Document Type | Technical Information
Category | Security
Applicable Product Versions | 6FS06, 6FS07, 6FS07PS, 7FS01, 7FS02, 7FS02PS
Document Number | TSETI001
Overview
In Tibero, when you designate data to encrypt, such as tablespaces or columns (columns of tables or of tablespaces), the data is encrypted internally when it is stored and decrypted when it is queried.
This document explains how to set up encryption and describes the encryption algorithms.
Method
Tablespace Encryption
- Encryption is applied at the tablespace level. (Default: AES128 algorithm)
- Among Tibero-supported algorithms, only 3DES168, AES128, AES192, and AES256 can be used.
Example) Creating an encrypted tablespace - specifying 3DES168 algorithm
SQL> CREATE TABLESPACE encrypted_space
DATAFILE '/usr/tibero/data/encrypted001.dtf' SIZE 50M
AUTOEXTEND ON NEXT 1M
EXTENT MANAGEMENT LOCAL UNIFORM SIZE 256K
ENCRYPTION USING '3DES168'
DEFAULT STORAGE (ENCRYPT);
Tablespace 'ENCRYPTED_SPACE' created.
Column Encryption
- Encryption is applied at the table or column level. (Default: AES192 algorithm with SALT option)
- When encrypting columns, you can specify the encryption algorithm along with whether to use the SALT option.
Note: The SALT option ensures that the same data value is not always encrypted to the same ciphertext. Using this option enhances security, but you cannot create indexes on columns encrypted with the SALT option.
Example) Creating a table with encrypted columns - default encryption options (AES192 algorithm, SALT)
SQL> CREATE TABLE customer (
cust_id CHAR(4) CONSTRAINT cust_id_pk PRIMARY KEY NOT NULL,
cust_name VARCHAR(20) NULL,
cust_type VARCHAR(18) NULL,
cust_addr VARCHAR(40) NULL,
cust_tel VARCHAR(15) ENCRYPT NULL,
reg_date DATE NULL
);
Table 'CUSTOMER' created.
Example) Creating a table with encrypted columns - AES256 algorithm, NO SALT option set
SQL> CREATE TABLE customer (
cust_id CHAR(4) CONSTRAINT cust_id_pk PRIMARY KEY NOT NULL,
cust_name VARCHAR(20) NULL,
cust_type VARCHAR(18) NULL,
cust_addr VARCHAR(40) ENCRYPT USING 'AES256' NULL,
cust_tel VARCHAR(15) ENCRYPT NO SALT NULL,
reg_date DATE NULL
);
Table 'CUSTOMER' created.
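The trade-off described in the SALT note, as an added Python example (not Tibero code and not part of the original document): with NO SALT, equal values produce equal ciphertext, which makes equality lookups (and so indexes) possible but also reveals which rows share a value; with SALT, every row's ciphertext differs. Assumptions: an HMAC-SHA256 keystream stands in for the block cipher, Tibero's real storage format is not described here, and `KEY`, `PHONES` and all function names are hypothetical.

```python
import hashlib
import hmac
import os

KEY = os.urandom(32)  # constructed demo key; in Tibero the key is protected by the wallet
# Constructed sample values for a cust_tel column (three distinct numbers, one repeated)
PHONES = ["02-555-0101", "02-555-0102", "02-555-0101", "02-555-0103", "02-555-0101"]


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, a stand-in for the real cipher (assumption)."""
    blocks = (hmac.new(key, b"ks" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def encrypt(key, value, salt):
    data = value.encode()
    if salt:
        nonce = os.urandom(16)  # fresh per row: equal values get different ciphertext
    else:
        # derived from the value itself: equal values always get equal ciphertext
        nonce = hmac.new(key, b"iv" + data, hashlib.sha256).digest()[:16]
    return nonce + bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def decrypt(key, blob):
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body)))).decode()


def distinct_ciphertexts(values, salt):
    """How many different stored values someone reading the data file would see."""
    return len({encrypt(KEY, v, salt) for v in values})


def equality_lookup(rows, needle):
    """What an index needs: encrypt the search value, then compare ciphertext."""
    target = encrypt(KEY, needle, salt=False)
    return [i for i, blob in enumerate(rows) if blob == target]


if __name__ == "__main__":
    for salt in (False, True):
        rows = [encrypt(KEY, p, salt) for p in PHONES]
        print("SALT" if salt else "NO SALT",
              "| distinct ciphertexts:", distinct_ciphertexts(PHONES, salt),
              "| lookup hits:", equality_lookup(rows, PHONES[0]))
```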
Tibero Supported Algorithms
| Keyword | Algorithm Name | Description |
|---|---|---|
| DES | Data Encryption Standard | A classical symmetric key encryption algorithm using a 64-bit key (actual effective key is 56 bits). Currently considered weak in security and rarely used. |
| 3DES168 | Triple DES (3DES) | Applies DES three times, using three 56-bit keys for a total key length of 168 bits. More secure than DES but slower in processing speed. |
| AES128 / AES192 / AES256 | Advanced Encryption Standard | Currently the most widely used symmetric key encryption standard. Security level varies with 128, 192, and 256-bit key lengths. Fast and provides strong security. |
| SEED | SEED | A block cipher algorithm developed by the Korea Internet & Security Agency (KISA). Uses a 128-bit key and is mainly used in domestic financial and public institutions. |
| ARIA128 / ARIA192 / ARIA256 | ARIA | Another block cipher developed in Korea. Similar in structure to AES; supports 128/192/256-bit keys. Designated as a national standard cipher. |
| GOST | GOST (ГОСТ) | A block cipher developed in Russia using a 256-bit key. It was the Soviet Union's national standard cipher and has evolved into modern GOST (e.g., R 34.12-2015). |
Wallet Setup Method
Wallet setup is required to use the encryption feature. The wallet creation and setup method is as follows.
1. Create Wallet
$ cd $TB_HOME/config
$ tbwallet_gen
-- The name and password below are examples and can be set as desired
name: WALLET
passwd: tibero
2. Set path and name in $TB_SID.tip and restart the database
$ vi $TB_HOME/config/$TB_SID.tip
WALLET_FILE="[wallet path]" -- ex) /tibero_engine/tibero7/config/WALLET
$ tbdown; tbboot
3. Execute ALTER SYSTEM SET ENCRYPTION [wallet name] OPEN IDENTIFIED BY '[password]';
$ tbsql [username/[passwd]]
SQL> ALTER SYSTEM SET ENCRYPTION [wallet name] OPEN IDENTIFIED BY '[passwd]';
-- Use the wallet info set in step 1
ex) ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY 'tibero';
-- If using version 6 FS06 or below without patch 138447a
-- (check with tbboot -p | grep 138447 or tbboot -cs | grep 138447; the patch is absent if neither output contains it)
SQL> ALTER SYSTEM SET ENCRYPTION [wallet name] OPEN IDENTIFIED BY "[passwd]";