Data encryption with Oracle Standard Edition

Posted on 2010-01-12
Medium Priority
Last Modified: 2013-12-18
We have a third-party application for which, for licensing cost reasons, we have employed Oracle 10g Standard Edition as the back-end database. We need to encrypt a handful of sensitive data fields in the database. The third-party application vendor has informed us that they do not offer data encryption, nor do they intend to in the future, and they suggested that we use Oracle's Transparent Data Encryption. Unfortunately, this feature is only available in the Enterprise Edition, and even then only at additional cost.

So, the $564,000 question is this: Is there any simple way to do database-level data encryption that would be transparent to the third-party application? In other words, we do not want to mess with our vendor's code unless we absolutely have no other alternative. Are there any Oracle third-party tools that would work for us?
Question by: DanielBorson
LVL 77

Expert Comment

by: slightwv (Netminder)
ID: 26294857

Author Comment

ID: 26295290
Our DBA is looking into this. A few of the potential problems we see with DBMS_CRYPTO:

1) The existing data fields are not sufficiently large to store encrypted values.

2) Our DBA's thinking is that we would need to create a custom table to store encrypted values and then create functions that would select, insert, update or delete these values. We would then replace the column name with the appropriate function in each and every place in our vendor's backend code where the column is referenced.

3) We would need to update all this code each and every time that we receive a back-end code update from our vendor. Also, we're not yet sure what modifying this code would do to any warranties or support contracts.

4) What happens with reporting tools, such as Discoverer, when we need to select one of these encrypted fields and bring it into a report?

Are there any third-party Oracle tools that would provide us with similar functionality to Oracle's Transparent Data Encryption?
LVL 77

Accepted Solution

slightwv (Netminder) earned 1000 total points
ID: 26295451
Data encryption isn't my strong point but I've never heard of any 'seamless' 3rd party plug-in to do this.  Leave this open for a while.  Maybe other experts will know of a way.

I agree with all the pitfalls for dbms_crypto you mentioned above.  A possible work-around (with its own problems):
Create a new table to store the encrypted values.  Replace the app's table with a view that decrypts the data on the fly and exactly mimics the app's table.

You'll still have some of the problems above with one additional one:  You will have to hard-code the key in the view's text which kind of defeats the purpose of encrypting.  It will fool the 'common' folk but probably wouldn't fool someone bent on seeing the data for long.

Author Comment

ID: 26295694
Thanks, slightwv. Okay, all you other Oracle experts out there -- anyone else have anything encouraging or enlightening to add?
LVL 40

Assisted Solution

mrjoltcola earned 1000 total points
ID: 26297331
Just remember, transparent encryption has limited usefulness. It will protect the database and backups, if stolen, but won't protect the data if accessed by an Oracle session. To an Oracle user, or an app connected via the Oracle client, TDE hides the encryption, and the columns are plainly visible.

The question is: what are you trying to protect against? Stolen database files / backups, or live hacking?

Like slightwv, I am not aware of another transparent solution other than TDE. One could probably architect a solution with Oracle tools like materialized views and the VPD/context API. The main requirement is that the encryption key must not be stored in a location where it can be stolen along with the database. TDE protects the key but requires the DBA to provide a password or "open the wallet" manually after starting the instance. To architect another transparent solution, you'd need to solve that same problem.
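
An added example, not code from any poster in this thread: the view-over-an-encrypted-table workaround from the accepted solution, with the key held in a globally accessed application context that a DBA fills after each instance start instead of being hard-coded in the view text. The table CUSTOMER(id, name, ssn) and the names CUSTOMER_ENC, FIELD_CRYPT and KEY_CTX are hypothetical; the schema owner is assumed to have EXECUTE on DBMS_CRYPTO and the CREATE ANY CONTEXT privilege.

```sql
-- Added example; CUSTOMER(id, name, ssn), CUSTOMER_ENC, FIELD_CRYPT, KEY_CTX are hypothetical names.
CREATE CONTEXT key_ctx USING field_crypt ACCESSED GLOBALLY;
CREATE OR REPLACE PACKAGE field_crypt AS
  PROCEDURE open_key(p_hex_key IN VARCHAR2);  -- DBA runs this after each instance start
  FUNCTION encrypt_val(p_plain IN VARCHAR2) RETURN RAW;
  FUNCTION decrypt_val(p_cipher IN RAW) RETURN VARCHAR2;
END field_crypt;
/
CREATE OR REPLACE PACKAGE BODY field_crypt AS
  c_typ CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256 + DBMS_CRYPTO.CHAIN_CBC + DBMS_CRYPTO.PAD_PKCS5;
  PROCEDURE open_key(p_hex_key IN VARCHAR2) IS  -- 64 hex chars = 256-bit key
  BEGIN                                         -- kept in instance memory, not in datafiles
    DBMS_SESSION.SET_CONTEXT('KEY_CTX', 'K', p_hex_key);
  END;
  FUNCTION cur_key RETURN RAW IS  -- NULL until open_key runs, so DBMS_CRYPTO raises an error
  BEGIN
    RETURN HEXTORAW(SYS_CONTEXT('KEY_CTX', 'K'));
  END;
  FUNCTION encrypt_val(p_plain IN VARCHAR2) RETURN RAW IS
    v_iv RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);  -- fresh IV per value, stored as a prefix
  BEGIN
    IF p_plain IS NULL THEN RETURN NULL; END IF;
    RETURN UTL_RAW.CONCAT(v_iv, DBMS_CRYPTO.ENCRYPT(
             UTL_I18N.STRING_TO_RAW(p_plain, 'AL32UTF8'), c_typ, cur_key, v_iv));
  END;
  FUNCTION decrypt_val(p_cipher IN RAW) RETURN VARCHAR2 IS
  BEGIN
    IF p_cipher IS NULL THEN RETURN NULL; END IF;
    RETURN UTL_I18N.RAW_TO_CHAR(DBMS_CRYPTO.DECRYPT(UTL_RAW.SUBSTR(p_cipher, 17),
             c_typ, cur_key, UTL_RAW.SUBSTR(p_cipher, 1, 16)), 'AL32UTF8');
  END;
END field_crypt;
/
ALTER TABLE customer RENAME TO customer_enc;
ALTER TABLE customer_enc ADD (ssn_enc RAW(64));  -- 16-byte IV + padded ciphertext
UPDATE customer_enc SET ssn_enc = field_crypt.encrypt_val(ssn);
ALTER TABLE customer_enc DROP COLUMN ssn;
CREATE OR REPLACE VIEW customer AS  -- same table and column names the application uses
  SELECT id, name, field_crypt.decrypt_val(ssn_enc) AS ssn FROM customer_enc;
CREATE OR REPLACE TRIGGER customer_write INSTEAD OF INSERT OR UPDATE ON customer FOR EACH ROW
BEGIN  -- ssn is an expression in the view, so writes are redirected here
  IF INSERTING THEN
    INSERT INTO customer_enc (id, name, ssn_enc)
    VALUES (:NEW.id, :NEW.name, field_crypt.encrypt_val(:NEW.ssn));
  ELSE
    UPDATE customer_enc SET name = :NEW.name, ssn_enc = field_crypt.encrypt_val(:NEW.ssn) WHERE id = :OLD.id;
  END IF;
END;
/
```

Any session that can query the view or call SYS_CONTEXT on KEY_CTX sees the plaintext or the key, so this covers only the stolen-files and stolen-backups case raised in the thread. Pass the key to open_key through a bind variable so it does not land in the shared SQL area as a literal.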

Author Comment

ID: 26306656
We're mostly interested in protecting against stolen data, not live hacking, but we would definitely need to have the encryption key stored outside the database. We have an appointment to talk with our Oracle account rep about options, and in the meantime, I'll just leave this open in case anyone else has any other ideas.
LVL 77

Expert Comment

by: slightwv (Netminder)
ID: 27286856
I suggest even split as follows:

accept http:#26297331


Question has a verified solution.