MySQL, Oracle and SQL Server: enabling built-in encryption

Enable table-level encryption for MySQL, tablespace-level encryption for Oracle, and database-level encryption for SQL Server.

Database encryption configuration

db-mysql

MySQL encrypts individual database tables with a master key held by the keyring plug-in; this is table-level encryption.

Prerequisites

1. Refer to the official MySQL documentation on InnoDB data-at-rest encryption.

Configuration

1. Check the version number

mysql> SELECT @@version;
+-----------+
| @@version |
+-----------+
| 5.7.33    |
+-----------+
1 row in set (0.00 sec)

2. Go to the MySQL installation path (you can try other paths; I tried them without success)

[root@clear mysql]# chmod -R 750 keyring/
[root@clear mysql]# chown -R mysql.mysql keyring
# Running this immediately after setting the permissions may produce an error: -bash: chown -R mysql.mysql keyring: command not found

3. Install the keyring plug-in with SQL (the file configuration only takes effect after a restart, and there is no guarantee that the user will restart, so the plug-in is also loaded at run time with a SQL command, which takes effect immediately; after a restart, the run-time SQL configuration is lost)

mysql> install plugin keyring_file soname 'keyring_file.so';   # pasting this statement may produce a syntax error; typing it by hand is recommended
Query OK, 0 rows affected (0.00 sec)

4. Specify the directory for the keyring plug-in

mysql> set global keyring_file_data='/var/lib/mysql/keyring/keyring';
Query OK, 0 rows affected (0.00 sec)

5. Configure the my.cnf file (to prevent the plug-in configured by the command from becoming invalid upon restart)

[mysqld]
early-plugin-load=keyring_file.so
keyring_file_data=/var/lib/mysql/keyring/keyring

SQL configuration

1. Check the version

SELECT VERSION();

2. Check the encryption plug-in status

mysql> SELECT PLUGIN_NAME, PLUGIN_STATUS
    ->        FROM INFORMATION_SCHEMA.PLUGINS
    ->        WHERE PLUGIN_NAME LIKE 'keyring%';
+--------------+---------------+
| PLUGIN_NAME  | PLUGIN_STATUS |
+--------------+---------------+
| keyring_file | ACTIVE        |
+--------------+---------------+
1 row in set (0.00 sec)

3. Turn encryption on and off

USE database_name;                -- database_name: the database holding the table
ALTER TABLE aaa ENCRYPTION='N';   -- turn encryption off for table aaa
ALTER TABLE aaa ENCRYPTION='Y';   -- turn encryption on for table aaa
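The two MySQL passages above (the my.cnf/keyring file setup and the SQL commands) leave out the checks that tell you whether a table really ended up encrypted. The following is an added example, not code from the original post: it verifies the plug-in and its file path, checks the file-per-table prerequisite, creates an encrypted table, audits a schema for tables that are still unencrypted, and rotates the master key. The schema name `appdb` and table `customer` are hypothetical; the keyring path is the one used in the post.

```sql
-- Added example (not from the original post). MySQL 5.7 with keyring_file.
-- Hypothetical names: schema appdb, table customer.

-- 1. The keyring plug-in must be ACTIVE and keyring_file_data must point at the
--    file configured in my.cnf; otherwise ALTER TABLE ... ENCRYPTION='Y' fails.
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM INFORMATION_SCHEMA.PLUGINS
 WHERE PLUGIN_NAME LIKE 'keyring%';
SELECT @@keyring_file_data;

-- 2. Table-level encryption in 5.7 only works for file-per-table tablespaces;
--    a table stored in the shared system tablespace cannot be encrypted.
SELECT @@innodb_file_per_table;   -- expected: 1

-- 3. Create a new encrypted table, or convert an existing one.
CREATE DATABASE IF NOT EXISTS appdb;
USE appdb;
CREATE TABLE IF NOT EXISTS customer (
  id    INT PRIMARY KEY,
  email VARCHAR(255) NOT NULL
) ENGINE=InnoDB ENCRYPTION='Y';
-- Converting an existing table rewrites the whole tablespace file:
-- ALTER TABLE customer ENCRYPTION='Y';

-- 4. Verify: encrypted tables carry ENCRYPTION="Y" in CREATE_OPTIONS.
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
  FROM INFORMATION_SCHEMA.TABLES
 WHERE TABLE_SCHEMA = 'appdb';

-- 5. Audit: list InnoDB tables outside the system schemas that are NOT encrypted.
SELECT TABLE_SCHEMA, TABLE_NAME
  FROM INFORMATION_SCHEMA.TABLES
 WHERE ENGINE = 'InnoDB'
   AND TABLE_SCHEMA NOT IN ('mysql', 'information_schema', 'performance_schema', 'sys')
   AND COALESCE(CREATE_OPTIONS, '') NOT LIKE '%ENCRYPTION="Y"%';

-- 6. Rotate the master key. Only the per-tablespace keys are re-encrypted,
--    so this is cheap and does not rewrite table data.
ALTER INSTANCE ROTATE INNODB MASTER KEY;
```

Two points to keep in mind when reading the results: the audit in step 5 is what you should run after a restart, because a table created while the plug-in was only loaded by the run-time INSTALL PLUGIN command is still encrypted, but the server will not open it until the keyring is loaded again via early-plugin-load. And keyring_file keeps the master key in a plain file on the same host, which is why the chmod/chown step matters: it protects data files and backups that leave the host, not data against someone who can already read the keyring file.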

db-oracle

Oracle encrypts at the tablespace level: an encrypted tablespace is created and existing tables are migrated into it.

Encryption prerequisites

1. Refer to Oracle's official documentation on using Transparent Data Encryption to protect stored data.

Configure encryption

Overview diagram (image not reproduced in this extraction)

File configuration

1. Create the wallet

[root@localhost ~]# su - oracle
[oracle@localhost orcl]$ mkdir $ORACLE_BASE/admin/orcl/wallet  # create the wallet directory
[oracle@localhost wallet]$ cd $ORACLE_BASE/
[oracle@localhost oracle]$ pwd
/u01/app/oracle
[oracle@localhost oracle]$ find $ORACLE_BASE/ -name sqlnet.ora  # locate the sqlnet.ora file
/u01/app/oracle/product/12.0.4/db_1/network/admin/samples/sqlnet.ora
[oracle@localhost oracle]$ vi /u01/app/oracle/product/12.0.4/db_1/network/admin/samples/sqlnet.ora
#------------------------------------------------------------ add the following content
ENCRYPTION_WALLET_LOCATION=
    (SOURCE=
        (METHOD=FILE)
        (METHOD_DATA=
        (DIRECTORY=$ORACLE_BASE/admin/orcl/wallet)
        )
)

2. Enable encryption (as SYS)

-- set the master encryption key; this also creates and opens the wallet
alter system set encryption key identified by "123456";
-- open / close the wallet
alter system set wallet open identified by "123456";
alter system set wallet close identified by "123456";

3. Determine whether the wallet is open

select * from v$encryption_wallet;

Notice
Notice

Moving a table into another tablespace invalidates its indexes, so the indexes must be rebuilt afterwards.
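The post creates the wallet and the master key but does not show the tablespace migration itself or the index rebuild the notice above calls for. The following is an added example, not code from the original post: it checks which wallet directory the instance actually picked up, creates an encrypted tablespace, moves a table into it, rebuilds the indexes that the move left unusable, and confirms nothing of the table remains in an unencrypted tablespace. The tablespace name ENC_TS, the datafile path, and the schema/table APP.CUSTOMER with its index CUSTOMER_PK are hypothetical.

```sql
-- Added example (not from the original post). Run as a DBA user with the wallet open.
-- Hypothetical names: tablespace ENC_TS, schema APP, table CUSTOMER, index CUSTOMER_PK.

-- 1. Confirm the wallet is OPEN and check WRL_PARAMETER: it shows the directory the
--    instance really read from sqlnet.ora. Oracle reads $ORACLE_HOME/network/admin/sqlnet.ora
--    (or $TNS_ADMIN), not the copy under network/admin/samples, so if the directory
--    shown is not the one you configured, the wrong sqlnet.ora was edited.
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

-- 2. Create a tablespace whose datafile is encrypted with AES-256.
CREATE TABLESPACE enc_ts
  DATAFILE '/u01/app/oracle/oradata/orcl/enc_ts01.dbf' SIZE 100M AUTOEXTEND ON
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 3. Verify the tablespace is flagged as encrypted.
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'ENC_TS';
SELECT ts#, encryptionalg, encryptedts FROM v$encrypted_tablespaces;

-- 4. Migrate an existing table. MOVE rewrites the table segment into the encrypted
--    tablespace; the old blocks in the unencrypted tablespace are released.
ALTER TABLE app.customer MOVE TABLESPACE enc_ts;

-- 5. The move leaves the table's indexes UNUSABLE. List them, then rebuild each one,
--    placing it in the encrypted tablespace as well so index blocks are protected too.
SELECT owner, index_name, status, tablespace_name
  FROM dba_indexes
 WHERE table_owner = 'APP' AND table_name = 'CUSTOMER';
ALTER INDEX app.customer_pk REBUILD TABLESPACE enc_ts;   -- repeat for every index listed

-- 6. Confirm that every segment belonging to the table now lives in ENC_TS.
SELECT segment_name, segment_type, tablespace_name
  FROM dba_segments
 WHERE owner = 'APP' AND segment_name IN ('CUSTOMER', 'CUSTOMER_PK');
```

Step 4 needs free space for a second copy of the table while the move runs, and the table is not updatable during the move, so schedule it per table. Repeat steps 5 and 6 until dba_indexes reports STATUS = 'VALID' for every index; an UNUSABLE index causes errors for statements that would use it.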

db-sqlserver

SQL Server first protects a certificate with the master key and then encrypts the database with a key protected by that certificate; this is database-level encryption.

Encryption prerequisites

1. Refer to the official SQL Server documentation on Transparent Data Encryption (TDE).

Overview diagrams (images not reproduced in this extraction)

Encryption configuration

1. Switch to the master database (the commented lines are auxiliary queries)

use master;
-- drop the database master key
-- drop MASTER KEY;
-- check whether the database master key exists
-- select name, is_master_key_encrypted_by_server from sys.databases

2. Create the master key from a password of your choice

CREATE MASTER KEY ENCRYPTION BY PASSWORD = '密码';   -- '密码' is a placeholder for the password

3. Create a certificate

CREATE CERTIFICATE 证书名 WITH SUBJECT = '测试主题';   -- 证书名 = certificate name, '测试主题' = subject text
-- drop the encryption certificate
-- DROP CERTIFICATE TDE_Server_Certificate

4. Back up the key (the statement shown backs up the master key and is confirmed to work; other forms still need to be checked; the steps above are only performed once)

BACKUP MASTER KEY TO FILE = '位置\文件名' ENCRYPTION BY PASSWORD = '密码';   -- '位置\文件名' = path\filename, '密码' = password

5. Switch user database

use 用户数据库;   -- 用户数据库 is a placeholder for the user database name

6. Create the database encryption key from an algorithm and the certificate

CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_128 ENCRYPTION BY SERVER CERTIFICATE 证书名;   -- 证书名 = the certificate created in step 3
-- drop the database encryption key
-- DROP DATABASE ENCRYPTION KEY;
-- change the certificate that protects the database encryption key
-- ALTER DATABASE ENCRYPTION KEY ENCRYPTION BY SERVER CERTIFICATE HTDE
-- list certificates
-- SELECT * FROM sys.certificates

7. Turn on database encryption

ALTER DATABASE 用户数据库 SET ENCRYPTION ON;   -- 用户数据库 = user database name

8. Check whether the database is encrypted

SELECT is_encrypted FROM sys.databases WHERE name = '数据库名';   -- '数据库名' = database name

9. List the encrypted databases

-- encryption_state = 3 means the database is fully encrypted
SELECT * FROM sys.dm_database_encryption_keys WHERE encryption_state = 3;
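The SQL Server steps above are scattered across several snippets and back up only the master key; a TDE-encrypted database (or its backup files) cannot be restored on another instance without the certificate and its private key. The following is an added example, not code from the original post: one script that performs the setup idempotently, backs up the certificate with its private key, and then reports the encryption state of the user database and tempdb. The database name AppDB, the certificate name TDE_Cert, the C:\tde_backup\ paths and the CHANGE_ME passwords are placeholders. It uses AES_256 where the post uses AES_128; either is accepted by CREATE DATABASE ENCRYPTION KEY.

```sql
-- Added example (not from the original post). Placeholders: AppDB, TDE_Cert,
-- C:\tde_backup\, CHANGE_ME_* passwords.

USE master;
GO

-- 1. Database master key in master. The name check avoids the error you get
--    from creating it twice on an instance that already has one.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'CHANGE_ME_master_key_password';
GO

-- 2. Certificate that will protect the database encryption key.
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'TDE_Cert')
    CREATE CERTIFICATE TDE_Cert WITH SUBJECT = 'TDE certificate for AppDB';
GO

-- 3. Back up the certificate WITH its private key and store both files plus the
--    password off the server. This, not the master key backup, is what a restore
--    of AppDB on another instance requires.
BACKUP CERTIFICATE TDE_Cert
    TO FILE = 'C:\tde_backup\TDE_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\tde_backup\TDE_Cert.pvk',
        ENCRYPTION BY PASSWORD = 'CHANGE_ME_private_key_password');
GO

-- 4. Database encryption key inside the user database, protected by the certificate.
USE AppDB;
GO
IF NOT EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys WHERE database_id = DB_ID())
    CREATE DATABASE ENCRYPTION KEY
        WITH ALGORITHM = AES_256
        ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;
GO

-- 5. Turn encryption on. Existing pages are encrypted by a background scan,
--    so the database is usable immediately but not yet fully protected.
ALTER DATABASE AppDB SET ENCRYPTION ON;
GO

-- 6. Verify. encryption_state: 0 no key, 1 unencrypted, 2 encryption in progress,
--    3 encrypted, 4 key change in progress, 5 decryption in progress,
--    6 protection change in progress. Re-run until AppDB reports 3 and
--    percent_complete is 0. tempdb is encrypted automatically once any user
--    database is, which is why it is included here.
SELECT d.name, d.is_encrypted, k.encryption_state, k.percent_complete,
       k.key_algorithm, k.key_length, c.name AS certificate_name
  FROM sys.databases AS d
  LEFT JOIN sys.dm_database_encryption_keys AS k ON k.database_id = d.database_id
  LEFT JOIN master.sys.certificates AS c ON c.thumbprint = k.encryptor_thumbprint
 WHERE d.name IN ('AppDB', 'tempdb');
GO
```

Run the script in SQL Server Management Studio or sqlcmd, since the GO batch separators are not T-SQL. The verification query in step 6 is also the one to schedule as a recurring check: a database whose row shows is_encrypted = 1 but encryption_state other than 3 is still being scanned, and a certificate_name of NULL means the key is protected by something other than a certificate in master.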

Origin blog.csdn.net/weixin_43889494/article/details/114405529