On Sun, Nov 11, 2012 at 4:19 PM, Jeffrey I Schiller <[email protected]> wrote:
> This all sounds like another variation on "encrypting data at rest." It
> protects against threats related to acquisition (legally or not) of the
> media that the data is stored on.
[snip]
> At first I thought all of this was of limited value. However, upon closer
> thought, it actually provides some real value. In particular, it makes
> the destruction of the data much simpler. Destroy the key and the data
> is effectively gone, without having to erase the actual media. So when I
> "delete" a virtual disk on GCE, all Google has to do is erase the
> corresponding encryption key to ensure that my data is really
> unrecoverable. Similarly, newer versions of the iPhone encrypt the
> phone's flash. The Wipe function now only has to wipe the key for the
> wipe to have effect. Prior to having this level of encryption, the whole
> flash had to be wiped, which takes time, time in which the thief can
> remove the battery to thwart the wipe.
>
> Although I am not familiar with this Oracle product, I suspect it offers
> the same feature. As long as the encryption keys are on separate media
> from the sensitive data, it can help avoid the compromise of the data
> via decommissioned disks or just disks being shipped to off-site storage
> (as disks do get lost in shipment).

If this is the only threat that Oracle TDE protects against, then I think
you would be better off just using hard drives that support FDE in the
hardware (ideally) or at least at the OS layer. I guess that Oracle TDE
might be a performance win over FDE, but if this is the threat you are
trying to mitigate, I would also think that FDE would provide the stronger
defense.

-kevin
--
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents." -- Nathaniel Borenstein
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
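The "destroy the key and the data is effectively gone" property that Jeffrey describes, shown as an added example that is not part of either message above and not code from Google, Apple or Oracle. It assumes a hypothetical key store holding one data-encryption key (DEK) per volume, each wrapped under a master key (KEK) and kept apart from the data media; the cipher is an illustrative HMAC-SHA256-in-counter-mode keystream standing in for the AES-XTS/CTR a real disk would use, chosen only so the example runs with the standard library. The point it makes concrete is the cost asymmetry: a crypto-erase destroys 32 bytes of key while the media, however large, is left untouched and becomes unreadable.

```python
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Illustrative PRF-based stream cipher (HMAC-SHA256 in counter mode).
    # Stands in for AES-XTS/AES-CTR so the example needs no third-party
    # package; it is not a production disk cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _tag(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    # Encrypt-then-MAC so a tampered media image or a wrong key is detected on read.
    return hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()


class KeyStore:
    """Hypothetical key store: one DEK per volume, wrapped under the KEK.
    In a real deployment this lives on separate media (KMS, HSM, secure
    element), never on the disk that holds the data."""

    def __init__(self, kek: bytes) -> None:
        self._kek = kek
        self._wrapped: dict[str, tuple[bytes, bytes, bytes]] = {}

    def create(self, volume_id: str) -> None:
        dek = secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        wrapped = _xor(dek, _keystream(self._kek, b"wrap" + nonce, 32))
        self._wrapped[volume_id] = (nonce, wrapped, _tag(self._kek, nonce, wrapped))

    def unwrap(self, volume_id: str) -> bytes:
        if volume_id not in self._wrapped:
            raise KeyError(f"no key for volume {volume_id!r}: its data is unrecoverable")
        nonce, wrapped, tag = self._wrapped[volume_id]
        if not hmac.compare_digest(tag, _tag(self._kek, nonce, wrapped)):
            raise ValueError("wrapped key corrupted")
        return _xor(wrapped, _keystream(self._kek, b"wrap" + nonce, 32))

    def crypto_erase(self, volume_id: str) -> int:
        """Delete the volume by destroying its DEK. Returns the number of key
        bytes destroyed: 32, regardless of how large the volume is."""
        _, wrapped, _ = self._wrapped.pop(volume_id)
        return len(wrapped)


def write_volume(ks: KeyStore, volume_id: str, plaintext: bytes) -> bytes:
    """Return the bytes that land on the data media: nonce || ciphertext || tag."""
    dek = ks.unwrap(volume_id)
    nonce = secrets.token_bytes(16)
    ct = _xor(plaintext, _keystream(dek, nonce, len(plaintext)))
    return nonce + ct + _tag(dek, nonce, ct)


def read_volume(ks: KeyStore, volume_id: str, media: bytes) -> bytes:
    dek = ks.unwrap(volume_id)  # raises KeyError once the DEK has been erased
    nonce, ct, tag = media[:16], media[16:-32], media[-32:]
    if not hmac.compare_digest(tag, _tag(dek, nonce, ct)):
        raise ValueError("media tampered or wrong key")
    return _xor(ct, _keystream(dek, nonce, len(ct)))


def demo() -> dict:
    """Round-trip a volume, crypto-erase it, and show the media is intact but unreadable."""
    ks = KeyStore(secrets.token_bytes(32))
    ks.create("vol-1")
    plaintext = b"customer records " * 4096  # constructed sample data (~68 KiB)
    media = write_volume(ks, "vol-1", plaintext)
    round_trip_ok = read_volume(ks, "vol-1", media) == plaintext
    media_before = bytes(media)

    key_bytes_destroyed = ks.crypto_erase("vol-1")  # the whole "wipe"

    try:
        read_volume(ks, "vol-1", media)
        recoverable = True
    except KeyError:
        recoverable = False
    return {
        "round_trip_ok": round_trip_ok,
        "media_bytes": len(media),
        "media_untouched": media == media_before,
        "key_bytes_destroyed": key_bytes_destroyed,
        "recoverable": recoverable,
    }


if __name__ == "__main__":
    print(demo())
```

The erase path never touches the ciphertext, which is why it finishes in constant time whether the volume is 68 KiB or several terabytes; a thief who pulls the battery mid-wipe, or a courier who loses the disk, holds only ciphertext whose key no longer exists anywhere. The caveat the thread already hints at applies unchanged: the guarantee is only as good as the separation between the key store and the media. If the wrapped DEK (or the KEK) is kept on the same disk, deleting the key record is just another file deletion that forensics can undo.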
