128], AES192 and AES256.
ENCRYPTION_ALGORITHM是指加密算法,参数值可以有AES128, AES192 and AES256。默认值为AES128

ENCRYPTION_MODE
Method of generating encryption key.
Valid keyword values are: DUAL, PASSWORD and [TRANSPARENT].
ENCRYPTION_MODE指定加密方式,其参数值有DUAL, PASSWORD and TRANSPARENT。默认值为TRANSPARENT
DUAL表示你指定的加密的dmp文件在导入的时候可以通过密码方式或者加密钱包方式导入
PASSWORD表示指定密码方式创建dmp文件,你导入也需要提供密码
TRANSPARENT需要加密钱包方式导出和导入

ENCRYPTION_PASSWORD
Password key for creating encrypted data within a dump file.
ENCRYPTION_PASSWORD指定加密密码

创建测试表

[oracle@localhost ~]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Wed Feb 11 14:52:32 2015
Copyright (c) 1982, 2013, Oracle.  All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> conn chf/xifenfei
Connected.
SQL> create table xifenfei (id number,name varchar2(50));
Table created.
SQL> insert into xifenfei values(&id,'&name');
Enter value for id: 1
Enter value for name: xifenfei
old   1: insert into xifenfei values(&id,'&name')
new   1: insert into xifenfei values(1,'xifenfei')
1 row created.
SQL> /
Enter value for id: 2
Enter value for name: www.xifenfei.com
old   1: insert into xifenfei values(&id,'&name')
new   1: insert into xifenfei values(2,'www.xifenfei.com')
1 row created.
SQL> /
Enter value for id: 3
Enter value for name: www.orasos.com
old   1: insert into xifenfei values(&id,'&name')
new   1: insert into xifenfei values(3,'www.orasos.com')
1 row created.
SQL> commit;
Commit complete.
SQL> col name for a50
SQL> set lines 100
SQL> select * from xifenfei;
        ID NAME
---------- --------------------------------------------------
         1 xifenfei
         2 www.xifenfei.com
         3 www.orasos.com

创建目录

SQL> create directory dir_xff as '/tmp';
Directory created.

不加密导出

[oracle@localhost ~]$ expdp chf/xifenfei tables=xifenfei directory=dir_xff dumpfile=none.dmp logfile=none.log
Export: Release 11.2.0.4.0 - Production on Wed Feb 11 15:29:13 2015
Copyright (c) 1982, 2011, Oracle and/or its affiliates.  All rights reserved.
Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
Starting "CHF"."SYS_EXPORT_TABLE_01":  chf/******** tables=xifenfei
directory=dir_xff dumpfile=none.dmp logfile=none.log
Estimate in progress using BLOCKS method...
Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
Total estimation using BLOCKS method: 64 KB
Processing object type TABLE_EXPORT/TABLE/TABLE
. . exported "CHF"."XIFENFEI"                            5.460 KB       3 rows
Master table "CHF"."SYS_EXPORT_TABLE_01" successfully loaded/unloaded
******************************************************************************
Dump file set for CHF.SYS_EXPORT_TABLE_01 is:
  /tmp/none.dmp
Job "CHF"."SYS_EXPORT_TABLE_01" successfully completed at Wed Feb 11 15:29:37 2015 elapsed 0 00:00:14

数据字典和数据都加密导出

[oracle@localhost ~]$ expdp chf/xifenfei tables=xifenfei directory=dir_xff  ENCRYPTION=ALL dumpfile=ALL.dmp
logfile=ALL.log ENCRYPTION_MODE=PASSWORD ENCRYPTION_PASSWORD=www.xifenfei.com
Export: Release 11.2.0.4.0 - Production on Wed Feb 11 15:33:06 2015
Copyright (c) 1982, 2011, Oracle and/or its affiliates.  All rights reserved.
Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
Starting "CHF"."SYS_EXPORT_TABLE_01":  chf/******** tables=xifenfei directory=dir_xff ENCRYPTION=ALL
dumpfile=ALL.dmp logfile=ALL.log ENCRYPTION_MODE=PASSWORD ENCRYPTION_PASSWORD=********
Estimate in progress using BLOCKS method...
Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
Total estimation using BLOCKS method: 64 KB
Processing object type TABLE_EXPORT/TABLE/TABLE
. . exported "CHF"."XIFENFEI"                            5.468 KB       3 rows
Master table "CHF"."SYS_EXPORT_TABLE_01" successfully loaded/unloaded
******************************************************************************
Dump file set for CHF.SYS_EXPORT_TABLE_01 is:
  /tmp/ALL.dmp
Job "CHF"."SYS_EXPORT_TABLE_01" successfully completed at Wed Feb 11 15:33:13 2015 elapsed 0 00:00:06

