oracle-databaseencryptionsalt-cryptographytde

Oracle TDE -- Salt and Encrypted Data


For Oracle TDE, there is both the option to add salt to plaintext (by default) or to ignore salt (using the NO SALT) parameter.

  1. I wanted to know if salt is unique per row/record in a table or common across all rows in a single table.
  2. Is there any way to see the encrypted value as the result of a query ? (Opening the wallet gives you the actual de-encrypted value, and I'm getting an error trying to query without opening the wallet and setting the master key).

Solution

  • Regarding your questions:

    1. SALT is a random value generated at row level. As you well know, in cryptography, salt is a way to strengthen the security of encrypted data by adding a random string to the data before it is encrypted, making it more difficult for attackers to steal. As it is random there is always a possibility of non uniqueness, but normally it should be unique. Those 16 bytes are added to the column, something you can see with a dump of the block. SALT cannot be used on indexed columns.
    1. There is no way to do that, that is precisely the objective of TDE. In order to query the data you need to open the wallet. When your database contains tables and columns encrypted with TDE, DBAs normally configure the wallet with auto-login, thereby you don't need to do it manually after restart.

    If you want to have the option to query the data at will, with or without encryption and without depending of a wallet, you can use DBMS_CRYPTO in a package to store the data using function to encrypt or decrypt at will. You have a good example of this last point here

    https://oracle-base.com/articles/10g/database-security-enhancements-10g#dbms_crypto