创建密钥库
# Keystore location for TDE (the ENCRYPTION_WALLET_LOCATION parameter of sqlnet.ora).
# The DIRECTORY must be the same path that CREATE KEYSTORE later writes to; this
# entry uses $ORACLE_SID while the CREATE KEYSTORE statement on this page spells
# out "cdb1" — keep the two in step or the database will not find the keystore.
# Restrict this directory to the database OS user: whoever can read the keystore
# files (together with the keystore password) can decrypt every TDE-protected datafile.
ENCRYPTION_WALLET_LOCATION =
(SOURCE =(METHOD = FILE)(METHOD_DATA =
(DIRECTORY = /u01/app/oracle/admin/$ORACLE_SID/encryption_keystore/)))
保存密钥库的目录
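# Create the keystore directory named in ENCRYPTION_WALLET_LOCATION.
# Fail fast if ORACLE_SID is unset: otherwise the directory silently lands at
# /u01/app/oracle/admin//encryption_keystore and never matches the path the
# database expects.
: "${ORACLE_SID:?ORACLE_SID must be set before creating the keystore directory}"
mkdir -p "/u01/app/oracle/admin/${ORACLE_SID}/encryption_keystore"
# Keep the directory readable by the database OS user only (e.g. chmod 700):
# the keystore is the root of trust for every TDE-encrypted datafile.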
连接到根容器并创建密钥库
-- Connect to the CDB root: the keystore is created there, not inside a PDB.
CONNECT / AS SYSDBA
-- Creates the password-protected keystore (ewallet.p12) in the given directory.
-- The directory must match ENCRYPTION_WALLET_LOCATION; note it is spelled out
-- as "cdb1" here while that parameter uses $ORACLE_SID.
-- The keystore password is the TDE root of trust. It is shown in clear only for
-- this lab walkthrough; it does not belong in scripts or shell history.
ADMINISTER KEY MANAGEMENT
  CREATE KEYSTORE '/u01/app/oracle/admin/cdb1/encryption_keystore/'
  IDENTIFIED BY AAbb1234;
查看
-- Confirm the keystore was written: the ewallet.p12 file should now be listed.
HOST ls /u01/app/oracle/admin/cdb1/encryption_keystore/
打开和关闭密钥库
-- Open the keystore in the root and every PDB; no TDE operation works while it
-- is closed. The SET KEY step that follows on this page needs the keystore
-- open, so do not run the CLOSE below before that step — it is shown here
-- only to document the reverse operation.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY AAbb1234
  CONTAINER = ALL;
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE
  IDENTIFIED BY AAbb1234
  CONTAINER = ALL;
创建并激活一个主密钥
-- Create and activate the TDE master encryption key in the root and all PDBs.
-- Requires the keystore to be open. WITH BACKUP writes a copy of the keystore
-- into the same directory before the key is added; move that backup (and the
-- keystore itself) to storage that is not part of the datafile backups —
-- encrypted data is unrecoverable without the keystore.
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY AAbb1234
  WITH BACKUP
  CONTAINER = ALL;
密钥库的信息
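-- Master keys known to this keystore, one row per container that has one.
SELECT con_id, key_id
FROM v$encryption_keys
ORDER BY con_id;
-- Keystore state per container. STATUS should read OPEN before any encrypted
-- object is touched; FULLY_BACKED_UP tells you whether the current master key
-- has been backed up yet. Explicit columns instead of SELECT * so the output
-- stays readable and stable across versions.
SELECT con_id, wrl_type, wrl_parameter, status, wallet_type, fully_backed_up
FROM v$encryption_wallet
ORDER BY con_id;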
加密表空间
-- Switch to the PDB that will own the encrypted tablespace.
CONNECT sys@pdb1 AS SYSDBA
-- Tablespace encrypted with AES-256; every datafile added to it is encrypted.
-- No datafile name is given, so this form relies on Oracle-managed files
-- (DB_CREATE_FILE_DEST) being configured in the PDB; the later example on this
-- page names the file explicitly instead.
CREATE TABLESPACE encrypted_ts
  DATAFILE SIZE 128K
  AUTOEXTEND ON NEXT 64K
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE(ENCRYPT);
-- NOTE(review): quota goes to user "test", but the account created next on
-- this page is "lihao" — confirm which account the walkthrough intends.
ALTER USER test QUOTA UNLIMITED ON encrypted_ts;
测试用户
-- Demo schema for the column-encryption test.
-- The account password is the same literal as the keystore password above; in
-- anything beyond a lab that reuse means a compromised test login also gives
-- away the TDE keystore password — use distinct secrets.
-- NOTE(review): this user gets CREATE SESSION only, and the table that follows
-- on this page is created by "test", so "lihao" is not exercised in this section.
CREATE USER lihao
  IDENTIFIED BY AAbb1234;
GRANT CREATE SESSION
  TO lihao;
创建表
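-- Connect as the demo schema owner. The password is embedded in the connect
-- string for the walkthrough; interactively prefer "CONNECT test@pdb1" and let
-- SQL*Plus prompt, so the password stays out of scripts and shell history.
CONNECT test/test@pdb1
-- Column-level TDE: only "data" is encrypted (Oracle's default for ENCRYPT is
-- AES192 with a salt); "id" stays in clear.
CREATE TABLE tde_test (
  id   NUMBER(10),
  data VARCHAR2(50) ENCRYPT
);
-- Explicit column list so the insert does not break if columns are reordered
-- or added.
INSERT INTO tde_test (id, data) VALUES (1, 'This is a secret!');
COMMIT;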
创建密钥库
# Keystore location for TDE (the ENCRYPTION_WALLET_LOCATION parameter of sqlnet.ora).
# The DIRECTORY must be the same path that CREATE KEYSTORE writes to; this entry
# uses $ORACLE_SID while the CREATE KEYSTORE statement that follows spells out
# "cdb1" — keep the two in step or the database will not find the keystore.
# Restrict this directory to the database OS user: whoever can read the keystore
# files (together with the keystore password) can decrypt every TDE-protected datafile.
ENCRYPTION_WALLET_LOCATION =
(SOURCE =(METHOD = FILE)(METHOD_DATA =
(DIRECTORY = /u01/app/oracle/admin/$ORACLE_SID/encryption_keystore/)))
保存密钥库的目录
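# Create the keystore directory named in ENCRYPTION_WALLET_LOCATION.
# Fail fast if ORACLE_SID is unset: otherwise the directory silently lands at
# /u01/app/oracle/admin//encryption_keystore and never matches the path the
# database expects.
: "${ORACLE_SID:?ORACLE_SID must be set before creating the keystore directory}"
mkdir -p "/u01/app/oracle/admin/${ORACLE_SID}/encryption_keystore"
# Keep the directory readable by the database OS user only (e.g. chmod 700):
# the keystore is the root of trust for every TDE-encrypted datafile.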
-- Create the password-protected keystore in the root container (run as SYSDBA).
-- The path must match ENCRYPTION_WALLET_LOCATION. The password is the TDE root
-- of trust and is shown in clear only for this lab walkthrough.
ADMINISTER KEY MANAGEMENT
  CREATE KEYSTORE '/u01/app/oracle/admin/cdb1/encryption_keystore/'
  IDENTIFIED BY AAbb1234;
-- Verify the keystore file now exists in that directory.
HOST ls /u01/app/oracle/admin/cdb1/encryption_keystore/
打开和关闭密钥库
-- Open the keystore everywhere (root and all PDBs) ...
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY AAbb1234
  CONTAINER = ALL;
-- ... and close it again (shown for completeness; a closed keystore blocks
-- every TDE operation).
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE
  IDENTIFIED BY AAbb1234
  CONTAINER = ALL;
-- Without CONTAINER the command applies to the current container only (the
-- root here), so each PDB stays closed until opened separately.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY AAbb1234;
-- Create and activate the master key; WITH BACKUP copies the keystore first.
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY AAbb1234
  WITH BACKUP;
-- NOTE(review): this second SET KEY is a rekey — it generates another master
-- key and another keystore backup — and uses a different password
-- ("myPassword") from the one the keystore was created with above, so as
-- written it should fail unless the keystore password was changed in between.
-- Confirm whether it is meant to be run at all.
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY myPassword
  WITH BACKUP;
使用 TDE 密钥库加密表空间
-- Tablespace encrypted with AES-256 and an explicitly named datafile; every
-- block written to that file is encrypted at rest. The keystore must be open in
-- this container or the statement fails. Keep the keystore and its backups on
-- storage separate from this datafile's backups.
CREATE TABLESPACE encrypted_ts
  DATAFILE '/u02/oradata/CDB1/encrypted_ts01.dbf' SIZE 128K
    AUTOEXTEND ON NEXT 64K
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE(ENCRYPT);
测试用户
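-- Demo schema for the tablespace-encryption test. The password is the same
-- literal as the keystore password above — reusing the keystore secret as a
-- schema password means a leaked test login also exposes the TDE root of trust.
-- If "lihao" already exists from the earlier section, this CREATE USER errors.
CREATE USER lihao IDENTIFIED BY AAbb1234;
GRANT CREATE SESSION TO lihao;
-- Keyword case made consistent with the rest of the file (was mixed-case).
GRANT CREATE TABLE TO lihao;
-- The quota is what actually lets the user place segments in the encrypted
-- tablespace; without it the CREATE TABLE that follows fails.
ALTER USER lihao QUOTA UNLIMITED ON encrypted_ts;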
创建表
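-- Table in the encrypted tablespace: no per-column ENCRYPT is needed, every
-- block of encrypted_ts is encrypted on disk, including this table's data.
-- This protects the datafile at rest only; any account with SELECT on the
-- table (or SYSDBA) still reads it in clear, so access control is unchanged.
CREATE TABLE tde_ts_test (
  id   NUMBER(10),
  data VARCHAR2(50)
) TABLESPACE encrypted_ts;
-- Explicit column list; COMMIT uppercased to match the rest of the file.
INSERT INTO tde_ts_test (id, data) VALUES (1, 'mi mi');
COMMIT;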
PDB 重新启动后，必须先在 PDB 中打开密钥库，然后才能访问数据
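-- After a PDB restart the keystore is closed in that PDB; open it here first,
-- otherwise any access to the encrypted tablespace fails with ORA-28365
-- ("wallet is not open"). An auto-login keystore removes the need to enter the
-- password on every restart, at the cost that anyone who can read the keystore
-- files can open it — weigh that before using one.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY AAbb1234;
-- Confirm which account the session runs as before querying.
SHOW USER
-- Explicit columns and a deterministic order instead of SELECT *.
SELECT id, data
FROM tde_ts_test
ORDER BY id;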