数据加密导出

[oracle@localhost ~]$ expdp chf/xifenfei tables=xifenfei directory=dir_xff  ENCRYPTION=DATA_ONLY
dumpfile=DATA_ONLY.dmp logfile=DATA_ONLY.log ENCRYPTION_MODE=PASSWORD ENCRYPTION_PASSWORD=www.xifenfei.com
Export: Release 11.2.0.4.0 - Production on Wed Feb 11 15:33:52 2015
Copyright (c) 1982, 2011, Oracle and/or its affiliates.  All rights reserved.
Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
Starting "CHF"."SYS_EXPORT_TABLE_01":  chf/******** tables=xifenfei directory=dir_xff ENCRYPTION=DATA_ONLY
dumpfile=DATA_ONLY.dmp logfile=DATA_ONLY.log ENCRYPTION_MODE=PASSWORD ENCRYPTION_PASSWORD=********
Estimate in progress using BLOCKS method...
Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
Total estimation using BLOCKS method: 64 KB
Processing object type TABLE_EXPORT/TABLE/TABLE
. . exported "CHF"."XIFENFEI"                            5.468 KB       3 rows
Master table "CHF"."SYS_EXPORT_TABLE_01" successfully loaded/unloaded
******************************************************************************
Dump file set for CHF.SYS_EXPORT_TABLE_01 is:
  /tmp/DATA_ONLY.dmp
Job "CHF"."SYS_EXPORT_TABLE_01" successfully completed at Wed Feb 11 15:33:57 2015 elapsed 0 00:00:04

数据字典加密导出

[oracle@localhost tmp]$ expdp chf/xifenfei tables=xifenfei directory=dir_xff  ENCRYPTION=METADATA_ONLY
dumpfile=METADATA_ONLY.dmp logfile=METADATA_ONLY.log ENCRYPTION_MODE=PASSWORD ENCRYPTION_PASSWORD=www.xifenfei.com
Export: Release 11.2.0.4.0 - Production on Wed Feb 11 15:50:00 2015
Copyright (c) 1982, 2011, Oracle and/or its affiliates.  All rights reserved.
Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
Starting "CHF"."SYS_EXPORT_TABLE_01":  chf/******** tables=xifenfei directory=dir_xff ENCRYPTION=METADATA_ONLY
dumpfile=METADATA_ONLY.dmp logfile=METADATA_ONLY.log ENCRYPTION_MODE=PASSWORD ENCRYPTION_PASSWORD=********
Estimate in progress using BLOCKS method...
Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
Total estimation using BLOCKS method: 64 KB
Processing object type TABLE_EXPORT/TABLE/TABLE
. . exported "CHF"."XIFENFEI"                            5.460 KB       3 rows
Master table "CHF"."SYS_EXPORT_TABLE_01" successfully loaded/unloaded
******************************************************************************
Dump file set for CHF.SYS_EXPORT_TABLE_01 is:
  /tmp/METADATA_ONLY.dmp
Job "CHF"."SYS_EXPORT_TABLE_01" successfully completed at Wed Feb 11 15:50:04 2015 elapsed 0 00:00:03

删除测试表

SQL> drop table xifenfei purge;
Table dropped.

导入数据未输入密码

[oracle@localhost tmp]$ impdp chf/xifenfei tables=xifenfei directory=dir_xff
dumpfile=METADATA_ONLY.dmp logfile=xifenfei.log
Import: Release 11.2.0.4.0 - Production on Wed Feb 11 16:03:13 2015
Copyright (c) 1982, 2011, Oracle and/or its affiliates.  All rights reserved.
Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
ORA-39002: invalid operation
ORA-39174: Encryption password must be supplied.

