Enter value for new_data_tbs: data_002
Enter value for new_indx_tbs: indx_002
Enter value for old_indx_tbs: indx_001
Enter value for old_data_tbs: data_001
Enter value for owner: app_001
ALTER TABLE app_001.transactions MOVE TABLESPACE data_002;
ALTER INDEX app_001.transactions_pk REBUILD TABLESPACE indx_002;
ALTER INDEX app_001.transactions_ndx1 REBUILD TABLESPACE indx_002;
SQL> SET HEADING ON;
SQL> SET VERIFY ON;
SQL> SET ECHO ON;
SQL> -- execute script output
SQL> ALTER TABLE app_001.transactions MOVE TABLESPACE data_002;
Table altered.
SQL> ALTER INDEX app_001.transactions_pk REBUILD TABLESPACE indx_002;
Index altered.
SQL> ALTER INDEX app_001.transactions_ndx1 REBUILD TABLESPACE indx_002;
Index altered.
SQL> -- Check for any unusable indexes
SQL> SELECT owner, index_name, tablespace_name
2 FROM dba_indexes
3 WHERE STATUS = ’UNUSABLE’;
no rows selected
SQL> -- Gather new schema stats
SQL> EXEC dbms_stats.gather_schema_stats(’app_001’);
PL/SQL procedure successfully completed.
SQL> -- Check for remaining segments in old tablespaces
SQL> SELECT distinct owner
2 FROM dba_segments
3 WHERE tablespace_name IN (UPPER(’&&OLD_DATA_TBS’), UPPER(’&&OLD_INDX_TBS’));
old 3: WHERE tablespace_name IN (UPPER(’&&OLD_DATA_TBS’), UPPER(’&&OLD_INDX_TBS’))
new 3: WHERE tablespace_name IN (UPPER(’data_001’), UPPER(’indx_001’))
no rows selected
SQL> -- Check for users assigned to old tablespaces
SQL> SELECT username, default_tablespace FROM dba_users
2 WHERE default_tablespace IN (UPPER(’&&OLD_DATA_TBS’), UPPER(’&&OLD_INDX_TBS’));
old 2: WHERE default_tablespace IN (UPPER(’&&OLD_DATA_TBS’), UPPER(’&&OLD_INDX_TBS’))
new 2: WHERE default_tablespace IN (UPPER(’data_001’), UPPER(’indx_001’))
USERNAME DEFAULT_TABLESPACE
------------------------------ ------------------------------
APP_001 DATA_001
SQL> -- Assign new default tablespaces for users, as necessary
SQL> ALTER USER app_001
2 DEFAULT TABLESPACE data_002;
User altered.
SQL> -- List the data file names of old tablespaces
SQL> COL tablespace_name FOR A15;
SQL> COL file_name FOR A70;
SQL> SET LINES 100;
SQL> SELECT tablespace_name, file_name
2 FROM dba_data_files
3 WHERE tablespace_name IN (UPPER(’&&OLD_DATA_TBS’), UPPER(’&&OLD_INDX_TBS’));
old 3: WHERE tablespace_name IN (UPPER(’&&OLD_DATA_TBS’), UPPER(’&&OLD_INDX_TBS’))
new 3: WHERE tablespace_name IN (UPPER(’data_001’), UPPER(’indx_001’))
TABLESPACE_NAME FILE_NAME
--------------- ----------------------------------------------------------------------
DATA_001 /data01/oracle/db001/datafile/o1_mf_data_001_4m081w7m_.dbf
INDX_001 /data01/oracle/db001/datafile/o1_mf_indx_001_4m082l4q_.dbf
SQL> -- Drop old tablespaces, but keep data files in place
SQL> DROP TABLESPACE data_001
2 INCLUDING CONTENTS KEEP DATAFILES;
Tablespace dropped.
SQL> DROP TABLESPACE indx_001
2 INCLUDING CONTENTS KEEP DATAFILES;
Tablespace dropped.
SQL> -- Shred/remove old data files
SQL> HOST shred -n 200 -z -u /data01/oracle/db001/datafile/o1_mf_data_001_4m081w7m_.dbf
SQL> HOST shred -n 200 -z -u /data01/oracle/db001/datafile/o1_mf_indx_001_4m082l4q_.dbf
列表 3 删除剩余敏感数据的未加密虚副本需要一系列步骤才能解决很多相关性。
列表 3 中的最后一步针对特定的操作系统。在本例中,我演示了 Linux/Unix shred 实用程序的用法。其他您可能想探究的实用程序是 Linux/Unix wipe、scrub 和 srm 程序。
准备可能的重新生成密钥操作
我的客户还想做些准备以应对将来可能需要重新生成密钥的情况。为现有数据重新生成密钥意味着您要使用新密钥对现有数据重新加密。当您怀疑某人已经获得对现有表密钥的访问权限并且可能会在您的控制之外破解敏感数据时,可能需要执行该操作。
完成重新生成密钥操作的步骤与最初加密现有数据的步骤类似:删除目标列上的索引,重新生成该列数据的密钥,然后重建删除的索引。或者,如果您担心与使用以前的密钥加密的数据相对应的虚副本,可以重复将段移动到新表空间、删除旧表空间、然后清除旧表空间的数据文件的过程。
注:以我的经验,PCI 审计员会对重新生成万能加密密钥非常满意,因为该过程不需要访问任何数据,并且 PCI 标准不包含对 2 层密钥体系结构(如 Oracle 的体系结构)的建议。从符合 PCI 的角度看,重新生成万能加密密钥应该足够了,而且 PCI 审计员无法强制具有几十亿行的公司将其业务关闭几天,仅仅只是为了重新生成密钥。
确定可能的查询计划更改
Oracle 文档、若干文章以及我阅读过的一些论坛帖子几乎都提到了有关加密列的数据后现有查询执行计划可能发生更改的概要信息以及某些具体信息。一般来说,相对于没有索引的列,在加密具有索引的列时,您必须注意执行 SQL 语句所发生的情况。当 Oracle 加密具有索引的列时,Oracle 还将加密相应的索引值。如果您花点时间考虑这个问题,就会清楚地发现以具有索引的数据为目标的相等谓词应该继续利用索引,但由于该索引值存储在索引中的方式,加密值的随机性质使得加密索引的范围扫描成本过高。列表 4 演示了这些详细描述的基本情况。
SQL> CONNECT app_001
Enter password:
Connected.
SQL> -- Create a plan table
SQL> @?/rdbms/admin/utlxplan.sql;
Table created.
SQL> -- Disable encryption of the credit card column
SQL> ALTER TABLE app_001.transactions
2 MODIFY (credit_card DECRYPT);
Table altered.
SQL> -- Ensure schema stats are current
SQL> EXEC dbms_stats.gather_schema_stats(’app_001’);
PL/SQL procedure successfully completed.
SQL> -- Display some representative data
SQL> COL credit_card FOR 9999999999999999;
SQL> SELECT * FROM app_001.transactions
2 WHERE rownum < 5;
TRANS_ID CREDIT_CARD
---------- -----------------
389 3469681098409570
390 3441050723354352
391 3485598407754404
392 3485458104610650
SQL> -- Enable tracing and explain plan output
SQL> SET AUTOTRACE ON EXPLAIN;
SQL> -- Demonstrate an equality predicate targeting the
SQL> -- encrypted column
SQL> SELECT * FROM app_001.transactions
责任编辑:小草
您现在的位置: 