Changes in This Release for Oracle AI Database Transparent Data Encryption Guide
This preface contains:
Changes in Oracle AI Database Transparent Data Encryption 26ai
Oracle AI Database Transparent Data Encryption Guide for Oracle AI Database 26ai has new security features.
- Preparing for FIPS 140-3 Compliance
Oracle offers support for FIPS 140-3 in Oracle AI Database 26ai, and plans to offer similar support in Oracle Database 19c later in 2026. You may need to change encryption algorithms to be compliant with FIPS 140-3.
- Changes for Encryption Algorithms and Modes
Starting with Oracle AI Database 26ai, the default encryption algorithms and the encryption modes have changed.
- AES-XTS Encryption Mode Support for TDE Tablespace Encryption
Starting with Oracle AI Database 26ai, Transparent Data Encryption (TDE) tablespace encryption supports Advanced Encryption Standard (AES) XTS (XEX-based mode with ciphertext stealing) in the CREATE TABLESPACE and ALTER TABLESPACE statements.
- Oracle Data Guard Redo Decryption for Hybrid Disaster Recovery Configurations
Available with Oracle AI Database 26ai, Oracle Data Guard enables you to decrypt redo operations in hybrid cloud disaster recovery configurations where the Cloud database is encrypted with TDE and the on-premises database is not.
Preparing for FIPS 140-3 Compliance
Oracle offers support for FIPS 140-3 in Oracle AI Database 26ai, and plans to offer similar support in Oracle Database 19c later in 2026. You may need to change encryption algorithms to be compliant with FIPS 140-3.
FIPS 140-3 desupports the 3DES (Triple Data Encryption Standard) encryption algorithms because 3DES is considered insecure. Current security best practices advise using Advanced Encryption Standard (AES) algorithms, because AES offers improved security, performance, and resistance to known attacks. In preparation for FIPS 140-3, ensure that 3DES algorithms are no longer used and have been replaced with AES algorithms in your encryption configurations. For more information, see Ensuring Encryption Algorithms are FIPS 140-3 Compliant in the Oracle AI Database Security Guide.
Changes for Encryption Algorithms and Modes
Starting with Oracle AI Database 26ai, the default encryption algorithms and the encryption modes have changed.
Encryption algorithm changes:
- The default encryption algorithm for both TDE column encryption and TDE tablespace encryption is now AES256. The previous default for TDE column encryption was AES192. For TDE tablespace encryption, the default was AES128.
- The decryption libraries for the GOST and SEED algorithms are deprecated. The GOST decryption libraries are desupported on HP Itanium platforms. The encryption libraries for both of these algorithms are desupported. New keys cannot use these algorithms.
- The column encryption mode is now Galois/Counter mode (GCM) instead of cipher block chaining (CBC), and in tablespace encryption, you can choose between the new "tweakable block ciphertext stealing (XTS)" operating mode or cipher feedback (CFB). XTS is the default.
- The Oracle Recovery Manager (Oracle RMAN) integrity check for column encryption keys now uses SHA512 instead of SHA1.
- The keys for Oracle RMAN and the column keys are now derived using SHA512/AES as the key-generation pseudo-random function. In previous releases, SHA-1/3DES was used as the pseudo-random function.
These enhancements enable your Oracle AI Database environment to use the latest, most secure algorithms and encryption modes.
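As an added example that is not part of this guide, the following SQL uses the data dictionary to find tablespaces and encrypted columns still keyed with a non-AES algorithm (3DES, GOST, SEED) before moving to FIPS 140-3, and then rekeys them to the new AES256 default; the object names users_ts and hr.employees are assumptions.

```sql
-- Added example (not from the Oracle guide). Object names are assumed for
-- illustration; run each statement as a user with the required privileges.

-- 1. Tablespaces whose current encryption key does not use an AES algorithm.
--    V$ENCRYPTED_TABLESPACES reports the algorithm of the active tablespace key;
--    V$TABLESPACE supplies the tablespace name via TS#.
SELECT t.name        AS tablespace_name,
       e.encryptionalg,
       e.key_version,
       e.status
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#
 WHERE e.encryptionalg NOT LIKE 'AES%';

-- 2. Encrypted columns whose algorithm is not AES.
SELECT owner, table_name, column_name, encryption_alg
  FROM dba_encrypted_columns
 WHERE encryption_alg NOT LIKE 'AES%';

-- 3. Rekey a flagged tablespace online to AES256 (the 26ai default).
--    'users_ts' is an assumed name; ONLINE keeps the tablespace available.
ALTER TABLESPACE users_ts ENCRYPTION ONLINE USING 'AES256' REKEY;

-- 4. Rekey the encrypted columns of a flagged table to AES256.
--    'hr.employees' is an assumed name; all of its encrypted columns are rekeyed.
ALTER TABLE hr.employees REKEY USING 'AES256';

-- 5. Re-run queries 1 and 2: both return no rows once every key uses AES.
```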
AES-XTS Encryption Mode Support for TDE Tablespace Encryption
Starting with Oracle AI Database 26ai, Transparent Data Encryption (TDE) tablespace encryption supports Advanced Encryption Standard (AES) XTS (XEX-based mode with ciphertext stealing) in the CREATE TABLESPACE and ALTER TABLESPACE statements.
AES-XTS provides improved security and better performance, especially on platforms where TDE can take advantage of parallel processing and specialized instructions built into processor hardware.
Oracle Data Guard Redo Decryption for Hybrid Disaster Recovery Configurations
Available with Oracle AI Database 26ai, Oracle Data Guard enables you to decrypt redo operations in hybrid cloud disaster recovery configurations where the Cloud database is encrypted with TDE and the on-premises database is not.
To enable this feature, Oracle AI Database introduces the TABLESPACE_ENCRYPTION initialization parameter, which enables you to control the automatic encryption of tablespaces in both the primary and standby databases, for on-premises and Oracle Cloud Infrastructure (OCI) environments. For example, an on-premises database can be unencrypted and an OCI database can be encrypted.
Hybrid disaster recovery is often considered a quick stepping stone to cloud adoption. By making it possible to quickly configure disaster recovery even where on-premises databases are not yet encrypted with TDE, this feature reduces the steps required to configure hybrid disaster recovery environments while still ensuring that redo data is encrypted while it is transported.
Updates to Oracle AI Database Transparent Data Encryption 26ai
Oracle AI Database Transparent Data Encryption Guide for Oracle AI Database 26ai has the following update.
- New Parameter to Control the TDE Rekey Operations for Oracle Data Guard
You now can use the DB_RECOVERY_AUTO_REKEY initialization parameter for Oracle Data Guard environments.
New Parameter to Control the TDE Rekey Operations for Oracle Data Guard
You now can use the DB_RECOVERY_AUTO_REKEY initialization parameter for Oracle Data Guard environments.
DB_RECOVERY_AUTO_REKEY controls whether an Oracle Data Guard standby database recovery operation automatically performs the corresponding tablespace rekey when it encounters redo indicating that the primary database has performed a tablespace rekey operation.
This feature is useful for standby deployments with large tablespaces whose users must perform an online TDE conversion.