How to understand encryption with the Encrypted Wallet

On the question of how the Encrypted Wallet side of encryption should be understood, this article walks through the corresponding analysis and answers, in the hope of helping anyone trying to work this out find a simpler, more practical approach.

You cannot decrypt a tablespace that has been created encrypted. You must create an unencrypted tablespace and re-create the database objects in the unencrypted tablespace.

My understanding: there are two kinds of wallet, the auto login wallet and the encrypted wallet.

After a server restart only an auto login wallet opens automatically, so if no auto login wallet has been set up we must run ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "password" to open the encrypted wallet. ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "password" also opens the encrypted wallet, although that command is mainly meant for setting or re-creating the master key.

Setting up an auto login wallet
Not covered yet; I have not found where the official documentation describes it.

Setting up an encrypted wallet
1. Edit sqlnet.ora and add:
ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)(METHOD_DATA=
   (DIRECTORY=/app/wallet)))

WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)(METHOD_DATA=
   (DIRECTORY=/app/wallet)))
Note:
METHOD=HSM means a Hardware Security Module is used for the encryption.
METHOD=FILE means an encrypted file (the wallet) is generated on disk for the encryption.
2. ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "password"

Creating an encrypted tablespace
CREATE TABLESPACE encrypt_ts
  DATAFILE '/ORACLE_HOME/dbs/encrypt_df.dbf' SIZE 1M
  ENCRYPTION
  DEFAULT STORAGE (ENCRYPT);

ENCRYPTION clause: Use this clause to specify the encryption properties of the tablespace. This clause does not actually encrypt the tablespace. You must also specify the ENCRYPT keyword as part of the DEFAULT storage_clause in this statement in order for the tablespace to be encrypted. In addition, you must already have used ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY … to load the TDE master key into database memory for the duration of the instance, or establish a connection to the HSM to send the encrypted table and tablespace keys to the HSM and receive them back decrypted.
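As an added example (not from the original post or the Oracle documentation quoted above), the following SQL checks that a tablespace really ended up encrypted, then carries out the only supported way to "decrypt" one: recreating its objects in an unencrypted tablespace. The tablespace, datafile, schema and object names plain_ts, /app/oradata/plain_ts01.dbf, app_owner.orders and orders_pk are assumed for illustration; the views used exist in Oracle 11g and later.

```sql
-- Added example, not the original post's code. Run as a DBA with the wallet OPEN.

-- 1. Which tablespaces are actually encrypted, and with which algorithm.
--    ENCRYPTED = 'YES' in DBA_TABLESPACES only when DEFAULT STORAGE (ENCRYPT)
--    was given; the ENCRYPTION clause on its own leaves the tablespace in clear.
SELECT t.tablespace_name, t.encrypted, e.encryptionalg
  FROM dba_tablespaces t
  LEFT JOIN (SELECT ts.name, et.encryptionalg
               FROM v$encrypted_tablespaces et
               JOIN v$tablespace ts ON ts.ts# = et.ts#) e
    ON e.name = t.tablespace_name
 WHERE t.tablespace_name IN ('ENCRYPT_TS', 'PLAIN_TS');

-- 2. An encrypted tablespace cannot be decrypted in place: create an
--    unencrypted one (assumed name/path) and move the data into it.
CREATE TABLESPACE plain_ts DATAFILE '/app/oradata/plain_ts01.dbf' SIZE 100M;

-- The wallet must be open here: rows are decrypted as they are read from encrypt_ts.
ALTER TABLE app_owner.orders MOVE TABLESPACE plain_ts;
-- MOVE marks the table's indexes UNUSABLE; rebuild them into the new tablespace.
ALTER INDEX app_owner.orders_pk REBUILD TABLESPACE plain_ts;

-- 3. Confirm nothing is left behind before dropping the encrypted tablespace.
SELECT segment_name, segment_type
  FROM dba_segments
 WHERE tablespace_name = 'ENCRYPT_TS';

-- Without INCLUDING CONTENTS this fails (ORA-01549) if any segment remains,
-- which is the safety check you want; remove the datafile at OS level afterwards.
DROP TABLESPACE encrypt_ts;
```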

Opening the auto login wallet
It opens automatically after a database restart; the command form is still to be checked in the official documentation.

Opening the encrypted wallet
1. ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "password"
Can be executed at any time.
2. ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "password"
Cannot be executed in the following two cases:
2.1 the auto login wallet is already open
2.2 the encrypted wallet is already open, for example because ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "password" has already been executed

Closing only the auto login wallet
SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;

Closing the encrypted wallet
This closes both the auto login wallet and the encrypted wallet:
SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "password";

Official documentation excerpts on the auto login wallet
Transparent Data Encryption (TDE) uses an auto login wallet only if it is available at the correct location (ENCRYPTION_WALLET_LOCATION, WALLET_LOCATION, or default wallet location), and the SQL command to open an encrypted wallet has not already been executed. If an auto login wallet is being used, you must not use the ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "password" command.

A password is not required to close an auto-open wallet when only an auto-open wallet is present. The password is required to close an auto-open wallet when both an auto-open wallet and an encryption wallet are open. In this case, using CLOSE with a password will close the auto-open wallet and the encryption wallet.

The external security module can use wallets with the automatic login feature enabled. These wallets remain open all of the time. The security administrator does not have to reopen the wallet after a database instance has been restarted. If your environment does not require the extra security provided by a wallet that must be explicitly opened for use, then you may use an auto login wallet.

Auto login wallets are opened automatically and do not need to be opened explicitly.
No password is required to close an auto login wallet.
In case an auto login wallet needs to be closed, it can be closed with the following command:
SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;

Official documentation excerpts on the encrypted wallet
SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Easy2rem";
The preceding command achieves the following:
If no encrypted wallet is present in the directory specified, an encrypted wallet is created (ewallet.p12), the wallet is opened, and the master encryption key for TDE is created/re-created.
If an encrypted wallet is present in the directory specified, the wallet is opened, and the master encryption key for TDE is created/re-created.

When you create the master encryption key using the ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "password" command, TDE checks to see if a wallet exists in the default or specified location. If no wallet exists, then a wallet is created automatically.

Use the following command to open the wallet containing the master encryption key:
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Easy2rem";
Every time the database is shut down, the Oracle wallet is closed. You can also explicitly close the wallet.
You need to make sure that the Oracle wallet is open before you can perform any encryption or decryption operation.

Observed behavior from the experiment (results shown in the order they occurred)

Edit sqlnet.ora:
ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)(METHOD_DATA=
   (DIRECTORY=/app/wallet)))

WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)(METHOD_DATA=
   (DIRECTORY=/app/wallet)))

SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "oracle123";
ORA-28367: wallet does not exist

SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "oracle123";
System altered

SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;
ORA-28390: auto login wallet not open but encryption wallet may be open

SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "oracle123";
ORA-28354: Encryption wallet, auto login wallet, or HSM is already open

SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "oracle123";
System altered

SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "oracle123";
System altered

SQL> startup force
ORACLE instance started.
Total System Global Area 2471931904 bytes
Fixed Size                  2255752 bytes
Variable Size             637535352 bytes
Database Buffers         1811939328 bytes
Redo Buffers               20201472 bytes
Database mounted.
ORA-28365: wallet is not open

SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "oracle123";
System altered.

SQL> alter database open;
Database altered.
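The open/close rules above and the errors seen in this session (ORA-28367 when no wallet exists yet, ORA-28354 when one is already open) can be turned into an idempotent wallet check for a restart runbook, so the OPEN command is only issued when it can succeed. This PL/SQL block is an added example, not part of the original post; it assumes a SYSDBA SQL*Plus session, that the operator has defined the substitution variable wallet_pwd beforehand (SQL*Plus prompts for it otherwise), and the /app/wallet location configured in sqlnet.ora above.

```sql
-- Added example, not the original post's code. Run in SQL*Plus as SYSDBA,
-- after STARTUP MOUNT and before ALTER DATABASE OPEN.
SET SERVEROUTPUT ON
SET VERIFY OFF          -- do not echo the substituted wallet password
DECLARE
  v_status   VARCHAR2(30);
  v_type     VARCHAR2(20);
  v_dir      VARCHAR2(4000);
  e_no_wallet    EXCEPTION;   -- ORA-28367: wallet does not exist
  e_already_open EXCEPTION;   -- ORA-28354: wallet or HSM is already open
  PRAGMA EXCEPTION_INIT(e_no_wallet,    -28367);
  PRAGMA EXCEPTION_INIT(e_already_open, -28354);
BEGIN
  -- V$ENCRYPTION_WALLET reports the configured location and OPEN/CLOSED state.
  SELECT status, wrl_type, wrl_parameter
    INTO v_status, v_type, v_dir
    FROM v$encryption_wallet
   WHERE ROWNUM = 1;
  DBMS_OUTPUT.PUT_LINE('wallet (' || v_type || ') at ' || v_dir || ' is ' || v_status);

  -- An auto login wallet is already OPEN after restart; issuing OPEN again
  -- would only raise ORA-28354, so do nothing in that case.
  IF v_status = 'OPEN' THEN
    DBMS_OUTPUT.PUT_LINE('already open; nothing to do');
    RETURN;
  END IF;

  -- Only a closed password (encrypted) wallet needs the explicit OPEN.
  EXECUTE IMMEDIATE
    'ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "&wallet_pwd"';
  DBMS_OUTPUT.PUT_LINE('encrypted wallet opened');
EXCEPTION
  WHEN e_no_wallet THEN
    -- No ewallet.p12 in the directory yet. Do not run SET ENCRYPTION KEY
    -- automatically here: on an existing database it re-creates the master key.
    DBMS_OUTPUT.PUT_LINE('no wallet in ' || v_dir ||
                         '; create it once with ALTER SYSTEM SET ENCRYPTION KEY');
  WHEN e_already_open THEN
    DBMS_OUTPUT.PUT_LINE('another wallet or HSM is already open (ORA-28354)');
  WHEN NO_DATA_FOUND THEN
    DBMS_OUTPUT.PUT_LINE('V$ENCRYPTION_WALLET returned no row; check sqlnet.ora');
END;
/
```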

That concludes the discussion of how to understand the Encrypted Wallet side of encryption; hopefully the content above is of some help.