导入数据密码错误

[oracle@localhost tmp]$ impdp chf/xifenfei tables=xifenfei directory=dir_xff
dumpfile=METADATA_ONLY.dmp logfile=METADATA_ONLY.log ENCRYPTION_PASSWORD=www.orasos.com
Import: Release 11.2.0.4.0 - Production on Wed Feb 11 16:05:46 2015
Copyright (c) 1982, 2011, Oracle and/or its affiliates.  All rights reserved.
Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
ORA-39002: invalid operation
ORA-39176: Encryption password is incorrect.

导入数据密码正确

[oracle@localhost tmp]$ impdp chf/xifenfei tables=xifenfei directory=dir_xff
dumpfile=METADATA_ONLY.dmp logfile=METADATA_ONLY.log ENCRYPTION_PASSWORD=www.xifenfei.com
Import: Release 11.2.0.4.0 - Production on Wed Feb 11 16:06:00 2015
Copyright (c) 1982, 2011, Oracle and/or its affiliates.  All rights reserved.
Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
Master table "CHF"."SYS_IMPORT_TABLE_01" successfully loaded/unloaded
Starting "CHF"."SYS_IMPORT_TABLE_01":  chf/******** tables=xifenfei directory=dir_xff
dumpfile=METADATA_ONLY.dmp logfile=METADATA_ONLY.log ENCRYPTION_PASSWORD=********
Processing object type TABLE_EXPORT/TABLE/TABLE
Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
. . imported "CHF"."XIFENFEI"                            5.460 KB       3 rows
Job "CHF"."SYS_IMPORT_TABLE_01" successfully completed at Wed Feb 11 16:06:04 2015 elapsed 0 00:00:02

验证数据

[oracle@localhost tmp]$ sqlplus chf/xifenfei
SQL*Plus: Release 11.2.0.4.0 Production on Wed Feb 11 16:06:09 2015
Copyright (c) 1982, 2013, Oracle.  All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> set lines 150
SQL> col name for a50
SQL> select * from xifenfei;
        ID NAME
---------- --------------------------------------------------
         1 xifenfei
         2 www.xifenfei.com
         3 www.orasos.com

给你的rman备份集加上密码锁

联系:手机/微信(+86 17813235971) QQ(107644445)

标题:给你的rman备份集加上密码锁

作者:惜分飞©版权所有[未经本人同意,不得以任何形式转载,否则有进一步追究法律责任的权利.]

数据的安全越来越重要,不是说你的生产库安全,你的数据就一定安全了,rman备份也是泄露数据的一个重要地方,如果别人拿到了你的备份集,一样等同入侵了你的生产库。为了rman备份的安全,最简单方式就是使用set encryption方式在rman备份过程中设置密码,需要版本为10.2及其以后企业版版,另外如果需要备份到带库只能使用oracle自己的osb(Oracle Secure Backup),注意rman只有backupset可以加密,copy无法进行加密
数据库版本

SQL> select * from v$version;
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
PL/SQL Release 11.2.0.4.0 - Production
CORE    11.2.0.4.0      Production
TNS for Linux: Version 11.2.0.4.0 - Production
NLSRTL Version 11.2.0.4.0 - Production
SQL> show parameter compatible
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
compatible                           string      11.2.0.4.0

支持rman加密算法

SQL> select ALGORITHM_NAME
  2  from V$RMAN_ENCRYPTION_ALGORITHMS;
ALGORITHM_NAME
----------------------------------------------------------------
AES128
AES192
AES256

调整加密算法

RMAN> show  ENCRYPTION ALGORITHM;
RMAN configuration parameters for database with db_unique_name ORCL are:
CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default
RMAN> CONFIGURE ENCRYPTION ALGORITHM 'AES256';
new RMAN configuration parameters:
CONFIGURE ENCRYPTION ALGORITHM 'AES256';
new RMAN configuration parameters are successfully stored
RMAN> show ENCRYPTION ALGORITHM;
using target database control file instead of recovery catalog
RMAN configuration parameters for database with db_unique_name ORCL are:
CONFIGURE ENCRYPTION ALGORITHM 'AES256';

