5 Encrypting Columns in Tables
You can use Transparent Data Encryption to encrypt individual columns in database tables.
- About Encrypting Columns in Tables
You can encrypt individual columns in tables. - Data Types That Can Be Encrypted with TDE Column Encryption
Oracle Database supports a specific set of data types that can be used with TDE column encryption. - Restrictions on Using TDE Column Encryption
TDE column encryption is performed at the SQL layer. Oracle Database utilities that bypass the SQL layer cannot use TDE column encryption services. - Creating Tables with Encrypted Columns
Oracle Database provides a selection of different algorithms that you can use to define the encryption used in encrypted columns. - Encrypting Columns in Existing Tables
You can encrypt columns in existing tables. As with new tables, you have a choice of different algorithms to use to definite the encryption. - Creating an Index on an Encrypted Column
You can create an index on an encrypted column. - Adding Salt to an Encrypted Column
Salt, which is a random string added to data before encryption, is a way to strengthen the security of encrypted data. - Removing Salt from an Encrypted Column
You can use the ALTER TABLE SQL statement to remove salt from an encrypted column. - Changing the Encryption Key or Algorithm for Tables with Encrypted Columns
You can use theALTER TABLE
SQL statement to change the encryption key or algorithm used in encrypted columns. - Migrating the Algorithm to the Latest Supported Algorithm for Tables
Re-encrypting an already encrypted table column enables you to migrate an earlier algorithm (for example,3DES168
) to the latest supported algorithm.
5.1 About Encrypting Columns in Tables
You can encrypt individual columns in tables.
Whether you choose to encrypt individual columns or entire tablespaces depends on the data types that the table has. There are also several features that do not support TDE column encryption.
5.2 Data Types That Can Be Encrypted with TDE Column Encryption
Oracle Database supports a specific set of data types that can be used with TDE column encryption.
You can encrypt data columns that use a variety of different data types.
Supported data types are as follows:
-
BINARY_DOUBLE
-
BINARY_FLOAT
-
CHAR
-
DATE
-
INTERVAL DAY TO SECOND
-
INTERVAL YEAR TO MONTH
-
NCHAR
-
NUMBER
-
NVARCHAR2
-
RAW
(legacy or extended) -
TIMESTAMP
(includesTIMESTAMP WITH TIME ZONE
andTIMESTAMP WITH LOCAL TIME ZONE
) -
VARCHAR2
(legacy or extended)
If you want to encrypt large binary objects (LOBs), then you can use Oracle SecureFiles. Oracle SecureFiles enables you to store LOB data securely. To encrypt a LOB using SecureFiles, you use the CREATE TABLE
or ALTER TABLE
statements.
You cannot encrypt a column if the encrypted column size is greater than the size allowed by the data type of the column.
Table 5-1 shows the maximum allowable sizes for various data types.
Table 5-1 Maximum Allowable Size for Data Types
Data Type | Maximum Size |
---|---|
|
1932 bytes |
|
3932 bytes |
|
32,699 bytes |
|
1966 bytes |
|
16,315 bytes |
|
966 bytes |
|
32,699 bytes |
Note:
TDE tablespace encryption does not have these data type restrictions.
5.3 Restrictions on Using TDE Column Encryption
TDE column encryption is performed at the SQL layer. Oracle Database utilities that bypass the SQL layer cannot use TDE column encryption services.
Do not use TDE column encryption with the following database features:
-
Index types other than B-tree
-
Range scan search through an index
-
Synchronous change data capture
-
Transportable tablespaces
-
Columns that have been created as identity columns
In addition, you cannot use TDE column encryption to encrypt columns used in foreign key constraints.
Applications that must use these unsupported features can use the DBMS_CRYPTO
PL/SQL package for their encryption needs.
Transparent Data Encryption protects data stored on a disk or other media. It does not protect data in transit. Use the network encryption solutions discussed in Oracle Database Security Guide to encrypt data over the network.
5.4 Creating Tables with Encrypted Columns
Oracle Database provides a selection of different algorithms that you can use to define the encryption used in encrypted columns.
