Encrypt your Data

After completing the keystore configuration, encrypt the data. You can encrypt individual columns in a table or entire tablespaces. OFSAA recommends encrypting entire tablespaces and the description in this section covers encrypting entire tablespaces.

Note:

The following points apply when you use Transparent Data Encryption to encrypt a tablespace:

  • Transparent Data Encryption (TDE) tablespace encryption encrypts or decrypts data during read and write operations, as compared to TDE column encryption, which encrypts and decrypts data at the SQL layer. This means that most restrictions that apply to TDE column encryption, such as data type restrictions and index type restrictions, do not apply to TDE tablespace encryption.
  • To perform import and export operations, use Oracle Data Pump.

Encrypting data involves the following steps:

  • Set the COMPATIBLE Initialization Parameter for Tablespace Encryption
  • Set the Tablespace TDE Master Encryption Key
  • Create the Encrypted Tablespace

Set the COMPATIBLE Initialization Parameter for Tablespace Encryption

Prerequisite: You must set the COMPATIBLE initialization parameter for the database to 12.2.0.0 or later. Once you set this parameter to 12.2.0.0, the change is irreversible.

To set the COMPATIBLE initialization parameter, follow these steps:

  1. Log in to the database instance. In a multitenant environment, log into the PDB.
  2. Check the current setting of the COMPATIBLE parameter.

    For example:

    SHOW PARAMETER COMPATIBLE

    NAME                  TYPE         VALUE
    --------------------  -----------  -------------------
    compatible            string       12.0.0.0
    noncdbcompatible      BOOLEAN      FALSE
  3. If you want to change the COMPATIBLE parameter, perform the following steps:
    • Locate the initialization parameter file for the database instance.

      UNIX systems: This file is in the ORACLE_HOME/dbs directory and is named initORACLE_SID.ora (for example, initmydb.ora).

    • In SQL*Plus, connect as a user who has the SYSDBA administrative privilege, and then shut down the database.

      For example:

      CONNECT /AS SYSDBA
      SHUTDOWN
    • Edit the initialization parameter file to use the correct COMPATIBLE setting.

      For example:

      COMPATIBLE = 12.2.0.0
    • In SQL*Plus, ensure that you are connected as a user who has the SYSDBA administrative privilege, and then start the database.

      For example:

      CONNECT /AS SYSDBA
      STARTUP
    • If tablespace encryption is in use, then start the database in MOUNT state and open the keystore before opening the database. The keystore must be open before you can access data in an encrypted tablespace.

      For example:

      STARTUP MOUNT;
      ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY password;
      ALTER DATABASE OPEN;

Set the Tablespace TDE Master Encryption Key

Make sure that you have configured the TDE master encryption key as described in Set the Software TDE Master Encryption Key.

Create the Encrypted Tablespace

After you have set the COMPATIBLE initialization parameter, you are ready to create the encrypted tablespace.
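The following SQL*Plus session is an added worked example, not part of the OFSAA guide, that runs the three steps above end to end: checking and raising COMPATIBLE, reopening the keystore at the mount stage, creating the encrypted tablespace, and verifying each stage from the data dictionary. It assumes the instance starts from a text initialization file (pfile) as the guide describes, that the keystore from the earlier keystore configuration already exists, and that the tablespace name OFSAA_ENC_DATA, the datafile path and the keystore password are placeholders to replace with your own.

```sql
-- Added example (not from the OFSAA guide). Assumptions: pfile-based instance,
-- keystore already configured, and placeholder names/paths/password below.

-- Step 1: check the current COMPATIBLE setting. Anything below 12.2.0.0 must be
-- raised before tablespace encryption is used, and the change is one-way.
CONNECT / AS SYSDBA
SHOW PARAMETER compatible
SELECT name, value FROM v$parameter WHERE name = 'compatible';

-- Step 2: shut the instance down, then edit $ORACLE_HOME/dbs/init<ORACLE_SID>.ora
-- outside SQL*Plus so that it contains the line:
--     COMPATIBLE = 12.2.0.0
SHUTDOWN IMMEDIATE

-- Step 3: start with the new setting, but stop at MOUNT so the keystore can be
-- opened before any encrypted tablespace is accessed.
STARTUP MOUNT
-- keystore_password is a placeholder; supply the real value from a secret store
-- rather than saving it in a script on disk.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY keystore_password;
ALTER DATABASE OPEN;

-- Verify: STATUS must be OPEN before the encrypted tablespace is created.
SELECT wrl_type, status, wallet_type FROM v$encryption_wallet;

-- Verify: a master encryption key must already be active (set in the
-- "Set the Software TDE Master Encryption Key" step).
SELECT key_id, activation_time FROM v$encryption_keys;

-- Step 4: create the encrypted tablespace. AES256 is the algorithm;
-- DEFAULT STORAGE (ENCRYPT) makes every segment in the tablespace encrypted
-- on disk, so no per-column settings are needed for tables placed in it.
CREATE TABLESPACE ofsaa_enc_data
  DATAFILE '/u01/app/oracle/oradata/MYDB/ofsaa_enc_data01.dbf' SIZE 500M
  AUTOEXTEND ON NEXT 100M MAXSIZE UNLIMITED
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- Verify: ENCRYPTED must be YES in DBA_TABLESPACES, and the algorithm is
-- visible in V$ENCRYPTED_TABLESPACES.
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'OFSAA_ENC_DATA';

SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;
```

If the instance actually starts from a server parameter file (spfile), the edit to init<ORACLE_SID>.ora is ignored at startup; in that case run ALTER SYSTEM SET COMPATIBLE = '12.2.0.0' SCOPE=SPFILE; before the SHUTDOWN so the new value is picked up on restart. The two verification queries at the end are the checks worth keeping in an operational runbook: a tablespace that reports ENCRYPTED = NO, or a keystore whose STATUS is CLOSED after a restart, means the data is either not encrypted or not reachable.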