为提高效率,提问时请提供以下信息,问题描述清晰可优先响应。 【DM版本】:dm8 【操作系统】:centos7.6 【CPU】: 【问题描述】*:达梦数据库透明加密,对加密列name采用sm4加密算法,w未加索引查询效率很低,对name列添加索引后查询,效率有较大提高。考虑到数据安全问题,请问索引是以明文形式存储还是密文存储,或者该索引的建立是采用的什么机制
刚做了个试验,初步能验证加密列的表数据和索引数据都是加密方式存储的,验证过程略繁琐,简但在下面说下
--创建测试表,COL1加密,IDX和COL2明文 CREATE TABLE TST_ENC ( IDX INT, COL1 VARCHAR2(100) ENCRYPT WITH OPENSSL_SM4_CBC HASH WITH SHA256 SALT, COL2 VARCHAR2(100) ); --初始化几条数据 INSERT INTO TST_ENC VALUES(1,'AAA','1234'),(2,'BBB','1234'),(3,'CCC','1234'),(4,'DDD','1234'),(5,'EEE','1234'); COMMIT; --针对加密字段和明文字段各建立一个索引,并创建一个混合索引用于对比 CREATE INDEX IDX_TST_ENC_ENC ON TST_ENC(COL1); CREATE INDEX IDX_TST_ENC_NML ON TST_ENC(COL2); CREATE INDEX IDX_TST_ENC_MIX ON TST_ENC(COL1,COL2); --查询表数据及各索引数据页面号,用于获取页面数据 SELECT IDX.NAME,IDX_INFO.GROUPID,IDX_INFO.ROOTFILE,IDX_INFO.ROOTPAGE FROM SYSOBJECTS TAB ,SYSOBJECTS IDX ,SYSINDEXES IDX_INFO WHERE TAB.NAME = 'TST_ENC' AND TAB.ID = IDX.PID AND IDX_INFO.ID = IDX.ID --查询结果 NAME GROUPID ROOTFILE ROOTPAGE INDEX33592129 4 0 49552 --表簇集索引,也就是表数据地址 IDX_TST_ENC_NML 4 0 49584 IDX_TST_ENC_ENC 4 0 49568 IDX_TST_ENC_MIX 4 0 49600 --表数据页内容,含页头、数据头、索引信息和数据区 --数据区从第99字节(对应0x62位置)开始 --从中能看出COL1字段是加密存储,IDX和COL2则为明文存储,数据太长,所以只保留前两条记录部分 ------------INDEX33592129 4 0 49552------------------------- 0 1 2 3 4 5 6 7 8 9 a b c d e f ↓PAGE_HEAD (00000000)00000000 04 00 00 00 90 C1 00 00 FF FF FF FF FF FF FF FF GP_ID FL_ID --PAGENO--- (00000016)00000010 FF FF FF FF 14 00 00 00 00 00 00 00 CE 02 32 04 PAGE_TYPE CHECKSUM ----LSN---- ↓DATA_PAGE_HEAD (00000032)00000020 00 00 00 00 07 00 F2 01 00 00 00 00 05 00 FF FF N_SLT HP_LO HP_HI BR_NO N_REC ↓DATA_PAGE_IND_HEAD (00000048)00000030 52 00 5A 00 00 00 08 02 00 00 41 93 00 02 04 00 MIN MAX EXT USED INDEX_ID LEAF_GP_ID (00000064)00000040 00 00 0D 00 00 00 94 03 04 00 00 00 0D 00 00 00 --LEAF_PAGE LOFS IN_GO IN_FL INNER_PAGE_NO (00000080)00000050 4C 03 00 00 00 00 00 00 00 00 FF FF FF FF FF FF INOFS ↓DATA REC (00000096)00000060 FF FF 00 50 00 01 00 00 00 B0 18 B2 60 D9 30 01 LEN 1 -------------------- (00000112)00000070 5E B0 DF 87 C6 EF 56 2D A7 29 CB 1A D2 11 9D 8F ----------------------------------------------- (00000128)00000080 AF B6 95 66 51 0E E7 12 66 1F 9F 14 B8 33 85 00 ----------------------------------------------- (00000144)00000090 6E F9 2A EC 47 F5 23 A3 83 58 84 31 32 33 34 01 ------------------------------ 1 2 3 4 ROWID (00000160)000000A0 00 00 00 00 00 FF FF FF FF 7F FF FF 70 6C 0F 00 --TRX_ID--- (00000176)000000B0 00 00 00 50 00 02 00 00 00 B0 45 1B F9 4B D5 E8 LEN 2 -------------------- (00000192)000000C0 F9 1D 3A AC 7F 78 15 8A 73 83 DC DB 70 41 09 A4 (00000208)000000D0 54 78 4B 81 22 9D 2B 05 F3 68 69 2E 75 8B FA 33 ----------------------------------------------- (00000224)000000E0 CB 61 D0 4C 1B 93 79 1B 02 73 84 31 32 33 34 02 ------------------------------ 1 2 3 4 ROWID (00000240)000000F0 00 00 00 00 00 FF FF FF FF 7F FF FF 70 6C 0F 00 --TRX_ID--- (00000256)00000100 00 00 00 50 00 03 00 00 00 B0 61 32 56 CB D0 22
