Skip to Main Content
  • Questions

  • A theoretical question based on Data block encryption (TDE)

Breadcrumb

Question and Answer

Connor McDonald

Thanks for the question, Vicky .

Asked: June 13, 2023 - 7:25 pm UTC

Last updated: July 03, 2023 - 2:27 am UTC

Version: 19c

Viewed 1000+ times

You Asked

Hallo Everyone!

I am a student and currently writing a Project on Transparent Data Encryption in collaboration with a company which deployed some On-Premises Oracle Databases. I have read about how the logical structures in oracle are, how each block has a Data Block Overhead to store information about the Block and how row pieces in a data block have their header too to store information about the row piece itself. My question is:

When I encrypt a tablespace with Transparent Data Encryption, which part of the data block exactly gets encrypted? Are the header information also encrypted or it is only the column data parts of every row pieces of every data blocks relevant to that specific tablespace that gets encrypted?

If I assume that every part of a data block is encrypted, would not it be a problem to locate and manage data blocks? Or if at all, the whole data block gets encrypted, then my question would be: Should not the whole tablespace be read and cached to buffer to manage and access data blocks?

Greetings
Vicky

and Connor said...

TDE encrypts the data at rest, not when its in database memory, so the concern with metadata in the block (header or otherwise) is not an issue.

(Theoretical example here).

I need to scan a table and find a row where SURNAME = 'SMITH'. That (loosely) consists of (assuming nothing already in memory)

- read locally managed tablespace bitmap to find segment header block location for table
- read segment header block and extract extent info from it
- read batch of blocks from 1st extent
- for each block, read block header, find row locations in the block
- go through row, scan along until "SURNAME" column found, look for SMITH

In a TDE scenario, pretty much nothing changes ... except some decryption along the way ("extra" steps with an "*")

- read locally managed tablespace bitmap to find segment header block location for table
* - issue read request to segment header block. Get from disk, decrypt it, load into memory
- read segment header block and extract extent info from it
- read batch of blocks from 1st extent
* - decrypt each block as read from disk
- for each block, read block header, find row locations in the block
- go through row, scan along until "SURNAME" column found, look for SMITH

Thus by the time the "heavy lifting" (of getting the data from disk into memory) is done...the block is now decrypted and is utilised as per normal.

Hope that helps

Rating

  (1 rating)

We're not taking comments currently, so please try again later if you want to add a comment.

Comments

Thank you for the nice explaination !!!

Vicky Sharma, June 30, 2023 - 6:47 am UTC

Thank you so much Conor, i understood it.

I tried implementing TDE for a user created tablespace and it worked fine. After verifying the datafile of the tablespace with DBVERIFY utility i get the following result:

[oracle@v01edv13 myPDB1]$ dbv file=mypdb1tablespace.dbf

DBVERIFY: Release 19.0.0.0.0 - Production on Thu Jun 29 15:32:10 2023

Copyright (c) 1982, 2019, Oracle and/or its affiliates.  All rights reserved.

DBVERIFY- Verification starting : FILE = /oracle/TDETEST/oradata/myPDB1/mypdb1tablespace.dbf


DBVERIFY - Verification complete

Total Pages Examined         : 12800
Total Pages Processed (Data) : 0
Total Pages Failing   (Data) : 0
Total Pages Processed (Index): 0
Total Pages Failing   (Index): 0
Total Pages Processed (Other): 1
Total Pages Processed (Seg)  : 0
Total Pages Failing   (Seg)  : 0
Total Pages Empty            : 12549
Total Pages Marked Corrupt   : 0
Total Pages Influx           : 0
Total Pages Encrypted        : 250
Highest block SCN            : 0 (0.0)



Can that one page that is not encrypted (12800-12549=251) be well the page for storing the bitmap of the tablespace, since you mentioned in the answer, that the bitmaps must be read first. This would mean the bitmap of the tablespace should not get encrypted, since they would be no way to begin with data retrieval from the storage?

Thank you so much


Connor McDonald
July 03, 2023 - 2:27 am UTC

Quite possibly. (I do not know for sure - it could be a file header style block or something like that),. but it defintely will not be a block that holds your data.
more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's latest video and Chris's latest video from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.

More to Explore

Administration

Need more information on Administration? Check out the Administrators guide for the Oracle Database