创建新测试数据文件
我们这里测试的是对新创建的5号文件进行加密备份和还原

SQL> select name from v$datafile;
NAME
--------------------------------------------------------------------------------
/u01/app/oracle/oradata/orcl/system01.dbf
/u01/app/oracle/oradata/orcl/sysaux01.dbf
/u01/app/oracle/oradata/orcl/undotbs01.dbf
/u01/app/oracle/oradata/orcl/users01.dbf
SQL> create tablespace rman_xifenfei datafile
  2 '/u01/app/oracle/oradata/orcl/xifenfei01.dbf' size 100M;
Tablespace created.
SQL> select file#,name from v$datafile;
     FILE# NAME
---------- --------------------------------------------------
         1 /u01/app/oracle/oradata/orcl/system01.dbf
         2 /u01/app/oracle/oradata/orcl/sysaux01.dbf
         3 /u01/app/oracle/oradata/orcl/undotbs01.dbf
         4 /u01/app/oracle/oradata/orcl/users01.dbf
         5 /u01/app/oracle/oradata/orcl/xifenfei01.dbf
SQL> create table chf.t_xifenfei tablespace rman_xifenfei
  2  as select * from dba_objects;
Table created.
SQL> select count(*) from chf.t_xifenfei;
  COUNT(*)
----------
     86721

rman加密备份

RMAN> set encryption on identified by 'www.xifenfei.com' only;
executing command: SET encryption
RMAN> backup datafile 5;
Starting backup at 28-JAN-15
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=5 device type=DISK
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00005 name=/u01/app/oracle/oradata/orcl/xifenfei01.dbf
channel ORA_DISK_1: starting piece 1 at 28-JAN-15
channel ORA_DISK_1: finished piece 1 at 28-JAN-15
piece handle=/u01/2015_01_28/o1_mf_nnndf_TAG20150128T230115_bdkyfvlw_.bkp tag=TAG20150128T230115 comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:01
Finished backup at 28-JAN-15

准备恢复测试

RMAN> sql 'alter database datafile 5 offline';
sql statement: alter database datafile 5 offline
[oracle@localhost ~]$ rm /u01/app/oracle/oradata/orcl/xifenfei01.dbf
[oracle@localhost ~]$ ls /u01/app/oracle/oradata/orcl/xifenfei01.dbf
ls: /u01/app/oracle/oradata/orcl/xifenfei01.dbf: No such file or directory

