Databases have an extensive set of security mechanisms to protect information from unauthorized database users. These mechanisms include user authentication (e.g., user name and password), privilege settings, and auditing of user actions. The database, however, still relies upon the operating system to secure the data as it resides within the physical data files to prevent unauthorized access using operating system utilities.
Traditionally, the extensive security capabilities of the operating systems on which a database runs have been sufficient. With advanced technologies, however, more sophisticated methods of obtaining sensitive information render the traditional measures inadequate. In view of this, a database needs to use an additional layer of protection to secure its data.
One such layer that Oracle uses to protect data is based on a technology called Transparent Data Encryption (TDE) and the use of a component known as the Oracle Wallet. TDE provides the ability to encrypt sensitive data found within individual columns or entire tablespaces. Since the database manages the required encryption keys, the feature is considered transparent. This feature was made available in Oracle 10g.
This article discusses how to enable TDE and how to create an encrypted tablespace.
Enabling TDE and Creating an Encrypted Tablespace
Before TDE can be enabled, a container to hold the encryption key must be open. This container is referred to as the Oracle Wallet. Its default location is $ORACLE_BASE\admin\$ORACLE_SID\wallet. Create the directory using your operating system command, e.g.
This directory should be accessible to the owner of the Oracle installation.
Next, assign the encryption key by entering the following SQL command:
This command generates the master key and stores it within the wallet.
If you have just created the encryption key, then the wallet is implicitly opened. Later, however, to open it explicitly, you would issue the following command:
Once the wallet is opened, TDE operations become available.
Finally, create an encrypted tablespace with the following command:
Note that the command above specifies the encryption algorithm. Currently supported algorithms are Triple Data Encryption Standard (DES) and Advanced Encryption Standard (AES).
To check which tablespaces are encrypted, include the column encrypted when querying the data dictionary view dba_tablespaces. For example:
Close a wallet with the following SQL command:
By using the TDE feature, you are enabling an additional security measure in your data.
If you wish to learn more about Oracle tablespace management and other critical database administration tasks, we invite you to please check out our Oracle Database Administration training.