Changes in This Release for Oracle Database Advanced Security Guide
This preface contains:
Changes in Oracle Database Advanced Security 23ai
Oracle Database Advanced Security Guide for Oracle Database 23ai has new security features.
- Changes for Encryption Algorithms and Modes
Starting with Oracle Database 23ai, the default encryption algorithms and the encryption modes have changed. - AES-XTS Encryption Mode Support for TDE Tablespace Encryption
Starting with Oracle Database 23ai, Transparent Database Encryption (TDE) tablespace encryption supports Advanced Encryption Standard (AES) XTS (XEX-based mode with ciphertext stealing mode) in theCREATE TABLESPACE
andALTER TABLESPACE
statements. - Schema Privileges to Simplify Access Control in Oracle Data Redaction
Starting with Oracle Database 23ai, Oracle Database supports schema privileges, which affects Oracle Data Redaction. - BOOLEAN Data Type Supported in Oracle Data Redaction
Starting with Oracle Database 23ai, Oracle Data Redaction supports theBOOLEAN
data type. - Oracle Data Guard Redo Decryption for Hybrid Disaster Recovery Configurations
Available with Oracle Database 23ai, Oracle Data Guard enables you to decrypt redo operations in hybrid cloud disaster recovery configurations where the Cloud database is encrypted with TDE and the on-premises database is not.
Changes for Encryption Algorithms and Modes
Starting with Oracle Database 23ai, the default encryption algorithms and the encryption modes have changed.
Encryption algorithm changes:
- Encryption algorithm changes:
- The default encryption algorithm for both TDE column encryption and TDE tablespace encryption is now AES256. The previous default for TDE column encryption was
AES192
. For TDE tablespace encryption, the default wasAES128
. - The decryption libraries for the
GOST
andSEED
algorithms are deprecated. New keys cannot use these algorithms. The encryption libraries for both of these libraries are desupported. The GOST decryption libraries are desupported on HP Itanium platforms.
- The default encryption algorithm for both TDE column encryption and TDE tablespace encryption is now AES256. The previous default for TDE column encryption was
- The column encryption mode is now Galois/Counter mode (GCM) instead of cipher block chaining (CBC), and in tablespace encryption, you can choose between the new "tweakable block ciphertext stealing (XTS)" operating mode or cipher feedback (CFB). XTS is the default.
- The Oracle Recovery Manager (Oracle RMAN) integrity check for column encryption keys now uses
SHA512
instead ofSHA1
. - The keys for Oracle RMAN and column keys are now derived from
SHA512
/AES for key generation. In previous releases, they usedSHA-1
/3DES as a pseudo-random function.
These enhancements enable your Oracle Database environment to use the latest, most secure algorithms and encryption modes.
Related Topics
Parent topic: Changes in Oracle Database Advanced Security 23ai
AES-XTS Encryption Mode Support for TDE Tablespace Encryption
Starting with Oracle Database 23ai, Transparent Database Encryption (TDE) tablespace encryption supports Advanced Encryption Standard (AES) XTS (XEX-based mode with ciphertext stealing mode) in the CREATE TABLESPACE
and ALTER TABLESPACE
statements.
AES-XTS provides improved security and better performance, especially on platforms where TDE can take advantage of parallel processing and specialized instructions built into processor hardware.
Related Topics
Parent topic: Changes in Oracle Database Advanced Security 23ai
Schema Privileges to Simplify Access Control in Oracle Data Redaction
Starting with Oracle Database 23ai, Oracle Database supports schema privileges, which affects Oracle Data Redaction.
This enhancement is as follows:
- The
ADMINISTER REDACTION POLICY
privilege must be granted to users as either a system privilege or a schema privilege for using theDBMS_REDACT
PL/SQL package and notCREATE TABLE
orCREATE ANY TABLE
, which was required in Oracle Database 21c. This privilege is required in addition to theEXECUTE
privilege on theDBMS_REDACT
package for data redaction policies. - The
EXEMPT REDACTION POLICY
privilege can be granted as either a system privilege or a schema privilege.
BOOLEAN Data Type Supported in Oracle Data Redaction
Starting with Oracle Database 23ai, Oracle Data Redaction supports the BOOLEAN
data type.
The BOOLEAN
data type is now an Oracle Database built-in data type.
As part of this enhancement, the DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES
procedure has a new parameter, boolean_val
, to support changing the default value for full redaction.
Oracle Data Guard Redo Decryption for Hybrid Disaster Recovery Configurations
Available with Oracle Database 23ai, Oracle Data Guard enables you to decrypt redo operations in hybrid cloud disaster recovery configurations where the Cloud database is encrypted with TDE and the on-premises database is not.
To enable this feature, Oracle Database introduces the TABLESPACE_ENCRYPTION
initialization parameter, which enables you to control the automatic encryption of tablespaces in both the primary and standby databases, for on-premises and Oracle Cloud Infrastructure (OCI) environments. For example, an on-premises database can be unencrypted and an OCI database can be encrypted.
Hybrid disaster recovery is often considered a quick-stepping stone to cloud adoption. By enabling the ability to quickly configure disaster recovery even in cases where on-premises databases might not already be encrypted with TDE, the steps required to configure hybrid disaster recovery environments are reduced while still ensuring that redo data is still encrypted during the transportation process.
Updates to Oracle Database Advanced Security 23ai
Oracle Database Advanced Security Guide for Oracle Database 23ai as the following update.
- New Parameter to Control the TDE Rekey Operations for Oracle Data Guard
You now can use theDB_RECOVERY_AUTO_REKEY
initialization parameter for Oracle Data Guard environments..
New Parameter to Control the TDE Rekey Operations for Oracle Data Guard
You now can use the DB_RECOVERY_AUTO_REKEY
initialization parameter for Oracle Data Guard environments..
DB_RECOVERY_AUTO_REKEY
controls whether an Oracle Data Guard standby database recovery operation automatically performs the corresponding tablespace rekey when it encounters a redo that says the primary database has performed a tablespace rekey operation.
This feature is useful for standby deployments with large tablespaces whose users must perform an online TDE conversion.