Data Security

In Oracle Database Exadata Cloud Service databases, data security is provided for data in transit and data at rest. Security of data in transit is achieved through network encryption. Security of data at rest is achieved through encryption of data stored in database data files and backups.

Data in Oracle Database files, including backups, is secured by the use of encryption implemented through a key management framework. Security of data across the network is provided by native Oracle Net Services encryption and integrity capabilities.

Security of Data at Rest

Oracle Database Exadata Cloud Service uses Oracle Transparent Data Encryption (TDE) to encrypt data in the database data files and in backups. Encrypted data is also protected in temporary tablespaces, undo segments, redo logs and during internal database operations such as JOIN and SORT.

TDE includes a keystore (referred to as a wallet in Oracle Database 11g and previous releases) to securely store master encryption keys, and a management framework to securely and efficiently manage the keystore and perform key maintenance operations.

TDE is the underlying mechanism used for default tablespace encryption and encrypted backups. It uses a two-tiered, key-based architecture to transparently encrypt and decrypt data. The master encryption key is stored in the software keystore. For tablespace encryption, this master encryption key is used to encrypt the tablespace encryption key, which in turn is used to encrypt and decrypt data in the tablespace. Refer to Tablespace Encryption for details on the implementation of tablespace encryption by default in Exadata Cloud Service.

When a database deployment is created on Exadata Cloud Service, a local auto-login software keystore is created. The keystore is local to the compute node and is protected by a system-generated password. The auto-login software keystore is automatically opened when accessed.

The keystore location is specified by the ENCRYPTION_WALLET_LOCATION parameter in the $ORACLE_HOME/network/admin/dbname/sqlnet.ora file, and can also be found from inside the database by querying V$ENCRYPTION_WALLET.

The Oracle keystore stores a history of retired TDE master encryption keys, which enables you to change them and still be able to decrypt data that was encrypted under an earlier TDE master encryption key.

For additional information on TDE and the keystore, refer to "Introduction to Transparent Data Encryption" in Oracle Database Advanced Security Guide for Release 18, 12.2 or 12.1 or "Securing Stored Data Using Transparent Data Encryption" in Oracle Database Advanced Security Administrator's Guide for Release 11.2.

By default, backups to Cloud Storage for Enterprise Edition databases are encrypted. Recovery Manager (RMAN) performs transparent encryption using the auto-login software keystore. Refer to "Configuring Backup Encryption" in Oracle Database Backup and Recovery User's Guide for Release 18, 12.2 or 12.1 or "Encrypting RMAN Backups" in Oracle Database Backup and Recovery User's Guide for Release 11.2.

Security of Data in Transit

Oracle Database Exadata Cloud Service uses native Oracle Net Services encryption and integrity capabilities to secure connections to the database.

Refer to Using Network Encryption and Integrity for details on how to check your configuration and verify the use of native Oracle Net Services encryption and integrity.
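As an added example that is not part of the Oracle documentation, the following SQL*Plus session verifies the posture described in both sections above: the state of the auto-login keystore (via V$ENCRYPTION_WALLET), which tablespaces are actually encrypted, the retained master key history, and the encryption and integrity services negotiated for the current network session. It assumes a database user with SELECT privilege on the V$ and DBA_ views, run from a client connection (not a local BEQ/IPC session, which negotiates no network encryption).

```sql
-- Added example (not from the Oracle documentation): TDE and Oracle Net checks
-- on an Exadata Cloud Service database. Standard Oracle 12c/18c dictionary views.

-- 1. Keystore: expect STATUS = 'OPEN' and WALLET_TYPE = 'AUTOLOGIN' or
--    'LOCAL_AUTOLOGIN' (the local auto-login software keystore created at
--    deployment). WRL_PARAMETER is the path from ENCRYPTION_WALLET_LOCATION.
--    Anything else (CLOSED, OPEN_NO_MASTER_KEY, NOT_AVAILABLE) means the
--    database cannot transparently decrypt its data files.
SELECT con_id, wrl_type, wrl_parameter, status, wallet_type
FROM   v$encryption_wallet;

-- 2. Data at rest, coverage: every permanent tablespace that is NOT encrypted.
--    With default tablespace encryption this list should be empty; each row
--    returned is data on disk that TDE does not protect and needs a decision.
SELECT tablespace_name, contents, encrypted
FROM   dba_tablespaces
WHERE  contents  = 'PERMANENT'
AND    encrypted = 'NO'
ORDER  BY tablespace_name;

-- 3. Data at rest, algorithm and key version per encrypted tablespace.
SELECT t.name AS tablespace_name, e.encryptionalg, e.key_version, e.status
FROM   v$encrypted_tablespaces e
JOIN   v$tablespace t ON t.ts# = e.ts#
ORDER  BY t.name;

-- 4. Master key history: the keystore keeps retired TDE master keys so data
--    encrypted under an earlier key stays readable after a rekey. One row per
--    key; BACKED_UP = 'NO' on any row means the keystore has not been backed
--    up since that key was created.
SELECT key_id, creation_time, activation_time, keystore_type, backed_up
FROM   v$encryption_keys
ORDER  BY activation_time;

-- 5. Data in transit: the service banner of this session lists the Oracle Net
--    encryption and crypto-checksumming (integrity) services in use. Look for
--    lines naming an 'Encryption service' and a 'Crypto-checksumming service'
--    with the negotiated algorithm (for example AES256 / SHA256); their absence
--    means this connection is in clear text.
SELECT network_service_banner
FROM   v$session_connect_info
WHERE  sid = SYS_CONTEXT('USERENV', 'SID');

-- Backups: in RMAN (not SQL), SHOW ENCRYPTION FOR DATABASE; reports whether
-- backup set encryption is ON, the setting that makes RMAN use the auto-login
-- keystore for transparent backup encryption.
```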