刚做了个试验,初步能验证加密列的表数据和索引数据都是加密方式存储的,验证过程略繁琐,简但在下面说下
--创建测试表,COL1加密,IDX和COL2明文 CREATE TABLE TST_ENC ( IDX INT, COL1 VARCHAR2(100) ENCRYPT WITH OPENSSL_SM4_CBC HASH WITH SHA256 SALT, COL2 VARCHAR2(100) ); --初始化几条数据 INSERT INTO TST_ENC VALUES(1,'AAA','1234'),(2,'BBB','1234'),(3,'CCC','1234'),(4,'DDD','1234'),(5,'EEE','1234'); COMMIT; --针对加密字段和明文字段各建立一个索引,并创建一个混合索引用于对比 CREATE INDEX IDX_TST_ENC_ENC ON TST_ENC(COL1); CREATE INDEX IDX_TST_ENC_NML ON TST_ENC(COL2); CREATE INDEX IDX_TST_ENC_MIX ON TST_ENC(COL1,COL2); --查询表数据及各索引数据页面号,用于获取页面数据 SELECT IDX.NAME,IDX_INFO.GROUPID,IDX_INFO.ROOTFILE,IDX_INFO.ROOTPAGE FROM SYSOBJECTS TAB ,SYSOBJECTS IDX ,SYSINDEXES IDX_INFO WHERE TAB.NAME = 'TST_ENC' AND TAB.ID = IDX.PID AND IDX_INFO.ID = IDX.ID --查询结果 NAME GROUPID ROOTFILE ROOTPAGE INDEX33592129 4 0 49552 --表簇集索引,也就是表数据地址 IDX_TST_ENC_NML 4 0 49584 IDX_TST_ENC_ENC 4 0 49568 IDX_TST_ENC_MIX 4 0 49600 --表数据页内容,含页头、数据头、索引信息和数据区 --数据区从第99字节(对应0x62位置)开始 --从中能看出COL1字段是加密存储,IDX和COL2则为明文存储,数据太长,所以只保留前两条记录部分 ------------INDEX33592129 4 0 49552------------------------- 0 1 2 3 4 5 6 7 8 9 a b c d e f ↓PAGE_HEAD (00000000)00000000 04 00 00 00 90 C1 00 00 FF FF FF FF FF FF FF FF GP_ID FL_ID --PAGENO--- (00000016)00000010 FF FF FF FF 14 00 00 00 00 00 00 00 CE 02 32 04 PAGE_TYPE CHECKSUM ----LSN---- ↓DATA_PAGE_HEAD (00000032)00000020 00 00 00 00 07 00 F2 01 00 00 00 00 05 00 FF FF N_SLT HP_LO HP_HI BR_NO N_REC ↓DATA_PAGE_IND_HEAD (00000048)00000030 52 00 5A 00 00 00 08 02 00 00 41 93 00 02 04 00 MIN MAX EXT USED INDEX_ID LEAF_GP_ID (00000064)00000040 00 00 0D 00 00 00 94 03 04 00 00 00 0D 00 00 00 --LEAF_PAGE LOFS IN_GO IN_FL INNER_PAGE_NO (00000080)00000050 4C 03 00 00 00 00 00 00 00 00 FF FF FF FF FF FF INOFS ↓DATA REC (00000096)00000060 FF FF 00 50 00 01 00 00 00 B0 18 B2 60 D9 30 01 LEN 1 -------------------- (00000112)00000070 5E B0 DF 87 C6 EF 56 2D A7 29 CB 1A D2 11 9D 8F ----------------------------------------------- (00000128)00000080 AF B6 95 66 51 0E E7 12 66 1F 9F 14 B8 33 85 00 ----------------------------------------------- (00000144)00000090 6E F9 2A EC 47 F5 23 A3 83 58 84 31 32 33 34 01 ------------------------------ 1 2 3 4 ROWID (00000160)000000A0 00 00 00 00 00 FF FF FF FF 7F FF FF 70 6C 0F 00 --TRX_ID--- (00000176)000000B0 00 00 00 50 00 02 00 00 00 B0 45 1B F9 4B D5 E8 LEN 2 -------------------- (00000192)000000C0 F9 1D 3A AC 7F 78 15 8A 73 83 DC DB 70 41 09 A4 (00000208)000000D0 54 78 4B 81 22 9D 2B 05 F3 68 69 2E 75 8B FA 33 ----------------------------------------------- (00000224)000000E0 CB 61 D0 4C 1B 93 79 1B 02 73 84 31 32 33 34 02 ------------------------------ 1 2 3 4 ROWID (00000240)000000F0 00 00 00 00 00 FF FF FF FF 7F FF FF 70 6C 0F 00 --TRX_ID--- (00000256)00000100 00 00 00 50 00 03 00 00 00 B0 61 32 56 CB D0 22