Transparent Data Encryption: Experience from the Trenches

The Oracle Technology Network just published my latest article, titled Transparent Data Encryption: Experience from the Trenches. If you plan to use Oracle or back up databases using public cloud-based services such as’s EC2 or S3, then you will probably have special interest in this article because you will no doubt want to use Oracle’s TDE feature to encrypt any of your existing sensitive data before exposing it to a public cloud.


, , , ,

  1. #1 by Chris on January 19, 2009 - 2:49 pm

    When you use TDE, the keys will typically be stored on the machine in the so-called Oracle e-Wallet. While Oracle has taken it as far as they can with a software solution (and they’ve done a brilliant job), storing keys in software isn’t best security practice because you shouldn’t keep the key and the database in the same place. When you back up the machine, the key will be backed up with the database. Also, you will find it difficult to demonstrate a separation of duties between database security administration for compliance.

    Oracle 11g supports the use of hardware security modules (HSMs) that protect the keys, separate security and DB administration, and ensure that keys are never stored with the data. HSMs will also offer you to manage keys across database servers, reducing your total cost of ownership.
    I work for Thales e-Security (formerly nCipher), who offers such a solution. If you’re interested, please check out:

    • #2 by sbobrowski on January 22, 2009 - 8:23 am

      Chris, thanks for identifying an interesting issue regarding TDE configuration. As you point out, 11g has some additional options here that help. But with 10g, you shouldn’t have a problem separating the wallet backups from the database backups. The wallet is typically stored in $ORACLE_BASE/admin and protected by file system backups, while the database is typically stored in other file systems that operating system backups avoid altogether because the database files are backed up by RMAN. And even if the wallet and database were to somehow end up on the same tape, someone would only be able to open the wallet with its password. We’ve never given a sysadmin-type a database wallet password. That said, if you configure auto-open wallet (so that the wallet automatically opens when the database instance starts), you are at risk should someone recover both the wallet and database — but that’s the risk you take for the convenience of not having to manually open the wallet.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: