Changes in This Release for Oracle Database Advanced Security Guide

This preface contains:

Changes in Oracle Database Advanced Security 23ai

Oracle Database Advanced Security Guide for Oracle Database 23ai has new security features.

Changes for Encryption Algorithms and Modes

Starting with Oracle Database 23ai, the default encryption algorithms and the encryption modes have changed.

  • Encryption algorithm changes:
    • The default encryption algorithm for both TDE column encryption and TDE tablespace encryption is now AES256. The previous default for TDE column encryption was AES192. For TDE tablespace encryption, the default was AES128.
    • The decryption libraries for the GOST and SEED algorithms are deprecated. New keys cannot use these algorithms. The encryption libraries for both of these algorithms are desupported. The GOST decryption libraries are desupported on HP Itanium platforms.
  • The column encryption mode is now Galois/Counter Mode (GCM) instead of cipher block chaining (CBC). For tablespace encryption, you can choose between the new tweakable block ciphertext stealing (XTS) operating mode and cipher feedback (CFB) mode. XTS is the default.
  • The Oracle Recovery Manager (Oracle RMAN) integrity check for column encryption keys now uses SHA512 instead of SHA1.
  • Key generation for Oracle RMAN keys and column keys now uses SHA512/AES as the pseudo-random function. In previous releases, SHA-1/3DES was used.

These enhancements enable your Oracle Database environment to use the latest, most secure algorithms and encryption modes.

AES-XTS Encryption Mode Support for TDE Tablespace Encryption

Starting with Oracle Database 23ai, Transparent Database Encryption (TDE) tablespace encryption supports Advanced Encryption Standard (AES) XTS (XEX-based tweaked-codebook mode with ciphertext stealing) in the CREATE TABLESPACE and ALTER TABLESPACE statements.

AES-XTS provides improved security and better performance, especially on platforms where TDE can take advantage of parallel processing and specialized instructions built into processor hardware.
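The following SQL is an added example, not taken from the Oracle guide, showing how the 23ai defaults described above (AES256 for both tablespace and column encryption, XTS for tablespaces, GCM for columns) are applied and then verified. The tablespace names, datafile paths, and the HR table are placeholders invented for this example, and it assumes an open TDE keystore. The clause for selecting CFB instead of XTS is not shown here; take it from the SQL Language Reference for your release.

```sql
-- Added example (not from the Oracle guide). Assumes an open TDE keystore;
-- tablespace names, datafile paths and hr.employee_pii are placeholders.

-- Tablespace encryption with no USING clause: on 23ai this selects
-- AES256 in XTS mode (previously AES128 in CFB).
CREATE TABLESPACE tde_ts
  DATAFILE '/u01/oradata/ORCL/tde_ts01.dbf' SIZE 100M
  ENCRYPTION ENCRYPT;

-- Naming the algorithm explicitly keeps the intent visible in DDL review
-- and fails fast if someone requests a deprecated algorithm such as GOST.
CREATE TABLESPACE tde_ts_explicit
  DATAFILE '/u01/oradata/ORCL/tde_ts02.dbf' SIZE 100M
  ENCRYPTION USING 'AES256' ENCRYPT;

-- Column encryption: the default algorithm is now AES256 and the mode is
-- GCM. NO SALT is only appropriate where the column must be indexed.
CREATE TABLE hr.employee_pii (
  emp_id  NUMBER PRIMARY KEY,
  tax_id  VARCHAR2(16) ENCRYPT,                       -- AES256 by default
  card_no VARCHAR2(19) ENCRYPT USING 'AES256' NO SALT -- indexed column
) TABLESPACE tde_ts;

CREATE INDEX hr.employee_pii_card_ix ON hr.employee_pii (card_no);

-- Verification: confirm what the database actually applied rather than
-- trusting the defaults. ENCRYPTEDTS is YES for encrypted tablespaces.
SELECT t.name, e.encryptionalg, e.encryptedts, e.key_version, e.status
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#
 WHERE t.name IN ('TDE_TS', 'TDE_TS_EXPLICIT');

SELECT owner, table_name, column_name, encryption_alg, salt, integrity_alg
  FROM dba_encrypted_columns
 WHERE owner = 'HR' AND table_name = 'EMPLOYEE_PII';
```

The two SELECT statements are the useful part for an audit: a tablespace or column created on a pre-23ai release keeps its original algorithm, so the reported ENCRYPTIONALG and ENCRYPTION_ALG values, not the release number, tell you which objects still use AES128 or AES192.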

Schema Privileges to Simplify Access Control in Oracle Data Redaction

Starting with Oracle Database 23ai, Oracle Database supports schema privileges, which affects Oracle Data Redaction.

This enhancement is as follows:

  • To use the DBMS_REDACT PL/SQL package, users must now be granted the ADMINISTER REDACTION POLICY privilege, as either a system privilege or a schema privilege. In Oracle Database 21c, the CREATE TABLE or CREATE ANY TABLE privilege was required instead. ADMINISTER REDACTION POLICY is required in addition to the EXECUTE privilege on the DBMS_REDACT package for data redaction policies.
  • The EXEMPT REDACTION POLICY privilege can be granted as either a system privilege or a schema privilege.

BOOLEAN Data Type Supported in Oracle Data Redaction

Starting with Oracle Database 23ai, Oracle Data Redaction supports the BOOLEAN data type.

The BOOLEAN data type is now an Oracle Database built-in data type.

As part of this enhancement, the DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES procedure has a new parameter, boolean_val, to support changing the default value for full redaction.
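The following SQL is an added example, not from the Oracle guide, that covers both of the Data Redaction changes above: granting ADMINISTER REDACTION POLICY and EXEMPT REDACTION POLICY as schema privileges rather than system privileges, and using the new boolean_val parameter of DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES before redacting a BOOLEAN column. The users sec_admin and analyst and the table hr.accounts are placeholders created for this example; the procedure and privilege names are from the page.

```sql
-- Added example (not from the Oracle guide). Users sec_admin and analyst
-- and table hr.accounts are placeholders for this example.

-- Run as a privileged administrator.
-- 23ai: ADMINISTER REDACTION POLICY replaces the 21c requirement for
-- CREATE TABLE / CREATE ANY TABLE. Granting it ON SCHEMA hr confines
-- sec_admin to policies on HR objects instead of a database-wide right.
GRANT ADMINISTER REDACTION POLICY ON SCHEMA hr TO sec_admin;
GRANT EXECUTE ON SYS.DBMS_REDACT TO sec_admin;   -- still required

-- Exemption can be scoped the same way: analyst sees unredacted HR data
-- only, not every redacted column in the database.
GRANT EXEMPT REDACTION POLICY ON SCHEMA hr TO analyst;

-- Sample table using the 23ai built-in BOOLEAN type.
CREATE TABLE hr.accounts (
  acct_id   NUMBER PRIMARY KEY,
  balance   NUMBER,
  is_frozen BOOLEAN
);
INSERT INTO hr.accounts VALUES (1, 2500, TRUE);
INSERT INTO hr.accounts VALUES (2, 90,   FALSE);
COMMIT;

-- Run as sec_admin.
-- Set the value returned for fully redacted BOOLEAN columns. The change
-- is database-wide; check the DBMS_REDACT reference for when it takes
-- effect on your release.
BEGIN
  DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES(boolean_val => FALSE);
END;
/

-- Full redaction of the BOOLEAN column for every session; analyst is
-- exempt through the schema privilege, so no user test is needed in
-- the policy expression.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema => 'HR',
    object_name   => 'ACCOUNTS',
    policy_name   => 'accounts_redact',
    column_name   => 'IS_FROZEN',
    function_type => DBMS_REDACT.FULL,
    expression    => '1=1');
END;
/

-- Check: the policy and the redacted column are registered.
SELECT object_owner, object_name, policy_name, expression, enable
  FROM redaction_policies
 WHERE object_owner = 'HR';

SELECT object_owner, object_name, column_name, function_type
  FROM redaction_columns
 WHERE object_owner = 'HR';
```

Running SELECT acct_id, is_frozen FROM hr.accounts as an ordinary user returns the configured boolean_val for every row, while analyst sees the stored values. Note that the two grants above are on SCHEMA hr only: sec_admin cannot add policies on other schemas, and analyst is still redacted everywhere else.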

Oracle Data Guard Redo Decryption for Hybrid Disaster Recovery Configurations

Available with Oracle Database 23ai, Oracle Data Guard enables you to decrypt redo operations in hybrid cloud disaster recovery configurations where the Cloud database is encrypted with TDE and the on-premises database is not.

To enable this feature, Oracle Database introduces the TABLESPACE_ENCRYPTION initialization parameter, which enables you to control the automatic encryption of tablespaces in both the primary and standby databases, for on-premises and Oracle Cloud Infrastructure (OCI) environments. For example, an on-premises database can be unencrypted and an OCI database can be encrypted.

Hybrid disaster recovery is often considered a quick stepping stone to cloud adoption. Because disaster recovery can now be configured quickly even when the on-premises database is not already encrypted with TDE, fewer steps are required to set up a hybrid disaster recovery environment, while redo data remains encrypted in transit.
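The following SQL is an added example, not from the Oracle guide, of setting TABLESPACE_ENCRYPTION on each side of a hybrid Data Guard configuration where the OCI primary is encrypted and the on-premises standby is not, followed by checks that show what each database is actually doing. The page names the parameter but not its values; AUTO_ENABLE and DECRYPT_ONLY are the documented values as understood here and should be confirmed against the Database Reference for your release before use.

```sql
-- Added example (not from the Oracle guide). Parameter values are
-- assumed from the Database Reference; confirm them for your release.

-- On the OCI primary: every new tablespace is encrypted automatically,
-- so an operator cannot accidentally create an unencrypted one.
ALTER SYSTEM SET tablespace_encryption = 'AUTO_ENABLE' SCOPE=SPFILE;

-- On the on-premises standby: redo from the encrypted primary is
-- decrypted on apply and written to unencrypted datafiles, and new
-- tablespaces created here are not encrypted. The standby still needs
-- a copy of the primary's TDE keystore to decrypt that redo.
ALTER SYSTEM SET tablespace_encryption = 'DECRYPT_ONLY' SCOPE=SPFILE;

-- After restarting each instance, confirm the role and effective value
-- on each database; the two sides should differ as intended.
SELECT d.database_role, p.name, p.value
  FROM v$database d, v$parameter p
 WHERE p.name = 'tablespace_encryption';

-- Confirm per tablespace which side holds encrypted data. On the
-- DECRYPT_ONLY standby the expected result is no encrypted tablespaces.
SELECT t.name,
       NVL(e.encryptedts, 'NO') AS encrypted,
       e.encryptionalg
  FROM v$tablespace t
  LEFT JOIN v$encrypted_tablespaces e ON e.ts# = t.ts#
 ORDER BY t.name;
```

The second query is worth running on the on-premises side after a switchover or failover as well: if the standby later becomes the primary, the mismatch between the two sides' tablespace encryption states is what determines whether redo continues to be protected end to end.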

Updates to Oracle Database Advanced Security 23ai

Oracle Database Advanced Security Guide for Oracle Database 23ai has the following update.

New Parameter to Control the TDE Rekey Operations for Oracle Data Guard

You now can use the DB_RECOVERY_AUTO_REKEY initialization parameter for Oracle Data Guard environments.

DB_RECOVERY_AUTO_REKEY controls whether an Oracle Data Guard standby database recovery operation automatically performs the corresponding tablespace rekey when it encounters redo indicating that the primary database has performed a tablespace rekey operation.

This feature is useful for standby deployments with large tablespaces whose users must perform an online TDE conversion.
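The following SQL is an added example, not from the Oracle guide, for checking whether a standby has kept pace with a tablespace rekey on the primary. The page does not list the values DB_RECOVERY_AUTO_REKEY accepts, so the example only reads the parameter and compares per-tablespace key versions; the tablespace name is a placeholder.

```sql
-- Added example (not from the Oracle guide). Run the same statements on
-- the primary and on the standby and compare the output; ENCRYPTED_TS is
-- a placeholder tablespace name.

-- Read the parameter on each side together with the database role.
SELECT d.database_role, p.name, p.value, p.isdefault
  FROM v$database d, v$parameter p
 WHERE p.name = 'db_recovery_auto_rekey';

-- KEY_VERSION increases each time a tablespace is rekeyed. After an
-- online rekey on the primary, the standby's KEY_VERSION for the same
-- tablespace should match once recovery has applied the rekey redo;
-- a lower value on the standby means the rekey has not been followed.
SELECT t.name, e.key_version, e.status, e.encryptionalg
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#
 WHERE t.name = 'ENCRYPTED_TS';
```

For large tablespaces the standby's STATUS column is the useful signal while a rekey is in progress; comparing KEY_VERSION between the two sides afterwards confirms that the standby holds data under the same key generation as the primary.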