TDE Tablespace encryption - assign separate, distinct duties to database administrators and security administrators

Question and Answer

Connor McDonald

Thanks for the question, Jason.

Asked: January 22, 2019 - 9:27 am UTC

Last updated: February 01, 2019 - 2:47 pm UTC

Version: 12g

Viewed 1000+ times

You Asked

Hi Tom,

Our situation is that we are going to put some sensitive data in an Oracle DB hosted by a vendor (external party). To minimize the impact on the App, we would like to choose TDE tablespace encryption.

Since the data is highly restricted, we don't allow anyone on the vendor side to read the data, even the database admin.

Our question is... can we prevent any DB user (even a DBA) except the App user from reading encrypted data after we have applied TDE tablespace encryption?

We expected the answer to be YES, until we read the article below - it only mentions segregation of duties in the TDE column-based encryption part, but not in the tablespace part.

<quote>
"Using an external security module separates ordinary program functions from encryption operations, making it possible to assign separate, distinct duties to database administrators and security administrators. Security is enhanced because the keystore password can be unknown to the database administrator, requiring the security administrator to provide the password."
</quote>

https://docs.oracle.com/database/121/ASOAG/introduction-to-transparent-data-encryption.htm#GUID-547EA215-9576-4C61-A414-3DA3287692A4__CIHJECGF

Supposedly, the segregation of duties is implemented by the HSM and not by Oracle itself, am I correct?

Or, if we choose tablespace encryption, can we not prevent the DBA from reading data from it?


and Chris said...

TDE tablespace encryption only encrypts data at rest, i.e. the information stored in data files. When you query it, the database decrypts it so you can read it.

So anyone with select privileges on your tables can see the data.

You need TDE column encryption so that normal queries return encrypted values. This stops DBAs reading the unencrypted values. Only those with access to the external security module will be able to see the plaintext.

Ultimately, if the database and security module are hosted and managed by a third party (i.e. they're the DBA and security admins) they've got everything they need to view the data. So you're trusting them not to abuse this power and view your unencrypted data.


Comments

DataVault

J. Laurindo Chiappa, January 23, 2019 - 6:13 pm UTC

And what about Database Vault - could it be an option to 'isolate' the data from the DBAs?
Connor McDonald
February 01, 2019 - 2:47 pm UTC

Yes. Database Vault is a solution for data isolation (from admins)
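
The behaviour discussed in the answer and in the Database Vault comment above, as an added SQL example that is not part of the original thread: a tablespace-encrypted table is still readable by a DBA, and a Database Vault realm is what blocks that access. The names `secure_ts`, `app_owner`, `customers`, `app_user` and the realm name are hypothetical, and the prerequisites are listed as assumptions in the opening comments.

```sql
-- Added example; every object, user and realm name here is hypothetical.
-- Assumes: TDE keystore open with a master key set, OMF configured,
-- Database Vault enabled, and APP_OWNER has quota on the new tablespace.

-- 1. As a DBA: create an encrypted tablespace and store a table in it.
CREATE TABLESPACE secure_ts
  DATAFILE SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

CREATE TABLE app_owner.customers (
  id      NUMBER PRIMARY KEY,
  card_no VARCHAR2(19)
) TABLESPACE secure_ts;

INSERT INTO app_owner.customers VALUES (1, '0000-0000-0000-0000'); -- constructed value
COMMIT;

-- 2. Still as the DBA (SELECT ANY TABLE via the DBA role): the row comes back
--    in plaintext. Tablespace TDE only protects the blocks in the data file.
SELECT id, card_no FROM app_owner.customers;

-- 3. As the Database Vault owner (DV_OWNER role): put the table in a realm and
--    authorize only the application account. Realm authorization grants no
--    privileges by itself; APP_USER still needs SELECT on the table.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Customer Data Realm',
    description   => 'Isolates APP_OWNER.CUSTOMERS from administrators',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Customer Data Realm',
    object_owner => 'APP_OWNER',
    object_name  => 'CUSTOMERS',
    object_type  => 'TABLE');

  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'Customer Data Realm',
    grantee      => 'APP_USER',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- 4. Back as the DBA: the same query is now rejected by the realm, because
--    system privileges such as SELECT ANY TABLE no longer apply to this table.
SELECT id, card_no FROM app_owner.customers;
```

The realm only separates duties if the account holding `DV_OWNER` is controlled by someone other than the DBAs it restricts.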
