Transparent Data Encryption (TDE)

Transparent Data Encryption (TDE) is the Oracle Advanced Security feature for encrypting Oracle Database data at rest. TDE encrypts data before it is written to storage, decrypts it when it is read back, and provides built-in key management, so database files (and copies of them, such as file-level backups) are unreadable without the master encryption key. It protects stored data only: any session with the privilege to query a table receives the data in clear, so TDE complements, and does not replace, access control inside the database.

For TDE implementation instructions, refer to the readme.txt file under database\scripts\common\tde on the P6 EPPM physical media or in the downloaded distribution.

For more information about TDE, refer to the Oracle Advanced Security Guide.

To start using TDE, you must create a wallet and set a master encryption key. The wallet can be the default database wallet, shared with other Oracle Database components, or a separate wallet used only by TDE. Oracle strongly recommends a separate wallet for the master encryption key, so that access to the key is not coupled to the other credentials a shared wallet holds.

Specifying a Wallet Location

If you use a wallet dedicated to TDE, specify its location in the sqlnet.ora file with the ENCRYPTION_WALLET_LOCATION parameter. The master encryption key is created in the wallet at this location. If ENCRYPTION_WALLET_LOCATION is absent from sqlnet.ora, the WALLET_LOCATION value is used instead. A new wallet is created there if none exists. Note that in Oracle Database 18c and later the WALLET_ROOT and TDE_CONFIGURATION initialization parameters supersede ENCRYPTION_WALLET_LOCATION, which is deprecated; the sqlnet.ora setting is still honoured, but only when WALLET_ROOT is not set.

If no wallet location is specified in sqlnet.ora, the default database wallet location is used: ORACLE_BASE/admin/DB_UNIQUE_NAME/wallet if ORACLE_BASE is set, otherwise ORACLE_HOME/admin/DB_UNIQUE_NAME/wallet. DB_UNIQUE_NAME is the unique name of the database set in the initialization parameter file. Whichever location you use, the directory must already exist and should be readable and writable only by the Oracle software owner; the database does not create it for you.

If an auto-login wallet already exists at the expected location, a new wallet is not created. Be aware that an auto-login wallet (cwallet.sso) opens without a password whenever the database starts, so anyone who can read the wallet directory and run the database software can make use of the master key. Restrict the directory with file permissions, and keep the password-protected wallet (ewallet.p12) as well, since key administration operations still require it.

Setting the Master Encryption Key

Before you can encrypt or decrypt database columns or tablespaces, you must generate a master encryption key in the wallet. The master key is never stored in the database; it is held only in the wallet and is used to encrypt the individual table and tablespace keys. Back up the wallet as soon as the master key is set or rekeyed, because encrypted data cannot be recovered without it.

Opening the Encrypted Wallet

The database must load the master encryption key into memory before it can encrypt or decrypt columns or tablespaces. Opening the wallet gives the database access to the master encryption key. A password-protected wallet, once opened, remains open until you shut down the database instance or close it explicitly, so it must be reopened after every restart; an auto-login wallet opens automatically at startup.
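The three steps above (wallet location, master key, opening the wallet) written out end to end, as an added example that is not part of the P6 EPPM documentation or of Oracle's own TDE scripts. The wallet directory, the database name ORCL and the password are assumptions; the statements use the Oracle Database 12c and later ADMINISTER KEY MANAGEMENT syntax, with the 11g ALTER SYSTEM equivalents noted at the end.

```sql
-- 1. sqlnet.ora on the database server (not SQL; shown here for completeness).
--    The directory is an assumption; it must already exist and be owned by the
--    Oracle software owner with mode 700 before the wallet is created.
--
--    ENCRYPTION_WALLET_LOCATION =
--      (SOURCE = (METHOD = FILE)
--        (METHOD_DATA = (DIRECTORY = /u01/app/oracle/admin/ORCL/tde_wallet)))

-- 2. Create the password-protected wallet. The path must match the sqlnet.ora
--    setting. The password is a placeholder.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/admin/ORCL/tde_wallet'
  IDENTIFIED BY "WalletPassw0rd#Example";

-- 3. Open the wallet so the key can be loaded into memory.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "WalletPassw0rd#Example";

-- 4. Generate the master encryption key. WITH BACKUP copies the wallet before
--    the new key is written; losing the wallet means losing all encrypted data.
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "WalletPassw0rd#Example"
  WITH BACKUP USING 'tde_initial_key';

-- 5. Verify: STATUS should be OPEN, WALLET_TYPE should be PASSWORD, and
--    WRL_PARAMETER should be the directory configured in sqlnet.ora.
SELECT wrl_type, wrl_parameter, status, wallet_type, fully_backed_up
  FROM v$encryption_wallet;

-- 6. Optional: an auto-login wallet (cwallet.sso) lets the database open the
--    key without a password at startup. It also lets anyone who can read the
--    directory open it, so create one only when restart convenience outweighs
--    that risk, and keep ewallet.p12 for key administration.
-- ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE
--   FROM KEYSTORE '/u01/app/oracle/admin/ORCL/tde_wallet'
--   IDENTIFIED BY "WalletPassw0rd#Example";

-- 7. Close the wallet explicitly when the key must not stay in memory
--    (a password-protected wallet also closes on instance shutdown).
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE
  IDENTIFIED BY "WalletPassw0rd#Example";

-- Oracle 11g equivalents, for P6 deployments on that release:
--   ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "WalletPassw0rd#Example";
--     (creates the wallet at the sqlnet.ora location if absent and sets the key)
--   ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "WalletPassw0rd#Example";
--   ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "WalletPassw0rd#Example";
```

Run the statements as SYSDBA (or, on 12c and later, as a user with the SYSKM privilege). After step 4, copy the backed-up wallet to a location that is not on the same storage as the database files, and never store the wallet password in the same place as the wallet.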

Related Topics

Encrypting Tablespaces

Applying TDE to an Existing Star Schema

Troubleshooting Common Errors

Copyright © 2008, 2020

Last Published Monday, December 14, 2020