How to enable Transparent Data Encryption (TDE) in Oracle database

012117_2036_Transparent1 How to enable Transparent Data Encryption (TDE) in Oracle database

TDE is an encryption mechanism present in Oracle database used to encrypt the data stored in a table column or tablespace. It protects the data stored on database files (DBF) by doing an encryption in case the file is stolen or hacked.

TDE supports any of the following encryption algorithms to encrypt the data. 

  • 3DES168, AES128, AES192, AES256

TDE uses an encryption key to encrypt or decrypt the data. The encryption key is saved in a  Keystore which is saved external to the database.For example, the Keystore can be saved in a file. 

TDE supports two levels of encryption

  • Columns Level Encryption: Encrypt the table column data
  • Tablespace Level Encryption: Encrypt all the data in a tablespace

 

TDE supports SALT, a random data added to the value before the encryption happens. It strengthens the encryption.

In this post, I explained how to setup a password-based Transparent Data Encryption (TDE)  in Oracle database. The following are the series of steps required to complete the setup. 

  1. Set a KeyStore local in SQLNET.ORA
  2. Create a Password based KeyStore 
  3. Open the KeyStore 
  4. Set Master Encryption Key 
  5. Encrypt your data 

Let’s begin to set up the Transparent Data Encryption

 

Pre-Requisite

Oracle Database 11.2.0 or greater installed

 

Step 1: Set KEYSTORE location in SQLNET.ORA

1.1) Go to ORACLE_HOME\NETWORK\ADMIN and open the SQLNET.ora in a notepad file

 

1.2) Create a directory anywhere on the database server 

 

1.3) Add the below content in SQLNET.ORA file. Here we are defining a directory location for the KEYSTORE. Replace the directory path in the DIRECTORY parameter with the one you created. 

 

STEP 2: Create a Password-based KeyStore

2.1) Login as SYSDBA or a user who has been granted the ADMINISTER KEY MANAGEMENT or SYSKM privilege

 

2.2) Create a KEYSTORE

  • Replace <‘C:\app\oracledb\product\12.1.0\dbhome_1\wallets’> with the directory mentioned in SQLNET.ORA
  • Replace <password123> with your password

The above query in SQL window:

012117_2036_Transparent2 How to enable Transparent Data Encryption (TDE) in Oracle database

 

Step 3: Open the KEYSTORE

3.1) Login as sysdba and Open the KEYSTORE

The above query in SQL window: 

012117_2036_Transparent3 How to enable Transparent Data Encryption (TDE) in Oracle database

  • Replace ‘Password123’ with the one you set in Step2

Step 4: Set Master Encryption Key

4.1) Set the Master Encryption Key using SET KEY clause

  • Replace ‘Password123’ with the one you set in Step2
  • Replace ”emp_key_backup’ with your own description

The above query in SQL Window: 

012117_2036_Transparent4 How to enable Transparent Data Encryption (TDE) in Oracle database

 

Step5: Encrypt your Data

You can encrypt individual columns in a table or the entire tablespace. The Following algorithms are supported (3DES168, AES128, AES192, AES256)

5.1 Encrypt a Columns in Table

5.1.1) Create a table with an encrypted column. 

Where:

The keyword encrypt tells the database to encrypts data that are stored in column ‘Title’. By default, It uses the encryption algorithm AES192. SAC and MAC are added by default

 

5.1.2) Create a column with an encryption algorithm and NO SALT. The Using keyword is used to set an algorithm. 

 

5.1.3) Encrypt an existing table column

 

(or)

 

5.1.4) Change the Encryption key of an existing column

 

5.2) Encrypt Tablespace

You need to set the COMPATIBLE parameter greater than 11.1.2 before encrypting the tablespace. 

 

5.2.1) Set the COMPATIBLE initialization parameter

First, check the COMPATIBLE value

Output: 

012117_2036_Transparent5 How to enable Transparent Data Encryption (TDE) in Oracle database

 

If the compatible value is less than 11.2.0.0 then change the value greater than 11.2.0. Follow the steps below to change the parameter

 

5.2.2) Create a tablespace with encryption. The syntax will be like this 

Note: Encrypting existing tablespace is not supported.

 

That’s it. The transparent data encryption is completed now. If you have any questions or concerns about the matter above, please post it in the comment below. 

govindan How to enable Transparent Data Encryption (TDE) in Oracle database
Connect me

Govind

Thank you for visiting my personal blog. Myself Govindan, Software Developer by profession since 2006 and hence I started this blog early in 2016 and ever since I've been writing about technologies experienced and learnings of everyday life.

The views expressed on this blog are my personal views and do not necessarily reflect the views of my employer.

Please feeling free to reach me on any comments and feedbacks you have. Would be more than glad to listen and reply šŸ™‚
govindan How to enable Transparent Data Encryption (TDE) in Oracle database
Connect me
By | 2017-01-22T01:11:56+00:00 January 21st, 2017|Categories: Oracle|Tags: , , , |0 Comments
Like us on Facebook.
Connect!