
Given a requirement from a customer, they want to anonymize their DB for their development team, but they are asking if primary keys can be encrypted. By looking a bit into the Oracle TDE documentation, it seems this is not possible...

Is there an approach to this?

Juan Zamora
  • TDE is Transparent Data Encryption so it would only encrypt data at rest, not when it is queried. It seems unlikely that using TDE would be a part of hiding sensitive information from the development team regardless of what columns we're talking about. Assuming that the goal is to give the development team access to a development database with obfuscated data, the Enterprise Manager Data Masking and Subsetting Packs https://www.oracle.com/database/technologies/security/data-masking-subsetting.html would be a reasonable place to start. – Justin Cave Sep 05 '20 at 12:50
  • Thanks Justin for your answer. My question is more on the primary key. Let's say for example that SSN is the primary key of a table. Is it possible to encrypt this column? I know TDE does not encrypt primary keys. Thanks! – Juan Zamora Sep 07 '20 at 15:38
  • Are you looking to encrypt the data at rest, which is what TDE does? The T in TDE is transparent so the data will be decrypted automatically and transparently when it is read. It seems unlikely that is what you want to do given your description. If it is, though, there is no problem encrypting primary keys. Simply encrypt the tablespace rather than selectively encrypting the sensitive columns. – Justin Cave Sep 07 '20 at 15:48
  • Yes sir, at rest. So tablespace encryption will encrypt all the columns including the PK then? – Juan Zamora Sep 07 '20 at 16:40
  • Yes. It'll encrypt everything. Of course, that won't hide any information from the development team who will simply see the data in the clear when they query it. It is really hard to see describing that as "anonymizing the database" but it'll definitely encrypt the data at rest. – Justin Cave Sep 07 '20 at 21:24
  • Oh I see, the encryption is just at the files that contain the info and not the data per se. Ok, so this is good for someone that steals a backup or so, as they won't have a key to open the data, but open to everybody else in the org. – Juan Zamora Sep 08 '20 at 03:12

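An added example, not part of the original thread, of the tablespace encryption discussed in the comments: the primary key column and its index are encrypted in the datafile, yet any session allowed to query the table still reads cleartext. It assumes a TDE keystore is already open with a master encryption key set; the tablespace, datafile, table and sample row are hypothetical.

```sql
-- Assumption: the TDE keystore is configured and open, with a master key set.
-- All names, the datafile and the sample row are hypothetical/constructed.

-- Every block written to this tablespace is encrypted on disk,
-- so no per-column ENCRYPT clause is needed, even for the primary key.
CREATE TABLESPACE secure_ts
  DATAFILE 'secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- Keep the primary key index in the encrypted tablespace as well;
-- an index left in an unencrypted tablespace would store the SSN
-- values in the clear on disk.
CREATE TABLE customers (
  ssn        VARCHAR2(11)
             CONSTRAINT customers_pk PRIMARY KEY
             USING INDEX TABLESPACE secure_ts,
  full_name  VARCHAR2(100) NOT NULL
) TABLESPACE secure_ts;

INSERT INTO customers (ssn, full_name)
VALUES ('000-00-0000', 'Constructed Sample');
COMMIT;

-- Check 1: the data dictionary reports the tablespace as encrypted.
SELECT tablespace_name, encrypted
FROM   dba_tablespaces
WHERE  tablespace_name = 'SECURE_TS';

-- Check 2: decryption is transparent. A developer account with SELECT
-- on the table sees the real SSN, so this protects stolen datafiles
-- and backups, not data exposed through queries.
SELECT ssn, full_name
FROM   customers;
```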