TDE tablespace encryption encrypts data blocks as they are written to the tablespace's datafiles and decrypts them as they are read back into the buffer cache, so applications see plaintext without any change to their SQL. It protects the datafiles at rest (and backups and copies of them); it does not protect data in memory, on the network, or extracted by a user who is authorized to query it.
To create an encrypted tablespace, use the ENCRYPTION clause of CREATE TABLESPACE:
CREATE
[ BIGFILE | SMALLFILE ]
{ permanent_tablespace_clause
| temporary_tablespace_clause
| undo_tablespace_clause
} ;
where
permanent_tablespace_clause=
TABLESPACE tablespace
.........
ENCRYPTION [USING algorithm]
.........
storage_clause
.........
where
storage_clause=
.........
[ENCRYPT]
.........
For example:
CREATE TABLESPACE securespace
DATAFILE '/home/user/oradata/secure01.dbf'
SIZE 150M
ENCRYPTION USING 'AES128'
DEFAULT STORAGE(ENCRYPT);
Note: The CREATE TABLESPACE syntax above applies only to new tablespaces; it cannot encrypt an existing tablespace in place. To protect data that already exists, move it into an encrypted tablespace, for example by exporting it and importing it into the encrypted tablespace with the Oracle Data Pump utility (impdp with REMAP_TABLESPACE).
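Data Pump is not the only way to move existing data into an encrypted tablespace. The following is an added example, not part of the original page, that relocates segments online within the same database with ALTER TABLE ... MOVE and ALTER INDEX ... REBUILD, then verifies that nothing was left behind. It assumes a hypothetical table APP.CUSTOMERS with primary-key index CUSTOMERS_PK currently stored in the USERS tablespace, and the encrypted tablespace SECURESPACE created as shown above.

```sql
-- Added example, not from the original page. Assumes a hypothetical table
-- APP.CUSTOMERS (index CUSTOMERS_PK) in the unencrypted USERS tablespace and
-- the encrypted tablespace SECURESPACE from the CREATE TABLESPACE example.
--
-- ALTER TABLE ... MOVE rewrites every row into new extents in the target
-- tablespace, so the copy in SECURESPACE is written through TDE. The old
-- extents in USERS are freed but NOT scrubbed: the plaintext blocks remain
-- in users01.dbf until they are reused, so treat that datafile (and old
-- backups of it) as still containing the data.

-- 1. Inventory: which of the application's segments are still in USERS?
SELECT owner, segment_name, segment_type
  FROM dba_segments
 WHERE owner = 'APP'
   AND tablespace_name = 'USERS';

-- 2. Move the heap. This takes a DDL lock on the table for the duration;
--    schedule it in a maintenance window.
ALTER TABLE app.customers MOVE TABLESPACE securespace;

-- 3. MOVE changes every rowid, which marks all indexes on the table
--    UNUSABLE. Rebuild each one INTO THE ENCRYPTED TABLESPACE as well;
--    index leaf blocks contain the indexed column values, so an index left
--    in USERS is a plaintext copy of those columns.
SELECT index_name, status, tablespace_name
  FROM dba_indexes
 WHERE owner = 'APP'
   AND table_name = 'CUSTOMERS';

ALTER INDEX app.customers_pk REBUILD TABLESPACE securespace;

-- 3b. If the table had LOB columns, their segments must be moved explicitly
--     (hypothetical column name DOCUMENT):
-- ALTER TABLE app.customers MOVE LOB (document) STORE AS (TABLESPACE securespace);

-- 4. Verify: no segment belonging to the table remains outside SECURESPACE
--    (expect zero rows).
SELECT segment_name, segment_type, tablespace_name
  FROM dba_segments
 WHERE owner = 'APP'
   AND tablespace_name <> 'SECURESPACE'
   AND (segment_name = 'CUSTOMERS'
        OR segment_name IN (SELECT index_name
                              FROM dba_indexes
                             WHERE owner = 'APP'
                               AND table_name = 'CUSTOMERS'));
```

Whichever method is used, the check in step 4 is the one that matters: partial migrations that leave an index, a LOB segment or a partition in the unencrypted tablespace are a common way for "encrypted" data to remain readable from the datafile.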
In a multitenant database the keystore (wallet) is shared at the CDB level, but each PDB has its own master encryption key stored in that shared keystore. To configure a keystore, complete the following steps:
- Set the location of the wallet in sqlnet.ora with the ENCRYPTION_WALLET_LOCATION parameter (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=...))) so the instance knows where to look for the keystore files.
- After logging into the database with the SYSDBA or, preferably, the less privileged SYSKM administrative privilege, create a password-protected keystore (wallet). The password shown here is a placeholder; in practice it should be strong and held in a secrets manager, not in scripts or shell history:
SQL> administer key management create keystore '/PATH/TO/ORACLE/WALLET/DIR' identified by tdecdb;
- Open the keystore. CONTAINER=ALL opens it in the root and in every open PDB; a password keystore must be reopened after each instance restart unless an auto-login keystore is also created.
SQL> administer key management set keystore open identified by tdecdb container=all;
- With the keystore open, a TDE master encryption key can be created. For multitenant environments, CONTAINER=ALL creates and activates a separate master key for the root and for each open PDB (all kept in the shared keystore); CONTAINER=CURRENT, run inside a PDB, sets a key for that PDB only. WITH BACKUP copies the keystore before the key is added; the string after USING is a label appended to the backup file name (the backup is written next to the keystore), not a path.
SQL> administer key management set key using tag 'cdb_shared' identified by tdecdb with backup using 'before_cdb_shared' container=all;
- Create encrypted tablespaces:
CREATE SMALLFILE TABLESPACE STAR_DAT1
DATAFILE 'star_dat1.dbf' SIZE 100M AUTOEXTEND ON NEXT 10M MAXSIZE UNLIMITED
LOGGING
EXTENT MANAGEMENT LOCAL UNIFORM SIZE 1M
SEGMENT SPACE MANAGEMENT AUTO
ENCRYPTION USING 'AES128'
DEFAULT STORAGE(ENCRYPT);
CREATE SMALLFILE TABLESPACE STAR_HST1
DATAFILE 'star_hst1.dbf' SIZE 10M AUTOEXTEND ON NEXT 100M MAXSIZE UNLIMITED
LOGGING
EXTENT MANAGEMENT LOCAL UNIFORM SIZE 1M
SEGMENT SPACE MANAGEMENT AUTO
ENCRYPTION USING 'AES128'
DEFAULT STORAGE(ENCRYPT);
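The steps above, run end to end with the verification query a DBA would issue after each one. This is an added example and not code from the original page; it assumes sqlnet.ora already points ENCRYPTION_WALLET_LOCATION at /PATH/TO/ORACLE/WALLET/DIR, a session connected to CDB$ROOT AS SYSKM, a hypothetical PDB named PDB1, and the page's placeholder password tdecdb. The tablespace is STAR_DAT1 from the page, here with AES256 instead of AES128 (both are valid values for the ENCRYPTION USING clause).

```sql
-- Added example, not from the original page. Assumptions: sqlnet.ora has
-- ENCRYPTION_WALLET_LOCATION set to /PATH/TO/ORACLE/WALLET/DIR, the session
-- is connected to CDB$ROOT AS SYSKM, PDB1 is a hypothetical PDB, and
-- 'tdecdb' is the page's placeholder keystore password.

-- 0. Before anything exists: WRL_PARAMETER should show the directory from
--    sqlnet.ora and STATUS should be NOT_AVAILABLE in every container.
SELECT con_id, wrl_type, wrl_parameter, status, wallet_type
  FROM v$encryption_wallet;

-- 1. Create the password-protected keystore (writes ewallet.p12 into the
--    directory above). The directory must exist and be writable by the
--    Oracle software owner; restrict it to that user.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/PATH/TO/ORACLE/WALLET/DIR'
  IDENTIFIED BY tdecdb;

-- 2. Open it in the root and in every open PDB. Until a key is set the
--    status is OPEN_NO_MASTER_KEY, which is expected here.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY tdecdb CONTAINER = ALL;
SELECT con_id, status FROM v$encryption_wallet;

-- 3. Set the master encryption key. CONTAINER = ALL creates and activates a
--    separate key for CDB$ROOT and for each open PDB, all inside the shared
--    keystore. WITH BACKUP first copies the keystore to
--    ewallet_<timestamp>_before_initial_key.p12 in the same directory;
--    the USING string is that label, not a path.
ADMINISTER KEY MANAGEMENT SET KEY USING TAG 'initial'
  IDENTIFIED BY tdecdb WITH BACKUP USING 'before_initial_key'
  CONTAINER = ALL;

-- 4. Every container should now have a key tagged 'initial' and the
--    keystore should report OPEN with FULLY_BACKED_UP = YES. A NO here
--    means the keystore copy failed; fix that before creating any
--    encrypted tablespace, because losing the keystore loses the data.
SELECT con_id, key_id, tag, key_use, backed_up FROM v$encryption_keys;
SELECT con_id, status, fully_backed_up FROM v$encryption_wallet;

-- 5. Create the encrypted tablespace inside the PDB that owns the data.
ALTER SESSION SET CONTAINER = pdb1;   -- hypothetical PDB name

CREATE SMALLFILE TABLESPACE star_dat1
  DATAFILE 'star_dat1.dbf' SIZE 100M AUTOEXTEND ON NEXT 10M MAXSIZE UNLIMITED
  LOGGING
  EXTENT MANAGEMENT LOCAL UNIFORM SIZE 1M
  SEGMENT SPACE MANAGEMENT AUTO
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 6. Confirm the tablespace is flagged encrypted and which algorithm was
--    applied (ENCRYPTEDTS = YES, ENCRYPTIONALG = AES256).
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'STAR_DAT1';

SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;

-- 7. Operational check worth scheduling in monitoring: if the keystore is
--    CLOSED (for example after an instance restart with only a password
--    keystore), every read or write against STAR_DAT1 fails with ORA-28365
--    until the keystore is reopened.
SELECT con_id, status
  FROM v$encryption_wallet
 WHERE status <> 'OPEN';
```

The two checks that are easy to skip are step 4 and step 7: a keystore that has never been backed up is a single point of failure for every encrypted tablespace that depends on it, and a keystore that is closed after a restart turns an encryption control into an outage.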