Comments for native Read http://www.nativeread.com Sat, 13 Mar 2010 16:27:45 +0000 http://wordpress.org/?v=2.6.5 Comment on Tablespace encryption by Chris Kirsch http://www.nativeread.com/2009/01/12/tablespace-encryption/#comment-2 Chris Kirsch Mon, 12 Jan 2009 20:00:04 +0000 http://dba.nativeread.com/?p=70#comment-2 When you use TDE, the keys will typically be stored on the machine in the so-called Oracle e-Wallet. While this is the best Oracle could do with a pure software integration, it's not the best security practice because you shouldn't keep the key and the database in the same place. When you back up the machine, the key will be backed up with the database. Also, you will find it difficult to demonstrate a separation of duties between database security administration for compliance. Oracle 11g supports the use of hardware security modules (HSMs) that protect the keys, separate security and DB administration, and ensure that keys are never stored with the data. My employer Thales e-Security (formerly nCipher) offers such a solution. If you're interested, please check out: http://www.ncipher.com/en/Solutions/Business%20Solutions/Databases.aspx When you use TDE, the keys will typically be stored on the machine in the so-called Oracle e-Wallet. While this is the best Oracle could do with a pure software integration, it’s not the best security practice because you shouldn’t keep the key and the database in the same place. When you back up the machine, the key will be backed up with the database. Also, you will find it difficult to demonstrate a separation of duties between database security administration for compliance.

Oracle 11g supports the use of hardware security modules (HSMs) that protect the keys, separate security and DB administration, and ensure that keys are never stored with the data.

My employer Thales e-Security (formerly nCipher) offers such a solution. If you’re interested, please check out:
http://www.ncipher.com/en/Solutions/Business%20Solutions/Databases.aspx

]]>