- About Creating Tables with Encrypted Columns
You can use theCREATE TABLE
SQL statement to create a table with an encrypted column. - Creating a Table with an Encrypted Column Using the Default Algorithm
By default, TDE uses theAES
encryption algorithm with a 256-bit key length (AES256
). - Creating a Table with an Encrypted Column Using No Algorithm or a Non-Default Algorithm
You an use theCREATE TABLE
SQL statement to create a table with an encrypted column. - Using the NOMAC Parameter to Save Disk Space and Improve Performance
You can bypass checks that Transparent Data Encryption (TDE) performs. This can save up to 20 bytes of disk space per encrypted value. - Example: Using the NOMAC Parameter in a CREATE TABLE Statement
You can use theCREATE TABLE
SQL statement to encrypt a table column using the NOMAC parameter. - Example: Changing the Integrity Algorithm for a Table
You can use theALTER TABLE
SQL statement in different foregrounds to convert different offline tablespaces in parallel. - Creating an Encrypted Column in an External Table
The external table feature enables you to access data in external sources as if the data were in a database table.
Parent topic: Encrypting Columns in Tables
5.4.1 About Creating Tables with Encrypted Columns
You can use the CREATE TABLE
SQL statement to create a table with an encrypted column.
To create relational tables with encrypted columns, you can specify the SQL ENCRYPT
clause when you define database columns with the CREATE TABLE
SQL statement.
Parent topic: Creating Tables with Encrypted Columns
5.4.2 Creating a Table with an Encrypted Column Using the Default Algorithm
By default, TDE uses the AES
encryption algorithm with a 256-bit key length (AES256
).
AES256
algorithm. TDE adds salt to plaintext before encrypting it. Adding salt makes it harder for attackers to steal data through a brute force attack. TDE also adds a Message Authentication Code (MAC) to the data for integrity checking. The SHA-1
integrity algorithm is used by default. (Starting with Oracle Database release 21c, SHA-1
is deprecated. If you use TDE column encryption, then Oracle recommends that you implement TDE tablespace encryption instead.)
Parent topic: Creating Tables with Encrypted Columns
5.4.3 Creating a Table with an Encrypted Column Using No Algorithm or a Non-Default Algorithm
You an use the CREATE TABLE
SQL statement to create a table with an encrypted column.
NO SALT
parameter.
- To create a table that uses an encrypted column that is a non-default algorithm or no algorithm, run the
CREATE TABLE
SQL statement as follows:- If you do not want to use any algorithm, then include the
ENCRYPT NO SALT
clause. - If you want to use a non-default algorithm, then use the
ENCRYPT USING
clause, followed by one of the following algorithms enclosed in single quotation marks:-
3DES168
-
AES128
-
AES192
(default) -
AES256
(default)
The following example shows how to specify encryption settings for the
empID
andsalary
columns.CREATE TABLE employee ( first_name VARCHAR2(128), last_name VARCHAR2(128), empID NUMBER ENCRYPT NO SALT, salary NUMBER(6) ENCRYPT USING 'AES128');
In this example:
-
The
empID
column is encrypted and does not use salt. Both theempID
andsalary
columns will use theAES128
encryption algorithm, because all of the encrypted columns in a table must use the same encryption algorithm. -
The
salary
column is encrypted using theAES128
encryption algorithm. Note that the string that specifies the algorithm must be enclosed in single quotation marks (' '). Thesalary
column uses salt by default.
-
- If you do not want to use any algorithm, then include the
Parent topic: Creating Tables with Encrypted Columns
5.4.4 Using the NOMAC Parameter to Save Disk Space and Improve Performance
You can bypass checks that Transparent Data Encryption (TDE) performs. This can save up to 20 bytes of disk space per encrypted value.
SHA-1
integrity algorithm by default. (Starting with Oracle Database release 21c, SHA-1
is deprecated. If you use TDE column encryption, then Oracle recommends that you implement TDE tablespace encryption instead.) All of the encrypted columns in a table must use the same integrity algorithm. If you already have a table column using the SHA-1
algorithm, then you cannot use the NOMAC
parameter to encrypt another column in the same table.
- To bypass the integrity check during encryption and decryption operations, use the
NOMAC
parameter in theCREATE TABLE
andALTER TABLE
statements.
Parent topic: Creating Tables with Encrypted Columns
5.4.5 Example: Using the NOMAC Parameter in a CREATE TABLE Statement
You can use the CREATE TABLE
SQL statement to encrypt a table column using the NOMAC parameter.
