Tablespace Encryption
By default, all new tablespaces that you create in an Exadata Cloud Service database are encrypted.
However, the tablespaces that are initially created in conjunction with the database deployment may not be encrypted by default.
-
For database deployments that use Oracle Database 12c Release 2 or later, only the
USERStablespaces initially created in conjunction with the database deployment are encrypted. No other tablespaces are encrypted including the non-USERStablespaces in:-
The root container (
CDB$ROOT). -
The seed pluggable database (
PDB$SEED). -
The first PDB, which is created in conjunction with the database deployment.
-
-
For database deployments that use Oracle Database 12c Release 1 or Oracle Database 11g, none of the tablespaces initially created in conjunction with the database deployment are encrypted.
For further information about the implementation of tablespace encryption in Exadata Cloud Service, along with how it impacts various deployment scenarios, see Oracle Database Tablespace Encryption Behavior in Oracle Cloud.
Creating Encrypted Tablespaces
User-created tablespaces are encrypted by default.
By default, any new tablespaces created by using the SQL CREATE TABLESPACE command are encrypted with the AES128 encryption algorithm. You do not need to include the USING 'encrypt_algorithm' clause to use the default encryption.
You can specify another supported algorithm by including the USING 'encrypt_algorithm' clause in the CREATE TABLESPACE command. Supported algorithms are AES256, AES192, AES128, and 3DES168.
Managing Tablespace Encryption
You can manage the software keystore (known as an Oracle wallet in Oracle Database 11g), the master encryption key, and control whether encryption is enabled by default.
Managing the Master Encryption Key
Tablespace encryption uses a two-tiered, key-based architecture to transparently encrypt (and decrypt) tablespaces. The master encryption key is stored in an external security module (software keystore). This master encryption key is used to encrypt the tablespace encryption key, which in turn is used to encrypt and decrypt data in the tablespace.
When a database deployment is created on Exadata Cloud Service, a local software keystore is created. The keystore is local to the compute nodes and is protected by the administration password specified during the deployment process. The auto-login software keystore is automatically opened when the database is started.
You can change (rotate) the master encryption key by using the ADMINISTER KEY MANAGEMENT SQL statement. For example:
SQL> ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY USING TAG 'tag'
IDENTIFIED BY password WITH BACKUP USING 'backup';
keystore altered.See "Managing the TDE Master Encryption Key" in Oracle Database Advanced Security Guide for Release 18, 12.2 or 12.1 or "Setting and Resetting the Master Encryption Key" in Oracle Database Advanced Security Administrator's Guide for Release 11.2.
Controlling Default Tablespace Encryption
The ENCRYPT_NEW_TABLESPACES initialization parameter controls the
default encryption of new tablespaces. In Exadata Cloud Service databases, this parameter is set to
CLOUD_ONLY by default.
Values of this parameter are as follows.
| Value | Description |
|---|---|
|
|
During creation, tablespaces are transparently encrypted with the AES128 algorithm unless a different algorithm is specified in the |
|
|
Tablespaces created in an Exadata Cloud Service database are transparently encrypted with the AES128 algorithm unless a different algorithm is specified in the |
|
|
During creation, tablespaces are not transparently encrypted by default, and are only encrypted if the |
Note:
With Oracle Database 12c Release 2 (12.2), or later, you can no longer create a new unencrypted tablespace on Exadata Cloud Service. An error message is returned if you setENCRYPT_NEW_TABLESPACES to DDL and issue a CREATE TABLESPACE command without specifying an ENCRYPTION clause.