Cyber Security: Introduction to Oracle Transparent Data Encryption (TDE)
Using Tablespace Encryption
Since Oracle database release 11g, Oracle provides for data encryption at the tablespace level. This feature allows the entire tablespace data to be encrypted, including all tables and indexes.
Table encryption is a good alternative compared to TDE column encryption. Keep in mind that this feature does not encrypt data that is outside of the tablespace.
A big advantage of TDE is that only an authorized user can view or modify the data.
To enable TDE tablespace encryption, the Oracle database version must be 11g release 1 or higher. Here are the high level steps to configure:
- Create Oracle Wallet and set a master TDE key.
- Create an encrypted tablespace using clause, "encryption default storage(encrypt)”.
- Create tables, specifying the TDE tablespace.
- Oracle Wallet should be opened to query the table inside the encrypted tablespace.
You can view the newly created tablespace by joining the v$tablespace and v$encrypted_tablespace views.
Building the Oracle Wallet
Create a physical directory on the database server to contain the wallet. Then, modify file sqlnet.ora to specify the location of the wallet. Use the parameter, ENCRYPTION_WALLET_LOCATION to specify the Wallet location. For example:
Create the Master key inside the Oracle Wallet. Connect as sysdba to the database, then execute:
ALTER SYSTEM SET ENCRYPTION KEY ["certificate_ID"] IDENTIFIED BY "password"
The above command creates the wallet along with the password. This also establishes the master key, which is mandatory for tablespace encryption.
The encryption algorithm can have one of the following values: 3DES168, AES128, AES192, AES256. For example:
CREATE TABLESPACE securespace
ENCRYPTION USING '3DES168'
Transparent Data Encryption is a simple way to protect your Oracle data via bulk encryption. Using this method, all objects and data in the encrypted tablespace are automatically encrypted.
Perhaps best of all, no modification is required at the application level.