Step by Step implementing TDE encryption in 21c

In today’s digital world, data security is paramount. Organizations handle vast amounts of sensitive information, including financial records, personal data, and proprietary business data. To protect this valuable information from unauthorized access and data breaches, encryption has become a crucial aspect of data security.

Oracle, a leading provider of enterprise-grade database management systems, offers robust encryption solutions to safeguard data at rest and during transmission. Oracle encryption provides a powerful means to protect sensitive data from unauthorized access, ensuring data privacy and compliance with regulatory requirements.

Types of Oracle Encryption:

1. Transparent Data Encryption (TDE): Transparent Data Encryption is a widely used encryption feature that encrypts data at rest in the Oracle Database. It operates at the storage layer, encrypting the data as it is written to disk and decrypting it when read back into memory. TDE helps protect data from unauthorized access, even if the underlying storage media or backups are compromised.
2. Secure Sockets Layer (SSL) and Transport Layer Security (TLS): Oracle provides SSL/TLS encryption for secure network communication between clients and the Oracle Database. SSL/TLS ensures that data transmitted over the network is encrypted and protected from eavesdropping and interception, reducing the risk of data exposure during data transmission.
3. Data Redaction: Data Redaction is a feature that allows sensitive data to be masked or redacted in query results. This dynamic data masking ensures that sensitive information is not visible to users without proper authorization, helping organizations comply with privacy regulations and internal security policies.
4. Oracle Advanced Security (OAS): Oracle Advanced Security is an optional licensed package that extends encryption capabilities with additional features like native network encryption, database links encryption, and secure password authentication. OAS enhances the overall security posture of the Oracle Database.

Benefits of Oracle Encryption:

1. Data Protection: Encryption ensures that sensitive data remains protected from unauthorized access, both at rest and during transit, reducing the risk of data breaches and ensuring data privacy.
2. Regulatory Compliance: Many industries have strict data security regulations, such as GDPR, HIPAA, and PCI DSS. Oracle encryption helps organizations meet compliance requirements and avoid costly penalties.
3. Secure Data Sharing: With encrypted data, organizations can securely share data with trusted partners or external stakeholders, maintaining data confidentiality during data exchanges.
4. Transparent Implementation: Oracle encryption is designed to be transparent to applications and users, requiring minimal changes to existing applications while providing strong data protection.

Now we will see how to implement TDE encryption manually in a database.

1. Start the database and do a check whether TDE is enabled in our database.

$ sqlplus / as sysdba

SQL*Plus: Release 21.0.0.0.0 - Production on Fri July 21 02:09:28 2023
Version 21.3.0.0.0

Copyright (c) 1982, 2023, Oracle.  All rights reserved.

Connected to an idle instance.

SQL> startup
ORACLE instance started.

Total System Global Area 1577057552 bytes
Fixed Size                  9686288 bytes
Variable Size             922746880 bytes
Database Buffers          637534208 bytes
Redo Buffers                7090176 bytes
Database mounted.
Database opened.


SQL> show pdbs

    CON_ID CON_NAME                       OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
         2 PDB$SEED                       READ ONLY  NO
         3 ORAPDB1                        MOUNTED    NO



SQL> ALTER PLUGGABLE DATABASE ORAPDB1 open;

Pluggable database altered.


SQL> ALTER PLUGGABLE DATABASE ORAPDB1 SAVE STATE;

Pluggable database altered.



SQL> set lines 300
     col name for a15
     col wrl_type for a10
     col status for a30

SQL> select p.con_id, p.name, p.open_mode, ew.wrl_type, ew.wallet_type, ew.status 
     from v$pdbs p join v$encryption_wallet ew on (ew.con_id = p.con_id)
     order by p.con_id;


    CON_ID NAME            OPEN_MODE  WRL_TYPE   WALLET_TYPE          STATUS
---------- --------------- ---------- ---------- -------------------- ------------------------------
         2 PDB$SEED        	READ ONLY  FILE       UNKNOWN              NOT_AVAILABLE
         3 ORAPDB1      	READ WRITE FILE       UNKNOWN              NOT_AVAILABLE

2.Create the keystore directory.

mkdir $ORACLE_HOME/admin/$ORACLE_SID/wallet

3a. Modify the SQLNET.ORA file to manage the encryption wallet in case you are using 18c and below else follow 3.b

ENCRYPTION_WALLET_LOCATION=
 (SOURCE=
  (METHOD=FILE)
   (METHOD_DATA=
    (DIRECTORY=/var/opt/oracle/admin/$ORACLE_SID/wallet/)))

3.b In the previous version, we used to specify the ENCRYPTION_WALLET_LOCATION inside the sqlnet.ora file. However, starting from 18c, the sqlnet parameters have been deprecated. Instead, we will utilize the new parameters WALLET_ROOT and TDE CONFIGURATION to manage encryption settings.

