Oracle LiveLabs实验:DB Security - ASO (Transparent Data Encryption)

Posted dingdingfish

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Oracle LiveLabs实验:DB Security - ASO (Transparent Data Encryption)相关的知识,希望对你有一定的参考价值。

概述

此实验申请地址在这里,时间为1小时。

实验帮助在这里

本实验使用的数据库为19.13。

Introduction

本研讨会介绍 Oracle 透明数据加密 (TDE) 的各种特性和功能。 它使用户有机会学习如何配置这些功能以加密敏感数据。

目标

  • 如果需要,对数据库进行冷备份以启用数据库恢复
  • 在数据库中启用透明数据加密
  • 使用透明数据加密加密数据

Task 1: Allow DB Restore

此步骤是了后续将数据库恢复为未加密状态。

进入实验目录:

sudo su - oracle
cd $DBSEC_LABS/tde

运行数据库备份:

./tde_backup_db.sh

这实际是个冷备份,即将数据库shutdown后,对数据文件目录进行tar。其实还备份了pfile,因为后续会修改系统参数。

一旦完成,它将自动重启容器和可插拔数据库。

Task 2: Create Keystore

在操作系统中创建Keystore目录:

./tde_create_os_directory.sh

创建的目录如下:

/etc/ORACLE/WALLETS/cdb1/tde
/etc/ORACLE/WALLETS/cdb1/tde_seps
/etc/ORACLE/WALLETS/cdb1/okv

使用数据库参数来管理 TDE。 这将需要重新启动数据库才能使其中一个参数生效。 该脚本将为您执行重新启动。

./tde_set_tde_parameters.sh

脚本运行前后的变化如下:

## 运行前
## $ORACLE_HOME/network/admin/sqlnet.ora为空

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
wallet_root                          string

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
tde_configuration                    string


## 运行后
## $ORACLE_HOME/network/admin/sqlnet.ora仍为空

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
wallet_root                          string      /etc/ORACLE/WALLETS/cdb1

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
tde_configuration                    string      keystore_configuration=FILE

为容器数据库创建软件密钥库 (Oracle Wallet)。 您将看到状态结果从 NOT_AVAILABLE 变为 OPEN_NO_MASTER_KEY。

./tde_create_wallet.sh

实际执行的命令和输出为:

-- . Display the status of the Keystore
SQL> select a.con_id, b.name, a.wrl_type, a.wrl_parameter, a.status, a.wallet_type from v$encryption_wallet a, v$containers b where a.con_id=b.con_id order by a.con_id;

    CON_ID NAME       WRL_TYPE     WRL_PARAMETER                        STATUS                         WALLET_TYPE
---------- ---------- ------------ ------------------------------------ ------------------------------ ------------
         1 CDB$ROOT   FILE         /etc/ORACLE/WALLETS/cdb1/tde/        NOT_AVAILABLE                  UNKNOWN
         2 PDB$SEED   FILE                                              NOT_AVAILABLE                  UNKNOWN
         3 PDB1       FILE                                              NOT_AVAILABLE                  UNKNOWN
         4 PDB2       FILE                                              NOT_AVAILABLE                  UNKNOWN


-- . Create the Keystore for CDB
SQL> administer key management create keystore identified by $DBUSR_PWD;

keystore altered.


-- . Create the Keystore for all PDBs
SQL> administer key management set keystore open identified by $DBUSR_PWD container=all;

keystore altered.


-- . Display the status of the Keystore
SQL> select a.con_id, b.name, a.wrl_type, a.wrl_parameter, a.status, a.wallet_type from v$encryption_wallet a, v$containers b where a.con_id=b.con_id order by a.con_id;

    CON_ID NAME       WRL_TYPE     WRL_PARAMETER                        STATUS                         WALLET_TYPE
---------- ---------- ------------ ------------------------------------ ------------------------------ ------------
         1 CDB$ROOT   FILE         /etc/ORACLE/WALLETS/cdb1/tde/        OPEN_NO_MASTER_KEY             PASSWORD
         2 PDB$SEED   FILE                                              OPEN_NO_MASTER_KEY             PASSWORD
         3 PDB1       FILE                                              OPEN_NO_MASTER_KEY             PASSWORD
         4 PDB2       FILE                                              OPEN_NO_MASTER_KEY             PASSWORD

现在,您的 Oracle 钱包已创建,状态为打开,但还没有Master Key!