Example 5-1 creates a table with an encrypted column. The empID
column is encrypted using the NOMAC
parameter.
Example 5-1 Using the NOMAC parameter in a CREATE TABLE statement
CREATE TABLE employee (
first_name VARCHAR2(128),
last_name VARCHAR2(128),
empID NUMBER ENCRYPT 'NOMAC' ,
salary NUMBER(6));
Parent topic: Creating Tables with Encrypted Columns
5.4.6 Example: Changing the Integrity Algorithm for a Table
You can use the ALTER TABLE
SQL statement in different foregrounds to convert different offline tablespaces in parallel.
Example 5-2 shows how to change the integrity algorithm for encrypted columns in a table. The encryption algorithm is set to AES256
and the integrity algorithm is set to SHA-1
. The second ALTER TABLE
statement sets the integrity algorithm to NOMAC
.
Example 5-2 Changing the Integrity Algorithm for a Table
ALTER TABLE EMPLOYEE REKEY USING 'AES256' 'SHA-1'; ALTER TABLE EMPLOYEE REKEY USING 'AES256' 'NOMAC';
Parent topic: Creating Tables with Encrypted Columns
5.4.7 Creating an Encrypted Column in an External Table
The external table feature enables you to access data in external sources as if the data were in a database table.
ORACLE_DATAPUMP
access driver.
Parent topic: Creating Tables with Encrypted Columns
5.5 Encrypting Columns in Existing Tables
You can encrypt columns in existing tables. As with new tables, you have a choice of different algorithms to use to definite the encryption.
- About Encrypting Columns in Existing Tables
TheALTER TABLE
SQL statement enables you to encrypt columns in an existing table. - Adding an Encrypted Column to an Existing Table
You can encrypt columns in existing tables, use a different algorithm, and useNO SALT
to index the column. - Encrypting an Unencrypted Column
You can use theALTER TABLE MODIFY
statement to encrypt an existing unencrypted column. - Decrypting an Application Table Column
You may want to decrypt an encrypted application table column, for example after encrypting the tablespace that contains the application table.
Parent topic: Encrypting Columns in Tables
5.5.1 About Encrypting Columns in Existing Tables
The ALTER TABLE
SQL statement enables you to encrypt columns in an existing table.
To add an encrypted column to an existing table, or to encrypt or decrypt an existing column, you use the ALTER TABLE
SQL statement with the ADD
or MODIFY
clause.
Parent topic: Encrypting Columns in Existing Tables
5.5.2 Adding an Encrypted Column to an Existing Table
You can encrypt columns in existing tables, use a different algorithm, and use NO SALT
to index the column.
Parent topic: Encrypting Columns in Existing Tables
5.5.3 Encrypting an Unencrypted Column
You can use the ALTER TABLE MODIFY
statement to encrypt an existing unencrypted column.
Parent topic: Encrypting Columns in Existing Tables
5.5.4 Decrypting an Application Table Column
You may want to decrypt an encrypted application table column, for example after encrypting the tablespace that contains the application table.
Parent topic: Encrypting Columns in Existing Tables
5.6 Creating an Index on an Encrypted Column
You can create an index on an encrypted column.
ORA-28338: cannot encrypt indexed column(s) with salt
error is raised.
Parent topic: Encrypting Columns in Tables
5.7 Adding Salt to an Encrypted Column
Salt, which is a random string added to data before encryption, is a way to strengthen the security of encrypted data.
Parent topic: Encrypting Columns in Tables
5.8 Removing Salt from an Encrypted Column
You can use the ALTER TABLE SQL statement to remove salt from an encrypted column.
Parent topic: Encrypting Columns in Tables
5.9 Changing the Encryption Key or Algorithm for Tables with Encrypted Columns
You can use the ALTER TABLE
SQL statement to change the encryption key or algorithm used in encrypted columns.
ALTER TABLE
statement. This process generates a new key, decrypts the data in the table using the previous key, reencrypts the data using the new key, and then updates the table metadata with the new key information. You can also use a different encryption algorithm for the new TDE table key.
Parent topic: Encrypting Columns in Tables
5.10 Migrating the Algorithm to the Latest Supported Algorithm for Tables
Re-encrypting an already encrypted table column enables you to migrate an earlier algorithm (for example, 3DES168
) to the latest supported algorithm.
Parent topic: Encrypting Columns in Tables