SQL> alter system set wallet_root='/var/opt/oracle/admin/$ORACLE_SID/wallet' scope=spfile;

System altered.


SQL> shutdown immediate;
SQL> startup;


SQL> alter system set tde_configuration='KEYSTORE_CONFIGURATION=FILE' scope=both;

System altered.

4. Create the password based Keystore

$mkdir /var/opt/oracle/admin/$ORACLE_SID/wallet/tde

SQL> administer key management
 create auto_login keystore '/var/opt/oracle/admin/$ORACLE_SID/wallet/tde' identified by Welcome_123;

keystore altered.

--- The 'Auto_login' parameter is essential as it enables the wallet to automatically open after the instance is rebooted. Without this parameter, the wallet will remain closed, and manual intervention will be required to open it again following a system reboot.

SQL>
 set lines 300
     col name for a15
     col wrl_type for a10
     col status for a30

SQL> select p.con_id, p.name, p.open_mode, ew.wrl_type, ew.wallet_type, ew.status
     from v$pdbs p join v$encryption_wallet ew on (ew.con_id = p.con_id)
     order by p.con_id;

    CON_ID NAME            OPEN_MODE  WRL_TYPE   WALLET_TYPE          STATUS
---------- --------------- ---------- ---------- -------------------- ------------------------------
         2 PDB$SEED        READ ONLY  FILE       UNKNOWN              CLOSED
         3 ORAPDB1         READ WRITE FILE       UNKNOWN              CLOSED

5. Open the password-based keystore.

SQL> administer key management set keystore open identified by Welcome_123 container=ALL;

keystore altered.

-- check the status

SELECT WRL_PARAMETER,STATUS,WALLET_TYPE FROM V$ENCRYPTION_WALLET;
                        OR 
SQL> select p.con_id, p.name, p.open_mode, ew.wrl_type, ew.wallet_type, ew.status
     from v$pdbs p join v$encryption_wallet ew on (ew.con_id = p.con_id)
     order by p.con_id;

    CON_ID NAME            OPEN_MODE  WRL_TYPE   WALLET_TYPE          STATUS
---------- --------------- ---------- ---------- -------------------- ------------------------------
         2 PDB$SEED        READ ONLY  FILE       PASSWORD             OPEN_NO_MASTER_KEY
         3 ORA21CPDB1      READ WRITE FILE       PASSWORD             OPEN_NO_MASTER_KEY

The current status is "OPEN_NO_MASTER_KEY," indicating that the wallet is open but does not yet have a master key. To proceed, we must set the master key for all pluggable databases (PDBs).

6. Create master key for container database (CDB) and all pluggable databases (PDBs).

SQL> administer key management set key identified by Welcome_123 with backup container=ALL;

keystore altered.

SQL> select p.con_id, p.name, p.open_mode, ek.key_id
     from v$pdbs p left outer join v$encryption_keys ek on (ek.con_id = p.con_id)
     order by p.con_id;


    CON_ID NAME       OPEN_MODE  KEY_ID
---------- ---------- ---------- ------------------------------------------------------------
         2 PDB$SEED   READ ONLY
         3 ORA21CPDB1 READ WRITE HDDvad73KKKKKKCJFLSJJJDJJJJJJdnfjrefDFNJEWWDKDKKFKFKKK

7. Create an encrypted tablespace

SQL> alter session set container=ORAPDB1;



SQL> CREATE TABLESPACE TS_ENCRYPTED DATAFILE '<PATH>' SIZE 11M ENCRYPTION USING  'AES256' ENCRYPT;

---Check tablespace status

select tablespace_name , encrypted from dba_tablespaces;

TABLESPACE_NAME                                                   ENCRYPTED
----------------------------------------------------------------- -------
TS_ENCRYPTED                                                          YES 

Now you can create objects inside the tablespace and the data will be encrypted.

Thank you for reading my blog. I hope you found it informative and enjoyable. Your feedback is valuable to me, and I would love to hear your thoughts on it. Happy reading!