22 Managing Oracle Transparent Data Encryption

Transparent Data Encryption (TDE) encrypts sensitive data stored in data files. Encrypted data is transparently decrypted for a database user or application that has access to the data.

Oracle Database uses authentication, authorization, and auditing mechanisms to secure data in the database, but not in the operating system data files where that data is stored. To protect these data files, Oracle Database provides Transparent Data Encryption (TDE). TDE encrypts sensitive data stored in data files. Encrypted data is transparently decrypted for a database user or application that has access to the data. TDE helps protect data stored on media in the event that the storage media or a data file is stolen.

Online tablespace encryption encrypts a tablespace while it is online and in use: the database creates alternate, encrypted data files for the tablespace and switches over to them, so no data is lost. Offline tablespace encryption encrypts a tablespace after the tablespace has been placed in offline mode.

For more information on database encryption and TDE, see the Oracle Database Advanced Security Administrator's Guide.

Figure 22-1 Transparent Data Encryption Home Page


This chapter contains the following sections:

  • Prerequisites for Transparent Data Encryption Operations

  • Encrypting a Tablespace in Online Mode

  • Decrypting a Tablespace in Online Mode

  • Changing the Encryption Algorithm of an Encrypted Tablespace - Rekey

  • Encrypting a Tablespace in Offline Mode

  • Decrypting a Tablespace in Offline Mode

22.1 Prerequisites for Transparent Data Encryption Operations

To encrypt or decrypt a tablespace using TDE, meet the following prerequisites:

  • Set up the wallet (keystore).

  • Ensure that the Keystore Status is Open on the Transparent Data Encryption home page.

  • Ensure that the free space available to the database is equal to or greater than the size of the tablespace being encrypted, because online encryption creates auxiliary data files of that size.

  • Online encryption is supported only on Oracle Database 12.2 and later.
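The checks behind these prerequisites, as they would be run from SQL*Plus rather than the Enterprise Manager page. This is an added example, not code from the Oracle documentation above; it assumes a tablespace named USERS, a keystore directory under /u01/app/oracle/admin/ORCL/wallet that matches the keystore location configured for the database (ENCRYPTION_WALLET_LOCATION in sqlnet.ora, or WALLET_ROOT on 18c and later), and a placeholder keystore password. Run it as a user holding SYSKM or SYSDBA.

```sql
-- Added example (not from the Oracle Enterprise Manager documentation):
-- prerequisite checks for TDE tablespace operations.
-- USERS, the wallet path and "<keystore_password>" are placeholders.

-- 1. Database version: online tablespace encryption needs 12.2 or later.
SELECT version FROM v$instance;

-- 2. Set up the wallet if it does not exist yet. The directory must be the
--    keystore location the database is configured to use.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/admin/ORCL/wallet'
  IDENTIFIED BY "<keystore_password>";

-- Open the keystore. STATUS in V$ENCRYPTION_WALLET must read OPEN before
-- any encrypt/decrypt/rekey; OPEN_NO_MASTER_KEY means no master key is set.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "<keystore_password>";

SELECT wrl_type, wrl_parameter, status, wallet_type
  FROM v$encryption_wallet;

-- Create and activate a TDE master encryption key if none exists.
-- WITH BACKUP copies the keystore before it is modified.
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "<keystore_password>" WITH BACKUP;

-- Confirm a master key is present (the "Keystore Status is Open" check).
SELECT key_id, creation_time FROM v$encryption_keys;

-- 3. Size of the tablespace to be encrypted online. The auxiliary data
--    files need at least this much free space in the target directory.
--    The database cannot see file-system free space, so compare this
--    figure against the directory's free space at the OS level (df).
SELECT tablespace_name,
       ROUND(SUM(bytes) / 1024 / 1024) AS size_mb,
       COUNT(*)                        AS data_files
  FROM dba_data_files
 WHERE tablespace_name = 'USERS'
 GROUP BY tablespace_name;
```

The keystore backup that WITH BACKUP produces, and the keystore directory itself, are the only things that can decrypt the tablespace afterwards; keep them on separate, access-controlled storage from the data files they protect.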

22.2 Encrypting a Tablespace in Online Mode

To encrypt a tablespace, follow the steps below:

  1. From the Database home page, click Security and then select Transparent Data Encryption.

  2. On the Transparent Data Encryption home page, expand the Encrypted Objects section.

  3. Click the Online Operation menu in the Encrypted Tablespaces pane, and select Encrypt.

  4. In the Encrypt pop-up window, select the tablespace and the encryption algorithm.

    Figure: Setting Encrypt parameters

  5. The Target path column lists the new data files that online encryption will create. To keep the old data files after the encryption operation, select the relevant check box.

  6. You may schedule the encryption for a future time. Select the relevant radio button and configure the scheduled time, if required.

  7. Click OK.

A job is scheduled to complete the encryption process. You can view the job status in the Jobs section on the Transparent Data Encryption home page.

Note:

You may need to refresh the view to see the latest status of tablespaces in the Encrypted Objects section and the jobs.

22.3 Decrypting a Tablespace in Online Mode

To decrypt an encrypted tablespace, follow the steps below:

  1. From the Database home page, click Security and then select Transparent Data Encryption.

  2. On the Transparent Data Encryption home page, expand the Encrypted Objects section.

  3. Select the encrypted tablespace from the Encrypted Tablespaces table.

  4. Click the Online Operation menu in the Encrypted Tablespaces pane, and select Decrypt.

    Figure: TDE online decrypt

  5. In the Decrypt pop-up window, the Target path column in the Datafiles section lists the new data files that online decryption will create. To keep the old data files after the decryption operation, select the relevant check box.

  6. You may schedule the decryption for a future time. Select the relevant radio button and configure the scheduled time, if required.

  7. Click OK.

A job is scheduled to complete the decryption process. You can view the job status in the Jobs section on the Transparent Data Encryption home page.

22.4 Changing the Encryption Algorithm of an Encrypted Tablespace - Rekey

To change the encryption algorithm of an encrypted tablespace, an operation also known as Rekey, follow the steps below:

  1. From the Database home page, click Security and then select Transparent Data Encryption.

  2. On the Transparent Data Encryption home page, expand the Encrypted Objects section.

  3. Click the Online Operation menu in the Encrypted Tablespaces pane, and select Rekey.

  4. In the Rekey pop-up window, select the new encryption algorithm.

    Figure: TDE rekey

  5. The Target path column lists the new data files that the online rekey operation will create. To keep the old data files after the rekey operation, select the relevant check box.

  6. You may schedule the rekey for a future time. Select the relevant radio button and configure the scheduled time, if required.

  7. Click OK.

A job is scheduled to complete the rekey process. You can view the job status in the Jobs section on the Transparent Data Encryption home page.
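The three Online Operation actions above (Encrypt in 22.2, Decrypt in 22.3 and Rekey in 22.4) all drive the same ALTER TABLESPACE ... ENCRYPTION ONLINE statement, with FILE_NAME_CONVERT supplying the "Target path" for each new data file. The following is an added example, not code from the Oracle documentation; it assumes a tablespace USERS with a single data file under /u01/oradata/ORCL, and that the keystore is already open as in 22.1.

```sql
-- Added example (not from the Oracle Enterprise Manager documentation):
-- SQL equivalents of the Online Operation menu. USERS and the
-- /u01/oradata/ORCL paths are placeholders; substitute your own.
-- FILE_NAME_CONVERT takes (old_path, new_path) pairs, one pair per file.

-- 22.2  Encrypt online. The database writes an encrypted copy of each data
-- file at the converted path while the tablespace stays in use, then
-- switches the tablespace over to the new files.
ALTER TABLESPACE users
  ENCRYPTION ONLINE USING 'AES256' ENCRYPT
  FILE_NAME_CONVERT = ('/u01/oradata/ORCL/users01.dbf',
                       '/u01/oradata/ORCL/users01_enc.dbf');

-- 22.3  Decrypt online: the same mechanism in the other direction.
ALTER TABLESPACE users
  ENCRYPTION ONLINE DECRYPT
  FILE_NAME_CONVERT = ('/u01/oradata/ORCL/users01_enc.dbf',
                       '/u01/oradata/ORCL/users01.dbf');

-- 22.4  Rekey online: re-encrypt with a new tablespace key and, through
-- the USING clause, a different algorithm, again via fresh data files.
ALTER TABLESPACE users
  ENCRYPTION ONLINE USING 'AES256' REKEY
  FILE_NAME_CONVERT = ('/u01/oradata/ORCL/users01_enc.dbf',
                       '/u01/oradata/ORCL/users01_rk.dbf');

-- Progress and result. STATUS reads ENCRYPTING, DECRYPTING or REKEYING
-- while an online operation runs and NORMAL once it has finished; this is
-- the state the Encrypted Objects section shows after a refresh.
SELECT t.name, e.encryptionalg, e.encryptedts, e.status,
       e.blocks_encrypted, e.blocks_decrypted
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#
 ORDER BY t.name;

-- Which data files the tablespace uses now. Old files kept through the
-- "retain" check box no longer appear here but still exist on disk.
SELECT file_name, bytes
  FROM dba_data_files
 WHERE tablespace_name = 'USERS';
```

If the old data files are retained after an Encrypt, they still contain the cleartext the operation was meant to protect; once the new files are verified (STATUS NORMAL, application checks passed), remove the originals with a secure-delete procedure and make sure they are not picked up by backups.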

22.5 Encrypting a Tablespace in Offline Mode

To encrypt a tablespace in offline mode, you must first switch the tablespace to offline mode. To do so, follow the steps below:

  1. From the Database home page, click Security and then select Transparent Data Encryption.

  2. On the Transparent Data Encryption home page, expand the Encrypted Objects section.

  3. Click the Offline Operation menu in the Encrypted Tablespaces pane, and select Offline.

  4. In the Offline pop-up window, select the tablespace and the schedule, and click OK.

    Figure: TDE offline encrypt

A job is scheduled to switch the tablespace to offline mode.

After the tablespace is in offline mode, follow the steps below to encrypt the tablespace:

  1. Click the Offline Operation menu, and select Encrypt.

  2. Select the tablespace and the schedule.

    Note:

    In the Datafiles section, you can select the check box to choose individually which data files are to be encrypted. However, the tablespace cannot be placed in online mode until all of its data files are encrypted. If you do not select the check box, all the data files are encrypted and the tablespace is automatically switched to online mode after encryption. If you select the check box and then select all the data files under the tablespace, all the data files are encrypted but the tablespace is not switched to online mode automatically.

  3. Click OK.

22.6 Decrypting a Tablespace in Offline Mode

To decrypt a tablespace in offline mode, you must first switch the tablespace to offline mode. To do so, follow the steps below:

  1. From the Database home page, click Security and then select Transparent Data Encryption.

  2. On the Transparent Data Encryption home page, expand the Encrypted Objects section.

  3. Click the Offline Operation menu in the Encrypted Tablespaces pane, and select Offline.

  4. In the Offline pop-up window, select the tablespace and the schedule, and click OK.

A job is scheduled to switch the tablespace to offline mode.

After the tablespace is in offline mode, follow the steps below to decrypt the tablespace:

  1. Select the encrypted tablespace from the Encrypted Tablespaces table.

  2. Click the Offline Operation menu in the Encrypted Tablespaces pane, and select Decrypt.

    Figure: TDE offline decrypt

  3. In the Datafiles section, you can select the check box to choose individually which data files are to be decrypted. However, the tablespace cannot be placed in online mode if only some of its data files are decrypted. If you do not select the check box, all the data files are decrypted and the tablespace is automatically switched to online mode after decryption. If you select the check box and then select all the data files under the tablespace, all the data files are decrypted but the tablespace is not switched to online mode automatically.

  4. You may schedule the decryption for a future time. Select the relevant radio button and configure the scheduled time, if required.

  5. Click OK.

A job is scheduled to complete the decryption process. You can view the job status in the Jobs section on the Transparent Data Encryption home page.
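The offline procedures in 22.5 and 22.6 map onto three statements: take the tablespace offline, convert it in place, and bring it back online. The per-file form that the Datafiles check box exposes is shown as well, because it explains the note above about the tablespace staying offline. This is an added example, not code from the Oracle documentation; it assumes a tablespace USERS with two data files under /u01/oradata/ORCL and an open keystore. No USING clause is given, so the database's default offline algorithm applies.

```sql
-- Added example (not from the Oracle Enterprise Manager documentation):
-- SQL equivalents of the Offline Operation menu. USERS and the data file
-- paths are placeholders. Offline conversion rewrites the data files in
-- place (no auxiliary files), but the tablespace is unavailable to
-- applications while it is offline.

-- The "Offline" menu action.
ALTER TABLESPACE users OFFLINE NORMAL;

-- 22.5  Encrypt every data file of the offline tablespace in place ...
ALTER TABLESPACE users ENCRYPTION OFFLINE ENCRYPT;

-- ... and bring it back online. This is what happens automatically when
-- the Datafiles check box is left clear.
ALTER TABLESPACE users ONLINE;

-- Per-file variant (the Datafiles check box): convert one data file at a
-- time. The tablespace cannot come back online until every one of its
-- files is encrypted, which is why selecting the check box, even for all
-- files, leaves the tablespace offline for you to bring online yourself.
ALTER TABLESPACE users OFFLINE NORMAL;
ALTER DATABASE DATAFILE '/u01/oradata/ORCL/users01.dbf' ENCRYPT;
ALTER DATABASE DATAFILE '/u01/oradata/ORCL/users02.dbf' ENCRYPT;
ALTER TABLESPACE users ONLINE;

-- 22.6  Decrypt offline: the same sequence in reverse.
ALTER TABLESPACE users OFFLINE NORMAL;
ALTER TABLESPACE users ENCRYPTION OFFLINE DECRYPT;
ALTER TABLESPACE users ONLINE;

-- Verify: the tablespace should be ONLINE again, and ENCRYPTED should read
-- YES after an encrypt or NO after a decrypt.
SELECT tablespace_name, status, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'USERS';
```

Because offline conversion leaves the tablespace unreachable while it runs, schedule it through the Offline pop-up's schedule field in a maintenance window and confirm STATUS is ONLINE before releasing the system back to applications.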