
Understanding Encrypted Wallet encryption


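This article analyses and answers, in detail, the question of how to understand Encrypted Wallet encryption, in the hope of helping more people who want to solve this problem find a simpler, more workable approach.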

You cannot decrypt a tablespace that has been created encrypted. You must create an unencrypted tablespace and re-create the database objects in the unencrypted tablespace.

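My understanding: there are two kinds of wallet, the auto login wallet and the encrypted wallet.

After the server restarts, only an auto login wallet opens automatically. So if no auto login wallet has been set up, we must run ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "password" to open the encrypted wallet. Running ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "password" also opens the encrypted wallet, although that command is mainly meant for resetting the password (as the official excerpt further down states, each run also creates or re-creates the TDE master encryption key).

Setting up an auto login wallet
I don't know how to do this yet; I haven't found where it is covered in the official documentation.

Setting up an encrypted wallet
1. Edit the sqlnet.ora file and add: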
ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)(METHOD_DATA=
   (DIRECTORY=/app/wallet)))

WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)(METHOD_DATA=
   (DIRECTORY=/app/wallet)))
Notes:
METHOD=HSM: HSM means a Hardware Security Module is used for encryption.
METHOD=FILE: FILE means an encrypted file is generated and used for encryption.
2. ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "password";

Creating an encrypted tablespace
CREATE TABLESPACE encrypt_ts
  DATAFILE '/ORACLE_HOME/dbs/encrypt_df.dbf' SIZE 1M
  ENCRYPTION
  DEFAULT STORAGE (ENCRYPT);

ENCRYPTION clause: Use this clause to specify the encryption properties of the tablespace. This clause does not actually encrypt the tablespace. You must also specify the ENCRYPT keyword as part of the DEFAULT storage_clause in this statement in order for the tablespace to be encrypted. In addition, you must already have used ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY … to load the TDE master key into database memory for the duration of the instance, or establish a connection to the HSM to send the encrypted table and tablespace keys to the HSM and receive them back decrypted.

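Opening the auto login wallet
It opens automatically after the database restarts; the command for opening it by hand still needs to be looked up in the official documentation.

Opening the encrypted wallet
1. ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "password";
This can be run at any time.
2. ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "password";
This cannot be run in the following two situations:
2.1 The auto login wallet is already open.
2.2 The encrypted wallet is already open, for example because ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "password" has already been run.

Closing only the auto login wallet
SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;

Closing the encrypted wallet
This closes the auto login wallet and the encrypted wallet together.
SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "password";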

Official excerpts on the auto login wallet
Transparent Data Encryption(TDE) uses an auto login wallet only if it is available at the correct location (ENCRYPTION_WALLET_LOCATION, WALLET_LOCATION, or default wallet location), and the SQL command to open an encrypted wallet has not already been executed. If an auto login wallet is being used, you must not use the ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY password command.

A password is not required to close an auto-open wallet when only an auto-open wallet is present. The password is required to close an auto-open wallet when both an auto-open wallet and an encryption wallet are open. In this case, using CLOSE with a password will close the auto-open wallet and the encryption wallet.

The external security module can use wallets with the automatic login feature enabled. These wallets remain open all of the time. The security administrator does not have to reopen the wallet after a database instance has been restarted. If your environment does not require the extra security provided by a wallet that must be explicitly opened for use, then you may use an auto login wallet.

Auto login wallets are opened automatically and do not need to be opened explicitly.
No password is required to close an auto login wallet.
In case an auto login wallet needs to be closed, it can be closed with the following command:
SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;

Official excerpts on the encrypted wallet
SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Easy2rem";
The preceding command achieves the following:
If no encrypted wallet is present in the directory specified, an encrypted wallet is created (ewallet.p12), the wallet is opened, and the master encryption key for TDE is created/re-created.
If an encrypted wallet is present in the directory specified, the wallet is opened, and the master encryption key for TDE is created/re-created.

When you create the master encryption key using the ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "password" command, TDE checks to see if a wallet exists in the default or specified location. If no wallet exists, then a wallet is created automatically.

Use the following command to open the wallet containing the master encryption key:
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Easy2rem";
Every time the database is shut down, the Oracle wallet is closed. You can also explicitly close the wallet.
You need to make sure that the Oracle wallet is open before you can perform any encryption or decryption operation. 

What I observed in testing (results listed in the order they occurred, top to bottom)

Edit the sqlnet.ora file:
ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)(METHOD_DATA=
   (DIRECTORY=/app/wallet)))

WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)(METHOD_DATA=
   (DIRECTORY=/app/wallet)))

SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY oracle123
ORA-28367: wallet does not exist

SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY oracle123
System altered

SQL> ALTER SYSTEM SET ENCRYPTION WALLET close;
ORA-28390: auto login wallet not open but encryption wallet may be open

SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY oracle123
ORA-28354: Encryption wallet, auto login wallet, or HSM is already open

SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY  oracle123
System altered

SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY oracle123
System altered

SQL> startup force
ORACLE instance started.
Total System Global Area 2471931904 bytes
Fixed Size                  2255752 bytes
Variable Size             637535352 bytes
Database Buffers         1811939328 bytes
Redo Buffers               20201472 bytes
Database mounted.
ORA-28365: wallet is not open

SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY oracle123
System altered.

SQL> alter database open;
Database altered.
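
The restart sequence observed above (mounted, ORA-28365, open wallet, open database), written as a SQL*Plus runbook that checks the wallet state at each step. This is an added example, not part of the original article or of Oracle's documentation; it assumes a SYSDBA session, the V$ENCRYPTION_WALLET view and the ENCRYPTED column of DBA_TABLESPACES available in Oracle 11g and later, and wallet_pwd is a substitution variable introduced here.

```sql
-- Added example: restart an instance whose password-protected
-- (non auto login) wallet has to be opened by hand.
-- Run from SQL*Plus as SYSDBA.

-- Do not echo the statement after the password has been substituted in.
SET VERIFY OFF

-- Stop at MOUNT instead of letting the open fail with ORA-28365.
STARTUP MOUNT

-- Where does the instance look for the wallet, and is it open yet?
-- WRL_PARAMETER should show the directory configured in sqlnet.ora
-- (/app/wallet on this page); STATUS should be CLOSED at this point.
SELECT wrl_type, wrl_parameter, status
  FROM v$encryption_wallet;

-- Prompt for the wallet password without echo, so it is neither
-- stored in the script nor shown on screen.
ACCEPT wallet_pwd CHAR PROMPT 'Wallet password: ' HIDE

ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "&wallet_pwd";

-- Drop the variable so the password does not linger in the session.
UNDEFINE wallet_pwd

-- Confirm STATUS is now OPEN before opening the database.
SELECT status
  FROM v$encryption_wallet;

ALTER DATABASE OPEN;

-- List the tablespaces that depend on the wallet being open.
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE encrypted = 'YES';
```

Checking STATUS before issuing OPEN or CLOSE also avoids the ORA-28354 and ORA-28390 errors shown in the test log.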

Copyright notice: original article of this site, published by 丸趣 on 2023-07-20, 6235 characters in total.