Transparent Data Encryption (TDE)
Oracle Transparent Data Encryption (TDE) encrypts sensitive application data on the storage media, i.e. the database files at rest, transparently to the application: SQL reads and writes clear text, and the database encrypts and decrypts the data as it moves to and from disk. It protects against theft or copying of data files, backups and disks; it does not protect against a privileged database user who can simply query the data. TDE addresses encryption-at-rest requirements such as those in PCI DSS.
TDE column encryption enables encryption of new and existing table columns containing sensitive information. An existing non-encrypted tablespace, however, cannot be encrypted in place with the commands shown here (later Oracle releases can convert a tablespace online, but this procedure does not assume that). If you wish to encrypt the data for an entire tablespace, create a new encrypted tablespace and then move the data from the old tablespace to the new one; remember that the old datafiles still contain the plaintext until they are dropped and securely erased. The advantage of encrypting an entire tablespace is that you do not need to make any changes at the table level, i.e. less administration and better scalability.
The Oracle database instance name in these examples is DB42.
- Create wallet directory.
Make sure that the wallet location exists and can be read and written by the Oracle software owner, and by nobody else: whoever can read the wallet (and knows its password, or has the auto-login file) can open every encrypted file of the database.
Default location: %ORACLE_BASE%\admin\DB42\wallet
If required you can change it from the default with an ENCRYPTION_WALLET_LOCATION entry in sqlnet.ora.
- Create a master key.
SQL> alter system set encryption key identified by "MyWalletPassword";
This creates the wallet file %ORACLE_BASE%\admin\DB42\wallet\ewallet.p12 if it does not exist, generates the master key inside it and opens the wallet. The password protects the wallet file itself, so choose a strong one and store it outside the database host. Unless an auto-login wallet is used (see the notes at the end), the wallet is closed after every instance restart and must be reopened with ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "MyWalletPassword" before encrypted data can be read.
- Check Status
You can see the wallet status (STATUS should be OPEN) using:
SQL> SELECT * FROM v$encryption_wallet;
Encrypt New Tablespace
This is done using the below tablespace creation options:
- ENCRYPTION USING 'algorithm', where algorithm is AES128 (the default if the clause is omitted), AES192, AES256 or 3DES168. Prefer AES; 3DES168 is only there for legacy compatibility.
- DEFAULT STORAGE(ENCRYPT), which makes every segment created in the tablespace encrypted.
Display Encryption Status
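The tablespace procedure end to end, with the status queries this heading refers to, as an added example that is not code from the original page. The tablespace name SECURE_DATA, the datafile path, and the table HR.CARDHOLDERS with its index HR.CARDHOLDERS_PK are placeholders; the views queried (V$ENCRYPTION_WALLET, DBA_TABLESPACES, V$TABLESPACE, V$ENCRYPTED_TABLESPACES, DBA_SEGMENTS) are the standard Oracle dictionary and dynamic performance views.

```sql
-- Added example, not from the original page. Placeholders: tablespace
-- SECURE_DATA, datafile C:\oracle\oradata\DB42\secure_data01.dbf,
-- table HR.CARDHOLDERS and its index HR.CARDHOLDERS_PK.

-- 1. The wallet must be OPEN; with a closed wallet the CREATE TABLESPACE
--    below fails with ORA-28365 (wallet is not open).
SELECT wrl_type, wrl_parameter, status
  FROM v$encryption_wallet;

-- 2. Create the encrypted tablespace, naming the algorithm explicitly
--    instead of relying on the AES128 default.
CREATE TABLESPACE secure_data
  DATAFILE 'C:\oracle\oradata\DB42\secure_data01.dbf'
    SIZE 100M AUTOEXTEND ON NEXT 50M MAXSIZE 2G
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 3. Move existing data in. ALTER TABLE ... MOVE rewrites the rows into
--    the encrypted datafile and marks the table's indexes UNUSABLE, so
--    rebuild them, here into the encrypted tablespace as well.
ALTER TABLE hr.cardholders MOVE TABLESPACE secure_data;
ALTER INDEX hr.cardholders_pk REBUILD TABLESPACE secure_data;

-- 4. Display encryption status. DBA_TABLESPACES.ENCRYPTED is YES/NO;
--    V$ENCRYPTED_TABLESPACES adds the algorithm for the encrypted ones.
SELECT t.tablespace_name, t.encrypted, e.encryptionalg
  FROM dba_tablespaces t
  LEFT JOIN v$tablespace v            ON v.name = t.tablespace_name
  LEFT JOIN v$encrypted_tablespaces e ON e.ts#  = v.ts#
 ORDER BY t.tablespace_name;

-- 5. Confirm that the moved segments now live in SECURE_DATA. The old
--    datafiles still hold plaintext residue until they are dropped and
--    the files securely erased.
SELECT segment_name, segment_type, tablespace_name
  FROM dba_segments
 WHERE owner = 'HR'
   AND segment_name IN ('CARDHOLDERS', 'CARDHOLDERS_PK');
```

Step 3 is the only part that touches application objects; everything else is tablespace-level, which is the "less administration" advantage mentioned above. Run the move during a maintenance window, since it takes a lock on the table for its duration.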
Encrypt Table Column
Create the table with the ENCRYPT clause on the sensitive column, or add ENCRYPT to a column of an existing table with ALTER TABLE ... MODIFY. Encrypting an existing column (col2 in the example) rewrites every stored value as ciphertext, so on a table with many rows the operation takes time and should be scheduled accordingly.
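Column encryption for a new table and for an existing column, as an added example that is not code from the original page. HR.PAYMENT_CARDS, HR.CUSTOMERS and its column COL2 are placeholders. Two constraints worth knowing before choosing this over tablespace encryption: a column encrypted with the default SALT cannot be indexed (use NO SALT for a column that needs an index, accepting that equal plaintexts then produce equal ciphertexts), and a column that is part of a foreign key cannot be encrypted at all.

```sql
-- Added example, not from the original page. Placeholders: HR.PAYMENT_CARDS
-- (new table) and HR.CUSTOMERS with its existing column COL2.

-- New table: encrypt at creation. Column encryption defaults to AES192
-- with SALT. CARD_NUMBER is declared NO SALT only because it needs an
-- index; BILLING_ADDRESS keeps the default SALT.
CREATE TABLE hr.payment_cards (
  card_id          NUMBER         PRIMARY KEY,
  card_number      VARCHAR2(19)   ENCRYPT USING 'AES256' NO SALT,
  billing_address  VARCHAR2(200)  ENCRYPT USING 'AES256'
);
CREATE INDEX hr.payment_cards_cn_ix ON hr.payment_cards (card_number);

-- Existing column: every stored value of COL2 is rewritten as ciphertext
-- in place. This is the potentially slow step on a large table.
ALTER TABLE hr.customers MODIFY (col2 ENCRYPT USING 'AES256');

-- Reads stay transparent: this returns clear text while the wallet is
-- open and fails with ORA-28365 when it is closed.
SELECT card_id, card_number
  FROM hr.payment_cards
 WHERE card_number = '4111111111111111';   -- uses the index (NO SALT column)

-- Display which columns are encrypted, with algorithm and salt setting.
SELECT owner, table_name, column_name, encryption_alg, salt, integrity_alg
  FROM dba_encrypted_columns
 WHERE owner = 'HR'
 ORDER BY table_name, column_name;
```

The last query is the column-level counterpart of the tablespace status check: if a column you expect to be protected is missing from DBA_ENCRYPTED_COLUMNS, it is stored in clear text.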
- Don't use Oracle Wallet Manager to inspect or edit the TDE wallet. Query the database, or use orapki, in one of these two ways:
- SQL> SELECT * FROM v$encryption_wallet
- OS> orapki wallet display -wallet %ORACLE_BASE%\admin\DB42\wallet
- For disaster recovery (DR) to another location you must copy the wallet files (ewallet.p12 and, if auto login is used, cwallet.sso)
to the same location as on the primary database before restoring with RMAN; without the wallet an RMAN backup of encrypted tablespaces cannot be read. Back the wallet up separately from, and never alongside, the database backups, otherwise whoever obtains the backup media also obtains the key.
- To change the wallet password:
- OS> orapki wallet change_pwd -wallet %ORACLE_BASE%\admin\DB42\wallet
- If you are using a wallet with auto login enabled, you must regenerate the auto login wallet (cwallet.sso) after changing the password. Note that cwallet.sso lets the instance open the wallet without a password, so anyone who can copy it together with the data files can decrypt them; restrict its file permissions to the Oracle software owner.
- OS> orapki wallet create -wallet %ORACLE_BASE%\admin\DB42\wallet -auto_login