
For Oracle TDE, there is both the option to add salt to the plaintext (the default) or to ignore salt (using the NO SALT parameter).

  1. I wanted to know if the salt is unique per row/record in a table or common across all rows in a single table.
  2. Is there any way to see the encrypted value as the result of a query? (Opening the wallet gives you the actual decrypted value, and I'm getting an error trying to query without opening the wallet and setting the master key.)
Prasanth Ravi

1 Answer


Regarding your questions:

  1. SALT is a random value generated at row level. As you well know, in cryptography, salt is a way to strengthen the security of encrypted data by adding a random string to the data before it is encrypted, making it more difficult for attackers to steal. As it is random, there is always a possibility of non-uniqueness, but normally it should be unique. Those 16 bytes are added to the column, something you can see with a dump of the block. SALT cannot be used on indexed columns.
  2. There is no way to do that; that is precisely the objective of TDE. In order to query the data you need to open the wallet. When your database contains tables and columns encrypted with TDE, DBAs normally configure the wallet with auto-login, so you don't need to open it manually after a restart.

If you want to have the option to query the data at will, with or without encryption and without depending on a wallet, you can use DBMS_CRYPTO in a package to store the data, using functions to encrypt or decrypt at will. You have a good example of this last point here:

https://oracle-base.com/articles/10g/database-security-enhancements-10g#dbms_crypto

Roberto Hernandez
  • Thanks for the answer. Let me rephrase the first question: is the SALT different for each row in the table, or is the SALT common for all rows in a particular table? – Prasanth Ravi Jul 16 '20 at 12:52
  • It is different for each row, because the value is random and generated at runtime. It is added specifically at the end of the row, so in case you disable it Oracle knows which characters need to be removed from the encrypted value. – Roberto Hernandez Jul 16 '20 at 12:55
  • You'd need the salt to decrypt the data, so Oracle would store the salt for each row, right? The context for this is that I'm trying to see if I can implement encryption/decryption (but at application level) for a database that does not have TDE atm. And I wanted to see if I can use a similar design to Oracle, because of it being a major player. And salt per record is hard because you'd need to query for the salt before you can decrypt the data, but any identification would still need to be encrypted for the record. – Prasanth Ravi Jul 16 '20 at 13:00
  • If you want to implement encryption/decryption and have some control, use your own PL/SQL code with DBMS_CRYPTO, without SALT and without using TDE. – Roberto Hernandez Jul 16 '20 at 13:26
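The package below is an added example written for this page; it is not code from the answer, the comments, or the linked oracle-base article. It shows the DBMS_CRYPTO approach the answer suggests, and it also addresses the concern in the last comments about per-row salt: as with TDE, the random 16 bytes are stored together with the ciphertext in the same column (here in front of it, as the AES-CBC IV), so decryption never needs a second lookup to find the salt. The package name app_crypto, the function names encrypt_salted/decrypt_salted, the constant c_iv_len and the demo key are all assumptions made for the example; it also assumes the schema has been granted EXECUTE on DBMS_CRYPTO, and key storage (wallet, KMS, or otherwise) is deliberately left out of scope.

```sql
-- Added example, not from the original answer or from Oracle.
-- Assumes: GRANT EXECUTE ON DBMS_CRYPTO TO <schema>; the 32-byte AES key is
-- supplied by the caller (how it is stored and protected is out of scope).
CREATE OR REPLACE PACKAGE app_crypto AS
  -- Size of the random per-row value stored in front of the ciphertext
  -- (same size as the SALT TDE adds to a salted column).
  c_iv_len CONSTANT PLS_INTEGER := 16;

  FUNCTION encrypt_salted(p_plain IN VARCHAR2, p_key IN RAW) RETURN RAW;
  FUNCTION decrypt_salted(p_stored IN RAW,     p_key IN RAW) RETURN VARCHAR2;
END app_crypto;
/

CREATE OR REPLACE PACKAGE BODY app_crypto AS
  -- AES-256 in CBC mode with PKCS#5 padding. CBC needs an IV that is unique
  -- per encryption; the random per-row value is exactly that.
  c_mode CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                               + DBMS_CRYPTO.CHAIN_CBC
                               + DBMS_CRYPTO.PAD_PKCS5;

  FUNCTION encrypt_salted(p_plain IN VARCHAR2, p_key IN RAW) RETURN RAW IS
    l_iv  RAW(16);
    l_enc RAW(32767);
  BEGIN
    IF p_plain IS NULL THEN
      RETURN NULL;
    END IF;
    -- Fresh random 16 bytes for every call, i.e. for every row written.
    l_iv  := DBMS_CRYPTO.RANDOMBYTES(c_iv_len);
    l_enc := DBMS_CRYPTO.ENCRYPT(
               src => UTL_I18N.STRING_TO_RAW(p_plain, 'AL32UTF8'),
               typ => c_mode,
               key => p_key,
               iv  => l_iv);
    -- Store IV || ciphertext in a single column, so the reader can recover
    -- the per-row value without a separate query.
    RETURN UTL_RAW.CONCAT(l_iv, l_enc);
  END encrypt_salted;

  FUNCTION decrypt_salted(p_stored IN RAW, p_key IN RAW) RETURN VARCHAR2 IS
    l_iv  RAW(16);
    l_enc RAW(32767);
    l_dec RAW(32767);
  BEGIN
    IF p_stored IS NULL THEN
      RETURN NULL;
    END IF;
    -- Split the stored value back into the 16-byte IV and the ciphertext.
    l_iv  := UTL_RAW.SUBSTR(p_stored, 1, c_iv_len);
    l_enc := UTL_RAW.SUBSTR(p_stored, c_iv_len + 1);
    l_dec := DBMS_CRYPTO.DECRYPT(src => l_enc, typ => c_mode,
                                 key => p_key, iv  => l_iv);
    RETURN UTL_I18N.RAW_TO_CHAR(l_dec, 'AL32UTF8');
  END decrypt_salted;
END app_crypto;
/

-- Demonstration: encrypting the same plaintext twice stores two different
-- values (different random IV each time), and both decrypt correctly.
-- The key is generated on the fly for the demo only.
DECLARE
  l_key   RAW(32) := DBMS_CRYPTO.RANDOMBYTES(32);
  l_plain VARCHAR2(30) := 'constructed sample value';
  l_a     RAW(2000);
  l_b     RAW(2000);
BEGIN
  l_a := app_crypto.encrypt_salted(l_plain, l_key);
  l_b := app_crypto.encrypt_salted(l_plain, l_key);

  DBMS_OUTPUT.PUT_LINE('same stored value? ' ||
    CASE WHEN UTL_RAW.COMPARE(l_a, l_b) = 0 THEN 'yes' ELSE 'no' END);
  DBMS_OUTPUT.PUT_LINE('round trip ok?     ' ||
    CASE WHEN app_crypto.decrypt_salted(l_a, l_key) = l_plain
          AND app_crypto.decrypt_salted(l_b, l_key) = l_plain
         THEN 'yes' ELSE 'no' END);
END;
/
```

Two consequences follow directly from the design, and they match what the answer says about TDE. First, because the stored value is randomised per row, a B-tree index on the column is useless for equality lookups, which is the same reason TDE refuses SALT on indexed columns; if you need to search on the column, you are back to a deterministic scheme (fixed IV or ECB), accepting that equal plaintexts then produce equal ciphertexts. Second, CBC gives confidentiality only: anyone who can modify the column can alter the stored bytes without detection, so for production use add an integrity check, for example DBMS_CRYPTO.MAC with HMAC_SH256 over the IV-plus-ciphertext value, verified before decrypting.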