Task 3: Create Master Key

创建容器数据库 TDE 主密钥 (MEK):

./tde_create_mek_cdb.sh

实际执行的命令和输出为:

-- . Show the status of the current Master Key (MEK)
SQL> select a.con_id, b.name, a.wrl_type, a.wrl_parameter, a.status, a.wallet_type from v$encryption_wallet a, v$containers b where a.con_id=b.con_id order by a.con_id;

    CON_ID NAME       WRL_TYPE     WRL_PARAMETER                            STATUS
---------- ---------- ------------ ---------------------------------------- ------------------------------
         1 CDB$ROOT   FILE         /etc/ORACLE/WALLETS/cdb1/tde/            OPEN_NO_MASTER_KEY
         2 PDB$SEED   FILE                                                  OPEN_NO_MASTER_KEY
         3 PDB1       FILE                                                  OPEN_NO_MASTER_KEY
         4 PDB2       FILE                                                  OPEN_NO_MASTER_KEY


-- . Create the CDB Master Key (MEK)
SQL> ADMINISTER KEY MANAGEMENT SET KEY USING TAG 'CDB1: Initial Master Key' IDENTIFIED BY $DBUSR_PWD WITH BACKUP container=current;
keystore altered.


-- . Show the status of the current Master Key (MEK)
SQL> select a.con_id, b.name, a.wrl_type, a.wrl_parameter, a.status, a.wallet_type from v$encryption_wallet a, v$containers b where a.con_id=b.con_id order by a.con_id;

    CON_ID NAME       WRL_TYPE     WRL_PARAMETER                            STATUS
---------- ---------- ------------ ---------------------------------------- ------------------------------
         1 CDB$ROOT   FILE         /etc/ORACLE/WALLETS/cdb1/tde/            OPEN
         2 PDB$SEED   FILE                                                  OPEN
         3 PDB1       FILE                                                  OPEN_NO_MASTER_KEY
         4 PDB2       FILE                                                  OPEN_NO_MASTER_KEY


为可插入数据库 pdb1 创建主密钥 (MEK):

./tde_create_mek_pdb.sh pdb1

实际执行的命令和输出如下,命令和前面是一样的,但是为切换到PDB中执行:

-- 切换到PDB
SQL> alter session set container=$pdbname;

-- . Show the status of the current Master Key (MEK)
SQL> select a.con_id, b.name, a.wrl_type, a.wrl_parameter, a.status, a.wallet_type from v$encryption_wallet a, v$containers b where a.con_id=b.con_id order by a.con_id;


    CON_ID NAME       WRL_TYPE     WRL_PARAMETER                            STATUS
---------- ---------- ------------ ---------------------------------------- ------------------------------
         3 PDB1       FILE                                                  OPEN_NO_MASTER_KEY



-- . Create the CDB Master Key (MEK)
SQL> ADMINISTER KEY MANAGEMENT SET KEY USING TAG '$pdbname: Initial Master Key' IDENTIFIED BY $DBUSR_PWD WITH BACKUP container=current;

keystore altered.


-- . Show the status of the current Master Key (MEK)
SQL> select a.con_id, b.name, a.wrl_type, a.wrl_parameter, a.status, a.wallet_type from v$encryption_wallet a, v$containers b where a.con_id=b.con_id order by a.con_id;

    CON_ID NAME       WRL_TYPE     WRL_PARAMETER                            STATUS
---------- ---------- ------------ ---------------------------------------- ------------------------------
         3 PDB1       FILE                                                  OPEN

如果你愿意,你可以对 pdb2 做同样的事情……这不是必需的,显示一些带有 TDE 的数据库和一些没有 TDE 的数据库可能会有所帮助:

./tde_create_mek_pdb.sh pdb2

现在,您有一个主密钥,您可以开始加密表空间或列!

