1. Deploy a hybrid DR topology for an on-premises database
  2. Encrypt the Data in the Source Database

Encrypt the Data in the Source Database

Transparent Data Encryption (TDE) transparently encrypts data at rest in an Oracle Database. It stops unauthorized attempts from the operating system to access database data stored in files, without impacting how applications access the data using SQL. TDE is fully integrated with Oracle Database and can encrypt entire database backups (RMAN), Data Pump exports, entire application tablespaces, or specific sensitive columns. Encrypted data remains encrypted in the database, whether it is in tablespace storage files, temporary tablespaces, undo tablespaces, or other files such as redo logs.

Determine if TDE is Enabled on the Source Database

When Transparent Data Encryption (TDE) isn't enabled on your source database, data is not encrypted when you migrate the database to Oracle Cloud Infrastructure (OCI) or during disaster recovery. You'll need to manually encrypt the unencrypted data. Once in OCI, any new data is automatically encrypted.

  1. Determine if the tablespace is encrypted.
    SQL> select tablespace_name, encrypted from dba_tablespaces;

    When the tablespace is not encrypted, the output will look similar to the following:

    TABLESPACE_NAME 	       		ENC
------------------------------ ---
SYSTEM                          NO
SYSAUX                          NO
UNDOTBS1                        NO
TEMP                            NO
USERS			      NO
  2. Find the associated database data files (.dbf ) on the filesystem.
    SQL> select TABLESPACE_NAME, FILE_NAME from dba_data_files;

    The output will look similar to the following:

    TABLESPACE_NAME
------------------------------
FILE_NAME

SYSTEM
/opt/oracle/oradata/ORCLCDB/system01.dbf

SYSAUX
/opt/oracle/oradata/ORCLCDB/sysaux01.dbf

UNDOTBS1
/opt/oracle/oradata/ORCLCDB/undotbs01.dbf

USERS
/opt/oracle/oradata/ORCLCDB/users01.dbf

Enable TDE Encryption on the Source Database

Transparent Data Encryption (TDE) enables you to encrypt sensitive data that's stored in tables and tablespaces. Encrypted data is transparently decrypted for a database user or application that has access to data.

  1. Go to the $ORACLE_BASE directory in your source database.
    bash-4.2$ pwd
/opt/oracle/admin/ORCLCDB
  2. Create a directory called wallet.
    $ mkdir wallet
  3. Create the wallet, along with a secure password that uses a mix of alphanumeric characters.
    This step creates and opens the wallet. After the database is opened, the wallet remains open until either the wallet is explicitly closed or the database is shut down, at which time the wallet automatically closes. 
    SQL> alter system set encryption key identified by "wallet_password";
  4. Reopen a closed wallet after the database is restarted.
    SQL> alter system set wallet open identified by "wallet_password";
  5. Encrypt the tablespace.
    The following code uses AES-128 encryption.
    alter tablespace system encryption online using 'aes128' encrypt file_name_convert=('/opt/oracle/oradata/ORCLCDB/system01.dbf','/opt/oracle/oradata/ORCLCDB/system01_enc.dbf');

alter tablespace sysaux encryption online using 'aes128' encrypt file_name_convert=('/opt/oracle/oradata/ORCLCDB/sysaux01.dbf','/opt/oracle/oradata/ORCLCDB/sysaux01_enc.dbf');

alter tablespace undotbs1 encryption online using 'aes128' encrypt file_name_convert=('/opt/oracle/oradata/ORCLCDB/undotbs01.dbf','/opt/oracle/oradata/ORCLCDB/undotbs01_enc.dbf');

alter tablespace users encryption online using 'aes128' encrypt file_name_convert=('/opt/oracle/oradata/ORCLCDB/users01.dbf','/opt/oracle/oradata/ORCLCDB/users01_enc.dbf');
  6. Verify that the tablespace is encrypted.
    SQL> select tablespace_name, encrypted from dba_tablespaces;

    The output will look similar to the following:

    TABLESPACE_NAME 	       ENC
------------------------------ ---
SYSTEM			    YES
SYSAUX			    YES
UNDOTBS1                       YES
TEMP			      NO
USERS			     YES
  7. Verify that the associated database data files (.dbf ) on the filesystem are encrypted.
    SQL> select TABLESPACE_NAME, FILE_NAME from dba_data_files;

    The output will look similar to the following:

    TABLESPACE_NAME
------------------------------
FILE_NAME

SYSTEM
/opt/oracle/oradata/ORCLCDB/system01_enc.dbf

SYSAUX
/opt/oracle/oradata/ORCLCDB/sysaux01_enc.dbf

UNDOTBS1
/opt/oracle/oradata/ORCLCDB/undotbs01_enc.dbf

USERS
/opt/oracle/oradata/ORCLCDB/users01_enc.dbf