Encryption
The previous sections of this chapter all deal with the need to protect access to data in
the Oracle Database. There may be times when you want to take the extra step of
protecting the actual data values from unauthorized viewing by encrypting the data.
Oracle has provided data encryption for several releases, but Oracle Database 10g
Release 2 first introduced a significant new feature called Transparent Data Encryption.
Prior to the introduction of this feature, encrypted data stored in the Oracle Database
had to be decrypted by an application before it could be used. This scenario caused a
number of limitations, such as the need to explicitly decrypt data in all applications that
used the encrypted data and the possibility that some SQL options, such as sorting,
would not work as expected. If you wanted to start encrypting a particular piece of data,
you would have to change all data access routines in every application that used the data.
This limitation alone made it difficult to consider adding encryption to existing data.
With Transparent Data Encryption, the database does the work of encrypting and
decrypting data automatically. Data sent to the database is encrypted by Oracle, and data
requested from the database is decrypted. No additional code is required in an
application, which means that you can encrypt existing data without changing any of your
SQL access statements.
Since Oracle Database 11g, you can encrypt entire tablespaces (described in Chapter 4)
with Transparent Data Encryption, and this capability should reduce the management
overhead of the feature.
Data Redaction
Oracle Database 12c adds another option for obscuring data. Data redaction is the ability
to return data with different values than the actual value stored in the database, such as
returning “XXXX-XXXX-XXXX-4239” for a credit card number instead of the stored
value of “1234-5678-9012-4239.” Data redaction in Oracle Database 12c allows you to
implement redaction policies, which can specify users and conditions to redact data.
You can completely redact values, partially redact values, redact values based on a regular
expression to maintain formatting, or perform random redaction.
This redaction is frequently transparent to the applications that use the data. The data
redaction also maintains the proper data format for the affected data.
Data redaction is managed for Oracle Database 12c through Enterprise Manager, SQL
Developer, or through a command line interface.
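The partial redaction of a credit card number described above, written as a redaction policy from the command line. This is an added example, not code from the original text; the schema APP, table CUSTOMER_CARDS, account BILLING_APP and the policy name are hypothetical, and the sample row is constructed from the value quoted in the text.

```sql
-- Added example. Run as a user with EXECUTE on DBMS_REDACT.
-- APP, CUSTOMER_CARDS, BILLING_APP and the policy name are hypothetical.
CREATE TABLE app.customer_cards (
  customer_id  NUMBER PRIMARY KEY,
  card_number  VARCHAR2(19) NOT NULL   -- stored as NNNN-NNNN-NNNN-NNNN
);

-- Constructed sample row, using the stored value quoted in the text.
INSERT INTO app.customer_cards VALUES (1, '1234-5678-9012-4239');
COMMIT;

BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'APP',
    object_name         => 'CUSTOMER_CARDS',
    column_name         => 'CARD_NUMBER',
    policy_name         => 'REDACT_CARD_NUMBER',
    -- Partial redaction: mask some digits, keep the rest and the format.
    function_type       => DBMS_REDACT.PARTIAL,
    -- Fields: input format, output format, mask character,
    -- first digit to mask, last digit to mask.
    -- V marks a digit position, F a formatting character in the stored value.
    function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,X,1,12',
    -- Condition: redact for every session except the one application account.
    expression          => q'[SYS_CONTEXT('USERENV','SESSION_USER') <> 'BILLING_APP']'
  );
END;
/

-- The application's query is unchanged. Run it once as BILLING_APP and once
-- as any other non-exempt user to compare the stored and redacted values.
SELECT card_number FROM app.customer_cards WHERE customer_id = 1;
```

Redaction is applied when the query result is returned; the stored value is unchanged, and users holding the EXEMPT REDACTION POLICY privilege still see it unredacted.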
Secure Backup
The security features described in previous sections give you the tools you need to keep
the data in your Oracle Database secure. But what about when the data leaves your