Oracle Database Encryption Options on Amazon RDS
As a solutions architect at Amazon Web Services (AWS), I get opportunities to answer customer and partner queries. Many queries require extensive research.
This post is an outcome of my research on various encryption options such as Oracle Transparent Data Encryption (TDE) and Oracle Native Network Encryption (NNE) and SSL options on Amazon RDS. It explains how Amazon RDS supports Oracle TDE, Oracle NNE, and SSL.
If you are an architect or a developer, this post will help you plan and configure storage and network encryption on Amazon RDS. You should be aware of the need to encrypt data at rest and how Oracle TDE, Oracle NNE, and SSL can help you achieve your encryption goals.
Oracle Database uses authentication, authorization, and auditing mechanisms to secure data in the database, but not in the operating system data files where data is stored. To protect these data files, Oracle Database provides Transparent Data Encryption (TDE). TDE encrypts sensitive data stored in data files. To prevent unauthorized decryption, TDE stores the encryption keys in a security module external to the database.
TDE enables you to encrypt sensitive data, such as credit card numbers, stored in tables and tablespaces. Encrypted data is transparently decrypted for a database user or application that has access to data. TDE helps protect data stored on media in the event that the storage media or data file gets stolen.
Database users and applications do not need to manage key storage or create auxiliary tables, views, and triggers. An application that processes sensitive data can use TDE to provide strong data encryption with little or no change to the application.
TDE supports the Advanced Encryption Standard (AES-256, AES-192, and AES-128), and the Triple Data Encryption Algorithm (3DES).
Amazon RDS provides two distinct ways to perform Oracle DB instance encryption at rest:
Oracle Native Network Encryption (NNE) and SSL protect the confidentiality of Oracle data as it is transmitted across the network. Encrypting Oracle network traffic safeguards sensitive data such as social security numbers, credit card numbers and other personally identifiable information against packet sniffing. From Oracle 10.2.0.1 onward, Native Network Encryption and TCP/IP with SSL are no longer part of the Advanced Security Option. Amazon RDS for Oracle provides these options on all editions.
How to perform TDE using Option Groups for Amazon RDS for Oracle
Oracle TDE supports two encryption modes: TDE tablespace encryption and TDE column encryption. TDE tablespace encryption is used to encrypt entire application tables. TDE column encryption is used to encrypt individual data elements that contain sensitive data. You can also apply a hybrid encryption solution that uses both TDE tablespace and column encryption.
Amazon RDS uses option groups to enable and configure additional features that make it easier to manage data and databases, and to provide additional security for your database. The TDE option is a permanent option that cannot be removed from an option group. Once associated, that option group cannot be removed from a DB instance. You cannot disable TDE from a DB instance once that instance is associated with an option group with the Oracle TDE option.
Amazon RDS manages the Oracle Wallet and TDE master key for the DB instance. You do not need to set the encryption key using the command ALTER SYSTEM set encryption key.
The process for using Oracle TDE with Amazon RDS is as follows:
- You can create an option group and add the TDE option or modify the associated option group to add the TDE option if the DB instance is not associated with an option group that has the TDE option enabled. For information about creating or modifying an option group, see Working with Option Groups. For information about adding an option to an option group, see Adding an Option to an Option Group.
- Associate the DB instance with the option group with the TDE option. For information about associating a DB instance with an option group, see Modifying a DB Instance Running the Oracle Database Engine.
If you no longer want to use the TDE option with a DB instance, you must decrypt all your data on the DB instance, copy the data to a new DB instance that is not associated with an option group with TDE enabled, and then delete the original instance. You can rename the new instance to be the same as the previous DB instance if you prefer.
How to perform encryption using AWS CloudHSM for Amazon RDS for Oracle TDE
AWS CloudHSM is a service that lets you use a hardware appliance called a hardware security module (HSM) for secure key storage and cryptographic operations. You can use AWS CloudHSM with an Oracle Enterprise Edition DB instance to store TDE keys when using Oracle TDE. You enable an Amazon RDS DB instance to use AWS CloudHSM by setting up an HSM appliance, setting the proper permissions for cross-service access, and then setting up Amazon RDS and the DB instance that will use AWS CloudHSM.
To use AWS CloudHSM with an Amazon RDS Oracle DB instance, you must complete the following tasks:
When you complete the entire setup, you should have the following AWS components:
- An AWS CloudHSM control instance that will communicate with the HSM appliance using port 22, and the AWS CloudHSM endpoint. The AWS CloudHSM control instance is an EC2 instance that is in the same VPC as the HSMs and is used to manage the HSMs.
- An Amazon RDS Oracle DB instance that will communicate with the Amazon RDS service endpoint, as well as the HSM appliance, using port 1792.
How to perform encryption with AWS KMS
The AWS Key Management Service (AWS KMS) makes it easy for you to create and control the keys used to encrypt your data. AWS KMS is integrated with other AWS services, including Amazon Elastic Block Store (Amazon EBS), Amazon Simple Storage Service (Amazon S3), Amazon Redshift, Amazon Elastic Transcoder, Amazon WorkMail, and Amazon Relational Database Service (Amazon RDS), to make it simple to encrypt your data with encryption keys that you manage.
AWS KMS is the default option used to perform encryption in Amazon RDS for Oracle databases. While creating an Oracle 11g Enterprise Edition Database instance, you can optionally choose encryption.
How to enable Oracle Native Network Encryption for Amazon RDS for Oracle
Native network encryption (NNE) gives you the ability to encrypt database connections, without the configuration overhead of TCP/IP and SSL/TLS and without the need to open and listen on different ports. NNE not only encrypts the connections but also checks the integrity of the communication by comparing checksums.
Amazon RDS for Oracle uses option groups to enable and configure NNE. The NNE is not a permanent option, so the option can be removed if you no longer want to use the option. To use Oracle Native Network Encryption option on an Amazon RDS Oracle DB instance, you must follow the Oracle Native Network Encryption task.
How to enable Secure Socket Layer (SSL) connection for Amazon RDS for Oracle
You enable SSL encryption for an Amazon RDS Oracle DB instance by adding the Oracle SSL option to the option group associated with the DB instance. Amazon RDS uses a second port for SSL connections which allows clear text communication and SSL-encrypted connections to establish between an Amazon RDS Oracle DB instance and a client.
To establish SSL connection on an Amazon RDS Oracle DB instance, you must complete the following task:
You can use various clients such as Oracle SQL*Plus and JDBC client to connect to an Amazon RDS Oracle instance. You can reference the following sections to configure those clients.
In this post, I described how you can implement Oracle TDE, Oracle NNE, and SSL successfully on Amazon RDS, and also touched upon some important security and encryption services like Amazon KMS and AWS CloudHSM. If you’d like more information, you may find the security and compliance track at re:Invent useful.