EFS Private Keys Storage

  • Thread starter Thread starter Choi Wai Kin
  • Start date Start date
C

Choi Wai Kin

I am currently working on a new project using Oracle database to store
condifental information. My boss wants me to use EFS to encrypt the
data files. However, according to our department policy, the private
key used for encrypting condifental must be stored in a different
machine or in some kind of removable device (not in the database
server).

If I use a domain accout to encrypt the data files and then run all
Oracle services on the domain account, is it ture that the private key
will be stored in the domain controller instead of the local machine
and the private key will only be retrieved from the domain controller
when the Oracle services need to access the data file? And will the
private key be cached in the local harddisk?

BTW, is it possible to store the private key in a smart card? If so,
I wonder if there is any reference or white paper that I can refer to.

Thank you very much.

Regards,
Wai.

PS: I guess my boss does carry if the data is really secure, and he
only want to keep sure that we meet the department policy. :-)
 
EFS private keys are stored in a user's application data. I haven't tried
this, but if the user has redirected AppData and the profile is scrubbed
from your Oracle server on logoff you might be able to meet your needs. The
key will exist on the machine at any time that the user is logged on (with
user profile) - I don't know if that matters.

If the database is going to be online all the time there's no way to keep
the private key somewhere else. That's true of EFS or any other kind of
encryption.

EFS doesn't support private keys on smartcards currently.
 
Thank you for your response. It helps a lot.
If the database is going to be online all the time there's no way to keep
the private key somewhere else. That's true of EFS or any other kind of
encryption.
Click to expand...

And, I have one more question.

When the private key is downloaded from the domain controller for
decryption, is the private key stored in memory only? OR Must it be
stored in the harddisk? If it must be stored in the harddisk, where
will it be stored?

Thank you very much.

Regards,
Wai.
 
private keys are not stored on the domain controlller - if you use a roaming
user profile, they will be cached to a file server in encrypted form - same
as they are today in a user profile.
 
Back
Top