Here is a short little entry just to make everyone aware of a truly handy feature of the new Oracle 11g Database Advanced Security Option.
The new version of the database, 11g R2, adds some nice new security features for us identity and security folks, one of which is tablespace encryption. No longer does one have to pick which field is encrypted. Now, if it makes sense, whole tables can be encrypted simply by placing them in an encrypted tablespace. And the good engineers at Oracle make it simple and easy to do.
Hey, if you use some newer servers with the Intel Westmere chips in them, they now include Intel AES-NI encryption instructions on the chip itself. This gives hardware encryption speeds without having to buy and install a separate encryption board. The 7x – 10x increase in speed means there is NO reason not to encrypt your database: the encryption performance hit becomes nearly nothing, so there is no excuse.
But one of the quiet features that's hidden in ASO is how the keys are stored. It helps with that major problem of key management that has bollixed up great encryption plans over the years. For every tablespace (or column, for those going old school), ASO generates a new encryption key. All of these keys are kept in an Oracle Wallet (a PKCS #12 wallet), where they are in turn encrypted to triple-DES strength with a master key that is kept away from the database and, hopefully, away from the wallet as well.
But what is missed by many is that storing these keys in one wallet under a master key makes key refreshes much easier to accomplish. Instead of having to generate new keys, re-encrypt the tables with the new key, and so on, all you have to do is use Oracle Wallet Manager (included with ASO) to generate a new master key and re-encrypt the keys in the wallet. The tablespace keys stay the same, but you have now fulfilled the requirement to change the key protecting the database's key storage on a regular basis.
This makes key refreshing much simpler and easier to do. So now you can implement a stronger security maintenance program that refreshes database encryption keys in a more timely fashion (once a quarter is nice, and definitely after any major change to the database). Encrypting tables is easy to do; keeping the keys rotated is not as easy as it sounds. With this nice key management utility in ASO, life just got easier. And more secure.
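As an added example (not from the original post), here is the same master key rotation done from SQL*Plus instead of through the Oracle Wallet Manager GUI, using Oracle 11g R2 TDE syntax. The wallet directory, data file path, tablespace name and wallet password are placeholders.

```sql
-- Added example, not from the original post. Oracle 11g R2 syntax.
-- Placeholders: /etc/ORACLE/WALLETS/orcl (wallet directory), secure_ts
-- (tablespace), /u01/oradata/orcl/... (data file), "wallet_pw_placeholder".

-- 0. sqlnet.ora on the database server points TDE at the wallet
--    (not SQL; shown for completeness):
--    ENCRYPTION_WALLET_LOCATION =
--      (SOURCE = (METHOD = FILE)
--        (METHOD_DATA = (DIRECTORY = /etc/ORACLE/WALLETS/orcl)))

-- 1. First-time setup: creates the wallet if none exists, generates the
--    initial master key and leaves the wallet open.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet_pw_placeholder";

-- 2. The tablespace gets its own key; blocks are AES-256 at rest.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/oradata/orcl/secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 3. Quarterly rotation: open the wallet, then generate a new master key.
--    Only the tablespace keys held in the wallet are re-wrapped;
--    the data files are NOT rewritten.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet_pw_placeholder";
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet_pw_placeholder";

-- 4. Checks worth running after the rotation.
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;  -- expect OPEN
SELECT tablespace_name, encrypted FROM dba_tablespaces
 WHERE tablespace_name = 'SECURE_TS';                             -- expect YES
SELECT ts#, encryptionalg, encryptedts FROM v$encrypted_tablespaces;

-- 5. Close the wallet once the rotation window is over.
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "wallet_pw_placeholder";
```

Take a copy of the wallet file before and after the rekey and store it apart from the database backups; without the wallet the encrypted tablespaces cannot be read.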