Task 4: Create Auto-login Wallet

运行脚本以查看操作系统上的 Oracle Wallet 内容:

./tde_view_wallet_on_os.sh

输出为:

===================================================================================
 Display the Wallet info on the OS...
===================================================================================

. Wallet location and files
/etc/ORACLE/WALLETS/cdb1
/etc/ORACLE/WALLETS/cdb1/tde
/etc/ORACLE/WALLETS/cdb1/tde/ewallet.p12
/etc/ORACLE/WALLETS/cdb1/tde/ewallet_2022040512542332.p12
/etc/ORACLE/WALLETS/cdb1/tde/ewallet_2022040512585020.p12
/etc/ORACLE/WALLETS/cdb1/tde/ewallet_2022040513003638.p12
/etc/ORACLE/WALLETS/cdb1/tde_seps
/etc/ORACLE/WALLETS/cdb1/okv

. Display the keystore from the OS
  -------------------------
  Note:
  To view it, run the following OS command:
  $ orapki wallet display -wallet /etc/ORACLE/WALLETS/cdb1/tde -pwd Oracle123
  -------------------------

Oracle PKI Tool Release 23.0.0.0.0 - Production
Version 23.0.0.0.0
Copyright (c) 2004, 2021, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
Subject:        CN=oracle
User Certificates:
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.ATUz2AQZmU8Nvyj893ElHvIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.AVZFZbolYE+9v8Cjqpx1z9cAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.AZkQFsCj3E+nv0hvGcuDcG4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY.9623C50C30AD638EE0532C00000A4926
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY.9623C58F05F064BFE0532C00000ACDFE
ORACLE.SECURITY.ID.ENCRYPTION.
ORACLE.SECURITY.KB.ENCRYPTION.
ORACLE.SECURITY.KM.ENCRYPTION.ATUz2AQZmU8Nvyj893ElHvIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KM.ENCRYPTION.AVZFZbolYE+9v8Cjqpx1z9cAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KM.ENCRYPTION.AZkQFsCj3E+nv0hvGcuDcG4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KT.ENCRYPTION.ATUz2AQZmU8Nvyj893ElHvIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KT.ENCRYPTION.AVZFZbolYE+9v8Cjqpx1z9cAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KT.ENCRYPTION.AZkQFsCj3E+nv0hvGcuDcG4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Trusted Certificates:

您可以查看 Oracle Wallet 在数据库中的样子:

./tde_view_wallet_in_db.sh

实际的执行与输出为:

-- . Display the keystore status
SQL> select a.con_id, b.name, a.wrl_type, a.wrl_parameter, a.status, a.wallet_type from v$encryption_wallet a, v$containers b where a.con_id=b.con_id order by a.con_id;

    CON_ID NAME       WRL_TYPE     WRL_PARAMETER                       STATUS                         WALLET_TYPE
---------- ---------- ------------ ----------------------------------- ------------------------------ ------------
         1 CDB$ROOT   FILE         /etc/ORACLE/WALLETS/cdb1/tde/       OPEN                           PASSWORD
         2 PDB$SEED   FILE                                             OPEN                           PASSWORD
         3 PDB1       FILE                                             OPEN                           PASSWORD
         4 PDB2       FILE                                             OPEN                           PASSWORD


-- . Display the keys in the DB
SQL> select con_id, activation_time, key_use, tag from v$encryption_keys order by con_id;

    CON_ID ACTIVATION_TIME                      KEY_USE        TAG
---------- ------------------------------------ -------------- --------------------------------------------
         1 05-APR-22 12.54.23.463760 PM +00:00  TDE IN PDB     CDB1: Initial Master Key
         3 05-APR-22 12.58.50.293916 PM +00:00  TDE IN PDB     pdb1: Initial Master Key
         4 05-APR-22 01.00.36.560789 PM +00:00  TDE IN PDB     pdb2: Initial Master Key

现在,创建 Autologin Oracle 钱包:

./tde_create_autologin_wallet.sh

实际执行命令为:

SQL> administer key management create auto_login keystore from keystore '$WALLET_DIR/tde' identified by $DBUSR_PWD;

keystore altered.

