Changes in This Release for Oracle AI Database Transparent Data Encryption Guide
This preface contains:
Changes in Oracle AI Database Transparent Data Encryption 26ai
Oracle AI Database Transparent Data Encryption Guide for Oracle AI Database 26ai has new security features.
- Changes for Encryption Algorithms and Modes
Starting with Oracle AI Database 26ai, the default encryption algorithms and the encryption modes have changed. - AES-XTS Encryption Mode Support for TDE Tablespace Encryption
Starting with Oracle AI Database 26ai, Transparent Database Encryption (TDE) tablespace encryption supports Advanced Encryption Standard (AES) XTS (XEX-based mode with ciphertext stealing mode) in theCREATE TABLESPACEandALTER TABLESPACEstatements. - Oracle Data Guard Redo Decryption for Hybrid Disaster Recovery Configurations
Available with Oracle AI Database 26ai, Oracle Data Guard enables you to decrypt redo operations in hybrid cloud disaster recovery configurations where the Cloud database is encrypted with TDE and the on-premises database is not.
Changes for Encryption Algorithms and Modes
Starting with Oracle AI Database 26ai, the default encryption algorithms and the encryption modes have changed.
Encryption algorithm changes:
- Encryption algorithm changes:
- The default encryption algorithm for both TDE column encryption and TDE tablespace encryption is now AES256. The previous default for TDE column encryption was
AES192. For TDE tablespace encryption, the default wasAES128. - The decryption libraries for the
GOSTandSEEDalgorithms are deprecated. The GOST decryption libraries are desupported on HP Itanium platforms.The encryption libraries for both of these libraries are desupported. New keys cannot use these algorithms.
- The default encryption algorithm for both TDE column encryption and TDE tablespace encryption is now AES256. The previous default for TDE column encryption was
- The column encryption mode is now Galois/Counter mode (GCM) instead of cipher block chaining (CBC), and in tablespace encryption, you can choose between the new "tweakable block ciphertext stealing (XTS)" operating mode or cipher feedback (CFB). XTS is the default.
- The Oracle Recovery Manager (Oracle RMAN) integrity check for column encryption keys now uses
SHA512instead ofSHA1. - The keys for Oracle RMAN and column keys are now derived from
SHA512/AES for key generation. In previous releases, they usedSHA-1/3DES as a pseudo-random function.
These enhancements enable your Oracle AI Database environment to use the latest, most secure algorithms and encryption modes.
Related Topics
AES-XTS Encryption Mode Support for TDE Tablespace Encryption
Starting with Oracle AI Database
26ai, Transparent Database Encryption (TDE)
tablespace encryption supports Advanced Encryption Standard (AES) XTS (XEX-based mode with
ciphertext stealing mode) in the CREATE TABLESPACE and ALTER
TABLESPACE statements.
AES-XTS provides improved security and better performance, especially on platforms where TDE can take advantage of parallel processing and specialized instructions built into processor hardware.
Related Topics
Oracle Data Guard Redo Decryption for Hybrid Disaster Recovery Configurations
Available with Oracle AI Database 26ai, Oracle Data Guard enables you to decrypt redo operations in hybrid cloud disaster recovery configurations where the Cloud database is encrypted with TDE and the on-premises database is not.
To enable this feature, Oracle AI Database introduces the TABLESPACE_ENCRYPTION initialization parameter, which
enables you to control the automatic encryption of tablespaces in both the primary and
standby databases, for on-premises and Oracle Cloud Infrastructure (OCI) environments.
For example, an on-premises database can be unencrypted and an OCI database can be
encrypted.
Hybrid disaster recovery is often considered a quick-stepping stone to cloud adoption. By enabling the ability to quickly configure disaster recovery even in cases where on-premises databases might not already be encrypted with TDE, the steps required to configure hybrid disaster recovery environments are reduced while still ensuring that redo data is still encrypted during the transportation process.
Updates to Oracle AI Database Transparent Data Encryption 26ai
Oracle AI Database Transparent Data Encryption Guide for Oracle AI Database 26ai as the following update.
- New Parameter to Control the TDE Rekey Operations for Oracle Data Guard
You now can use theDB_RECOVERY_AUTO_REKEYinitialization parameter for Oracle Data Guard environments..
New Parameter to Control the TDE Rekey Operations for Oracle Data Guard
You now can use the DB_RECOVERY_AUTO_REKEY initialization parameter for Oracle Data Guard environments..
DB_RECOVERY_AUTO_REKEY controls whether an Oracle Data Guard standby database recovery operation automatically performs the corresponding tablespace rekey when it encounters a redo that says the primary database has performed a tablespace rekey operation.
This feature is useful for standby deployments with large tablespaces whose users must perform an online TDE conversion.