The Advanced Security guide says relatively little about this, so I read the following 2 white papers:
- Oracle Data Pump Encrypted Columns Support 10g
- Oracle Data Pump Encrypted Dump File Support 11g
- Protect your data with Encrypted Data Pump Jobs
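TDE only guarantees encryption of data inside the database; the data is decrypted as soon as it leaves the database.
Encryption after the data leaves the database therefore depends on RMAN or Data Pump. Only at that point do the concepts of password, wallet and dual mode come into play.
Two useful examples.
External table dump file, encrypting the whole file: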
CREATE TABLE XDEPT (
deptno,
dname,
loc)
ORGANIZATION EXTERNAL
(
TYPE ORACLE_DATAPUMP
DEFAULT DIRECTORY DATA_PUMP_DIR
ACCESS PARAMETERS (ENCRYPTION ENABLED)
LOCATION ('xdept.dmp')
)
REJECT LIMIT UNLIMITED
AS SELECT * FROM DEPT;
ERROR at line 1:
ORA-29913: error in executing ODCIEXTTABLEPOPULATE callout
ORA-39188: unable to encrypt dump file set
ORA-28365: wallet is not open
External table dump file, encrypting one column:
CREATE TABLE XEMP (
empid,
empname,
salary ENCRYPT IDENTIFIED BY "column_pwd")
ORGANIZATION EXTERNAL
(
TYPE ORACLE_DATAPUMP
LOCATION ('xemp.dmp')
)
REJECT LIMIT UNLIMITED
AS SELECT empno, ename, sal FROM EMP;
ERROR at line 11:
ORA-28365: wallet is not open
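Both statements above stop at ORA-28365 because the wallet that holds the master key is closed. The following is an added example, not part of the original notes: it checks the wallet state, opens the wallet with the 10gR2/11g syntax, and retries the whole-file statement. "wallet_pwd" is a placeholder, and the session is assumed to have the ALTER SYSTEM privilege.

```sql
-- Added example. "wallet_pwd" is a placeholder for the real wallet password.

-- 1. Check the wallet state. A STATUS of CLOSED matches the ORA-28365 above.
SELECT wrl_type, wrl_parameter, status
  FROM v$encryption_wallet;

-- 2. Open the wallet so the master key is available to the instance.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet_pwd";

-- 3. Confirm that STATUS is now OPEN before retrying.
SELECT status
  FROM v$encryption_wallet;

-- 4. Retry the whole-file example from the notes, unchanged.
--    If an earlier attempt left xdept.dmp in DATA_PUMP_DIR, remove that
--    file first: the ORACLE_DATAPUMP driver does not overwrite dump files.
CREATE TABLE XDEPT (
  deptno,
  dname,
  loc)
ORGANIZATION EXTERNAL
(
  TYPE ORACLE_DATAPUMP
  DEFAULT DIRECTORY DATA_PUMP_DIR
  ACCESS PARAMETERS (ENCRYPTION ENABLED)
  LOCATION ('xdept.dmp')
)
REJECT LIMIT UNLIMITED
AS SELECT * FROM DEPT;

-- 5. Read the rows back through the external table as a check that the
--    encrypted dump file can be decrypted while the wallet is open.
SELECT COUNT(*) FROM XDEPT;
```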