6 Encryption Conversions for Tablespaces and Databases
You can perform encryption operations on both offline and online tablespaces and databases.
- About Encryption Conversion for Tablespaces and Databases: The CREATE TABLESPACE SQL statement can be used to create a new, encrypted tablespace. ALTER TABLESPACE can encrypt existing tablespaces.
- Impact of a Closed TDE Keystore on Encrypted Tablespaces: A TDE keystore can be closed or migrated while an Oracle-managed tablespace is encrypted; to disallow operations on an Oracle-managed tablespace, the database itself must be shut down.
- Restrictions on Using Transparent Data Encryption Tablespace Encryption: You should be aware of restrictions on using Transparent Data Encryption when you encrypt a tablespace.
- Creating an Encrypted New Tablespace: When you create a new tablespace, you can configure its encryption settings during the creation process.
- Setting the Tablespace Encryption Default Algorithm: The TABLESPACE_ENCRYPTION_DEFAULT_ALGORITHM initialization parameter applies to specific encryption scenarios.
- Encrypting Future Tablespaces: You can configure Oracle Database to automatically encrypt future tablespaces that you create.
- Encrypted Sensitive Credential Data in the Data Dictionary: You can encrypt sensitive credential data in the SYS.LINK$ and SYS.SCHEDULER$_CREDENTIAL system tables.
- Encryption Conversions for Existing Offline Tablespaces: You can perform offline encryption conversions by using the ALTER TABLESPACE SQL statement with the OFFLINE, ENCRYPT, and DECRYPT clauses.
- Encryption Conversions for Existing Online Tablespaces: You can encrypt and decrypt an existing online tablespace by using the ALTER TABLESPACE SQL statement with the ONLINE and ENCRYPT or DECRYPT clauses.
- Rekeying an Encrypted Tablespace: Rekeying an already encrypted tablespace enables you to change the data encryption key and, if you want, the algorithm, for example from AES128 to AES256.
- Creating an Encrypted Database Using DBCA: You can use DBCA to create an encrypted database in both single-instance multitenant and Oracle Data Guard environments.
- Encryption Conversions for Existing Databases: You can encrypt both offline and online databases.
6.1 About Encryption Conversion for Tablespaces and Databases
The CREATE TABLESPACE SQL statement can be used to create a new, encrypted tablespace. ALTER TABLESPACE can encrypt existing tablespaces.
In addition to encrypting new and existing tablespaces, you can encrypt full databases, which entails encrypting the Oracle-managed tablespaces (in this release, the SYSTEM, SYSAUX, TEMP, and UNDO tablespaces). An Oracle-supplied tablespace contains information necessary for the correct functioning (confidentiality, integrity, and availability) of the database system: the data dictionary, the temporary sort area, the undo segments, and the auxiliary data. This information is expected to be updated only internally by the Oracle database server itself and is not normally updated directly by users.
To encrypt a full database, you use the ALTER TABLESPACE statement, not ALTER DATABASE, to encrypt each of the Oracle-managed tablespaces.
The following table compares offline and online encryption conversion of tablespaces and databases.
Table 6-1 Offline and Online Tablespace and Database Encryption Conversions

| Functionality | Offline Conversion | Online Conversion |
|---|---|---|
| Release with minimum conversion capability | Oracle Database 11g release 2 (11.2) | Oracle Database 12c release 2 (12.2) and later |
| What can be backported? | The ability to encrypt or decrypt a data file with the | No |
| Algorithms supported | All symmetric encryption algorithms that TDE supports. | All symmetric encryption algorithms that TDE supports. |
| When can the conversion be run? | When the tablespace is offline or the database is in the mount stage. | When the tablespace is online and the database is open in read/write mode. |
| Is auxiliary space required for the conversion? | No | Yes |
| Oracle Data Guard conversion guidelines | Convert both the primary and the standby manually. Convert the standby first and then switch over, for minimum downtime. | After you convert the primary, the standby conversion takes place automatically. You cannot perform an online conversion directly on the standby. |
| Encrypt the | Oracle Database 12c release 2 (12.2) and later only. You must set | Oracle Database 12c release 2 (12.2) and later only. You must set |
| Can an existing | No, but you can create an encrypted | No, but you can create an encrypted |
| Can an existing tablespace be decrypted? | You can only decrypt a tablespace or data file that was previously encrypted by an offline encrypt operation. Oracle does not recommend that you decrypt the | Yes, but Oracle does not recommend that you decrypt the |
| Can encryption keys be rekeyed? | No, but after the tablespace is encrypted, you can then use online conversion to rekey it under Oracle Database 12c release 2 (12.2) compatibility. | Yes |
| Can encryption operations be run in parallel? | Yes, at the data file level, with multiple user sessions each converting a different data file. | Yes, at the tablespace level, with multiple user sessions each converting a different tablespace. |
| What to do if an encryption conversion SQL statement fails to complete? | Re-issue the encryption or decryption SQL statement to ensure that all the data files within the tablespace are consistently either encrypted or decrypted. | Rerun the SQL statement but use the |
6.2 Impact of a Closed TDE Keystore on Encrypted Tablespaces
A TDE keystore can be closed or migrated while an Oracle-managed tablespace is encrypted; to disallow operations on an Oracle-managed tablespace, the database itself must be shut down.
A closed TDE keystore has no impact on operations that involve an encrypted Oracle-managed tablespace (in this release, the SYSTEM, SYSAUX, TEMP, and UNDO tablespaces). This lets operations performed by background processes (for example, the log writer) continue to work on these tablespaces while the TDE keystore is closed. If you want to disallow operations on an encrypted Oracle-managed tablespace, then you must shut down the database.
For user-created tablespaces, a closed TDE keystore causes operations such as rotating a key or decrypting the tablespace to fail with an ORA-28365 wallet is not open error, just as in earlier releases. If you want to disallow operations on a user-created tablespace, then close the TDE keystore (or shut down the database).
Be aware of the consequence for data that crosses the boundary. While the TDE keystore is open, user-created data can be copied from a user-created tablespace into an encrypted Oracle-managed tablespace (for example, by an internal process such as DBMS_STATS statistics gathering). Closing the keystore afterward does not prevent a user from viewing that copied data, even though the V$ENCRYPTION_WALLET view reports the keystore as CLOSED at the time of the query. Only access to the original data, by querying the encrypted user-created tablespace, fails with an ORA-28365 wallet is not open error.
Table 6-2 describes the operations that are necessary to disallow or allow operations on encrypted data in user-created tablespaces and Oracle-managed tablespaces. For example, in the first scenario, both the user-created tablespaces and the Oracle-managed tablespaces are encrypted. In this case, for the encrypted data in the encrypted user-created tablespace, an administrator can close or open keystores, and shut down and open a database with an encrypted user-created tablespace. When an encrypted Oracle-managed tablespace is configured, the administrator can disallow operations by shutting down the database, and can allow operations by starting up in mount mode, opening the TDE keystore, and then opening the database. (It is necessary to open the TDE keystore before opening the database because the system may need the TDE master encryption key to decrypt the bootstrap dictionary tables, which are located in the encrypted Oracle-managed tablespace.) The N/A flags in this table refer to non-encrypted data, which you can always operate on, unless the instance is shut down.
Table 6-2 Necessary Commands to Disallow or Allow Operations on Encrypted Data

| Tablespace Encryption Scenario | Commands to Disallow Operations on Encrypted User-Created Tablespace Data | Commands to Disallow Operations on Encrypted Oracle-Managed Tablespace Data | Commands to Allow Operations on Encrypted User-Created Tablespace Data | Commands to Allow Operations on Encrypted Oracle-Managed Tablespace Data |
|---|---|---|---|---|
| Both user-created and Oracle-managed tablespaces encrypted | Close the TDE keystore (or SHUTDOWN) | SHUTDOWN | Open the TDE keystore | STARTUP MOUNT, open the TDE keystore, then open the database |
| User tablespace encrypted; Oracle-managed tablespace not encrypted | Close the TDE keystore (or SHUTDOWN) | N/A | Open the TDE keystore | N/A |
| User tablespace not encrypted; Oracle-managed tablespace encrypted | N/A | SHUTDOWN | N/A | STARTUP MOUNT, open the TDE keystore, then open the database |
| Neither user nor Oracle-managed tablespaces encrypted | N/A | N/A | N/A | N/A |
6.3 Restrictions on Using Transparent Data Encryption Tablespace Encryption
You should be aware of restrictions on using Transparent Data Encryption when you encrypt a tablespace.
Note the following restrictions:
- Transparent Data Encryption (TDE) tablespace encryption encrypts or decrypts data during read and write operations, as opposed to TDE column encryption, which encrypts and decrypts data at the SQL layer. This means that most restrictions that apply to TDE column encryption, such as data type restrictions and index type restrictions, do not apply to TDE tablespace encryption.
- To perform import and export operations, use Oracle Data Pump.
6.4 Creating an Encrypted New Tablespace
When you create a new tablespace, you can configure its encryption settings during the creation process.
- Step 1: Set the COMPATIBLE Initialization Parameter for Tablespace Encryption: You must set the COMPATIBLE initialization parameter before creating an encrypted tablespace.
- Step 2: Set the TDE Master Encryption Key: You must ensure that you have configured TDE by setting the WALLET_ROOT and TDE_CONFIGURATION parameters.
- Step 3: Create the Encrypted Tablespace: After you have set the COMPATIBLE initialization parameter, you are ready to create the encrypted tablespace.
6.4.1 Step 1: Set the COMPATIBLE Initialization Parameter for Tablespace Encryption
You must set the COMPATIBLE initialization parameter before creating an encrypted tablespace.
- About Setting the COMPATIBLE Initialization Parameter for Tablespace Encryption: A minimum COMPATIBLE initialization parameter setting of 11.2.0.0 enables the full set of tablespace encryption features.
- Setting the COMPATIBLE Initialization Parameter for Tablespace Encryption: To set the COMPATIBLE initialization parameter, you must edit the initialization parameter file for the database instance.
6.4.1.1 About Setting the COMPATIBLE Initialization Parameter for Tablespace Encryption
A minimum COMPATIBLE initialization parameter setting of 11.2.0.0 enables the full set of tablespace encryption features.
Setting the compatibility to 11.2.0.0 enables the following functionality:
- The database can use any of the four supported algorithms for data encryption (3DES168, AES128, AES192, and AES256).
- A key can be migrated from a TDE wallet to an external keystore (ensure that the TDE master encryption key was configured for the external keystore).
- The TDE master encryption key can be rekeyed.
Be aware that once you set the COMPATIBLE parameter to 11.2.0.0, the change is irreversible. To use tablespace encryption, ensure that the compatibility setting is at least the minimum, which is 11.2.0.0.
6.4.2 Step 2: Set the TDE Master Encryption Key
You must ensure that you have configured TDE by setting the WALLET_ROOT and TDE_CONFIGURATION parameters.
- Set the TDE master encryption key either in the Oracle wallet or in Oracle Key Vault. The commands for united and isolated PDBs are the same.
6.4.3 Step 3: Create the Encrypted Tablespace
After you have set the COMPATIBLE initialization parameter, you are ready to create the encrypted tablespace.
- About Creating Encrypted Tablespaces: To create an encrypted tablespace, you can use the CREATE TABLESPACE SQL statement.
- Creating an Encrypted Tablespace: To create an encrypted tablespace, you must use the CREATE TABLESPACE statement with the ENCRYPTION USING clause.
- Example: Creating an Encrypted Tablespace That Uses AES192: You can use the CREATE TABLESPACE SQL statement to create an encrypted tablespace.
- Example: Creating an Encrypted Tablespace That Uses the Default Algorithm: You can use the CREATE TABLESPACE SQL statement to create an encrypted tablespace that uses the default algorithm.
6.4.3.1 About Creating Encrypted Tablespaces
To create an encrypted tablespace, you can use the CREATE TABLESPACE SQL statement.
You must have the CREATE TABLESPACE system privilege to create an encrypted tablespace.
You can import data into an encrypted tablespace by using Oracle Data Pump. You can also use a SQL statement such as CREATE TABLE...AS SELECT... or ALTER TABLE...MOVE... to move data into an encrypted tablespace. The CREATE TABLE...AS SELECT... statement creates a table from an existing table. The ALTER TABLE...MOVE... statement moves a table into the encrypted tablespace.
You can query the ENCRYPTED column of the DBA_TABLESPACES and USER_TABLESPACES data dictionary views to verify whether a tablespace is encrypted.
6.4.3.2 Creating an Encrypted Tablespace
To create an encrypted tablespace, you must use the CREATE TABLESPACE statement with the ENCRYPTION USING clause.
Run the CREATE TABLESPACE statement, using its encryption clauses.
For example:
CREATE TABLESPACE encrypt_ts
DATAFILE '$ORACLE_HOME/dbs/encrypt_df.dbf' SIZE 1M
ENCRYPTION ENCRYPT;
In this specification:
- ENCRYPTION ENCRYPT uses the default encryption algorithm (AES256) and cipher mode (XTS). The ENCRYPT keyword is what encrypts the tablespace. To choose a different algorithm, add USING 'algorithm' between ENCRYPTION and ENCRYPT, enclosing the algorithm name in single quotation marks (' '). The key length is part of the algorithm name (for example AES128, AES192, AES256). If you omit USING, the default encryption algorithm is used.
6.4.3.3 Example: Creating an Encrypted Tablespace That Uses AES192
You can use the CREATE TABLESPACE SQL statement to create an encrypted tablespace.
Example 6-1 creates a tablespace called securespace_1 that is encrypted using the AES192 algorithm.
Example 6-1 Creating an Encrypted Tablespace That Uses AES192
CREATE TABLESPACE securespace_1 DATAFILE '/home/user/oradata/secure01.dbf' SIZE 150M ENCRYPTION USING 'AES192' ENCRYPT;
6.4.3.4 Example: Creating an Encrypted Tablespace That Uses the Default Algorithm
You can use the CREATE TABLESPACE SQL statement to create an encrypted tablespace that uses the default algorithm.
Example 6-2 creates a tablespace called securespace_2. Because no encryption algorithm is specified, the default encryption algorithm (AES256) is used.
Example 6-2 Creating an Encrypted Tablespace That Uses the Default Algorithm
CREATE TABLESPACE securespace_2 DATAFILE '/home/user/oradata/secure01.dbf' SIZE 150M ENCRYPTION ENCRYPT;
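Steps 1 to 3 of this section as one worked example, added here and not taken from the Oracle documentation. The tablespace name SECURE_TS, the data file path, and the table APP.CUSTOMERS with its index APP.CUSTOMERS_PK are assumed for illustration. What it adds to Examples 6-1 and 6-2 are the precondition checks (compatibility, keystore state), the verification queries, and the two ways this section names for moving existing data into the new tablespace.

```sql
-- Added example; not from the Oracle documentation above.
-- Assumed names: tablespace SECURE_TS, data file under /u02/oradata/ORCL,
-- table APP.CUSTOMERS with primary key index APP.CUSTOMERS_PK.
-- Run as a user with CREATE TABLESPACE (and ALTER on the table for the MOVE).

-- Step 1: COMPATIBLE must be at least 11.2.0.0. Raising it is irreversible,
-- so check the current value rather than setting it blindly.
SELECT name, value
FROM   v$parameter
WHERE  name = 'compatible';

-- Step 2: a TDE master encryption key must exist and the keystore must be open,
-- otherwise CREATE TABLESPACE ... ENCRYPT fails with ORA-28365. WALLET_TYPE tells
-- you whether the key lives in a wallet (PASSWORD / AUTOLOGIN) or in Oracle Key Vault (OKV).
SELECT con_id, wrl_type, wallet_type, status
FROM   v$encryption_wallet;

-- Step 3: create the tablespace. Name the algorithm explicitly instead of relying on
-- the default, so the result does not depend on TABLESPACE_ENCRYPTION_DEFAULT_ALGORITHM.
CREATE TABLESPACE secure_ts
  DATAFILE '/u02/oradata/ORCL/secure_ts01.dbf' SIZE 512M
  AUTOEXTEND ON NEXT 64M MAXSIZE 8G
  ENCRYPTION USING 'AES256' ENCRYPT;

-- Verify from the data dictionary (ENCRYPTED = YES) ...
SELECT tablespace_name, encrypted
FROM   dba_tablespaces
WHERE  tablespace_name = 'SECURE_TS';

-- ... and from the instance, which also reports the algorithm and whether a
-- conversion is still running (STATUS other than NORMAL).
SELECT t.name, e.encryptionalg, e.encryptedts, e.status
FROM   v$encrypted_tablespaces e
       JOIN v$tablespace t ON t.ts# = e.ts#
WHERE  t.name = 'SECURE_TS';

-- Moving existing data in, option 1: relocate the segment. Indexes on a moved
-- table become UNUSABLE and must be rebuilt; rebuild them into the encrypted
-- tablespace as well, or the indexed column values remain in clear text.
ALTER TABLE app.customers MOVE TABLESPACE secure_ts;

SELECT index_name, status
FROM   dba_indexes
WHERE  table_owner = 'APP' AND table_name = 'CUSTOMERS';

ALTER INDEX app.customers_pk REBUILD TABLESPACE secure_ts;

-- Option 2: copy into a new table created directly in the encrypted tablespace.
CREATE TABLE app.customers_enc
  TABLESPACE secure_ts
  AS SELECT * FROM app.customers;
```

Neither MOVE nor CREATE TABLE ... AS SELECT scrubs the source: the clear-text blocks of the old segment remain in the free space of the original tablespace until they are overwritten or the tablespace is dropped and its files removed, so moving a table is not by itself a way to retire a clear-text copy.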
6.5 Setting the Tablespace Encryption Default Algorithm
The TABLESPACE_ENCRYPTION_DEFAULT_ALGORITHM initialization parameter applies to specific encryption scenarios:
- Encryption commands that do not allow you to specify the encryption algorithm
- New tablespaces that are created without the encryption syntax
- The encryption algorithm for the SYSTEM tablespace
TABLESPACE_ENCRYPTION_DEFAULT_ALGORITHM only becomes effective if it is set before the first SET KEY operation with Oracle Key Vault, or before the CREATE KEYSTORE command for a TDE wallet-based TDE configuration.
TABLESPACE_ENCRYPTION_DEFAULT_ALGORITHM applies to both offline and online tablespace encryption operations. It also applies to future encrypted tablespaces, if TABLESPACE_ENCRYPTION has been set appropriately. In a multitenant environment, you can set TABLESPACE_ENCRYPTION_DEFAULT_ALGORITHM in the CDB root or in individual PDBs.
6.6 Encrypting Future Tablespaces
You can configure Oracle Database to automatically encrypt future tablespaces that you create.
- About Encrypting Future Tablespaces: The ENCRYPT_NEW_TABLESPACES dynamic database initialization parameter controls whether future tablespaces are encrypted.
- Setting Future Tablespaces to be Encrypted: You can set the ENCRYPT_NEW_TABLESPACES database initialization parameter to automatically encrypt future tablespaces that you create.
6.6.1 About Encrypting Future Tablespaces
The ENCRYPT_NEW_TABLESPACES dynamic database initialization parameter controls whether future tablespaces are encrypted.
By default, all Oracle Cloud databases are encrypted. If you install an off-the-shelf application into such a database, its installation scripts most likely do not contain the encryption syntax. In this case, because ENCRYPT_NEW_TABLESPACES is set to CLOUD_ONLY, those tablespaces are created encrypted regardless.
Note:
Starting with Oracle Database 23ai, the ENCRYPT_NEW_TABLESPACES initialization parameter is deprecated. Oracle recommends that you use the TABLESPACE_ENCRYPTION initialization parameter instead.
The following scenarios may occur when you create encrypted tablespaces across Oracle Cloud and on-premises environments:
- You create a database in Oracle Cloud; its tablespaces are encrypted because the TABLESPACE_ENCRYPTION parameter is set to AUTO_ENABLE. However, you may not intend, or may not have an Advanced Security Option license, to bring the encrypted database back on premises. For this use case, Oracle Recovery Manager (Oracle RMAN) provides the option to duplicate or restore AS DECRYPTED.
- You create a hybrid environment where the primary database is on premises and the standby database is in Oracle Cloud. If a switchover takes place, then the new primary is in Oracle Cloud. For example, suppose you do not have an Advanced Security Option (ASO) license, and a tablespace in Oracle Cloud is automatically encrypted. So that the on-premises standby is not automatically encrypted as well, the on-premises standby can set TABLESPACE_ENCRYPTION to DECRYPT_ONLY. See the Hybrid Oracle Data Guard without Transparent Data Encryption (TDE) License Oracle Database Product Management YouTube video.
6.6.2 Setting Future Tablespaces to be Encrypted
You can set the ENCRYPT_NEW_TABLESPACES database initialization parameter to automatically encrypt future tablespaces that you create.
Note:
Starting with Oracle Database 19.16, ENCRYPT_NEW_TABLESPACES is deprecated.
Oracle recommends that you use the TABLESPACE_ENCRYPTION initialization parameter instead, which is new for Oracle Database 23ai.
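The two parameters from sections 6.5 and 6.6 together, as an added configuration example that is not from the page. It assumes Oracle Database 23ai, a SYSDBA session in the container whose tablespaces are to be covered, and the tablespace name APP_DATA and file path chosen for illustration. Whether TABLESPACE_ENCRYPTION can be changed without a restart varies by release, so the example checks V$PARAMETER instead of assuming it.

```sql
-- Added example; not from the Oracle documentation above. Assumed: Oracle Database 23ai,
-- SYSDBA session in the target CDB root or PDB, tablespace APP_DATA and its file path.

-- 1. Default algorithm for every encryption operation that cannot name one itself.
--    Section 6.5 notes it only takes effect if set before the first CREATE KEYSTORE /
--    SET KEY, so set it when you provision TDE, not after tablespaces are already encrypted.
ALTER SYSTEM SET tablespace_encryption_default_algorithm = 'AES256' SCOPE = BOTH;

-- 2. Encrypt every future tablespace even when the CREATE TABLESPACE statement carries no
--    ENCRYPTION clause (third-party installer scripts). TABLESPACE_ENCRYPTION replaces the
--    deprecated ENCRYPT_NEW_TABLESPACES. SCOPE=SPFILE is the conservative choice; the query
--    below shows whether your release allows a dynamic change in this container.
ALTER SYSTEM SET tablespace_encryption = 'AUTO_ENABLE' SCOPE = SPFILE;

SELECT name, value, issys_modifiable, ispdb_modifiable
FROM   v$parameter
WHERE  name IN ('tablespace_encryption',
                'tablespace_encryption_default_algorithm',
                'encrypt_new_tablespaces');

-- 3. What an unmodified installer script does (after a restart, if step 2 needed one):
CREATE TABLESPACE app_data
  DATAFILE '/u02/oradata/ORCL/app_data01.dbf' SIZE 200M;

-- 4. Prove it was encrypted anyway, and with the algorithm from step 1.
SELECT t.name, e.encryptionalg, e.status
FROM   v$tablespace t
       JOIN v$encrypted_tablespaces e ON e.ts# = t.ts#
WHERE  t.name = 'APP_DATA';

-- 5. Policy check: any tablespace still in clear text?
SELECT tablespace_name, contents
FROM   dba_tablespaces
WHERE  encrypted = 'NO'
ORDER  BY tablespace_name;

-- 6. The hybrid Data Guard case from section 6.6.1: on an on-premises standby that must
--    not hold encrypted data (no ASO license), set DECRYPT_ONLY instead of AUTO_ENABLE.
-- ALTER SYSTEM SET tablespace_encryption = 'DECRYPT_ONLY' SCOPE = SPFILE;
```

The audit query in step 5 is worth keeping as a scheduled check: AUTO_ENABLE covers tablespaces created after the setting takes effect, not ones created before it, so pre-existing clear-text tablespaces still need the offline or online conversion described later in this chapter.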
6.7 Encrypted Sensitive Credential Data in the Data Dictionary
You can encrypt sensitive credential data in the SYS.LINK$ and SYS.SCHEDULER$_CREDENTIAL system tables.
By default, the credential data in the SYS.LINK$ and SYS.SCHEDULER$_CREDENTIAL system tables is only obfuscated. Because many kinds of de-obfuscation algorithms are readily available, Oracle recommends that you encrypt this sensitive credential data. To check the status of the data dictionary credentials, query the DICTIONARY_CREDENTIALS_ENCRYPT data dictionary view.
The encryption of sensitive credential data in these two system tables uses Transparent Data Encryption with the AES256 algorithm. To encrypt credential data, you do not need an Oracle Advanced Security Option license, but you must be granted the SYSKM administrative privilege and the database must have an open keystore.
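An added example for this section, not from the page: the statement that performs the encryption is ALTER DATABASE DICTIONARY ENCRYPT CREDENTIALS from the Oracle SQL Language Reference, which this page only points to under its related topics. The session is assumed to hold the SYSKM administrative privilege.

```sql
-- Added example; not from the Oracle documentation above.
-- Assumed: a session connected with the SYSKM administrative privilege.

-- Precondition: the keystore must be open, or the statement fails with ORA-28365.
SELECT wrl_type, wallet_type, status
FROM   v$encryption_wallet;

-- Before: credentials in SYS.LINK$ (database link passwords) and
-- SYS.SCHEDULER$_CREDENTIAL are only obfuscated, which is reversible.
SELECT * FROM dictionary_credentials_encrypt;

-- Encrypt them with TDE (AES256, as this section states). No ASO license is required.
ALTER DATABASE DICTIONARY ENCRYPT CREDENTIALS;

-- After: the view now reports the credential data as encrypted.
SELECT * FROM dictionary_credentials_encrypt;

-- To rotate the key that protects the credential data (for example on the same
-- schedule as your TDE master key rotation):
ALTER DATABASE DICTIONARY REKEY CREDENTIALS;
```

Once the credential data is encrypted, an open keystore is required to resolve database link passwords, so a closed keystore turns into a database link outage rather than a silent fallback to obfuscated storage; plan keystore availability accordingly.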
6.8 Encryption Conversions for Existing Offline Tablespaces
You can perform offline encryption conversions by using the ALTER TABLESPACE SQL statement with the OFFLINE, ENCRYPT, and DECRYPT clauses.
- About Encryption Conversions for Existing Offline Tablespaces: You can encrypt or decrypt an existing data file of a user tablespace when the tablespace is offline or when the database is not open.
- Encrypting an Existing User-Defined Tablespace with Offline Conversion: To encrypt an existing tablespace with offline conversion, you can use the ALTER TABLESPACE SQL statement with the OFFLINE and ENCRYPT clauses.
- Decrypting an Existing Tablespace with Offline Conversion: To decrypt an existing tablespace with offline conversion, you can use the ALTER TABLESPACE SQL statement with the OFFLINE and DECRYPT clauses.
6.8.1 About Encryption Conversions for Existing Offline Tablespaces
You can encrypt or decrypt an existing data file of a user tablespace when the tablespace is offline or when the database is not open.
There are two options for performing the encryption or decryption:
- Offline encryption at the data file level: This form does not allow you to specify an encryption algorithm; it uses the default encryption algorithm. For example:
ALTER DATABASE DATAFILE 'path_to_data_file.dbf' ENCRYPT;
- Offline encryption of a whole tablespace: Use the following syntax. If you omit [USING 'algorithm'], then the default encryption algorithm is used.
ALTER TABLESPACE tablespace_name ENCRYPTION OFFLINE [USING 'algorithm'] ENCRYPT;
Use the offline encryption method if you do not plan to raise the compatibility of your databases from Oracle Database 11g release 2 (11.2) or Oracle Database 12c release 1 (12.1) to release 19c, a change which is irreversible. The offline encryption method is also useful if you want to make use of Transparent Data Encryption quickly, before you upgrade the database to release 19c. You can both encrypt and decrypt offline tablespaces.
Note the following:
- If you want to encrypt the Oracle Database-supplied tablespaces (SYSTEM, SYSAUX, and UNDO) using the offline conversion method, then you must use the method that is recommended when you encrypt an existing database with offline conversion.
- You can use the online method to rekey, change the encryption algorithm of, or decrypt a tablespace that was previously encrypted with the offline method.
- If you have configured Oracle Data Guard, then you can minimize downtime by encrypting the tablespaces on the standby first, switching over, and then performing the offline encryption on the new standby (the original primary). Offline encryption, at both the data file and the tablespace level, is performed on the standby first. Online encryption, by contrast, is an Oracle Data Guard transaction and is replayed on the standby database automatically.
- You can use the USING ... ENCRYPT clause to specify an encryption algorithm. Supported algorithms are AES and ARIA with 128-, 192-, and 256-bit key lengths. To check the encryption algorithm, query the ENCRYPTIONALG column of the V$DATABASE_KEY_INFO view.
Note:
Starting with Oracle Database 23ai, TDE encryption with the GOST 28147-89 and SEED algorithms is desupported and their encryption libraries are removed. The decryption libraries for both algorithms remain available but are deprecated, and on HP Itanium platforms they are removed as well. GOST 28147-89 has been deprecated by the Russian government and SEED by the South Korean government; if you need South Korean government-approved TDE cryptography, then use ARIA instead. If you are using GOST or SEED for TDE encryption, then Oracle recommends that you perform an online rekey to another supported TDE algorithm before upgrading to Oracle Database 23ai. Except on HP Itanium, you can also decrypt GOST- or SEED-encrypted tablespaces after upgrading, because the deprecated decryption libraries are still included.
- To set the default encryption algorithm for future offline tablespace encryption operations, set the TABLESPACE_ENCRYPTION_DEFAULT_ALGORITHM dynamic parameter.
- You can use the ALTER TABLESPACE statement to convert offline tablespaces in parallel by using multiple foreground sessions to encrypt different data files.
- For Oracle Database 11g release 2 (11.2.0.4) and Oracle Database 12c release 1 (12.1.0.2), you cannot perform an offline encryption of the SYSTEM and SYSAUX tablespaces. For releases earlier than Oracle Database 19c, you cannot encrypt the SYSTEM, SYSAUX, TEMP, and UNDO tablespaces. Also, Oracle does not recommend encrypting the UNDO tablespace offline in these releases: doing so prevents the keystore from being closed, which prevents the database from functioning. Encrypting the UNDO tablespace offline is in any case unnecessary, because all undo records associated with encrypted tablespaces are already automatically encrypted in the UNDO tablespace. If you want to encrypt the TEMP tablespace, you must drop it and then recreate it as encrypted.
6.8.2 Encrypting an Existing User-Defined Tablespace with Offline Conversion
To encrypt an existing tablespace with offline conversion, you can use the ALTER TABLESPACE SQL statement with the OFFLINE and ENCRYPT clauses.
The SYSTEM and UNDO tablespaces cannot be brought offline. If you want to encrypt these tablespaces offline, then you must use the method that is described in Encrypting an Existing Database with Offline Conversion.
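Sections 6.8.1 to 6.8.3 as one worked example, added here and not from the page. It assumes a user tablespace HR_DATA with two data files under /u02/oradata/ORCL, a database that can tolerate HR_DATA being unavailable for the duration, and a current backup. SYSTEM and UNDO are deliberately left out, since they cannot be taken offline.

```sql
-- Added example; not from the Oracle documentation above. Assumed: user tablespace HR_DATA
-- with data files hr_data01.dbf and hr_data02.dbf under /u02/oradata/ORCL.

-- Preconditions: keystore open; COMPATIBLE at least 11.2.0.0; and know what the default
-- algorithm is, because the data-file-level form below cannot specify one.
SELECT status, wallet_type FROM v$encryption_wallet;
SELECT name, value
FROM   v$parameter
WHERE  name IN ('compatible', 'tablespace_encryption_default_algorithm');

-- Take a backup first. Offline conversion rewrites the data files in place (no auxiliary
-- space), so an interruption leaves some blocks encrypted and some in clear text.

-- Form 1: whole tablespace, algorithm chosen explicitly. OFFLINE NORMAL checkpoints the
-- files, so no media recovery is needed when the tablespace comes back online.
ALTER TABLESPACE hr_data OFFLINE NORMAL;
ALTER TABLESPACE hr_data ENCRYPTION OFFLINE USING 'AES256' ENCRYPT;
ALTER TABLESPACE hr_data ONLINE;

-- Form 2: data file level, with the database in MOUNT, one session per file so that
-- the files are converted in parallel. Uses the default algorithm (no USING clause).
--   STARTUP MOUNT
--   session 1: ALTER DATABASE DATAFILE '/u02/oradata/ORCL/hr_data01.dbf' ENCRYPT;
--   session 2: ALTER DATABASE DATAFILE '/u02/oradata/ORCL/hr_data02.dbf' ENCRYPT;
--   ALTER DATABASE OPEN;

-- Verify: ENCRYPTEDTS must be YES and STATUS NORMAL. If the ENCRYPT statement was
-- interrupted, re-issue it for the whole tablespace so that every file ends up encrypted.
SELECT t.name, e.encryptionalg, e.encryptedts, e.status
FROM   v$encrypted_tablespaces e
       JOIN v$tablespace t ON t.ts# = e.ts#
WHERE  t.name = 'HR_DATA';

-- Reverse (section 6.8.3): valid only for a tablespace that was encrypted offline.
ALTER TABLESPACE hr_data OFFLINE NORMAL;
ALTER TABLESPACE hr_data ENCRYPTION OFFLINE DECRYPT;
ALTER TABLESPACE hr_data ONLINE;
```

With Oracle Data Guard, these statements are not propagated through redo the way online conversion is: follow the minimum-downtime sequence from section 6.8.1 and run the conversion on the standby first (a mounted standby means the data-file-level form), switch over, and then repeat it on the new standby.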
6.8.3 Decrypting an Existing Tablespace with Offline Conversion
To decrypt an existing tablespace with offline conversion, you can use the ALTER TABLESPACE SQL statement with the OFFLINE and DECRYPT clauses.
6.9 Encryption Conversions for Existing Online Tablespaces
You can encrypt and decrypt an existing online tablespace by using the ALTER TABLESPACE SQL statement with the ONLINE and ENCRYPT or DECRYPT clauses.
- About Encryption Conversions for Existing Online Tablespaces: You can encrypt, decrypt, or rekey existing user tablespaces, and the SYSTEM, SYSAUX, and UNDO tablespaces, while they are online.
- Encrypting an Existing Tablespace with Online Conversion: To encrypt an existing tablespace with online conversion, use ALTER TABLESPACE with the ONLINE and ENCRYPT clauses.
- Rekeying an Existing Tablespace with Online Conversion: To rekey an existing tablespace that is online, you can use the REKEY clause of the ALTER TABLESPACE SQL statement.
- Rekeying the SYSAUX and UNDO Tablespaces with Online Conversion: To rekey the SYSAUX and UNDO tablespaces online, you can use the REKEY clause of the ALTER TABLESPACE SQL statement.
- Decrypting an Existing Tablespace with Online Conversion: To decrypt an existing tablespace with online conversion, you can use the ALTER TABLESPACE SQL statement with the DECRYPT clause.
- Finishing an Interrupted Online Encryption Conversion: If an online encryption process is interrupted, then you can complete the conversion by rerunning the ALTER TABLESPACE statement with the FINISH clause.
6.9.1 About Encryption Conversions for Existing Online Tablespaces
You can encrypt, decrypt, or rekey existing user tablespaces, and the SYSTEM, SYSAUX, and UNDO tablespaces, while they are online.
However, you cannot encrypt, decrypt, or rekey a temporary tablespace online.
An online tablespace can be created by using the ONLINE clause of the CREATE TABLESPACE SQL statement. When you encrypt or rekey a tablespace online, the tablespace has its own independent encryption key and algorithm.
Note the following:
- If a tablespace was encrypted offline, then you can rekey it online to use a different algorithm.
- You can encrypt multiple tablespaces online in parallel by using multiple foreground sessions, each encrypting a different tablespace. Within each tablespace, the data files are encrypted sequentially.
- To set the default encryption algorithm for future online tablespace encryption operations, set the TABLESPACE_ENCRYPTION_DEFAULT_ALGORITHM dynamic parameter.
- If the conversion is interrupted, then you can resume it by issuing the FINISH clause of the ALTER TABLESPACE SQL statement.
- Redo is generated for each online tablespace conversion.
- Do not encrypt the SYSTEM and UNDO tablespaces concurrently with other tablespaces.
- You cannot use the transportable tablespace feature with Oracle Data Pump while you are encrypting a tablespace.
- You cannot run the ALTER TABLESPACE conversion statement concurrently with the following:
  - ADMINISTER KEY MANAGEMENT SET KEY SQL statement
  - FLASHBACK DATABASE SQL statement
- If you are using Oracle-managed files for the data files, then the encryption process rekeys the data files that are associated with the tablespace and then copies or moves them to the default Oracle-managed files location.
- You can add new data files to the tablespace after you have encrypted it. Oracle Database formats the new file with the tablespace's encryption key, and its blocks are encrypted with that key.
- Previous operations in the root or the PDB may require the control file to be cross-checked against the data dictionary before online conversion can begin, in which case the statement fails with an ORA-241 operation disallowed: control file is not yet checked against data dictionary error. To resolve this problem, restart the root or PDB, and then issue the online conversion commands again.
- For security reasons, once online conversion has processed a data file, Oracle zeroes out the original data file before deleting it, so that no ghost copy of the clear-text (or old-key) blocks is left on disk sectors. A known side effect follows from this: online conversion processes the files one at a time, and if Oracle Recovery Manager (Oracle RMAN) validates a file at the same moment that the conversion is processing it, then Oracle RMAN sees the zeroed blocks and may report a corruption problem (ORA-01578: ORACLE data block corrupted (file # , block # )). This is a false alarm and you can ignore the error; rerun the Oracle RMAN validation after the conversion completes.
6.9.2 Encrypting an Existing Tablespace with Online Conversion
To encrypt an existing tablespace with online conversion, use ALTER TABLESPACE with the ONLINE and ENCRYPT clauses.
You can monitor the progress of the conversion in the STATUS column of the V$ENCRYPTED_TABLESPACES dynamic view; the ENCRYPTIONALG column of this view shows the encryption algorithm that is used. If the conversion process was interrupted, then you can resume it by running ALTER TABLESPACE with the FINISH clause. For example, if the primary data file converts but the standby data file does not, then you can run ALTER TABLESPACE ... FINISH on the standby database for the standby data files.
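The following script, added here as an example and not taken from the Oracle documentation, walks through an online encryption of one tablespace end to end: the preconditions to check, the conversion itself, the verification query, and the FINISH statement for the interrupted case. The tablespace name, the file names, the algorithm and the keystore state are assumptions.

```sql
-- Added example, not from the Oracle documentation. Assumed names: tablespace
-- USERS with the user-named data file users01.dbf, target algorithm AES256.

-- 1. Preconditions. The keystore must be OPEN in this container, and no
--    conversion may already be running on the tablespace (a row whose STATUS
--    is not NORMAL). No row at all means the tablespace is still clear text.
SELECT con_id, wallet_type, status FROM v$encryption_wallet;

SELECT t.name, e.encryptionalg, e.status
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#
 WHERE t.name = 'USERS';

-- 2. Convert while the tablespace stays online. Each data file is rewritten
--    under the name produced by FILE_NAME_CONVERT; the clear-text original is
--    zeroed and removed afterwards. With Oracle-managed files, omit
--    FILE_NAME_CONVERT and the new file goes to the default OMF location.
ALTER TABLESPACE users
  ENCRYPTION ONLINE USING 'AES256' ENCRYPT
  FILE_NAME_CONVERT = ('users01.dbf', 'users01_enc.dbf');

-- 3. Verify. STATUS returns to NORMAL once the conversion is complete and
--    ENCRYPTIONALG records the algorithm that was applied.
SELECT t.name, e.encryptionalg, e.status, e.blocks_encrypted
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#
 WHERE t.name = 'USERS';

-- 4. Only if STATUS is still ENCRYPTING after an interruption: resume with
--    FINISH instead of issuing a new ENCRYPT. On a Data Guard standby whose
--    copies of the files were not converted, run this same statement there.
ALTER TABLESPACE users
  ENCRYPTION ONLINE FINISH ENCRYPT
  FILE_NAME_CONVERT = ('users01.dbf', 'users01_enc.dbf');
```

Step 4 is deliberately last: issuing a fresh ENCRYPT against a tablespace that is already ENCRYPTING is refused, so the status query in step 3 decides which statement, if any, is still needed.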
6.9.3 Rekeying an Existing Tablespace with Online Conversion
To rekey an existing tablespace that is online, you can use the REKEY clause of the ALTER TABLESPACE SQL statement.
- You cannot rekey the TEMP tablespace. If you want to assign a different encryption algorithm to a TEMP tablespace, then drop TEMP and recreate it with the correct encryption algorithm.
- Do not perform an online tablespace rekey operation concurrently with a master key operation. To find out whether any tablespaces are currently being rekeyed, query the rekey status of the encrypted tablespaces:
SELECT TS#,ENCRYPTIONALG,STATUS FROM V$ENCRYPTED_TABLESPACES;
A status of REKEYING means that the corresponding tablespace is still being rekeyed. Do not rekey the master key while this status is in effect.
To rekey an existing tablespace with online conversion:
If the rekey is interrupted, then resume it by running ALTER TABLESPACE with the FINISH clause.
6.9.4 Rekeying the SYSAUX and UNDO Tablespaces with Online Conversion
To rekey the SYSAUX and UNDO tablespaces online, you can use the REKEY clause of the ALTER TABLESPACE SQL statement.
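The following script is an added example, not part of the Oracle documentation, and covers both the user tablespace rekey of 6.9.3 and the SYSAUX and UNDO rekey of 6.9.4. It enforces the rule that a tablespace rekey and a master key operation must not overlap by checking V$ENCRYPTED_TABLESPACES before either one. The tablespace and file names, the keystore password and the target algorithm are assumptions.

```sql
-- Added example, not from the Oracle documentation. Assumed names: tablespace
-- USERS with file users01_enc.dbf, SYSAUX with file sysaux01.dbf, the
-- keystore password, and AES256 as the target algorithm.

-- 1. Refuse to start if any conversion is in flight in this container. The
--    same condition must hold again before the master key operation in step 5.
DECLARE
  v_busy PLS_INTEGER;
BEGIN
  SELECT COUNT(*) INTO v_busy
    FROM v$encrypted_tablespaces
   WHERE status IN ('REKEYING', 'ENCRYPTING', 'DECRYPTING');
  IF v_busy > 0 THEN
    RAISE_APPLICATION_ERROR(-20001,
      v_busy || ' tablespace conversion(s) in progress; '
             || 'rekey and master key operations must not overlap');
  END IF;
END;
/

-- 2. Rekey the user tablespace. The statement is synchronous and the
--    tablespace stays open for reads and writes throughout.
ALTER TABLESPACE users
  ENCRYPTION ONLINE USING 'AES256' REKEY
  FILE_NAME_CONVERT = ('users01_enc.dbf', 'users01_rekey.dbf');

-- 3. The Oracle-supplied SYSAUX and UNDO tablespaces take the same form.
--    TEMP cannot be rekeyed: drop and recreate it with the new algorithm.
ALTER TABLESPACE sysaux
  ENCRYPTION ONLINE USING 'AES256' REKEY
  FILE_NAME_CONVERT = ('sysaux01.dbf', 'sysaux01_rekey.dbf');

-- 4. Confirm each rekeyed tablespace is back to NORMAL with the new
--    algorithm recorded. A row still showing REKEYING means the rekey was
--    interrupted: resume it with ENCRYPTION ONLINE FINISH REKEY rather than
--    starting over, and leave the master key alone until the status clears.
SELECT t.name, e.encryptionalg, e.status
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#
 WHERE t.name IN ('USERS', 'SYSAUX');

-- 5. Only now, with no tablespace in REKEYING, rotate the TDE master key.
ADMINISTER KEY MANAGEMENT SET KEY
  FORCE KEYSTORE IDENTIFIED BY "keystore_password"
  WITH BACKUP USING 'after_ts_rekey';
```

The check in step 1 is broader than the text strictly requires (it also blocks on ENCRYPTING and DECRYPTING), because a master key change during any in-flight conversion leaves the tablespace referencing a key the conversion did not start with.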
Parent topic: Encryption Conversions for Existing Online Tablespaces
6.9.5 Decrypting an Existing Tablespace with Online Conversion
To decrypt an existing tablespace with online conversion, you can use the ALTER TABLESPACE SQL statement with the DECRYPT clause.
If the decryption is interrupted, then resume it by running ALTER TABLESPACE with the FINISH clause.
6.9.6 Finishing an Interrupted Online Encryption Conversion
If an online encryption process is interrupted, then you can complete the conversion by rerunning the ALTER TABLESPACE statement using the FINISH clause.
One cause of an interruption is an ORA-28425: missing a valid FILE_NAME_CONVERT clause error, raised when the FILE_NAME_CONVERT clause of the ALTER TABLESPACE SQL statement is missing or invalid. Other examples of interrupted processes are when the conversion skips a data file, which can happen if an error occurs while a Database Writer (DBWR) process takes a data file offline, or if there is not enough space for the auxiliary file. The tablespace remains operational even if you do not rerun the ALTER TABLESPACE statement with the FINISH clause.
In addition to interrupted encryption processes, the tablespace encryption process can fail while the status is ENCRYPTING. In this case, you can either decrypt the tablespace back to its original state, or you can resume the encryption by using the ENCRYPTION ONLINE FINISH ENCRYPT clause of ALTER TABLESPACE.
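The following script is an added example, not from the Oracle documentation. It shows the online DECRYPT of the previous section and then a generic resume step for this one: rather than remembering which FINISH clause applies, it reads the STATUS of every tablespace left in an intermediate state and issues the matching ENCRYPTION ONLINE FINISH ENCRYPT, DECRYPT or REKEY. It assumes Oracle-managed files, so FILE_NAME_CONVERT is omitted, a tablespace named USERS, and a SQL*Plus session.

```sql
-- Added example, not from the Oracle documentation. Assumed: Oracle-managed
-- files are in use, so FILE_NAME_CONVERT is omitted (add it for user-named
-- files); tablespace USERS; SQL*Plus session.
SET SERVEROUTPUT ON

-- Decrypt a tablespace back to clear text while it stays online.
ALTER TABLESPACE users ENCRYPTION ONLINE DECRYPT;

-- Resume whatever did not complete. After an instance crash, a DBWR error
-- while offlining a file, or a full auxiliary file, the tablespace is still
-- usable but its status stays ENCRYPTING, DECRYPTING or REKEYING. The status
-- names the operation, so the matching FINISH clause is derived from it.
DECLARE
  v_sql VARCHAR2(400);
BEGIN
  FOR r IN (SELECT t.name, e.status
              FROM v$encrypted_tablespaces e
              JOIN v$tablespace t ON t.ts# = e.ts#
             WHERE e.status IN ('ENCRYPTING', 'DECRYPTING', 'REKEYING')
             ORDER BY t.name)
  LOOP
    v_sql := 'ALTER TABLESPACE "' || r.name || '" ENCRYPTION ONLINE FINISH '
             || CASE r.status
                  WHEN 'ENCRYPTING' THEN 'ENCRYPT'
                  WHEN 'DECRYPTING' THEN 'DECRYPT'
                  ELSE                    'REKEY'
                END;
    DBMS_OUTPUT.PUT_LINE('resuming: ' || v_sql);
    EXECUTE IMMEDIATE v_sql;
  END LOOP;
END;
/

-- For an encryption that failed part way and should be abandoned rather than
-- finished, the alternative is the DECRYPT statement shown at the top.

-- Either way, nothing should remain in an intermediate state afterwards.
SELECT t.name, e.encryptionalg, e.status
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#
 WHERE e.status <> 'NORMAL';
```

The loop quotes each tablespace name because names in V$TABLESPACE are stored as they were created and a mixed-case name would otherwise be upper-cased by the dynamic DDL.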
Parent topic: Encryption Conversions for Existing Online Tablespaces
6.10 Rekeying an Encrypted Tablespace
Rekeying an already encrypted tablespace enables you to change the data encryption keys from one algorithm to another, for example from AES128 to AES256.
Parent topic: Encryption Conversions for Tablespaces and Databases
6.11 Creating an Encrypted Database Using DBCA
You can use DBCA to create an encrypted database in both single instance multitenant and Oracle Data Guard environments.
- Using DBCA to Create an Encrypted Database
Before you run DBCA to create an encrypted database, you must create the WALLET_ROOT directory.
- Using DBCA to Create an Oracle Data Guard Standby Database from an Encrypted Primary Database
Before you run DBCA to create the encrypted database in an Oracle Data Guard environment, you must copy the wallet from the primary to the standby database, and then create the WALLET_ROOT directory.
- Best Practice after DBCA Creates an Encrypted Database
After DBCA has created an encrypted stand-alone or Oracle Data Guard primary and standby database, you can implement Transparent Data Encryption (TDE) best practices.
Parent topic: Encryption Conversions for Tablespaces and Databases
6.11.1 Using DBCA to Create an Encrypted Database
Before you run DBCA to create an encrypted database, you must create the WALLET_ROOT directory.
Parent topic: Creating an Encrypted Database Using DBCA
6.11.2 Using DBCA to Create an Oracle Data Guard Standby Database from an Encrypted Primary Database
Before you run DBCA to create the encrypted database in an Oracle Data Guard environment, you must copy the wallet from the primary to the standby database, and then create the WALLET_ROOT directory.
Parent topic: Creating an Encrypted Database Using DBCA
6.11.3 Best Practice after DBCA Creates an Encrypted Database
After DBCA has created an encrypted stand-alone or Oracle Data Guard primary and standby database, you can implement Transparent Data Encryption (TDE) best practices.
Parent topic: Creating an Encrypted Database Using DBCA
6.12 Encryption Conversions for Existing Databases
You can encrypt both offline and online databases.
- About Encryption Conversions for Existing Databases
The encryption conversion of an entire database encrypts all tablespaces, including the Oracle-supplied SYSTEM, SYSAUX, UNDO, and TEMP tablespaces.
- Encrypting an Existing Database with Offline Conversion
When you encrypt an existing database with offline conversion, for the Oracle-managed tablespaces, you do not specify an encryption algorithm.
- Encrypting an Existing Database with Online Conversion
When you encrypt an existing database with online conversion, you do not specify an encryption algorithm.
Parent topic: Encryption Conversions for Tablespaces and Databases
6.12.1 About Encryption Conversions for Existing Databases
The encryption conversion of an entire database encrypts all tablespaces, including the Oracle-supplied SYSTEM, SYSAUX, UNDO, and TEMP tablespaces.
Note the following:
- If you are using Database Configuration Assistant (DBCA) to create or configure a database, then you can create a TDE wallet in the database as part of the creation or configuration process. When you drop a database by using DBCA, any TDE wallets that are in this database are also removed. Important: Before you drop a database by using DBCA, and if it has any local TDE wallets, then back these wallets up to a secure location. If the database has been migrated to use Oracle Key Vault, then be aware that its TDE encryption keys reside in the Oracle Key Vault server. It is the responsibility of the Oracle Key Vault administrator to back up Oracle Key Vault.
- To perform the encryption, you can use the offline and online functionality of the tablespace encryption conversions.
- You can encrypt any or all of the Oracle-supplied tablespaces, and in any order. The encryption of the Oracle-supplied tablespaces has no impact on the encryption of user-created tablespaces.
- When you encrypt the Oracle-supplied tablespaces, Oracle Database prevents the keystore from being closed.
- You cannot encrypt an existing temporary tablespace, but you can create an encrypted temporary tablespace, configure the database to use that new encrypted temporary tablespace as the default temporary tablespace, and then drop the old clear-text temporary tablespace.
- The UNDO and TEMP metadata that is generated from sensitive data in an encrypted tablespace is already automatically encrypted. Therefore, encrypting UNDO and TEMP is optional.
- The performance effect of encrypting all the tablespaces in a database depends on the workload and platform. Many modern CPUs provide built-in hardware acceleration for AES, which results in a minimal performance impact.
- In a multitenant environment, you can encrypt any tablespaces in any pluggable databases (PDBs), including the Oracle-supplied tablespaces. However, the keystore in the CDB root must be open at all times so that a PDB can open its keystore. You can check whether a keystore is open by querying the STATUS column of the V$ENCRYPTION_WALLET view.
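The following script is an added example, not from the Oracle documentation, of the temporary tablespace replacement described in the list above, preceded by the V$ENCRYPTION_WALLET check. Assumptions: Oracle-managed files, the names TEMP and TEMP_ENC, AES256, and that CREATE TEMPORARY TABLESPACE accepts the same ENCRYPTION ... ENCRYPT clause as CREATE TABLESPACE.

```sql
-- Added example, not from the Oracle documentation. Assumed: Oracle-managed
-- files, old temporary tablespace TEMP, replacement TEMP_ENC, AES256.

-- 0. In a CDB the root keystore must be open before any PDB can open its own.
--    Run from CDB$ROOT: every container should report a status of OPEN.
SELECT con_id, wallet_type, status
  FROM v$encryption_wallet
 ORDER BY con_id;

-- 1. Create the replacement temporary tablespace already encrypted. TEMP
--    itself cannot be converted in place. The ENCRYPTION ... ENCRYPT clause is
--    assumed to be the same one CREATE TABLESPACE takes for permanent ones.
CREATE TEMPORARY TABLESPACE temp_enc
  TEMPFILE SIZE 2G AUTOEXTEND ON NEXT 512M MAXSIZE 32G
  ENCRYPTION USING 'AES256' ENCRYPT;

-- 2. Make it the database default, then re-point every user that was given
--    the old TEMP explicitly (changing the default does not touch those).
ALTER DATABASE DEFAULT TEMPORARY TABLESPACE temp_enc;

BEGIN
  FOR u IN (SELECT username
              FROM dba_users
             WHERE temporary_tablespace = 'TEMP')
  LOOP
    EXECUTE IMMEDIATE 'ALTER USER "' || u.username
                   || '" TEMPORARY TABLESPACE temp_enc';
  END LOOP;
END;
/

-- 3. Sessions still holding sort segments in the old TEMP block the drop.
--    List them, let them finish (or end them), then drop the clear-text TEMP.
SELECT s.sid, s.serial#, s.username, u.tablespace, u.blocks
  FROM v$sort_usage u
  JOIN v$session s ON s.saddr = u.session_addr
 WHERE u.tablespace = 'TEMP';

DROP TABLESPACE temp INCLUDING CONTENTS AND DATAFILES;

-- 4. Confirm: the only temporary tablespace left is the encrypted one, and it
--    is the database default.
SELECT tablespace_name, contents, encrypted
  FROM dba_tablespaces
 WHERE contents = 'TEMPORARY';

SELECT property_value
  FROM database_properties
 WHERE property_name = 'DEFAULT_TEMP_TABLESPACE';
```

Dropping with INCLUDING CONTENTS AND DATAFILES matters here: the old temp file held clear-text sort and hash spill from encrypted tables, so it should not be left behind on disk.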
Parent topic: Encryption Conversions for Existing Databases
6.12.2 Encrypting an Existing Database with Offline Conversion
When you encrypt an existing database with offline conversion, for the Oracle-managed tablespaces, you do not specify an encryption algorithm.
If you want to specify an encryption algorithm for the SYSTEM, SYSAUX, and UNDO tablespaces, then you must use online conversion. In addition to AES128, the supported encryption algorithms are AES192 and AES256, as well as other algorithms such as ARIA (GOST and SEED are covered by the following note).
Note:
Starting with Oracle Database 23ai, the Transparent Data Encryption (TDE) encryption libraries for the GOST and SEED algorithms are desupported and removed, so encrypting with GOST or SEED is no longer possible. The GOST and SEED decryption libraries are still included with Oracle Database 23ai but are deprecated, and they are removed entirely on HP Itanium platforms. GOST 28147-89 has been deprecated by the Russian government, and SEED has been deprecated by the South Korean government. If you need South Korean government-approved TDE cryptography, then use ARIA instead. If you are using GOST 28147-89 or SEED for TDE encryption, then you must decrypt and re-encrypt with another supported TDE algorithm: Oracle recommends that you perform an online rekey operation before upgrading to Oracle Database 23ai. Because the decryption libraries remain available in Oracle Database 23ai on all platforms except HP Itanium, you can also decrypt, and then re-encrypt, after upgrading.
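The following script is an added example, not from the Oracle documentation. It performs an offline conversion of a database in two phases: the Oracle-managed tablespaces while the database is mounted but not open, with no USING clause so that they receive the default algorithm, and then each user tablespace with the database open and only that tablespace offline. It is written for the CDB root; the UNDO and user tablespace names, the keystore password, the mount-mode procedure for the Oracle-managed tablespaces and the USING clause on the offline user-tablespace conversion are assumptions.

```sql
-- Added example, not from the Oracle documentation. Assumed: run as SYSDBA in
-- the CDB root from SQL*Plus; UNDO tablespace UNDOTBS1; user tablespace USERS;
-- keystore password; AES256 wanted for USERS. The mount-mode procedure for
-- the Oracle-managed tablespaces and the USING clause on an offline
-- conversion are assumptions, not statements from this page.

-- Phase 1: Oracle-managed tablespaces. The whole database is unavailable for
-- the duration. No USING clause: these receive the default algorithm.
SHUTDOWN IMMEDIATE
STARTUP MOUNT
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "keystore_password";

ALTER TABLESPACE system   ENCRYPTION OFFLINE ENCRYPT;
ALTER TABLESPACE sysaux   ENCRYPTION OFFLINE ENCRYPT;
ALTER TABLESPACE undotbs1 ENCRYPTION OFFLINE ENCRYPT;

ALTER DATABASE OPEN;

-- Phase 2: user tablespaces, one at a time. Only the tablespace being
-- converted is unavailable. Drop the USING clause to take the default.
ALTER TABLESPACE users OFFLINE NORMAL;
ALTER TABLESPACE users ENCRYPTION OFFLINE USING 'AES256' ENCRYPT;
ALTER TABLESPACE users ONLINE;

-- Anything still reporting ENCRYPTED = NO needs another pass, except TEMP,
-- which cannot be converted and is replaced by an encrypted one instead.
SELECT tablespace_name, contents, encrypted
  FROM dba_tablespaces
 WHERE encrypted = 'NO'
 ORDER BY tablespace_name;

-- Cross-check the algorithms actually recorded for the converted tablespaces.
SELECT t.name, e.encryptionalg, e.status
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#
 ORDER BY t.name;
```

Offline conversion rewrites the data files in place, so there is no zeroed-and-deleted original and no auxiliary file as with online conversion; the trade-off is the outage, which is why the Oracle-managed tablespaces are batched into a single mount-mode window.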
6.12.3 Encrypting an Existing Database with Online Conversion
When you encrypt an existing database with online conversion, you do not specify an encryption algorithm.
To change the algorithm afterwards, run the ALTER TABLESPACE ENCRYPTION REKEY SQL statement after the initial encryption.
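The following script is an added example, not from the Oracle documentation. It encrypts every remaining clear-text permanent and undo tablespace of the current container with online conversion, after checking that the keystore is open, and then changes one tablespace to a non-default algorithm with REKEY as the paragraph above describes. It assumes Oracle-managed files, so no FILE_NAME_CONVERT is needed, a tablespace named USERS, and a SQL*Plus session.

```sql
-- Added example, not from the Oracle documentation. Assumed: Oracle-managed
-- files (no FILE_NAME_CONVERT needed), a SQL*Plus session in the container
-- to be converted, and AES256 wanted for USERS after the initial pass.
SET SERVEROUTPUT ON

DECLARE
  v_open PLS_INTEGER;
BEGIN
  -- Fail fast if the keystore is not open in this container: a conversion
  -- started without it stops part way and leaves tablespaces in ENCRYPTING.
  SELECT COUNT(*) INTO v_open
    FROM v$encryption_wallet
   WHERE status = 'OPEN'
     AND con_id = SYS_CONTEXT('USERENV', 'CON_ID');
  IF v_open = 0 THEN
    RAISE_APPLICATION_ERROR(-20002, 'TDE keystore is not open in this container');
  END IF;

  -- Every permanent and undo tablespace still in clear text, one at a time.
  -- TEMP is excluded: it cannot be converted and must be recreated encrypted.
  -- No USING clause, so each tablespace receives the default algorithm.
  -- Online conversion is synchronous: EXECUTE IMMEDIATE returns only when the
  -- tablespace's data files have all been rewritten.
  FOR ts IN (SELECT tablespace_name
               FROM dba_tablespaces
              WHERE encrypted = 'NO'
                AND contents IN ('PERMANENT', 'UNDO')
                AND status = 'ONLINE'
              ORDER BY tablespace_name)
  LOOP
    DBMS_OUTPUT.PUT_LINE('encrypting ' || ts.tablespace_name);
    EXECUTE IMMEDIATE 'ALTER TABLESPACE "' || ts.tablespace_name
                   || '" ENCRYPTION ONLINE ENCRYPT';
  END LOOP;
END;
/

-- Change the algorithm of one tablespace after the initial pass with REKEY.
ALTER TABLESPACE users ENCRYPTION ONLINE USING 'AES256' REKEY;

-- Final state: each tablespace with its recorded algorithm, and none left in
-- an intermediate status (ENCRYPTING or REKEYING would mean a FINISH is due).
SELECT t.name, e.encryptionalg, e.status
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#
 ORDER BY t.name;
```

The loop runs the conversions serially on purpose: each one rewrites a full copy of the tablespace's files and zeroes the originals, so running several at once multiplies the transient space and I/O requirement without shortening the critical path much.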