rman恢复测试

[oracle@localhost ~]$ rman target /
Recovery Manager: Release 11.2.0.4.0 - Production on Wed Jan 28 23:02:24 2015
Copyright (c) 1982, 2011, Oracle and/or its affiliates.  All rights reserved.
connected to target database: ORCL (DBID=1378620768)
RMAN> list backup of datafile 5;
using target database control file instead of recovery catalog
List of Backup Sets
===================
BS Key  Type LV Size       Device Type Elapsed Time Completion Time
------- ---- -- ---------- ----------- ------------ ---------------
1       Full    10.94M     DISK        00:00:01     28-JAN-15
        BP Key: 1   Status: AVAILABLE  Compressed: NO  Tag: TAG20150128T230115
        Piece Name: /u01/2015_01_28/o1_mf_nnndf_TAG20150128T230115_bdkyfvlw_.bkp
  List of Datafiles in backup set 1
  File LV Type Ckp SCN    Ckp Time  Name
  ---- -- ---- ---------- --------- ----
  5       Full 54057180   28-JAN-15 /u01/app/oracle/oradata/orcl/xifenfei01.dbf
--未输入密码
RMAN> restore datafile 5;
Starting restore at 28-JAN-15
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=492 device type=DISK
channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00005 to /u01/app/oracle/oradata/orcl/xifenfei01.dbf
channel ORA_DISK_1: reading from backup piece /u01/2015_01_28/o1_mf_nnndf_TAG20150128T230115_bdkyfvlw_.bkp
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 01/28/2015 23:02:52
ORA-19870: error while restoring backup piece /u01/2015_01_28/o1_mf_nnndf_TAG20150128T230115_bdkyfvlw_.bkp
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open
--设置错误密码
RMAN> SET DECRYPTION IDENTIFIED BY 'www.orasos.com';
executing command: SET decryption
RMAN> restore datafile 5;
Starting restore at 28-JAN-15
using channel ORA_DISK_1
channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00005 to /u01/app/oracle/oradata/orcl/xifenfei01.dbf
channel ORA_DISK_1: reading from backup piece /u01/2015_01_28/o1_mf_nnndf_TAG20150128T230115_bdkyfvlw_.bkp
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 01/28/2015 23:03:31
ORA-19870: error while restoring backup piece /u01/2015_01_28/o1_mf_nnndf_TAG20150128T230115_bdkyfvlw_.bkp
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open
--设置正确密码
RMAN> SET DECRYPTION IDENTIFIED BY 'www.xifenfei.com';
executing command: SET decryption
RMAN> restore datafile 5;
Starting restore at 28-JAN-15
using channel ORA_DISK_1
channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00005 to /u01/app/oracle/oradata/orcl/xifenfei01.dbf
channel ORA_DISK_1: reading from backup piece /u01/2015_01_28/o1_mf_nnndf_TAG20150128T230115_bdkyfvlw_.bkp
channel ORA_DISK_1: piece handle=/u01/2015_01_28/o1_mf_nnndf_TAG20150128T230115_bdkyfvlw_.bkp tag=TAG20150128T230115
channel ORA_DISK_1: restored backup piece 1
channel ORA_DISK_1: restore complete, elapsed time: 00:00:01
Finished restore at 28-JAN-15

验证数据还原

RMAN> recover datafile 5;
Starting recover at 28-JAN-15
using target database control file instead of recovery catalog
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=7 device type=DISK
starting media recovery
media recovery complete, elapsed time: 00:00:00
Finished recover at 28-JAN-15
RMAN> sql 'alter database datafile 5 online';
sql statement: alter database datafile 5 online
RMAN> exit
Recovery Manager complete.
[oracle@localhost ~]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Wed Jan 28 23:05:55 2015
Copyright (c) 1982, 2013, Oracle.  All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> select count(*) from chf.t_xifenfei;
  COUNT(*)
----------
     86721

至此我们可以看到,最简单的rman加密备份和加密恢复测试完成,在使用set encryption加密后,如果不输入或者错误的输入密码无法使用备份集,从而确保了备份集的安全.

通过DBMS_CRYPTO包对表敏感字段进行加密

联系:手机/微信(+86 17813235971) QQ(107644445)

标题:通过DBMS_CRYPTO包对表敏感字段进行加密

作者:惜分飞©版权所有[未经本人同意,不得以任何形式转载,否则有进一步追究法律责任的权利.]

在安全越来越重视的近体,我们不少时候需要对数据库中的某个表的敏感列数据(银行卡,身份证号码,金额等)进行加密,方式数据泄密,在11.2.0.4中可以通过dbms_crypto包方式实现,增加oracle的加密效率,本文提供处理思路,其他可以根据需求尽情发挥
数据库版本

SQL> select * from v$version;
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
PL/SQL Release 11.2.0.4.0 - Production
CORE    11.2.0.4.0      Production
TNS for Linux: Version 11.2.0.4.0 - Production
NLSRTL Version 11.2.0.4.0 - Production
[/shell]
<strong>创建加密函数</strong>

SQL> create or replace function f_Encrypt_number(number_in in varchar2) return raw is
  2  number_in_raw RAW(128):=UTL_I18N.STRING_TO_RAW(number_in,'AL32UTF8');
  3  key_number number(32):=32432432343243279898;
  4  key_raw RAW(128):=UTL_RAW.cast_from_number(key_number);
  5  encrypted_raw RAW(128);
  6  begin
  7  encrypted_raw:=dbms_crypto.Encrypt(src=>number_in_raw,typ=>DBMS_CRYPTO.DES_CBC_PKCS5,key=>key_raw);
  8  return encrypted_raw;
  9  end;
 10  /
Function created.

