Using Tablespace Encryption in Database Cloud Service

User-created tablespaces are encrypted by default for Oracle Database Cloud Service databases.

All new tablespaces that you create in a Database Cloud Service database are encrypted by default. However, the tablespaces that are created in conjunction with the database deployment are generally not encrypted by default:
  • For Oracle Database 11g databases, none of the tablespaces created in conjunction with the database are encrypted.

  • For Oracle Database 12c Release 1 databases (12.1.0.2), the tablespaces that are not encrypted include the tablespaces in the root (CDB$ROOT), the seed (PDB$SEED), and the PDB that is created in conjunction with the database.

Creating Encrypted Tablespaces

User-created tablespaces are encrypted by default.

By default, any new tablespaces you create by using the SQL CREATE TABLESPACE command, or any tool executing the CREATE TABLESPACE command, will be encrypted with the AES128 encryption algorithm. You do not need to include the USING 'encrypt_algorithm' clause to use the default encryption.

You can specify another supported algorithm by including the USING 'encrypt_algorithm' clause on the CREATE TABLESPACE command. Supported algorithms for Oracle Database 11g and Oracle Database 12c are AES256, AES192, AES128, and 3DES168.

Managing Tablespace Encryption

You can manage the software keystore (known as an Oracle wallet in Oracle Database 11g) and the master encryption key, and you can control whether encryption is enabled by default for new tablespaces.

Managing the Software Keystore and Master Encryption Key

Tablespace encryption uses a two-tiered, key-based architecture to transparently encrypt (and decrypt) tablespaces. The master encryption key is stored in an external security module (software keystore). This master encryption key is used to encrypt the tablespace encryption key, which in turn is used to encrypt and decrypt data in the tablespace.

When the database deployment is created on Database Cloud Service, a local auto-login software keystore is created. The keystore is local to the compute node and is protected by a system-generated password. The auto-login software keystore is automatically opened when accessed.

You can change (rotate) the master encryption key by using the tde rotate masterkey subcommand of the dbaascli utility. When you execute this subcommand you will be prompted for the keystore password. Enter the password specified during the database deployment creation process. For example:

DBAAS>tde rotate masterkey
Executing command tde rotate masterkey
Enter keystore password:
Successfully rotated TDE masterkey

For more information about changing the master encryption key, see "Managing the TDE Master Encryption Key" in Oracle Database Advanced Security Guide for Release 12.2 or 12.1 or "Setting and Resetting the Master Encryption Key" in Oracle Database Advanced Security Administrator's Guide for Release 11.2.

Controlling Default Tablespace Encryption

The ENCRYPT_NEW_TABLESPACES initialization parameter controls default encryption of new tablespaces. In Database Cloud Service databases, this parameter is set to CLOUD_ONLY. See Viewing and Modifying Initialization Parameters for additional information.

Values of this parameter are as follows.

ALWAYS: Any tablespace created will be transparently encrypted with the AES128 algorithm unless a different algorithm is specified on the ENCRYPTION clause.

CLOUD_ONLY: Tablespaces created in a Database Cloud Service database will be transparently encrypted with the AES128 algorithm unless a different algorithm is specified on the ENCRYPTION clause. For non-Database Cloud Service databases, tablespaces will only be encrypted if the ENCRYPTION clause is specified. This is the default value.

DDL: Tablespaces are not transparently encrypted and are only encrypted if the ENCRYPTION clause is specified.
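The following SQL*Plus session is an added example, not taken from this page or from Oracle's documentation. It ties together the CREATE TABLESPACE behaviour described under "Creating Encrypted Tablespaces" and the ENCRYPT_NEW_TABLESPACES setting described above: one tablespace is created without an ENCRYPTION clause and one with AES256, and the dictionary views are then queried to confirm what actually happened. The tablespace names and datafile paths are assumed placeholders.

```sql
-- Assumed placeholders: tablespace names APP_DATA/APP_SECURE and the datafile paths.
-- 1. Check the deployment default. On Database Cloud Service this should be CLOUD_ONLY.
SELECT name, value
  FROM v$parameter
 WHERE name = 'encrypt_new_tablespaces';

-- 2. Confirm the auto-login keystore (wallet) is open before creating encrypted tablespaces.
--    These three columns exist in both 11g and 12c; STATUS should read OPEN.
SELECT wrl_type, wrl_parameter, status
  FROM v$encryption_wallet;

-- 3. No ENCRYPTION clause: with CLOUD_ONLY (or ALWAYS) this is still encrypted with AES128.
CREATE TABLESPACE app_data
  DATAFILE '/u02/app/oracle/oradata/ORCL/app_data01.dbf' SIZE 100M;

-- 4. Explicit algorithm: override the AES128 default with AES256.
--    With ENCRYPT_NEW_TABLESPACES = DDL, this clause is the only way to get encryption at all.
CREATE TABLESPACE app_secure
  DATAFILE '/u02/app/oracle/oradata/ORCL/app_secure01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 5. Verify. Both user tablespaces should show ENCRYPTED = YES with the expected algorithm;
--    the tablespaces created with the deployment itself (SYSTEM, SYSAUX, and so on) show NO,
--    which is the gap this page warns about for 11g and 12.1.0.2 deployments.
SELECT t.tablespace_name,
       t.encrypted,
       e.encryptionalg
  FROM dba_tablespaces t
  JOIN v$tablespace v
    ON v.name = t.tablespace_name
  LEFT JOIN v$encrypted_tablespaces e
    ON e.ts# = v.ts#
 ORDER BY t.tablespace_name;
```

Run the last query periodically, or alert on any row where ENCRYPTED = 'NO' that is not an expected deployment-created tablespace, to catch tablespaces created on a database where the parameter was changed away from CLOUD_ONLY.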