运行相同的查询以查看操作系统上的 Oracle Wallet 内容:

./tde_view_wallet_on_os.sh

您现在应该看到 cwallet.sso 文件。

===================================================================================
 Display the Wallet info on the OS...
===================================================================================

. Wallet location and files
/etc/ORACLE/WALLETS/cdb1
/etc/ORACLE/WALLETS/cdb1/tde
/etc/ORACLE/WALLETS/cdb1/tde/ewallet.p12
/etc/ORACLE/WALLETS/cdb1/tde/ewallet_2022040512542332.p12
/etc/ORACLE/WALLETS/cdb1/tde/ewallet_2022040512585020.p12
/etc/ORACLE/WALLETS/cdb1/tde/ewallet_2022040513003638.p12
/etc/ORACLE/WALLETS/cdb1/tde/ewallet.p12.lck
/etc/ORACLE/WALLETS/cdb1/tde/cwallet.sso <- 说的就是这一行
/etc/ORACLE/WALLETS/cdb1/tde_seps
/etc/ORACLE/WALLETS/cdb1/okv

. Display the keystore from the OS
  -------------------------
  Note:
  To view it, run the following OS command:
  $ orapki wallet display -wallet /etc/ORACLE/WALLETS/cdb1/tde -pwd Oracle123
  -------------------------

Oracle PKI Tool Release 23.0.0.0.0 - Production
Version 23.0.0.0.0
Copyright (c) 2004, 2021, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
Subject:        CN=oracle
User Certificates:
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.ATUz2AQZmU8Nvyj893ElHvIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.AVZFZbolYE+9v8Cjqpx1z9cAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.AZkQFsCj3E+nv0hvGcuDcG4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY.9623C50C30AD638EE0532C00000A4926
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY.9623C58F05F064BFE0532C00000ACDFE
ORACLE.SECURITY.ID.ENCRYPTION.
ORACLE.SECURITY.KB.ENCRYPTION.
ORACLE.SECURITY.KM.ENCRYPTION.ATUz2AQZmU8Nvyj893ElHvIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KM.ENCRYPTION.AVZFZbolYE+9v8Cjqpx1z9cAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KM.ENCRYPTION.AZkQFsCj3E+nv0hvGcuDcG4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KT.ENCRYPTION.ATUz2AQZmU8Nvyj893ElHvIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KT.ENCRYPTION.AVZFZbolYE+9v8Cjqpx1z9cAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KT.ENCRYPTION.AZkQFsCj3E+nv0hvGcuDcG4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Trusted Certificates:

并且数据库中的 Oracle Wallet 没有任何变化。

./tde_view_wallet_in_db.sh

现在您的自动登录Wallet已创建!

Task 5: Encrypt Existing Tablespace

使用 Linux 命令 strings 查看与 EMPDATA_PROD 表空间关联的数据文件 empdata_prod.dbf 中的数据。 这是一个绕过数据库查看数据的操作系统命令。 这被称为“旁路攻击”,因为数据库不知道它。

./tde_strings_data_empdataprod.sh

输出如下:

===================================================================================
 View the datafile data of the tablespace EMPDATA_PROD...
===================================================================================

. Search the datafile path of the tablespaces EMPDATA_PROD

FILE_NAME                                     ONLINE_STATUS
--------------------------------------------- ---------------
/u01/oradata/cdb1/pdb1/empdata_prod.dbf       ONLINE


. View the datafile content directly through the OS file
  ----------------
  Note:
  To view the datafile content directly through the OS file, we use the command:
  $ strings /u01/oradata/cdb1/pdb1/empdata_prod.dbf | tail -40
  ----------------

[...]
aKd4
aKd4
aKd4
aKd4
aKd4
aKd4
aKd4
aKd4
aKd4
aKd4
aKd4
/D8@
aKd4
/D8@
aKd4
aKd4
aKd4
aKd4
aKd4
aKd4
aKd4
aKd4
testuser
rwark
rlowenth
pjones
mmalfoy
malfoy
hradmin
eu_evan
ebabel
        can_candy
bbest
agoodie
aKd4
AAAAAAAA
        p       V       <       "
        w       k       _       S       G       ;       /       #
        t       h       \\       P       D       8       ,
;       /       #

接下来,通过加密整个表空间来加密数据:

./tde_encrypt_tbs.sh

实际执行的命令和输出如下:

===================================================================================
 Encrypt the tablespace EMPDATA_PROD...
===================================================================================

-- . Check if the tablespace EMPDATA_PROD is encrypted or not
SQL> select tablespace_name, encrypted from dba_tablespaces where tablespace_name = 'EMPDATA_PROD';

TABLESPACE_NAME                ENCRYPTED
------------------------------ ----------
EMPDATA_PROD                   NO


-- . Encrypt the tablespace EMPDATA_PROD
SQL> ALTER TABLESPACE EMPDATA_PROD ENCRYPTION ONLINE USING 'AES256' ENCRYPT;

Tablespace altered.


