Oracle LiveLabs Lab: DB Security - Transparent Data Encryption (TDE)
Posted by dingdingfish
Overview
The lab can be requested here; the allotted time is 1 hour.
The lab guide is here.
The database used in this lab is version 19.13.
Introduction
This workshop introduces the features and capabilities of Oracle Transparent Data Encryption (TDE). It gives users the opportunity to learn how to configure these features in order to encrypt sensitive data.
Objectives
- If needed, take a cold backup of the database so it can be restored afterwards
- Enable Transparent Data Encryption in the database
- Encrypt data using Transparent Data Encryption
Task 1: Allow DB Restore
This step exists so that the database can later be restored to its unencrypted state.
Enter the lab directory:
sudo su - oracle
cd $DBSEC_LABS/tde
Run the database backup:
./tde_backup_db.sh
This is in fact a cold backup: the database is shut down and the datafile directory is archived with tar. The pfile is backed up as well, because system parameters will be modified later.
Once complete, it automatically restarts the container database and the pluggable databases.
Task 2: Create Keystore
Create the keystore directories in the operating system:
./tde_create_os_directory.sh
The directories created are:
/etc/ORACLE/WALLETS/cdb1/tde
/etc/ORACLE/WALLETS/cdb1/tde_seps
/etc/ORACLE/WALLETS/cdb1/okv
TDE is managed through database parameters. One of these parameters requires a database restart to take effect; the script performs the restart for you.
./tde_set_tde_parameters.sh
The state before and after the script runs is as follows:
## Before
## $ORACLE_HOME/network/admin/sqlnet.ora is empty
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
wallet_root string
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
tde_configuration string
## After
## $ORACLE_HOME/network/admin/sqlnet.ora is still empty
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
wallet_root string /etc/ORACLE/WALLETS/cdb1
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
tde_configuration string keystore_configuration=FILE
Create the software keystore (Oracle Wallet) for the container database. You will see the status change from NOT_AVAILABLE to OPEN_NO_MASTER_KEY.
./tde_create_wallet.sh
The commands actually executed, with their output:
-- . Display the status of the Keystore
SQL> select a.con_id, b.name, a.wrl_type, a.wrl_parameter, a.status, a.wallet_type from v$encryption_wallet a, v$containers b where a.con_id=b.con_id order by a.con_id;
CON_ID NAME WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE
---------- ---------- ------------ ------------------------------------ ------------------------------ ------------
1 CDB$ROOT FILE /etc/ORACLE/WALLETS/cdb1/tde/ NOT_AVAILABLE UNKNOWN
2 PDB$SEED FILE NOT_AVAILABLE UNKNOWN
3 PDB1 FILE NOT_AVAILABLE UNKNOWN
4 PDB2 FILE NOT_AVAILABLE UNKNOWN
-- . Create the Keystore for CDB
SQL> administer key management create keystore identified by $DBUSR_PWD;
keystore altered.
-- . Create the Keystore for all PDBs
SQL> administer key management set keystore open identified by $DBUSR_PWD container=all;
keystore altered.
-- . Display the status of the Keystore
SQL> select a.con_id, b.name, a.wrl_type, a.wrl_parameter, a.status, a.wallet_type from v$encryption_wallet a, v$containers b where a.con_id=b.con_id order by a.con_id;
CON_ID NAME WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE
---------- ---------- ------------ ------------------------------------ ------------------------------ ------------
1 CDB$ROOT FILE /etc/ORACLE/WALLETS/cdb1/tde/ OPEN_NO_MASTER_KEY PASSWORD
2 PDB$SEED FILE OPEN_NO_MASTER_KEY PASSWORD
3 PDB1 FILE OPEN_NO_MASTER_KEY PASSWORD
4 PDB2 FILE OPEN_NO_MASTER_KEY PASSWORD
Your Oracle Wallet is now created and its status is open, but it does not yet contain a master key!
Task 3: Create Master Key
Create the container database TDE master encryption key (MEK):
./tde_create_mek_cdb.sh
The commands actually executed, with their output:
-- . Show the status of the current Master Key (MEK)
SQL> select a.con_id, b.name, a.wrl_type, a.wrl_parameter, a.status, a.wallet_type from v$encryption_wallet a, v$containers b where a.con_id=b.con_id order by a.con_id;
CON_ID NAME WRL_TYPE WRL_PARAMETER STATUS
---------- ---------- ------------ ---------------------------------------- ------------------------------
1 CDB$ROOT FILE /etc/ORACLE/WALLETS/cdb1/tde/ OPEN_NO_MASTER_KEY
2 PDB$SEED FILE OPEN_NO_MASTER_KEY
3 PDB1 FILE OPEN_NO_MASTER_KEY
4 PDB2 FILE OPEN_NO_MASTER_KEY
-- . Create the CDB Master Key (MEK)
SQL> ADMINISTER KEY MANAGEMENT SET KEY USING TAG 'CDB1: Initial Master Key' IDENTIFIED BY $DBUSR_PWD WITH BACKUP container=current;
keystore altered.
-- . Show the status of the current Master Key (MEK)
SQL> select a.con_id, b.name, a.wrl_type, a.wrl_parameter, a.status, a.wallet_type from v$encryption_wallet a, v$containers b where a.con_id=b.con_id order by a.con_id;
CON_ID NAME WRL_TYPE WRL_PARAMETER STATUS
---------- ---------- ------------ ---------------------------------------- ------------------------------
1 CDB$ROOT FILE /etc/ORACLE/WALLETS/cdb1/tde/ OPEN
2 PDB$SEED FILE OPEN
3 PDB1 FILE OPEN_NO_MASTER_KEY
4 PDB2 FILE OPEN_NO_MASTER_KEY
Create the master encryption key (MEK) for the pluggable database pdb1:
./tde_create_mek_pdb.sh pdb1
The commands and output are as follows; the commands are the same as before, but they are executed after switching into the PDB:
-- switch to the PDB
SQL> alter session set container=$pdbname;
-- . Show the status of the current Master Key (MEK)
SQL> select a.con_id, b.name, a.wrl_type, a.wrl_parameter, a.status, a.wallet_type from v$encryption_wallet a, v$containers b where a.con_id=b.con_id order by a.con_id;
CON_ID NAME WRL_TYPE WRL_PARAMETER STATUS
---------- ---------- ------------ ---------------------------------------- ------------------------------
3 PDB1 FILE OPEN_NO_MASTER_KEY
-- . Create the CDB Master Key (MEK)
SQL> ADMINISTER KEY MANAGEMENT SET KEY USING TAG '$pdbname: Initial Master Key' IDENTIFIED BY $DBUSR_PWD WITH BACKUP container=current;
keystore altered.
-- . Show the status of the current Master Key (MEK)
SQL> select a.con_id, b.name, a.wrl_type, a.wrl_parameter, a.status, a.wallet_type from v$encryption_wallet a, v$containers b where a.con_id=b.con_id order by a.con_id;
CON_ID NAME WRL_TYPE WRL_PARAMETER STATUS
---------- ---------- ------------ ---------------------------------------- ------------------------------
3 PDB1 FILE OPEN
If you like, you can do the same for pdb2... This is not required; it may be useful to have some databases with TDE and some without:
./tde_create_mek_pdb.sh pdb2
Now that you have a master key, you can start encrypting tablespaces or columns!
Task 4: Create Auto-login Wallet
Run the script to view the Oracle Wallet contents on the operating system:
./tde_view_wallet_on_os.sh
The output is:
===================================================================================
Display the Wallet info on the OS...
===================================================================================
. Wallet location and files
/etc/ORACLE/WALLETS/cdb1
/etc/ORACLE/WALLETS/cdb1/tde
/etc/ORACLE/WALLETS/cdb1/tde/ewallet.p12
/etc/ORACLE/WALLETS/cdb1/tde/ewallet_2022040512542332.p12
/etc/ORACLE/WALLETS/cdb1/tde/ewallet_2022040512585020.p12
/etc/ORACLE/WALLETS/cdb1/tde/ewallet_2022040513003638.p12
/etc/ORACLE/WALLETS/cdb1/tde_seps
/etc/ORACLE/WALLETS/cdb1/okv
. Display the keystore from the OS
-------------------------
Note:
To view it, run the following OS command:
$ orapki wallet display -wallet /etc/ORACLE/WALLETS/cdb1/tde -pwd Oracle123
-------------------------
Oracle PKI Tool Release 23.0.0.0.0 - Production
Version 23.0.0.0.0
Copyright (c) 2004, 2021, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
Subject: CN=oracle
User Certificates:
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.ATUz2AQZmU8Nvyj893ElHvIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.AVZFZbolYE+9v8Cjqpx1z9cAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.AZkQFsCj3E+nv0hvGcuDcG4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY.9623C50C30AD638EE0532C00000A4926
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY.9623C58F05F064BFE0532C00000ACDFE
ORACLE.SECURITY.ID.ENCRYPTION.
ORACLE.SECURITY.KB.ENCRYPTION.
ORACLE.SECURITY.KM.ENCRYPTION.ATUz2AQZmU8Nvyj893ElHvIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KM.ENCRYPTION.AVZFZbolYE+9v8Cjqpx1z9cAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KM.ENCRYPTION.AZkQFsCj3E+nv0hvGcuDcG4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KT.ENCRYPTION.ATUz2AQZmU8Nvyj893ElHvIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KT.ENCRYPTION.AVZFZbolYE+9v8Cjqpx1z9cAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KT.ENCRYPTION.AZkQFsCj3E+nv0hvGcuDcG4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Trusted Certificates:
You can also view what the Oracle Wallet looks like from inside the database:
./tde_view_wallet_in_db.sh
The actual execution and output:
-- . Display the keystore status
SQL> select a.con_id, b.name, a.wrl_type, a.wrl_parameter, a.status, a.wallet_type from v$encryption_wallet a, v$containers b where a.con_id=b.con_id order by a.con_id;
CON_ID NAME WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE
---------- ---------- ------------ ----------------------------------- ------------------------------ ------------
1 CDB$ROOT FILE /etc/ORACLE/WALLETS/cdb1/tde/ OPEN PASSWORD
2 PDB$SEED FILE OPEN PASSWORD
3 PDB1 FILE OPEN PASSWORD
4 PDB2 FILE OPEN PASSWORD
-- . Display the keys in the DB
SQL> select con_id, activation_time, key_use, tag from v$encryption_keys order by con_id;
CON_ID ACTIVATION_TIME KEY_USE TAG
---------- ------------------------------------ -------------- --------------------------------------------
1 05-APR-22 12.54.23.463760 PM +00:00 TDE IN PDB CDB1: Initial Master Key
3 05-APR-22 12.58.50.293916 PM +00:00 TDE IN PDB pdb1: Initial Master Key
4 05-APR-22 01.00.36.560789 PM +00:00 TDE IN PDB pdb2: Initial Master Key
Now create the auto-login Oracle Wallet:
./tde_create_autologin_wallet.sh
The command actually executed:
SQL> administer key management create auto_login keystore from keystore '$WALLET_DIR/tde' identified by $DBUSR_PWD;
keystore altered.
Run the same script again to view the Oracle Wallet contents on the operating system:
./tde_view_wallet_on_os.sh
You should now see the cwallet.sso file.
===================================================================================
Display the Wallet info on the OS...
===================================================================================
. Wallet location and files
/etc/ORACLE/WALLETS/cdb1
/etc/ORACLE/WALLETS/cdb1/tde
/etc/ORACLE/WALLETS/cdb1/tde/ewallet.p12
/etc/ORACLE/WALLETS/cdb1/tde/ewallet_2022040512542332.p12
/etc/ORACLE/WALLETS/cdb1/tde/ewallet_2022040512585020.p12
/etc/ORACLE/WALLETS/cdb1/tde/ewallet_2022040513003638.p12
/etc/ORACLE/WALLETS/cdb1/tde/ewallet.p12.lck
/etc/ORACLE/WALLETS/cdb1/tde/cwallet.sso <- this is the line in question
/etc/ORACLE/WALLETS/cdb1/tde_seps
/etc/ORACLE/WALLETS/cdb1/okv
. Display the keystore from the OS
-------------------------
Note:
To view it, run the following OS command:
$ orapki wallet display -wallet /etc/ORACLE/WALLETS/cdb1/tde -pwd Oracle123
-------------------------
Oracle PKI Tool Release 23.0.0.0.0 - Production
Version 23.0.0.0.0
Copyright (c) 2004, 2021, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
Subject: CN=oracle
User Certificates:
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.ATUz2AQZmU8Nvyj893ElHvIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.AVZFZbolYE+9v8Cjqpx1z9cAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.AZkQFsCj3E+nv0hvGcuDcG4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY.9623C50C30AD638EE0532C00000A4926
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY.9623C58F05F064BFE0532C00000ACDFE
ORACLE.SECURITY.ID.ENCRYPTION.
ORACLE.SECURITY.KB.ENCRYPTION.
ORACLE.SECURITY.KM.ENCRYPTION.ATUz2AQZmU8Nvyj893ElHvIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KM.ENCRYPTION.AVZFZbolYE+9v8Cjqpx1z9cAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KM.ENCRYPTION.AZkQFsCj3E+nv0hvGcuDcG4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KT.ENCRYPTION.ATUz2AQZmU8Nvyj893ElHvIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KT.ENCRYPTION.AVZFZbolYE+9v8Cjqpx1z9cAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KT.ENCRYPTION.AZkQFsCj3E+nv0hvGcuDcG4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Trusted Certificates:
And the Oracle Wallet as seen from the database is unchanged:
./tde_view_wallet_in_db.sh
Your auto-login wallet is now created!
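Once cwallet.sso exists, the database opens the keystore at startup without anyone typing the keystore password, so protection of the TDE master key rests entirely on operating-system access to the wallet directory. The following is an added example, not one of the LiveLabs scripts: a small Python audit that inspects a directory laid out like the listing above (ewallet.p12, the dated ewallet_<timestamp>.p12 copies written by WITH BACKUP, and cwallet.sso) and reports any keystore file or directory that is accessible to group or others. The make_demo_wallet helper builds a throwaway copy of that layout with placeholder bytes so the audit can be run offline; the real path /etc/ORACLE/WALLETS/cdb1/tde would be passed to audit_wallet_dir instead.

```python
import os
import re
import tempfile

# File names as they appear in the lab's wallet listing
PASSWORD_KEYSTORE = "ewallet.p12"    # password-protected keystore
AUTOLOGIN_KEYSTORE = "cwallet.sso"   # auto-login keystore, opened without a password
BACKUP_RE = re.compile(r"^ewallet_\d+\.p12$")  # copies created by WITH BACKUP


def _too_open(path):
    """True if any permission bit is set for group or others."""
    return bool(os.stat(path).st_mode & 0o077)


def audit_wallet_dir(tde_dir):
    """Inspect a WALLET_ROOT/tde directory and return what was found plus
    permission findings. 'findings' lists only things to fix."""
    names = sorted(os.listdir(tde_dir))
    report = {
        "has_password_keystore": PASSWORD_KEYSTORE in names,
        "has_autologin_keystore": AUTOLOGIN_KEYSTORE in names,
        "backup_count": sum(1 for n in names if BACKUP_RE.match(n)),
        "findings": [],
        "notes": [],
    }
    if _too_open(tde_dir):
        report["findings"].append(f"{tde_dir}: directory is accessible to group/others")
    for n in names:
        if n.endswith((".p12", ".sso")) and _too_open(os.path.join(tde_dir, n)):
            report["findings"].append(f"{n}: readable by group/others")
    if report["has_autologin_keystore"]:
        report["notes"].append(
            "auto-login keystore present: OS permissions on this directory are "
            "the only thing standing between a copied datafile and its plaintext")
    return report


def make_demo_wallet(autologin, tight_perms):
    """Constructed sample: a temporary directory that mimics the lab listing.
    The files hold placeholder bytes, not real keystores."""
    tde = os.path.join(tempfile.mkdtemp(), "tde")
    os.mkdir(tde)
    files = [PASSWORD_KEYSTORE, "ewallet.p12.lck",
             "ewallet_2022040512542332.p12",
             "ewallet_2022040512585020.p12",
             "ewallet_2022040513003638.p12"]
    if autologin:
        files.append(AUTOLOGIN_KEYSTORE)
    dir_mode, file_mode = (0o700, 0o600) if tight_perms else (0o755, 0o644)
    for n in files:
        path = os.path.join(tde, n)
        with open(path, "wb") as fh:
            fh.write(b"\x00" * 16)  # placeholder content
        os.chmod(path, file_mode)
    os.chmod(tde, dir_mode)
    return tde


if __name__ == "__main__":
    for label, d in (("loose", make_demo_wallet(True, False)),
                     ("tight", make_demo_wallet(True, True))):
        r = audit_wallet_dir(d)
        print(label, "backups:", r["backup_count"],
              "auto-login:", r["has_autologin_keystore"])
        for f in r["findings"]:
            print("  FINDING", f)
        for n in r["notes"]:
            print("  NOTE", n)
```

The "loose" directory (mode 755/644, the kind of default a careless umask produces) yields one finding per keystore file plus one for the directory; the "tight" directory yields none but still carries the auto-login note, which is the reminder that an auto-login wallet must never travel with the datafiles or their backups.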
Task 5: Encrypt Existing Tablespace
Use the Linux strings command to look at the data inside empdata_prod.dbf, the datafile belonging to the EMPDATA_PROD tablespace. This is an operating-system command that bypasses the database to read the data. It is called a "side-channel attack" because the database is unaware of it.
./tde_strings_data_empdataprod.sh
The output is as follows:
===================================================================================
View the datafile data of the tablespace EMPDATA_PROD...
===================================================================================
. Search the datafile path of the tablespaces EMPDATA_PROD
FILE_NAME ONLINE_STATUS
--------------------------------------------- ---------------
/u01/oradata/cdb1/pdb1/empdata_prod.dbf ONLINE
. View the datafile content directly through the OS file
----------------
Note:
To view the datafile content directly through the OS file, we use the command:
$ strings /u01/oradata/cdb1/pdb1/empdata_prod.dbf | tail -40
----------------
[...]
aKd4
aKd4
aKd4
aKd4
aKd4
aKd4
aKd4
aKd4
aKd4
aKd4
aKd4
/D8@
aKd4
/D8@
aKd4
aKd4
aKd4
aKd4
aKd4
aKd4
aKd4
aKd4
testuser
rwark
rlowenth
pjones
mmalfoy
malfoy
hradmin
eu_evan
ebabel
can_candy
bbest
agoodie
aKd4
AAAAAAAA
p V < "
w k _ S G ; / #
t h \\ P D 8 ,
; / #
Next, encrypt the data by encrypting the whole tablespace:
./tde_encrypt_tbs.sh
The commands actually executed, with their output:
===================================================================================
Encrypt the tablespace EMPDATA_PROD...
===================================================================================
-- . Check if the tablespace EMPDATA_PROD is encrypted or not
SQL> select tablespace_name, encrypted from dba_tablespaces where tablespace_name = 'EMPDATA_PROD';
TABLESPACE_NAME ENCRYPTED
------------------------------ ----------
EMPDATA_PROD NO
-- . Encrypt the tablespace EMPDATA_PROD
SQL> ALTER TABLESPACE EMPDATA_PROD ENCRYPTION ONLINE USING 'AES256' ENCRYPT;
Tablespace altered.
-- . Check if the tablespace EMPDATA_PROD is encrypted now
SQL> select tablespace_name, encrypted from dba_tablespaces where tablespace_name = 'EMPDATA_PROD';
TABLESPACE_NAME ENCRYPTED
------------------------------ ----------
EMPDATA_PROD YES
-- . Display all the encrypted tablespaces in the DB
SQL> select a.name pdb_name, b.name tablespace_name, c.ENCRYPTIONALG algorithm
from v$pdbs a, v$tablespace b, v$encrypted_tablespaces c
where a.con_id = b.con_id
and b.con_id = c.con_id
and b.ts# = c.ts#;
PDB_NAME TABLESPACE_NAME ALGORITHM
-------------------- ------------------------------ ----------
PDB1 EMPDATA_PROD AES256
Now try the "side-channel attack" again:
./tde_strings_data_empdataprod.sh
The output is as follows:
===================================================================================
View the datafile data of the tablespace EMPDATA_PROD...
===================================================================================
. Search the datafile path of the tablespaces EMPDATA_PROD
FILE_NAME ONLINE_STATUS
--------------------------------------------- ---------------
/u01/oradata/cdb1/pdb1/empdata_prod.dbf ONLINE
. View the datafile content directly through the OS file
----------------
Note:
To view the datafile content directly through the OS file, we use the command:
$ strings /u01/oradata/cdb1/pdb1/empdata_prod.dbf | tail -40
----------------
[...]
.c</v
(by
o$4bw
,l\\/
1'vv
>HO/R
9W55
V]JMP
8Jbxf
EY8F
roVu
O0k^
J?.1
#]Bs
O(^1
lLEu
?iRV
)Xe5
,IF7
YfeH
ZRHy
FYm|
1NYj;
'"OL
oMKCG
7q.
RuA:
.SGc:B
8mJC
%\\6]
E M
~l)v
u>"L:
][5:
i> 4
AUgT^y
)f(*a
Bi*o
Tn_A
gKK:$
You will see that all the data is now encrypted and no longer visible!
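The before/after comparison above is a useful verification step in its own right: after ALTER TABLESPACE ... ENCRYPT, the datafile should contain no recognisable row data, and a quick check like this belongs in any encryption rollout. As an added example, not part of the lab, the Python below reproduces what strings does (runs of four or more printable ASCII bytes), searches those runs for the user names the page's plaintext output showed (testuser, rwark, pjones, ...), and computes a byte-entropy score. Both inputs are constructed stand-ins rather than real Oracle blocks: make_plaintext_block places the names among zero padding the way they sat in the unencrypted file, and make_ciphertext_block uses seeded random bytes in place of AES-256 output, which is indistinguishable from random for this purpose. On a real system you would read the datafile path from dba_data_files and pass its bytes to assess.

```python
import math
import random

# User names visible in the lab's unencrypted `strings` output
SENSITIVE_TOKENS = [b"testuser", b"rwark", b"rlowenth", b"pjones", b"mmalfoy",
                    b"hradmin", b"eu_evan", b"ebabel", b"can_candy", b"bbest", b"agoodie"]


def extract_strings(data, min_len=4):
    """Same rule as the `strings` command: runs of >= min_len printable ASCII bytes."""
    runs, cur = [], bytearray()
    for b in data:
        if 32 <= b < 127:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(bytes(cur))
        cur = bytearray()
    if len(cur) >= min_len:
        runs.append(bytes(cur))
    return runs


def find_leaks(data, tokens=SENSITIVE_TOKENS):
    """Tokens that appear verbatim inside any printable run of data."""
    runs = extract_strings(data)
    return sorted(t for t in tokens if any(t in r for r in runs))


def shannon_entropy(data):
    """Bits per byte; near 8.0 for ciphertext, much lower for padded row data."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def make_plaintext_block(size=8192):
    """Constructed sample: names in the clear, separated by zero padding."""
    rng = random.Random(7)
    buf = bytearray(size)
    pos = 64
    for name in SENSITIVE_TOKENS:
        buf[pos:pos + len(name)] = name
        pos += len(name) + rng.randrange(8, 40)
    return bytes(buf)


def make_ciphertext_block(size=8192):
    """Constructed sample: seeded random bytes standing in for a TDE-encrypted block."""
    rng = random.Random(7)
    return bytes(rng.getrandbits(8) for _ in range(size))


def assess(data):
    """Summary a DBA can compare before and after enabling encryption."""
    return {
        "printable_runs": len(extract_strings(data)),
        "leaks": find_leaks(data),
        "entropy": round(shannon_entropy(data), 2),
    }


if __name__ == "__main__":
    print("before:", assess(make_plaintext_block()))
    print("after: ", assess(make_ciphertext_block()))
```

Two things make this check robust in practice: it inspects the file as stored, never through a database session, so it sees exactly what an attacker with a copied datafile sees; and the entropy figure catches the case where a tablespace was created encrypted but old, still-plaintext blocks survive because the file was never rewritten.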
Task 6: Encrypt All New Tablespaces
First, check the current settings of the initialization parameters:
./tde_check_init_params.sh
The commands actually executed, with their output:
SQL> select name, value
from v$parameter
where name in ('encrypt_new_tablespaces'
,'tde_configuration'
,'external_keystore_credential_location'
,'wallet_root'
,'one_step_plugin_for_pdb_with_tde');
NAME VALUE
---------------------------------------- ----------------------------------------
encrypt_new_tablespaces CLOUD_ONLY
one_step_plugin_for_pdb_with_tde FALSE
external_keystore_credential_location
wallet_root /etc/ORACLE/WALLETS/cdb1
tde_configuration keystore_configuration=FILE
Next, change the initialization parameter ENCRYPT_NEW_TABLESPACES to ALWAYS so that every new tablespace is encrypted:
./tde_encrypt_all_new_tbs.sh
The commands actually executed, with their output: