This preface contains:
Changes in Oracle Database Advanced Security 21c
The following are changes in Oracle Database Advanced Security Guide for Oracle Database 21c.
Sharing of TDE Master Encryption Key Across Oracle Processes
Starting with this release, you can enable sharing of Transparent Data Encryption (TDE) master encryption keys across Oracle processes.
This enhancement allows TDE-enabled Oracle databases to have their TDE master encryption keys managed by the Oracle Cloud Infrastructure (OCI) key management service (KMS). To control this functionality, you set the
TDE_KEY_CACHE initialization parameter.
Ability to Control Heartbeats in United Mode and Isolated Mode PDBs
You now can control the size of the batch of heartbeats that that use Oracle Key Vault or OCI KMS (OCI Vault) for centralized key management.
HEARTBEAT_BATCH_SIZE initialization parameter, new with this release, enables you to set the heartbeat batch size. The duration of the heartbeat period defaults to 3 seconds.
This enhancement benefits the situation where you have a very large deployment of PDBs (for example, 1000) that use Oracle Key Vault. By setting the heartbeat batch size, you can stagger the heartbeats across batches of PDBs to ensure that for each batch a heartbeat can be completed for each PDB within the batch during the heartbeat period, and also ensure that PDB keys can be reliably fetched from an Oracle Key Vault server and cached in the persistent state.
Ability to Set the Default Tablespace Encryption Algorithm
You now can set the
TABLESPACE_ENCRYPTION_DEFAULT_ALGORITHM dynamic parameter to define the default encryption algorithm for tablespace creation operations.
For example, if you set
AES256, then future tablespace creation operations will use
AES256 as the default encryption algorithm.
TABLESPACE_ENCRYPTION_DEFAULT_ALGORITHM applies to both offline and online tablespace encryption operations.
Supported encryption algorithms are
GOST256. The default value is
AES128. If you do not set
TABLESPACE_ENCRYPTION_DEFAULT_ALGORITHM, then the default encryption algorithm is the default that was used in previous releases:
Enhanced Database Availability with Zero Downtime Switch Over to an Updated PKCS#11 Library
Starting with this release, Oracle Database can switch over to an updated PKCS#11 library without incurring any system downtime.
This release introduces a new
ADMINISTER KEY MANAGEMENT SWITCHOVER TO LIBRARY 'updated_fully_qualified_file_name_of_library' FOR ALL CONTAINERS; statement, which will enable an Oracle database to switch over from the PKCS#11 library that it is currently using to the updated PKCS#11 library.
In previous releases, it was necessary to completely shut down any TDE-enabled database that used an online TDE master encryption key in Oracle Key Vault before an update to the Oracle Key Vault endpoint software could be installed. After the updated PKCS#11 library was installed, the TDE-enabled database would need to be started up again. This complete shut down followed by a start up of the database instance was necessary because long-running background processes of the database instance could not be told to unload the earlier PKCS#11 library and load the updated one.
Starting with this release, to switch over the database server to use an updated endpoint shared PKCS#11 library, you execute the
ADMINISTER KEY MANAGEMENT SWITCHOVER TO LIBRARY 'updated_fully_qualified_file_name_of_library' FOR ALL CONTAINERS; statement to initiate the switch over operation.
Improved Performance with Large Numbers of TDE Keys in Wallets or Oracle Key Vault
Oracle Database release 21c introduces improved performance for Transparent Data Encryption (TDE).
This enhancement enables faster wallet loading and key rotations in multitenant databases. It allows for faster execution of TDE administration tasks and PDB cloning operations.