Using Transparent Data Encryption

Oracle Globally Distributed AI Database supports Transparent Data Encryption (TDE), but to successfully move chunks in a distributed database with TDE enabled, all of the shards must share and use the same encryption key for the encrypted tablespaces.

A distributed database consists of multiple independent databases and a shard catalog database. For TDE to work properly, certain restrictions apply, especially when data is moved between shards. For chunk movement between shards to work when data is encrypted, you must ensure that all of the shards use the same encryption key.

There are two ways to accomplish this:

  • Create and export an encryption key from the shard catalog, and then import and activate the key on all of the shards individually.

  • Store the wallet in a shared location and have the shard catalog and all of the shards use the same wallet.

The following TDE statements are automatically propagated to shards when run on the shard catalog with shard DDL enabled:

  • ADMINISTER KEY MANAGEMENT SET KEYSTORE [OPEN|CLOSE] IDENTIFIED BY password

  • ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY password

  • ADMINISTER KEY MANAGEMENT USE KEY IDENTIFIED BY password

  • ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY password
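The first option above (create the key on the shard catalog, export it, then import and activate it on each shard) carried through as an added SQL example; it is not from the original page. The file paths, the export secret, the keystore password and the key identifier are placeholders, and the session-level `ALTER SESSION ENABLE SHARD DDL` is the mechanism assumed for propagating the SET KEYSTORE OPEN and SET KEY statements to the shards:

```sql
-- 1. On the shard catalog, with shard DDL enabled so that the SET KEYSTORE
--    and SET KEY statements listed above are propagated to every shard.
ALTER SESSION ENABLE SHARD DDL;

ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY keystore_password;                 -- placeholder password

ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY keystore_password WITH BACKUP;     -- creates and activates a new TDE master key

-- Record the identifier of the key that is now active; it is needed on the shards.
SELECT key_id, activation_time
  FROM v$encryption_keys
 ORDER BY activation_time DESC;

-- 2. Still on the shard catalog: export the active key, protected by a secret.
--    The export file and the secret must be transferred to each shard host
--    out of band; neither is propagated by shard DDL.
ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS
  WITH SECRET "export_secret"                      -- placeholder secret
  TO '/secure/path/catalog_key.exp'                -- placeholder path
  IDENTIFIED BY keystore_password;

-- 3. On EACH shard: import the exported key into the shard's own keystore,
--    then activate it so the shard encrypts/decrypts with the catalog's key.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY keystore_password;

ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS
  WITH SECRET "export_secret"
  FROM '/secure/path/catalog_key.exp'
  IDENTIFIED BY keystore_password WITH BACKUP;

ADMINISTER KEY MANAGEMENT USE KEY 'KEY_ID_FROM_CATALOG'   -- paste the key_id from step 1
  IDENTIFIED BY keystore_password WITH BACKUP;

-- 4. Verification, run on the catalog and on every shard: the keystore must be
--    OPEN and the same key_id must be the active one everywhere. A shard that
--    shows a different active key_id cannot receive encrypted chunks via MOVE CHUNK.
SELECT wrl_type, status, wallet_type FROM v$encryption_wallet;

SELECT key_id
  FROM v$encryption_keys
 WHERE activation_time = (SELECT MAX(activation_time) FROM v$encryption_keys);
```

The `USE KEY` step is what actually makes the imported key the active one on the shard; importing alone only places it in the keystore. Run the verification query on every shard before attempting a `MOVE CHUNK`, since a single shard with a different active key is enough to make the move fail.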

For more information about TDE, see Introduction to Transparent Data Encryption.

Using Oracle Key Vault with Oracle Globally Distributed AI Database

To significantly increase security and convenience, and to avoid human mistakes while copying wallets and keys across shards, it is highly recommended that you deploy an Oracle Key Vault (OKV) cluster along with your distributed databases.

All TDE master keys that you create in the shard catalog database will be available to all shards immediately, with no copying of keys and wallets, and no unintentional downtime due to a delay of the key's update on a shard. If your distributed database is configured with Oracle RAC, or Oracle Data Guard, or both, the benefits of OKV become even more appealing: all primary and standby Oracle RAC instances will have access to the new key instantaneously.

If your distributed databases are deployed on-premises across globally distributed regions, in OCI, Azure, AWS, or Google Cloud, or in a combination of these, Oracle Key Vault can be deployed anywhere, providing local key management where you need it, supporting "Hold your own key", and eliminating complicated (or impossible) key exchange between cloud-native key management silos.

Limitations

The following limitations apply to using TDE with Oracle Globally Distributed AI Database.

  • For GDSCTL MOVE CHUNK to work, all of the shard database hosts must be on the same platform.

  • MOVE CHUNK cannot use compression during data transfer, which may impact performance.

  • Only encryption on the tablespace level is supported. Encryption on specific columns is not supported.