Tablespace Encryption
By default, all new tablespaces that you create in a Database Classic Cloud Service database are encrypted. The tablespaces created automatically when you create a database deployment are treated differently, depending on the release:
- In an Oracle Database 11g database, none of the tablespaces created when you create a database deployment are encrypted.
- In an Oracle Database 12c Release 1 database, none of the tablespaces created when you create a database deployment are encrypted. This includes the tablespaces in the root (CDB$ROOT), the seed (PDB$SEED), and the PDB created when you create a database deployment.
- In an Oracle Database 12c Release 2 or later database, only the USERS tablespaces created when you create a database deployment are encrypted. None of the other tablespaces are encrypted. This includes the tablespaces in the root (CDB$ROOT), the seed (PDB$SEED), and the PDB created when you create a database deployment.
Creating Encrypted Tablespaces
User-created tablespaces are encrypted by default.
By default, any new tablespaces created by using the SQL CREATE TABLESPACE command are encrypted with the AES128 encryption algorithm. You do not need to include the USING 'encrypt_algorithm' clause to use the default encryption.
You can specify another supported algorithm by including the USING 'encrypt_algorithm' clause in the CREATE TABLESPACE command. Supported algorithms are AES256, AES192, AES128, and 3DES168.
Managing Tablespace Encryption
You can manage the software keystore (known as an Oracle wallet in Oracle Database 11g), the master encryption key, and control whether encryption is enabled by default.
Managing the Software Keystore and Master Encryption Key
Tablespace encryption uses a two-tiered, key-based architecture to transparently encrypt (and decrypt) tablespaces. The master encryption key is stored in an external security module (software keystore). This master encryption key is used to encrypt the tablespace encryption key, which in turn is used to encrypt and decrypt data in the tablespace.
When the database deployment is created on Database Classic Cloud Service, a local auto-login software keystore is created. The keystore is local to the compute node and is protected by a system-generated password. The auto-login software keystore is automatically opened when accessed.
You can change (rotate) the master encryption key by using the tde rotate masterkey subcommand of the dbaascli utility. When you execute this subcommand you will be prompted for the keystore password. Enter the password specified during the database deployment creation process. For example:
DBAAS>tde rotate masterkey
Executing command tde rotate masterkey
Enter keystore password:
Successfully rotated TDE masterkey
For more information about changing the master encryption key, see "Managing the TDE Master Encryption Key" in Oracle Database Advanced Security Guide for Release 18, 12.2 or 12.1 or "Setting and Resetting the Master Encryption Key" in Oracle Database Advanced Security Administrator's Guide for Release 11.2.
Controlling Default Tablespace Encryption
The ENCRYPT_NEW_TABLESPACES initialization parameter controls default encryption of new tablespaces. In Database Classic Cloud Service databases, this parameter is set to CLOUD_ONLY by default. See Viewing and Modifying Initialization Parameters for additional information.
Values of this parameter are as follows.
Value | Description |
---|---|
ALWAYS | During creation, tablespaces are transparently encrypted with the AES128 algorithm unless a different algorithm is specified in the ENCRYPTION clause. |
CLOUD_ONLY | Tablespaces created in a Database Classic Cloud Service database are transparently encrypted with the AES128 algorithm unless a different algorithm is specified in the ENCRYPTION clause. This is the default value. |
DDL | During creation, tablespaces are not transparently encrypted by default, and are only encrypted if the ENCRYPTION clause is specified. |
Note:
With Oracle Database 12c Release 2 (12.2), or later, you can no longer create a new unencrypted tablespace on Database Classic Cloud Service. An error message is returned if you set ENCRYPT_NEW_TABLESPACES to DDL and issue a CREATE TABLESPACE command without specifying an ENCRYPTION clause.
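The following SQL session, added here as an example and not taken from the Oracle documentation, ties the two halves of this topic together: it checks the keystore and the ENCRYPT_NEW_TABLESPACES setting, creates a tablespace with an explicit algorithm instead of the AES128 default, and then lists any permanent tablespace that is still unencrypted (which is how an administrator confirms that the release-specific exceptions above, such as the root and seed tablespaces, have been dealt with). It assumes a SQL*Plus session with SYSDBA privileges; the tablespace name, datafile path and size are constructed placeholders.

```sql
-- Added example, not Oracle's own code. Run as SYSDBA in SQL*Plus.
-- Tablespace name, datafile path and size below are constructed placeholders.

-- 1. Confirm the software keystore is open before creating encrypted
--    tablespaces. WALLET_TYPE (e.g. LOCAL_AUTOLOGIN) exists from 12c;
--    on 11g select only WRL_TYPE, WRL_PARAMETER and STATUS.
SELECT wrl_type, wrl_parameter, status, wallet_type
  FROM v$encryption_wallet;

-- 2. Confirm the default that applies to new tablespaces
--    (CLOUD_ONLY on Database Classic Cloud Service).
SELECT name, value
  FROM v$parameter
 WHERE name = 'encrypt_new_tablespaces';

-- 3. Create a tablespace with AES256 instead of the AES128 default.
--    Under CLOUD_ONLY, omitting ENCRYPTION USING would still encrypt
--    it with AES128; stating the algorithm makes the choice explicit.
CREATE TABLESPACE app_secure
  DATAFILE '/u02/app/oracle/oradata/ORCL/app_secure01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 4. Verify every tablespace, its algorithm and encryption flag.
--    Rows showing NONE / NO hold data in the clear on disk.
SELECT t.name,
       NVL(e.encryptionalg, 'NONE') AS algorithm,
       NVL(e.encryptedts, 'NO')     AS encrypted
  FROM v$tablespace t
  LEFT JOIN v$encrypted_tablespaces e ON e.ts# = t.ts#
 ORDER BY encrypted, t.name;

-- 5. Same check from the data dictionary: permanent tablespaces that were
--    created unencrypted (for example at deployment time on 11g/12.1).
--    On a 12c CDB, run this in each PDB as well as in CDB$ROOT.
SELECT tablespace_name
  FROM dba_tablespaces
 WHERE encrypted = 'NO'
   AND contents  = 'PERMANENT';
```

Step 5 intentionally excludes temporary and undo tablespaces, since their encryption is governed separately and they would otherwise pad the list.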