The Encryption Wizard for Oracle

 

User Manual

 

For Oracle 8i, 9i, 10g, 11g Databases

 

Version 5

 

Relational Database Consultants, Inc.

Copyright 2002-2007 Relational Database Consultants, Inc.

Relational Database Consultants, Inc. (RDC)

12021 Wilshire Blvd

Suite 108

Los Angeles, CA. 90025

310-281-1915

 

www.relationalwizards.com

Restricted Rights Notice

 

Copyright 2002.  All Rights Reserved.  No portion of this document may be reproduced, recorded, transmitted, or copied without permission from the copyright holders.  Information in this document is subject to change without notice.

 

Trademark Notice

 

All trademarks in this document belong to their respective holders.

Table of Contents

Introduction

Chapter One      Installation of the Encryption Wizard

Chapter Two      Encryption Wizard Overview

Chapter Three    Encrypting Table Data

Chapter Four     Decrypting Table Data

Chapter Five     Managing Encrypted Data
                 Restricted User Lists for Secure Access
                 Runtime Passwords for User Authentication
                 Session Auditing for Security History
                 Decrypted Views for Application Transparency
                 Function Indexes for Performance
                 Key Backup and Recovery for Continuity Planning
                 System Log for Debugging

Chapter Six      Migrating Applications to Encrypted Data Tables

Chapter Seven    Encryption Wizard Administration

Chapter Eight    Management Reports
 

Introduction - Database Encryption

 

In this age, value is stored within the world’s information systems.  Before the advent and proliferation of computers, corporate value took the form of money and physical documents.  Yet just as capital seeks to automate labor, capital has automated exchange value itself, thus replacing physical money with credit and other forms of virtual money. 

 

Today not only is money value stored within the world’s information systems, but the actual marketplace, where the velocity of capital turnover is determined, has been abstracted to a virtual space within the computer and network infrastructure of the world’s information systems.  Thus today it becomes paramount to protect this real value, just as a bank in the past would protect its physical deposit of money and its ability to conduct business transactions.

 

Data Encryption and Obfuscation is the ultimate protection against the potential theft or destruction of online marketplaces where goods and services are exchanged and the actual money result of those transactions is stored.  The reason is that these forms of value and capital accumulation must be stored as exact information.  If this information is obfuscated, it loses its value until such a time that it is unobfuscated, where it again becomes a value.

 

To encrypt data is a magical process.  It would be like a banker of old being able to transform currency into obfuscated pieces of worthless paper.  Thus any thief would only be stealing the product of our forests and not much value at that.  Today we possess this magical art of obfuscation and encryption - thus it is inevitable that capital will employ this practice to protect data, since data content not only determines the money result in the circuit of production and consumption, but the actual marketplace velocity itself.

 

The Encryption Wizard for Oracle offers users the ability to encrypt relational data - an emerging necessity in the networked global economy and among the governments that comprise the superstructure of this epoch in history.  With the Encryption Wizard, data administrators can easily transform valuable corporate data into useless bytes of information – until such a time as they choose to re-establish the value within their data.

 

Try an experiment if you are not convinced.  Create a small tablespace in your Oracle database and create a table containing some hypothetical valuable information.  Now read the small tablespace in a text-editor.  You will see how easy it is to obtain your corporate data.  Imagine if someone had used a tool such as FTP to transfer your tablespace to their computer – would you be comfortable with the information they now had?

 

The Encryption Wizard will eliminate these real fears.  Simply encrypt your valuable corporate data so anyone downloading our hypothetical tablespace will not possess your corporate value but will instead own useless information.  Not employing encryption techniques is akin to leaving money and valuable documents out in the open.  Thus the lack of encryption methodology for relational corporate data is a primary cause of the billions of dollars lost in Information Systems each year.  By leaving money, credit, and valuable information unobfuscated, hacking and corporate theft are encouraged.  Use the encryption techniques of the Encryption Wizard and protect the value of your corporate data at a fraction of the cost of other less-secure methods.
 

Chapter One – Installation of the Encryption Wizard

 

There is no database encryption tool on the market that is easier to install than the Encryption Wizard for Oracle.  This is because the Encryption Wizard runs exclusively on the Oracle RDBMS and accesses all information directly within the SGA.  Therefore there are no external C routines or OS-dependent files to hamper your installation efforts.

 

The Encryption Wizard requires the following to be implemented successfully on your Oracle platform(s):

 

1. An Oracle database of version 8.1.6 to 10.1 with the package DBMS_Obfuscation_Toolkit currently installed.  Optionally, AES Encryption requires Oracle 10.1 or higher with DBMS_Crypto installed. 

 

2. To run the user-interface of the Encryption Wizard you will need the Java JRE 1.3 or higher installed and running on either your Windows/Unix/Linux server or a network accessible client.  If you plan on using the Encryption Wizard API Library exclusively, you do not need Java installed on your client.  If you are running Oracle9i or greater, a Java JRE is supplied by Oracle. You can also download the Java JRE 1.4 from SUN at this link:

 

http://java.sun.com/products/archive/j2se/1.4.1_02/index.html

 

If you would like to run the Encryption Wizard client on a Non-Windows machine, simply transfer the .ZIP installation to your client machine of choice.

 

3. Technical ability to perform Oracle DBA tasks.

 

4. A working backup strategy.

 

5. A valid Oracle support license.

 

 

Once you have determined that the above conditions are met, installation of the Encryption Wizard starts by downloading the product from:

 

http://www.relationalwizards.com/html/oracle_encryption.html

 

 

1. Client Installation

 

The Encryption Wizard for Oracle download is offered both as a Windows .EXE installation file and as a .ZIP file that can be extracted on any OS file-system running Java.  Installing the Encryption Wizard on a Windows client does not preclude its use on non-Windows Oracle servers such as Unix or Linux platforms.

 

The Client Installation is performed when you download the Encryption Wizard for Oracle and extract the *.exe file or the .zip file.  If you require a .tar or .gz format please do not hesitate to contact us at: ewdemo@relationalwizards.com. 

 

If you choose to run the EncryptionWizardJava.exe Windows installation file, the Encryption Wizard will create a Win32 program group and install the appropriate files and documentation needed for the Oracle Server Installation.
 

2. Database Installation

 

Once you have completed the client installation for the Encryption Wizard, you are ready to begin the Oracle database installation.  You can start the Encryption Wizard database installation from SQL*Plus directly by running the installation script rdc_encrypt_install.sql.

 

SQL>@rdc_encrypt_install.sql

 

Or, if you are running a Windows client, you may simply click on the Icon labeled “Database Installation” in the new Encryption Wizard program group created by the Win32 client installation.

 

During the server installation the Encryption Wizard will prompt you for the following five items:

  1. The System Password – This value is not stored.

  2. The Net8 connection string used by SQL*Plus for the database where you are installing the Encryption Wizard.*

  3. The new password you would like for the Encryption Wizard account: rdc_encrypt_user.

  4. The default tablespace you would like to assign to the Encryption Wizard (Optional)

  5. The Temporary tablespace you would like to assign the Encryption Wizard (Optional)

*You may manually remove this parameter from the installation script if you do not use SQL*Net.

 

Once you have supplied the Encryption Wizard installation script with these values, the script will create the Encryption Wizard Oracle account rdc_encrypt_user and install the intelligent PL/SQL packages that make up the Encryption Wizard for Oracle.

 

If you are running Oracle 10g or higher, you will be prompted to run the following SQL connected as SYS:

 

SQL>grant execute on DBMS_Crypto to RDC_Encrypt_User;

 

This grant is only required if you plan on using AES Encryption offered in Oracle 10g and 11g. 

 

The Encryption Wizard user rdc_encrypt_user is granted the following roles and privileges by SYSTEM:

Connect
Resource
Execute_Catalog_Role
Select_Catalog_Role
Select Any Table
Insert Any Table
Analyze Any
Global Query Rewrite
Update Any Table
Delete Any Table
Alter Any Table
Select Any Dictionary
Lock Any Table
Create Any Trigger
Alter Any Trigger
Drop Any Trigger
Create Any View
Drop Any View
Create Any Index
Drop Any Index
Create Public Synonym
Drop Public Synonym
Grant Any Object Privilege

 

Once this script has successfully executed, you should receive this message from the SQL*Plus prompt:

 

Installation successful...
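As an added post-installation check (this is not part of rdc_encrypt_install.sql or the Wizard's own code), the following PL/SQL block compares the roles and system privileges actually held by RDC_ENCRYPT_USER with the list above and reports whether the DBMS_CRYPTO execute grant is in place.  An account holding SELECT ANY TABLE and GRANT ANY OBJECT PRIVILEGE is a high-value target, so any privilege beyond the documented list deserves an explanation.  Run it in SQL*Plus as SYSTEM or another user that can read the DBA_ views.

```sql
-- Added example: audit the privileges of RDC_ENCRYPT_USER against the manual's list.
-- Requires SELECT on DBA_ROLE_PRIVS, DBA_SYS_PRIVS and DBA_TAB_PRIVS (e.g. run as SYSTEM).
SET SERVEROUTPUT ON

DECLARE
    TYPE priv_tab IS TABLE OF VARCHAR2(64);

    -- Expected set, transcribed from the grant list in this chapter.
    expected priv_tab := priv_tab(
        'CONNECT', 'RESOURCE', 'EXECUTE_CATALOG_ROLE', 'SELECT_CATALOG_ROLE',
        'SELECT ANY TABLE', 'INSERT ANY TABLE', 'ANALYZE ANY',
        'GLOBAL QUERY REWRITE', 'UPDATE ANY TABLE', 'DELETE ANY TABLE',
        'ALTER ANY TABLE', 'SELECT ANY DICTIONARY', 'LOCK ANY TABLE',
        'CREATE ANY TRIGGER', 'ALTER ANY TRIGGER', 'DROP ANY TRIGGER',
        'CREATE ANY VIEW', 'DROP ANY VIEW', 'CREATE ANY INDEX', 'DROP ANY INDEX',
        'CREATE PUBLIC SYNONYM', 'DROP PUBLIC SYNONYM', 'GRANT ANY OBJECT PRIVILEGE');
    actual   priv_tab := priv_tab();
    v_aes    PLS_INTEGER;

    -- Linear membership test; the lists are a few dozen entries at most.
    FUNCTION contains(p_list priv_tab, p_val VARCHAR2) RETURN BOOLEAN IS
    BEGIN
        FOR i IN 1 .. p_list.COUNT LOOP
            IF p_list(i) = p_val THEN RETURN TRUE; END IF;
        END LOOP;
        RETURN FALSE;
    END;
BEGIN
    -- Roles and system privileges granted directly to the account.
    SELECT p BULK COLLECT INTO actual
      FROM (SELECT granted_role AS p FROM dba_role_privs
             WHERE grantee = 'RDC_ENCRYPT_USER'
            UNION
            SELECT privilege FROM dba_sys_privs
             WHERE grantee = 'RDC_ENCRYPT_USER');

    -- Anything held beyond the documented list: privilege drift, investigate.
    FOR i IN 1 .. actual.COUNT LOOP
        IF NOT contains(expected, actual(i)) THEN
            DBMS_OUTPUT.PUT_LINE('EXTRA   : ' || actual(i));
        END IF;
    END LOOP;

    -- Documented privileges that are absent: the install may be incomplete.
    FOR j IN 1 .. expected.COUNT LOOP
        IF NOT contains(actual, expected(j)) THEN
            DBMS_OUTPUT.PUT_LINE('MISSING : ' || expected(j));
        END IF;
    END LOOP;

    -- The optional SYS grant needed for AES (Oracle 10g and higher).
    SELECT COUNT(*) INTO v_aes
      FROM dba_tab_privs
     WHERE grantee = 'RDC_ENCRYPT_USER'
       AND owner = 'SYS'
       AND table_name = 'DBMS_CRYPTO'
       AND privilege = 'EXECUTE';
    DBMS_OUTPUT.PUT_LINE(CASE WHEN v_aes > 0
                              THEN 'DBMS_CRYPTO execute grant present: AES available'
                              ELSE 'DBMS_CRYPTO execute grant absent: AES unavailable' END);
END;
/
```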
 

3. Java User Interface Configuration and Verification

 

The main menu of the Encryption Wizard front end is a Java class called EncryptionWizard.class and exists in the EncryptionWizard user interface file named EncryptionWizard.jar.   To successfully run the Encryption Wizard’s Java front-end, a Java JRE (1.3 or higher) must be installed on the machine on which you wish to run the Encryption Wizard front-end.  To test that you have the proper Java version in your command path, issue this command from either your Windows command prompt or a Unix shell:

 

>java -version

 

Make sure the version of the java runtime is version 1.3 or higher.  If java cannot be recognized by the operating system, you will need to include the correct JRE in your OS path.  Oracle already has the Java JRE 1.3 installed by default on its 9i databases, yet this JRE is usually not in the path.

 

Setting the proper Java path for Windows Users:

 

1. Navigate to Control Panel | Administrative Tools | Computer Management

2. Choose: Actions | Properties | Advanced | Environment Variables

3. Click on the system variable in the list called “Path” and click on EDIT to modify the path to include the proper Java path.

 

Example: (mypath is already defined)

 

Path = c:\mypath;C:\Program Files\s1studio_jdk\j2sdk1.4.1_02\bin

 

For Oracle 9i users who don’t want to install the SUN jdk, this example uses the Oracle JRE 1.3.  In this example ORACLE_HOME is defined as c:\oracle\ora92:

 

Path = c:\mypath;c:\oracle\ora92\jdk\jre\bin;

           

Once you have edited the path information and clicked on OK, open a new command prompt and run the test again: java -version

 

Setting the Proper Path for Unix/Linux users:

 

After you have extracted the Encryption Wizard for Oracle .ZIP file, move all of the files up to a single Unix directory where you wish to start the Encryption Wizard.

 

To change the Java path for your session, simply edit your .profile or .bash_profile file in the home directory of the Unix account that will run the Encryption Wizard to include the proper CLASS_PATH value.  You do not need to run the Encryption Wizard from the “Oracle” Unix account.

 

Depending on your FTP or file transfer commands, you may need to mark EncryptionWizard.sh as an executable script from your shell:

 

$chmod 744 EncryptionWizard.sh
 

4. Starting the Encryption Wizard User Interface

 

To invoke the Encryption Wizard Main Menu from Windows, simply click on the icon labeled: Encryption Wizard User Interface. 

 

If you are running Unix or Linux, simply run the provided shell script that you modified above from the directory containing the Encryption Wizard installation:

 

$./EncryptionWizard.sh

 

After you start the User Interface, you will be prompted for your database login to the Encryption Wizard account, rdc_encrypt_user.  Make sure you remember the password that you assigned during installation step 2 and supply it at the login prompt. 

If your connection succeeds, you should see the Encryption Wizard Main Menu.  It is from this window that you will navigate through the various functions of the Encryption Wizard.  When you first enter this menu you will be instructed to enter a demo license code, which can be obtained from ewdemo@relationalwizards.com.


Chapter Two - Encryption Wizard Overview

 

The Encryption Wizard for Oracle allows you to physically encrypt the data that resides within your Oracle RDBMS.  You can specify this physical encryption at the schema, table, or column level.

 

1. Encryption Types

 

The Encryption Wizard gives you five encryption algorithms to choose from to protect your data:

 

I. Obfuscation – Obfuscation is not technically encryption.  Obfuscation simply obscures and makes your data apparently useless.  Advanced decryption techniques can break obfuscation, yet obfuscation makes casual data theft unlikely among threats inside or outside your organization unless sophisticated and time-consuming techniques are employed to break the obfuscation keys.

 

II. DES Encryption – DES Encryption is the certified encryption standard provided by the Oracle Corporation through their package DBMS_Obfuscation_Toolkit.  The Encryption Wizard utilizes a 64-bit key to protect your data.

 

III. Triple DES Encryption – Triple DES Encryption (DES3) is a response to advanced techniques used to break standard DES encrypted data.  With Triple DES, a data value is encrypted recursively using three 64-bit keys to ensure an almost infinite number of key combinations.  Currently the Encryption Wizard uses the Triple DES scheme:

 

C = E_k3(D_k2(E_k1(P)))

 

IV. AES 128-bit Encryption

 

AES encryption is available to Oracle 10g and 11g users through the new DBMS_Crypto package.  AES encryption is recognized as more secure than DES Encryption and we have tested it as 20% faster.

 

AES encryption is not available as of release 5.0.0.1 for CLOB or BLOB datatypes.

 

V. AES 256-bit Encryption

 

256-bit AES encryption uses large 32 byte encryption keys.  This encryption type also is called through Oracle’s certified DBMS_Crypto package and is only available to Oracle 10g and 11g users.

 

AES encryption is not available as of release 5.0.0.1 for CLOB or BLOB datatypes.

 

The Encryption Wizard does not employ public key strategies to encrypt corporate data.  Public keys are better suited to E-Commerce, but less secure.  Single-key encryption is the standard of the DBMS_Obfuscation_Toolkit and the DBMS_Crypto packages supplied by the Oracle Corporation and utilized by the Encryption Wizard. 

 

The Encryption Wizard stores your encryption keys in the Oracle database using recursive DES3 Encryption techniques.  Encryption Keys can either be specified by the user or automatically generated by the Encryption Wizard.
 

2. Key Management

 

I. Key Values are Stored in the Oracle RDBMS and Protected

 

All key values are stored as 2048-bit raw variables within the Oracle RDBMS, the potential mathematical seed of the eventual key to be utilized.  At runtime this key matrix is again Triple DES encrypted and cached in user memory.  This allows for a hidden mutating key strategy for the Encryption Wizard’s eventual sets of 8 64-bit Triple DES keys.  Thus, the Encryption Wizard uses an algorithm to choose mutating 64-bit subsets of a 2048-bit key per encryption round, which is Triple DES protected at runtime using Oracle’s certified DBMS_Obfuscation_Toolkit.

 

II. User-Defined Keys

 

All user-defined keys, or pass-phrases, are expanded to the 256-byte key value and obfuscated using Triple DES and then again obfuscated at runtime.  With a user-defined key, recovery is possible if the key is lost.  This recovery can only be performed using the Encryption Wizard API.

 

III. Key Backup

 

The Encryption Wizard for Oracle now offers complete or partial key backups to a flat-file.  This will allow users to backup database encryption keys to removable disks and/or use removable disks as a requirement to read encrypted data. 

 

The Encryption Wizard also allows you to password protect your backups and ensures that backups from one Oracle database cannot be loaded into another database.  Because the Encryption Wizard performs another Triple DES round on these stored keys at runtime, it is not necessary to encrypt the backup file, unless you want another level of protection.

 

The Encryption Wizard always generates one unique key per database column.  This makes unauthorized decryption much more difficult for large data sets containing many columns.

 

 

3. Data Type Restrictions

 

The Encryption Wizard for Oracle allows you to encrypt these basic types of data:

 

Character Data and Natural Language Support

 

Varchar2, Char, along with NVarchar2 and NCHAR data types can be encrypted using any of the three above methods.  If DES, AES-128 bit or AES-256 bit encryption is utilized, the Encryption Wizard will modify the column lengths of your character data upwards to the nearest multiple of 8, 16 and 32 characters respectively.

 

Number and Date Data

 

Date and Number data can only be obfuscated.  Large floating point numbers over 38 places are rounded in accordance with Oracle’s to_number function default settings.
 

Large Object Binaries

 

The Encryption Wizard is able to encrypt both BLOB and CLOB Oracle data types.  There are no size restrictions, yet large objects take considerable time to encrypt and decrypt.  Be sure to test the time of encryption before attempting to encrypt a large table of BLOB or CLOB data.  CLOB data is trimmed of trailing blanks.

 

The Encryption Wizard will not encrypt Primary, Unique, or Foreign Keys, nor does it encrypt columns with default values or condition constraints, aside from the popular “Not Null” constraint.  The Encryption Wizard default settings also prohibit encryption of compressed tables.  Write us at ewdemo@relationalwizards.com for instructions on how to enable this feature.

 

4. Transparent Decrypted Views

 

To allow for applications to access physically encrypted data, the Encryption Wizard Administrator can optionally create decrypted views against any table with encrypted data.  Decrypted Views display data in unencrypted format, and thus allow applications to seamlessly read and/or write to the decrypted data objects through the use of an automatically generated instead-of database trigger created for each view.  Decrypted views can be dynamically created and dropped at any time through the Encryption Wizard User Interface or the Encryption Wizard API.
 

5. Function Indexes

 

To allow for fast access of decrypted views, the Encryption Wizard now offers point and click function index creation to speed up access to your encrypted data.  Function Index data is stored in Bitmap format to minimize data search time in the index tablespace.

 

6. Session Auditing

 

The Encryption Wizard also allows the user to specify session auditing.  Session auditing will record all distinct Encryption and Decryption (read/write) requests for all sessions.  Session Auditing allows you to see who has had access to your encrypted data down to the Terminal ID and database column level.  The Encryption Wizard also supplies you with management reports to trace user activity against your encrypted data.

 

7. Restricted User Lists and Runtime Passwords

 

A Restricted User List allows you to specify which users you wish to grant the ability to read and/or write encrypted data.  You can specify user lists for a given schema, table, or column.  If there is no user list specified, then a user’s ability to access encrypted data is based on traditional Oracle grants. 

 

Runtime passwords protect your data by requiring all users to login and supply a password before viewing encrypted data objects.  The actual login method is a PL/SQL call to the Encryption Wizard API and can be embedded in any SQL script or application.  A runtime password can be assigned for each column, table, or schema depending on your preference.

 

You may also add password protection for any user defined in a restricted user list.  This requires the user to “login” with the password before they can view or change the encrypted data domain. 

 

Restricted User Lists and Runtime Passwords allow you to block out any Oracle user from viewing your encrypted data, even a DBA user such as SYS.  To block DBA access to data, use Restricted User Lists and / or Runtime Passwords in conjunction with the Administrative Password which is discussed below.

 

8. Administrative Password

 

To prevent unauthorized access to the Encryption Wizard by Database Administrators, the Encryption Wizard Administrator can set an optional password required to Encrypt and Decrypt data and use the Encryption Wizard interface.  Likewise, the Encryption Wizard administrator does not require DBA privileges to use the Encryption Wizard.

 

9. Data Consistency

 

The Encryption Wizard also employs intelligent recovery operations if any Encryption or Decryption attempt fails.  The Encryption Wizard will self-diagnose any incomplete Encryption or Decryption operation and allow the administrator to simply continue the process or back out.  This helps guard against serious data inconsistency due to partially completed operations that may occur due to an unexpected database event like a shutdown.

 

10. Backup & Recovery for Continuity Planning

 

The Encryption Wizard allows users to backup encryption keys to a flat-file.  These files may be password protected and cannot be used on any other database than from where they were created.  This enhances the security of your key backup and recovery operations.
 

Chapter Three – Encrypting Table Data

 

To encrypt data within your Oracle RDBMS, click on the top-most option of the Encryption Wizard Main Menu labeled: Encrypt/Decrypt Data.  At this point you will enter the Encrypt / Decrypt Data Screen.


Step One - Choosing a Data Set for Encryption

 

From the Encryption / Decryption Screen we can encrypt database data at the schema, table, or column level.  These three levels define our data domain for encryption:

 

Schema Level Encryption

 

Schema Level Encryption is the most powerful of the three levels of Encryption.  When using Schema Level Encryption, all one must do is specify a schema by using the uppermost pick-list that appears on the Encryption / Decryption screen.  Simply leave the Table Name list blank.

 

When we choose Schema Level Encryption, we are instructing the Encryption Wizard to encrypt all valid columns for that schema.  Encryption of this type should not be performed until you are comfortable using the Encryption Wizard.

 

Note:

 

When you choose Schema or Table Encryption, all valid date and number fields are obfuscated, regardless of the encryption type you request.

 

Schema encryption does not mean that your complete schema will always be encrypted.  If new tables are added to your schema, the Encryption Wizard will not be aware of them unless you choose schema encryption again to protect the remaining tables.

 

Table Level Encryption

 

When you choose to encrypt a single table without selecting any columns to your right, the Encryption Wizard will, of course, attempt to encrypt every valid column within that table.  As discussed in the previous chapter, columns that are primary keys, unique keys, foreign keys, default values, and conditional constraints are skipped.

 

When employing Table Encryption, specify a schema and table name by using the two uppermost pick-lists that appear on the Encryption / Decryption screen.  Choose both the schema owner and table name of the object that you want encrypted.   After table encryption, all columns that appear on the right of the screen will be encrypted.

 

Column Level Encryption

 

Column Level Encryption is the fine-grain level of encryption for the Encryption Wizard.  With column encryption you specify and encrypt distinct column(s) only. 

 

To define encryption at this level, first choose the table owner and table name from the two uppermost pick-lists that appear at the top of the Encryption / Decryption Screen.  Once you have chosen the appropriate table to encrypt, click on those column(s) you wish to encrypt that appear in the column list on the right of the screen.  To choose multiple columns, hold down the CTRL key as you click with your mouse. 

 

We recommend that the Encryption Wizard Administrator first employ Column Encryption before attempting table or schema encryption.
 

Step Two - Choosing an Encryption Type

 

After we have defined our level of encryption, we must now instruct the Encryption Wizard as to what type of encryption to perform on our given data set.  For a discussion of the various encryption types please refer to Chapter 2 - Encryption Wizard Overview.  To choose an encryption type, simply use the pick-list labeled: Encryption Type.

 

Warning: If you choose AES encryption for a BLOB or CLOB data type, the data will be encrypted using DES3 technology.  AES encryption is not yet available for these types.

 

Step Three - Key Generation

 

After we have chosen our encryption type, we may optionally enter a key for encryption.  A key is like a password - and can be used in recovery of data if your rdc_encrypt_user schema becomes corrupt.  You can also choose to have your key automatically generated, in this case simply skip this step. 

 

Caution:

 

If you choose to have the Encryption Wizard automatically generate your keys, then we recommend backups of your rdc_encrypt_user schema before and after any encryption of valuable data and before any decryption of valuable data.

 

If you decide to enter a key, simply click “No” on the radio button labeled Automatically Generate Key.  Now you can enter a key-phrase of up to 256 characters in length.  Make sure you save this key outside the Oracle RDBMS, and label it with the tables and columns it was used to encrypt. 


Note:

 

Key recovery is only available to licensed users of the Encryption Wizard.  Demo users are prohibited from encrypting all but test data in the Encryption Wizard license agreement.

 

Step Four – Specify a Temporary Index for Speed (Optional)

 

If you are encrypting over a few million rows you may choose to have the Encryption Wizard build a Temporary Index for performance during encryption.  Optionally, you may also specify a tablespace to house this temporary index.  If your tables are small, this option will actually slow down the encryption process.
 

Step Five - Decrypted View Creation (Optional)

 

After this step, we can now optionally choose to create decrypted view(s) against our encrypted data.  A Decrypted View is a duplicate projection of any table that the Encryption Wizard partially or completely encrypts.  Decrypted Views allow users to perform SQL operations to read and/or write data to the encrypted table.  Data appears in its original form when using a Decrypted View.

 

If you plan on migrating applications or SQL statements to your new encrypted data sets, using Decrypted Views is the easiest option.  Refer to chapter 6 – Migrating Applications to Encrypted Data Tables for more discussion of this topic.

 

Note:

 

We recommend the use of decrypted views when first encrypting a column or table so as to verify the successful encryption of data.

 

To specify a Decrypted View to support your encryption efforts, simply select an option under the label Create Decrypted View by clicking on the radio button for either Read-Only or Updateable view creation. 

 

When you specify read-only Decrypted Views, the Encryption Wizard will create a decrypted view that gives authorized users a transparent view of your encrypted data, but will not allow them to update, delete, or insert records against that decrypted view. 

 

If instead you select updateable decrypted views, the Encryption Wizard will create decrypted views through which authorized users may insert, update, or delete encrypted records via INSTEAD OF triggers automatically generated by the Encryption Wizard to support the decrypted view.
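The decrypted-view pattern described in this step, shown as an added example built by hand with Oracle's DBMS_Crypto package (this is not the Encryption Wizard's generated code, and the Wizard's key storage differs from the stub used here).  It assumes Oracle 10g or higher with EXECUTE on DBMS_CRYPTO; the table emp_enc, the view dv_emp, the demo_* functions and the 16-byte key are all constructed for the example.

```sql
-- Added example: a decrypted view with an INSTEAD OF trigger over an encrypted column.
-- All object names and the key below are hypothetical and exist only for this demo.
CREATE TABLE emp_enc (
    empno  NUMBER PRIMARY KEY,
    ename  RAW(64)      -- AES ciphertext; padded up to a multiple of the 16-byte block
);

CREATE OR REPLACE PACKAGE demo_keys AS
    FUNCTION ename_key RETURN RAW;
END demo_keys;
/
CREATE OR REPLACE PACKAGE BODY demo_keys AS
    -- Constructed AES-128 key for the demo only. A real deployment fetches the
    -- per-column key from protected storage; never hard-code keys in source.
    FUNCTION ename_key RETURN RAW IS
    BEGIN
        RETURN HEXTORAW('000102030405060708090A0B0C0D0E0F');
    END;
END demo_keys;
/

-- AES-128, CBC mode, PKCS#5 padding. A fixed IV is used here for brevity only:
-- it makes equal plaintexts produce equal ciphertexts. Prefer a per-row IV from
-- DBMS_CRYPTO.RANDOMBYTES(16) stored alongside the ciphertext.
CREATE OR REPLACE FUNCTION demo_encrypt(p_clear IN VARCHAR2) RETURN RAW IS
    c_mode CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES128
                                 + DBMS_CRYPTO.CHAIN_CBC
                                 + DBMS_CRYPTO.PAD_PKCS5;
BEGIN
    IF p_clear IS NULL THEN RETURN NULL; END IF;
    RETURN DBMS_CRYPTO.ENCRYPT(
               src => UTL_I18N.STRING_TO_RAW(p_clear, 'AL32UTF8'),
               typ => c_mode,
               key => demo_keys.ename_key,
               iv  => HEXTORAW('00000000000000000000000000000000'));
END;
/
CREATE OR REPLACE FUNCTION demo_decrypt(p_cipher IN RAW) RETURN VARCHAR2 IS
    c_mode CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES128
                                 + DBMS_CRYPTO.CHAIN_CBC
                                 + DBMS_CRYPTO.PAD_PKCS5;
BEGIN
    IF p_cipher IS NULL THEN RETURN NULL; END IF;
    RETURN UTL_I18N.RAW_TO_CHAR(
               DBMS_CRYPTO.DECRYPT(
                   src => p_cipher,
                   typ => c_mode,
                   key => demo_keys.ename_key,
                   iv  => HEXTORAW('00000000000000000000000000000000')),
               'AL32UTF8');
END;
/

-- The decrypted view: applications read ENAME in clear; the base table never holds it.
CREATE OR REPLACE VIEW dv_emp AS
    SELECT empno, demo_decrypt(ename) AS ename
      FROM emp_enc;

-- The INSTEAD OF trigger makes the view updateable: writes are encrypted on the way in.
CREATE OR REPLACE TRIGGER dv_emp_ioiu
INSTEAD OF INSERT OR UPDATE ON dv_emp
FOR EACH ROW
BEGIN
    IF INSERTING THEN
        INSERT INTO emp_enc (empno, ename)
        VALUES (:NEW.empno, demo_encrypt(:NEW.ename));
    ELSE
        UPDATE emp_enc
           SET ename = demo_encrypt(:NEW.ename)
         WHERE empno = :OLD.empno;
    END IF;
END;
/

-- Verification: write through the view, then compare the two sides.
INSERT INTO dv_emp (empno, ename) VALUES (7369, 'SMITH');
SELECT empno, ename FROM dv_emp WHERE empno = 7369;             -- shows SMITH
SELECT empno, RAWTOHEX(ename) FROM emp_enc WHERE empno = 7369;  -- 32 hex digits of ciphertext
```

Grant SELECT (and INSERT/UPDATE) on dv_emp rather than on emp_enc, so that the cleartext is reachable only through the view and the decrypt function.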

 

After specifying which type of decrypted view(s) you would like the Encryption Wizard to create, we need to choose a schema for that view and, optionally, a prefix for the decrypted view.  By default, all decrypted views are created in the Encryption Wizard schema, rdc_encrypt_user.  You may instead assign the schema owner of your data, in this case SCOTT, as the owner of your decrypted view(s).   Simply change the current schema owner name in the field under the label: Schema to Own Decrypted Views to the owner of the table(s) you are about to encrypt.

 

By default, our decrypted view will have the same name as our base table, unless it is created in the schema of the base table.  In this case, the base table can be renamed prior to entering this screen, to allow for the decrypted view to have the base table name.  Strategies for decrypted view creation are discussed in length in Chapter 6 – Migrating Applications to Encrypted Data.

 

If we choose to create our decrypted view in the same schema as our encrypted table we must first assign a prefix to it - so the view name will not conflict with the base table name.  Later we can rename our decrypted view to any valid object name.  
 

To enter a decrypted view prefix, enter a short prefix in the field under the label: decrypted view prefix.  For example, if the table we are encrypting is scott.emp, we might enter a decrypted view prefix like: dv_.  In this case our decrypted view would have the name: dv_emp and would exist in whatever schema we choose for it.  The decrypted view prefix is optional if you are creating the view in the schema rdc_encrypt_user.

 

Note:

 

When encrypting an entire schema, the decrypted view prefix will be applied to all tables.

 

If you are not sure of a decrypted view naming strategy - don’t be concerned.  The Encryption Wizard allows you to drop, rename, or recreate any decrypted view dynamically using the Encrypted Data Management Screen discussed in Chapter Five – Managing & Auditing Encrypted Data.

 

Step Six - Encrypting Data

 

After we have specified a decrypted view, we are ready to encrypt our data.  Encrypting data is a very disk and CPU intensive task.  When you encrypt data, all rows of the specified data set are encrypted.  Encryption also involves key-generation activities that are very CPU intensive.  Thus it is ideal to start encryption during off-hours.  Before encrypting data make sure no users are modifying the data tables being encrypted.

 

Caution:

 

Always back-up your data before encryption!

 

Note:

 

If, for some reason, you need access to your encrypted data table while the Encryption Wizard is encrypting the data, you may delete records and/or insert records into your partially encrypted tables without any data loss. If you encounter a lock-contention error, these errors do not affect the integrity of the encrypted data set and can be corrected by restarting the encryption process again.

 

When you are ready to encrypt your data simply click on the button at the lower part of the Encryption / Decryption Screen labeled: Encrypt Object.  At this point, the Java interface will lose control of the screen and the Encryption Wizard will encrypt, table by table, the data set you specified.  At the end of the encryption round a message will appear giving a total number of rows that were successfully encrypted.

 

Once the Encryption Wizard notifies you that your tables and/or columns have been encrypted, it is vital that you now point all users and applications to the decrypted views and not to the original encrypted tables.  If data is entered into these tables by mistake, you will need to use the Encryption Wizard API to manually encrypt or decrypt the inconsistent data. 
 

Encryption Recovery

 

If something happens during the encryption process, such as your database shutting down or another user exclusively locking the table being encrypted, the Encryption Wizard provides simple recovery from these potential disasters.

 

In these above cases, if the Encryption Wizard is interrupted, your data will be in an intermediate state.  Some of the rows will be encrypted and some will not be.  Thus it is important to perform encryption recovery if your encryption process is interrupted.

 

To perform encryption recovery, simply pick again the schema, table, and/or column which you originally encrypted that is in need of recovery.  To recover this object, you can either choose decryption or encryption.  Decryption will back-out your partially encrypted