Using TDE for tablespace encryption

While TDE column encryption has been available since 10g R2, TDE tablespace encryption is an 11g-only feature, introduced in Oracle 11g R1 (11.1.0.5). With this option every table and index stored in the tablespace is encrypted transparently, with no per-column configuration and no application changes.

In this recipe, we will create an encrypted tablespace called ENCRYPTED_TBS using TDE.

Getting ready

All steps will be performed on the HACKDB database.

How to do it...

For this recipe we will reuse the encryption wallet defined in the previous recipe, Using column Transparent Data Encryption:

  1. To create encrypted objects using TDE, the encryption wallet must have the status OPEN. To check the availability of the encryption wallet, issue the following statement:
    SQL> select wrl_parameter,status from v$encryption_wallet;
    
    WRL_PARAMETER              STATUS
    -------------------------  --------------------------
    /security/wallets/tde      OPEN
    
  2. The wallet is open and can be used for encryption. Create the encrypted tablespace ENCRYPTED_TBS as follows:
    SQL> CREATE TABLESPACE ENCRYPTED_TBS DATAFILE 'D:\APP\ORADATA\HACKDB\encryptedtbs01.DBF' size 100m autoextend on next 100m maxsize unlimited default storage (encrypt) encryption;
    
    Tablespace created.
    
    SQL>
    
  3. More information about existing encrypted tablespaces can be found in the V$ENCRYPTED_TABLESPACES dynamic view and in the ENCRYPTED column of DBA_TABLESPACES (see How it works...).
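The three steps above as one script. This is an added example, not the book's own listing: it names the algorithm explicitly instead of taking the default, and resolves the tablespace name for V$ENCRYPTED_TABLESPACES by joining V$TABLESPACE (that view only carries the TS# number). The datafile path is the one from step 2; the demo table HR_SALARY_DEMO is a constructed name.

```sql
-- Added example (not the recipe's own code). Assumes the wallet from the
-- previous recipe is already configured and COMPATIBLE is 11.1.0 or higher,
-- which the ENCRYPTION clause requires.

-- 1. Confirm the wallet is OPEN. With a CLOSED wallet the CREATE TABLESPACE
--    below fails with ORA-28365: wallet is not open.
SELECT wrl_type, wrl_parameter, status
  FROM v$encryption_wallet;

-- 2. Create the tablespace. USING 'AES256' overrides the AES128 default;
--    DEFAULT STORAGE (ENCRYPT) makes encryption apply to every segment.
CREATE TABLESPACE encrypted_tbs
  DATAFILE 'D:\APP\ORADATA\HACKDB\encryptedtbs01.DBF'
  SIZE 100M AUTOEXTEND ON NEXT 100M MAXSIZE UNLIMITED
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 3a. Static dictionary: ENCRYPTED is YES for the new tablespace.
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'ENCRYPTED_TBS';

-- 3b. Dynamic view: which algorithm each encrypted tablespace uses.
SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;

-- Any segment placed here is encrypted without further setup
-- (HR_SALARY_DEMO is a constructed demo table, not part of the recipe).
CREATE TABLE hr_salary_demo (emp_id NUMBER, salary NUMBER)
  TABLESPACE encrypted_tbs;
```

Run the two verification queries before granting anyone quota on the tablespace: a tablespace created without the ENCRYPTION clause silently ends up as a plain tablespace named ENCRYPTED_TBS, and only DBA_TABLESPACES.ENCRYPTED or V$ENCRYPTED_TABLESPACES will tell you.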

How it works...

Each encrypted tablespace is encrypted with its own tablespace encryption key. That key is stored inside the database, wrapped (encrypted) under the master encryption key, and the master key itself never leaves the wallet. In Oracle 11g R1, column encryption and tablespace encryption used separate master keys; in 11g R2 they are unified into a single master encryption key that protects both column keys and tablespace keys. The algorithms available for tablespace encryption are 3DES168, AES128, AES192, and AES256. AES128 is the default for tablespace encryption if no algorithm is specified (column encryption, by contrast, defaults to AES192).

Information about encrypted tablespaces (tablespace number and algorithm) can be found in the V$ENCRYPTED_TABLESPACES dynamic view.

You may find the encrypted tablespaces in your database by querying the DBA_TABLESPACES and USER_TABLESPACES dictionary views.

The ENCRYPTED column (YES or NO) indicates whether a tablespace is encrypted.

There's more...

Unlike column-based encryption, which pads each value to the cipher block size and may add a salt and an integrity check, tablespace encryption adds no storage overhead: whole data blocks are encrypted in place, so an encrypted tablespace occupies the same space as a plain one.

As a restriction, an existing tablespace cannot be converted to an encrypted one in place (nor can SYSTEM, SYSAUX, UNDO, or temporary tablespaces be encrypted). To protect existing data, create a new encrypted tablespace and move the data into it using ALTER TABLE ... MOVE, CREATE TABLE ... AS SELECT, or Data Pump.
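The migration the paragraph above describes, as an added example rather than the book's own code. It moves one table and its index out of the unencrypted USERS tablespace into ENCRYPTED_TBS and then checks that nothing belonging to the schema is left behind. APP_OWNER, ORDERS and ORDERS_PK are hypothetical names.

```sql
-- Added example (not the recipe's own code). Schema, table and index names
-- are hypothetical; ENCRYPTED_TBS is the tablespace created in this recipe.

-- Before: every segment of the schema that still lives in a plain tablespace.
SELECT s.segment_name, s.segment_type, s.tablespace_name
  FROM dba_segments    s
  JOIN dba_tablespaces t ON t.tablespace_name = s.tablespace_name
 WHERE s.owner = 'APP_OWNER'
   AND t.encrypted = 'NO';

-- Move the table. MOVE rewrites every block into the target tablespace,
-- and because the ROWIDs change it leaves all indexes on the table UNUSABLE.
ALTER TABLE app_owner.orders MOVE TABLESPACE encrypted_tbs;

-- Show the indexes that now need attention.
SELECT index_name, status, tablespace_name
  FROM dba_indexes
 WHERE table_owner = 'APP_OWNER'
   AND table_name  = 'ORDERS';

-- Rebuild each index INTO the encrypted tablespace. Rebuilding it in place
-- would restore the index but leave the indexed values in cleartext in USERS.
ALTER INDEX app_owner.orders_pk REBUILD TABLESPACE encrypted_tbs;

-- Alternative for a copy-and-swap migration (equivalent to ALTER TABLE MOVE
-- for a table without dependent objects):
--   CREATE TABLE app_owner.orders_enc TABLESPACE encrypted_tbs
--     AS SELECT * FROM app_owner.orders;

-- After: the query must return no rows before the migration is called done.
SELECT s.segment_name, s.segment_type, s.tablespace_name
  FROM dba_segments    s
  JOIN dba_tablespaces t ON t.tablespace_name = s.tablespace_name
 WHERE s.owner = 'APP_OWNER'
   AND t.encrypted = 'NO';
```

Two practical caveats: LOB columns are not carried along by a plain MOVE and need ALTER TABLE ... MOVE LOB (col) STORE AS (TABLESPACE encrypted_tbs), and the old datafile still contains the plaintext blocks until they are overwritten, so dropping the source tablespace (and wiping its files) is part of the migration, not an optional cleanup.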

Encryption key management

TDE will not perform any encryption or decryption operation unless the encryption wallet is opened.

If you restart or shut down the database, the encryption wallet is closed as well, and every encrypted tablespace becomes inaccessible until it is reopened. To open the encryption wallet:

ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "UYio71+^ZaPO";

To close the encryption wallet manually, issue the following:

ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "UYio71+^ZaPO";
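The wallet lifecycle after a restart, as an added example that is not part of the book's recipe: it shows the wallet status, the error a closed wallet produces on an encrypted tablespace, and the reopen sequence. The password is the one used on this page; HR_SALARY_DEMO is a hypothetical table stored in ENCRYPTED_TBS.

```sql
-- Added example (not the recipe's own code). Assumes a password-protected
-- wallet as configured in the previous recipe and a table HR_SALARY_DEMO
-- (hypothetical) that lives in ENCRYPTED_TBS.

-- After SHUTDOWN / STARTUP the wallet comes up CLOSED.
SELECT wrl_parameter, status
  FROM v$encryption_wallet;
-- expected: ... CLOSED

-- A read that has to fetch blocks from disk now fails:
--   ORA-28365: wallet is not open
-- (blocks still sitting in the buffer cache may be served; do not rely on
-- a closed wallet to cut off access for sessions that are already running)
SELECT COUNT(*) FROM hr_salary_demo;

-- Open the wallet; the password is the one chosen when it was created.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "UYio71+^ZaPO";

SELECT wrl_parameter, status
  FROM v$encryption_wallet;
-- expected: ... OPEN

-- Encrypted data is readable again.
SELECT COUNT(*) FROM hr_salary_demo;

-- Close it when policy requires (11g R2 syntax: the password is needed to close).
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "UYio71+^ZaPO";
```

Because the OPEN statement carries the wallet password, never leave it in a startup script or in the SQL*Plus history on the server: that turns the wallet back into an unprotected file, which is exactly what the password is there to prevent.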