Configuring Encryption at Rest

You can optionally enable encryption at rest and specify the encryption algorithm used to encrypt the data stored in the checkpoint and transaction log files.

Note:

Encryption at rest has a measurable performance impact to XLA and other database operations. See XLA and TimesTen Event Management in Oracle TimesTen In-Memory Database C Developer's Guide.

TimesTen supports these encryption algorithms:

  • AES-128

  • AES-192

  • AES-256

TimesTen provides these data store attributes to set up encryption at rest upon database creation:

  • DbEncrypted: Enables encryption at rest and specifies the encryption algorithm to be used. Valid values are:

    • none (default)

    • AES128

    • AES192

    • AES256

    See DbEncrypted in Oracle TimesTen In-Memory Database Reference.

  • DbKeyWallet: Specifies the path for the Oracle wallet used to store the master key for encryption at rest. Default value is instance_home/info/wallets. The Oracle wallet is an auto-login wallet. See DbKeyWallet in Oracle TimesTen In-Memory Database Reference.

    WARNING:

    If the wallet with the master key for encryption at rest is lost or deleted, the database becomes unreadable and cannot be recovered.

Encryption at rest in TimesTen supports FIPS 140-2 mode. While it is not a requirement to encrypt a database, FIPS mode consists of a set of tests performed on the cryptographic engine to validate that it has not been tampered with or modified. You can enable FIPS mode during the creation of the TimesTen instance or by restarting the instance after enabling FIPS mode (db_fips_140=1) in the TimesTen instance configuration file (timesten.conf). See TimesTen Instance Configuration File in Oracle TimesTen In-Memory Database Reference.

You can switch databases files from non-encrypted to encrypted on an existing database by using a rekey operation (see Re-Keying an Encrypted Database). However, for security, you cannot switch encrypted database files to non-encrypted.

Example 3-1 DSN Specification for an Encrypted Database

This is an example of a DSN specification for a database, database1, configured for encryption at rest. Encryption at rest is enabled and set to use the AES-256 encryption algorithm upon database creation. The wallet for the master key is set to be stored within the /disk1/wallets directory. 

[database1]
DataStore=/disk1/databases/database1
LogDir=/disk1/logs
DatabaseCharacterSet=AL32UTF8
DbEncrypted=AES256
DbKeyWallet=/disk1/wallets