Use this DDL to encrypt obfuscated database link passwords and to use the TDE framework to manage the encryption key.


  • The TDE keystore must exist. The DDL first checks that the TDE:

    • Keystore exists.

    • Keystore is open.

    • Master Encryption Key exists in the TDE keystore.

      If any of the checks fail, the DDL fails. When this happens, you must create a TDE keystore and provision a TDE Master Key. For more information, refer to the Database Security Guide.

  • The instance initialization parameter COMPATIBLE must be set to

  • You must have SYSKM privileges to execute the command.
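The keystore checks listed above can be run by hand before issuing the DDL. The script below is an added example, not part of the original documentation; it assumes a session that can select from V$ENCRYPTION_WALLET, V$PARAMETER and DICTIONARY_CREDENTIALS_ENCRYPT, and it only reports COMPATIBLE for manual review against the required value.

```sql
-- Added example: pre-flight report for the prerequisites listed above.
-- Assumption: run in the container where the DDL will be executed, by a
-- user with SELECT on the views named here.

-- One row per prerequisite, mapped to the keystore STATUS values:
--   NOT_AVAILABLE       -> no keystore found
--   CLOSED              -> keystore exists but is not open
--   OPEN_NO_MASTER_KEY  -> keystore open, no Master Encryption Key set
--   OPEN                -> keystore open and a Master Encryption Key is set
SELECT 'Keystore exists' AS check_name,
       CASE WHEN COUNT(*) > 0 THEN 'PASS' ELSE 'FAIL' END AS result
FROM   v$encryption_wallet
WHERE  status <> 'NOT_AVAILABLE'
UNION ALL
SELECT 'Keystore is open',
       CASE WHEN COUNT(*) > 0 THEN 'PASS' ELSE 'FAIL' END
FROM   v$encryption_wallet
WHERE  status IN ('OPEN', 'OPEN_NO_MASTER_KEY',
                  'OPEN_UNKNOWN_MASTER_KEY_STATUS')
UNION ALL
SELECT 'Master Encryption Key exists',
       CASE WHEN COUNT(*) > 0 THEN 'PASS' ELSE 'FAIL' END
FROM   v$encryption_wallet
WHERE  status = 'OPEN'
UNION ALL
-- COMPATIBLE is shown as-is; compare it with the documented minimum.
SELECT 'COMPATIBLE = ' || value, 'REVIEW'
FROM   v$parameter
WHERE  name = 'compatible';

-- Current state of data dictionary credential encryption
-- (ENABLED or DISABLED), useful before and after running the DDL.
SELECT enforcement
FROM   dictionary_credentials_encrypt;
```

Any FAIL row corresponds to a condition under which the DDL itself would fail.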




This DDL encrypts existing and future obfuscated sensitive information in data dictionaries, for example database link passwords stored in SYS.LINK$.

It performs the following actions:

  • Inserts a new entry in ENC$ corresponding to SYS.LINK$.

  • Creates and initializes the SGA variable.

  • De-obfuscates obfuscated passwords in SYS.LINK$.

  • Encrypts the de-obfuscated passwords using the generated encryption key in ENC$ for SYS.LINK$.

  • Sets the flag to indicate a valid/usable dblink entry in SYS.LINK$.


This DDL is used to change the data encryption key. It is applied to SYS.LINK$ and any other tables covered under the data dictionary encryption framework.


This DDL marks encrypted passwords unusable. That means that current password entries in SYS.LINK$ are marked unusable. It deletes the key in ENC$ that was used to encrypt the credentials, and clears the SGA variable to prevent future encryption.