User-created tablespaces are encrypted by default for Oracle Database Cloud Service databases.
For Oracle Database 11g databases, the tablespaces created in conjunction with the database are all not encrypted.
For Oracle Database 12c Release 1 databases (126.96.36.199), the tablespaces that are not encrypted include the tablespaces in the root (
CDB$ROOT), the seed (
PDB$SEED), and the PDB that is created in conjunction with the database.
Creating Encrypted Tablespaces
User-created tablespaces are encrypted by default.
By default, any new tablespaces you create by using the SQL
CREATE TABLESPACE command, or any tool executing the
CREATE TABLESPACE command, will be encrypted with the AES128 encryption algorithm. You do not need to include the
USING 'encrypt_algorithm' clause to use the default encryption.
You can specify another supported algorithm by including the
USING 'encrypt_algorithm' clause on the
CREATE TABLESPACE command. Supported algorithms for Oracle Database 11g and Oracle Database 12c are AES256, AES192, AES128, and 3DES168.
Managing Tablespace Encryption
You can manage the software keystore (known as an Oracle wallet in Oracle Database 11g), the master encryption key, and control whether encryption is enabled by default.
Managing the Software Keystore and Master Encryption Key
Tablespace encryption uses a two-tiered, key-based architecture to transparently encrypt (and decrypt) tablespaces. The master encryption key is stored in an external security module (software keystore). This master encryption key is used to encrypt the tablespace encryption key, which in turn is used to encrypt and decrypt data in the tablespace.
When the database deployment is created on Database Cloud Service, a local auto-login software keystore is created. The keystore is local to the compute node and is protected by a system-generated password. The auto-login software keystore is automatically opened when accessed.
You can change (rotate) the master encryption key by using the
tde rotate masterkey subcommand of the
dbaascli utility. When you execute this subcommand you will be prompted for the keystore password. Enter the password specified during the database deployment creation process. For example:
DBAAS>tde rotate masterkey Executing command tde rotate masterkey Enter keystore password: Successfully rotated TDE masterkey
For more information about changing the master encryption key, see "Managing the TDE Master Encryption Key" in Oracle Database Advanced Security Guide for Release 12.2 or 12.1 or "Setting and Resetting the Master Encryption Key" in Oracle Database Advanced Security Administrator's Guide for Release 11.2.
Controlling Default Tablespace Encryption
ENCRYPT_NEW_TABLESPACES initialization parameter controls default encryption of new tablespaces. In Database Cloud Service databases, this parameter is set to
CLOUD_ONLY. See Viewing and Modifying Initialization Parameters for additional information.
Values of this parameter are as follows.
Any tablespace created will be transparently encrypted with the AES128 algorithm unless a different algorithm is specified on the
Tablespaces created in a Database Cloud Service database will be transparently encrypted with the AES128 algorithm unless a different algorithm is specified on the
Tablespaces are not transparently encrypted and are only encrypted if the