-- . Check if the tablespace EMPDATA_PROD is encrypted now
SQL> select tablespace_name, encrypted from dba_tablespaces where tablespace_name = 'EMPDATA_PROD';

TABLESPACE_NAME                ENCRYPTED
------------------------------ ----------
EMPDATA_PROD                   YES


-- . Display all the encrypted tablespaces in the DB
SQL> select a.name pdb_name, b.name tablespace_name, c.ENCRYPTIONALG algorithm
  from v$pdbs a, v$tablespace b, v$encrypted_tablespaces c
  where a.con_id = b.con_id
    and b.con_id = c.con_id
    and b.ts# = c.ts#;

PDB_NAME             TABLESPACE_NAME                ALGORITHM
-------------------- ------------------------------ ----------
PDB1                 EMPDATA_PROD                   AES256

现在,再次尝试“旁路攻击”:

./tde_strings_data_empdataprod.sh

输出如下:

===================================================================================
 View the datafile data of the tablespace EMPDATA_PROD...
===================================================================================

. Search the datafile path of the tablespaces EMPDATA_PROD

FILE_NAME                                     ONLINE_STATUS
--------------------------------------------- ---------------
/u01/oradata/cdb1/pdb1/empdata_prod.dbf       ONLINE


. View the datafile content directly through the OS file
  ----------------
  Note:
  To view the datafile content directly through the OS file, we use the command:
  $ strings /u01/oradata/cdb1/pdb1/empdata_prod.dbf | tail -40
  ----------------

[...]
.c</v
(by
o$4bw
,l\\/
1'vv
>HO/R
9W55
V]JMP
8Jbxf
EY8F
roVu
O0k^
J?.1
#]Bs
O(^1
lLEu
?iRV
)Xe5
,IF7
YfeH
ZRHy
FYm|
1NYj;
'"OL
oMKCG
 7q.
RuA:
.SGc:B
8mJC
%\\6]
E        M
~l)v
u>"L:
][5:
i> 4
AUgT^y
)f(*a
Bi*o
Tn_A
gKK:$

您会看到所有数据现在都已加密并且不再可见!

Task 6: Encrypt All New Tablespaces

首先,检查初始化参数的当前设置:

./tde_check_init_params.sh

实际执行的命令和输出为:

SQL> select name, value
  from v$parameter
 where name in ('encrypt_new_tablespaces'
               ,'tde_configuration'
               ,'external_keystore_credential_location'
               ,'wallet_root'
               ,'one_step_plugin_for_pdb_with_tde');

NAME                                     VALUE
---------------------------------------- ----------------------------------------
encrypt_new_tablespaces                  CLOUD_ONLY
one_step_plugin_for_pdb_with_tde         FALSE
external_keystore_credential_location
wallet_root                              /etc/ORACLE/WALLETS/cdb1
tde_configuration                        keystore_configuration=FILE

接下来,将初始化参数 ENCRYPT_NEW_TABLESPACES 更改为 ALWAYS,以便所有新表空间都被加密:

./tde_encrypt_all_new_tbs.sh

实际执行的命令和输出为:

==================

以上是关于Oracle LiveLabs实验:DB Security - ASO (Transparent Data Encryption)的主要内容,如果未能解决你的问题,请参考以下文章

Oracle LiveLabs实验:DB Security - ASO (Data Redaction)

Oracle LiveLabs实验:DB Security - Audit Vault and DB Firewall

Oracle LiveLabs实验:DB Security - Native Network Encryption (NNE)

Oracle LiveLabs实验:DB Security - Database Vault

Oracle LiveLabs实验:DB Security - Database Vault

Oracle LiveLabs实验:DB Security - Database Assessment Tool