测试加密函数

SQL> select f_Encrypt_number('wwww.xifenfei.com') from dual;
F_ENCRYPT_NUMBER('WWWW.XIFENFEI.COM')
--------------------------------------------------------------------------------
003CB89CB77F6644C93AE2CF7810B0E3E3B10B8C60B54058

创建解密函数

SQL> create or replace function f_decrypt_number (encrypted_raw IN RAW)
  2  return varchar2 is
  3  decrypted_raw raw(48);
  4  key_number number(32):=32432432343243279898;
  5  key_raw RAW(128):=UTL_RAW.cast_from_number(key_number);
  6  begin
  7  decrypted_raw := DBMS_CRYPTO.DECRYPT
  8  (
  9  src => encrypted_raw,
 10  typ => DBMS_CRYPTO.DES_CBC_PKCS5,
 11  key => key_raw
 12  );
 13  return UTL_I18N.RAW_TO_CHAR (decrypted_raw, 'AL32UTF8');
 14  END;
 15  /
Function created.

测试解密函数

SQL> select f_decrypt_number('003CB89CB77F6644C93AE2CF7810B0E3E3B10B8C60B54058') from dual;
F_DECRYPT_NUMBER('003CB89CB77F6644C93AE2CF7810B0E3E3B10B8C60B54058')
--------------------------------------------------------------------------------
wwww.xifenfei.com

创建表综合测试

SQL> create table xifenfei_crypto
  2  (id number, name varchar2(20),en_name raw(128)) ;
Table created.
SQL> insert into xifenfei_crypto (id,name) select object_id,object_name from dba_objects where rownum<10;
9 rows created.
SQL> commit;
Commit complete.
SQL> select * from xifenfei_crypto;
        ID NAME                 EN_NAME
---------- -------------------- ------------------------------
        20 ICOL$
        46 I_USER1
        28 CON$
        15 UNDO$
        29 C_COBJ#
         3 I_OBJ#
        25 PROXY_ROLE_DATA$
        41 I_IND1
        54 I_CDEF2
9 rows selected.
SQL> update xifenfei_crypto set en_name=f_Encrypt_number(name);
9 rows updated.
SQL> commit;
Commit complete.
SQL> select * from xifenfei_crypto;
        ID NAME                 EN_NAME
---------- -------------------- --------------------------------------------------
        20 ICOL$                FE17B031331839A9
        46 I_USER1              FEF96765B1E2C53C
        28 CON$                 0283FCE900ACED5C
        15 UNDO$                20DD92762F199436
        29 C_COBJ#              A0CB43E2EA6BA889
         3 I_OBJ#               F2DE1B9C8A39AA3D
        25 PROXY_ROLE_DATA$     62B99C02EBD4B250311E4490207FEF18CBD8CD8FBA1BFD81
        41 I_IND1               3F4C3C186F8E2F52
        54 I_CDEF2              CA23D202802BD3AC
9 rows selected.
SQL> select id,name,f_decrypt_number(EN_NAME) de_name,en_name from  xifenfei_crypto;
        ID NAME                 DE_NAME                        EN_NAME
---------- -------------------- ------------------------------ --------------------------------------------------
        20 ICOL$                ICOL$                          FE17B031331839A9
        46 I_USER1              I_USER1                        FEF96765B1E2C53C
        28 CON$                 CON$                           0283FCE900ACED5C
        15 UNDO$                UNDO$                          20DD92762F199436
        29 C_COBJ#              C_COBJ#                        A0CB43E2EA6BA889
         3 I_OBJ#               I_OBJ#                         F2DE1B9C8A39AA3D
        25 PROXY_ROLE_DATA$     PROXY_ROLE_DATA$               62B99C02EBD4B250311E4490207FEF18CBD8CD8FBA1BFD81
        41 I_IND1               I_IND1                         3F4C3C186F8E2F52
        54 I_CDEF2              I_CDEF2                        CA23D202802BD3AC
9 rows selected.