Uploaded by mnsamysuresh


TDE (TRANSPARENT DATA ENCRYPTION)

CONTENTS:-

1.INTRODUCTION

2.PREREQUISITES

3.HIGH LEVEL STEPS

4.PLAN OF ACTION

5.ADVANTAGES AND DISADVANTAGES

6.EXTRAS

1.INTRODUCTION:-

Transparent Data Encryption (TDE) is the Oracle Database feature, part of the Advanced Security Option,
that encrypts data at rest. It protects the contents of the database files (datafiles) so that if the files,
or backups and copies of them, are stolen or read outside the database, the data cannot be recovered
without the encryption keys.

Because data is encrypted before it is written to the operating system (OS) files and decrypted as it is
read back, it is also protected from anyone who bypasses the database and reads the files directly at the
OS or storage level. TDE is a confidentiality control for data at rest: it does not stop a user who is
already authenticated to the database and holds privileges on the data, because decryption is transparent
to that user. Access control and auditing are still needed for that.

To use TDE, an Oracle keystore (wallet) holding the master encryption key must be created and must be open
whenever the database is running. By default it is opened with a password after each startup; an auto-login
keystore (Step 3 below) opens it automatically.

TDE supports two levels of encryption:

I.Column-Level Encryption :- Encrypts specific columns in a table.

II.Tablespace-Level Encryption:- Encrypts all data stored in a tablespace. (This is the
configuration we will be using in our exercise.)
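
As an added illustration of the column-level option (this is not code from the original write-up), the
following shows how individual columns are encrypted and then checked. The HR table, column and index
names are assumptions, and the keystore must already be open with a master key set (Steps 1-3 of the
plan below).

```sql
-- Added column-level TDE example; table/column names are assumptions, not from the original page.
-- Requires an open keystore with a master key (Plan of Action, Steps 1-3).

-- Encrypt only the sensitive columns. SALT (the default) mixes random bytes into each value
-- before encryption so equal plaintexts give different ciphertexts; NO SALT is required on a
-- column that will be indexed. The SHA-1 integrity check (MAC) is on unless NOMAC is given.
CREATE TABLE hr.employees_sensitive (
  emp_id       NUMBER PRIMARY KEY,
  full_name    VARCHAR2(100),
  national_id  VARCHAR2(20)  ENCRYPT USING 'AES256' NO SALT,  -- indexed below, so NO SALT
  salary       NUMBER        ENCRYPT USING 'AES256',          -- salted (default)
  bank_account VARCHAR2(34)                                   -- cleartext for now
);

-- An index on an encrypted column is only possible because national_id was declared NO SALT.
CREATE INDEX hr.emp_sens_nid_ix ON hr.employees_sensitive (national_id);

-- Encrypt an existing column in place. The column data is rewritten, so do this in a
-- maintenance window on large tables.
ALTER TABLE hr.employees_sensitive MODIFY (bank_account ENCRYPT USING 'AES256');

-- Note: a column that takes part in a foreign key cannot be encrypted at column level;
-- tablespace-level encryption (Step 4 of the plan) covers such columns instead.

-- Verify which columns are encrypted, with which algorithm, and whether SALT/MAC are in use.
SELECT owner, table_name, column_name, encryption_alg, salt, integrity_alg
  FROM dba_encrypted_columns
 WHERE owner = 'HR'
 ORDER BY table_name, column_name;
```

Column-level encryption keeps the rest of the table in cleartext, which is why the exercise below uses
tablespace-level encryption: it needs no per-column decisions and has none of the SALT or foreign-key
restrictions.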

2.PREREQUISITES:-
• Take a full database backup (RMAN) before starting.
• Check free space on the mount point/ASM disk group: online encryption writes an encrypted copy of each
  datafile next to the original, so allow at least the size of the largest datafile being converted.
• Check the COMPATIBLE parameter: online tablespace encryption requires COMPATIBLE 12.2.0 or higher.
• If a Data Guard standby exists, decide how to handle it in the fallback plan (for example, defer redo
  apply until the change is verified). The standby needs a copy of the keystore before it can apply redo
  for encrypted tablespaces.
• Oracle Database edition: Enterprise Edition is required (TDE is not supported in Standard Edition).
• Supported versions: the WALLET_ROOT and TDE_CONFIGURATION parameters used below exist from Oracle
  Database 18c onward.
• Identify the tablespaces to encrypt.
• Test in a lower environment first (UAT, PREPROD).

(Note:- Make sure you have an Advanced Security Option license, which is an extra-cost license, before
proceeding.)
3.HIGH LEVEL STEPS :-
1. Check Prerequisites: Ensure the database is Enterprise Edition, licensed for Advanced Security, and
   that a keystore location (WALLET_ROOT) is available for storing the encryption keys.
2. Configure the Keystore: Set WALLET_ROOT and TDE_CONFIGURATION, then create and open the keystore.
3. Set the Master Encryption Key: Create the master key, which encrypts the tablespace (and column) keys
   that in turn encrypt the data. Then create the auto-login keystore so the database can open it at
   startup.
4. Encrypt Data: Apply encryption at the tablespace level (the whole tablespace) or at the column level
   (specific sensitive columns).
5. Verify Encryption: Confirm in dba_tablespaces and v$encryption_wallet that the tablespaces or columns
   are encrypted and that the keystore is open.
6. Back Up and Manage the Keystore: Back up the keystore after every key operation and store it apart
   from the database backups; without it the encrypted data is unrecoverable.
7. Rotate Encryption Keys: Periodically rekey the master key. This re-encrypts the tablespace keys under
   the new master key without rewriting the data.

4.PLAN OF ACTION

STEP1 :- Create the wallet/keystore location (owned by the Oracle software owner, not world-readable).

$ mkdir -p /u01/app/oracle/wallet/tde
$ chmod -R 700 /u01/app/oracle/wallet

STEP2:- Point the database at the keystore location and create the keystore.

WALLET_ROOT is a static parameter, so it only takes effect after a restart. With WALLET_ROOT set, the TDE
keystore lives in the tde subdirectory under it.

SQL> alter system set wallet_root='/u01/app/oracle/wallet' scope=spfile;

SQL> shutdown immediate

SQL> startup

SQL> alter system set tde_configuration='keystore_configuration=file' scope=both;

SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY walletpa#123;

or, with an explicit path (it must be the WALLET_ROOT/tde directory):

SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/wallet/tde' IDENTIFIED BY walletpa#123;

Note:- When WALLET_ROOT is set, the path can be omitted and the keystore is created under WALLET_ROOT/tde;
a path that does not match that location is rejected with an error. In a multitenant database, run the
keystore commands from CDB$ROOT (with CONTAINER = ALL where the PDBs should follow).

Now open the keystore:

SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY walletpa#123;

SQL> SET LINESIZE 200

SQL> COLUMN wrl_parameter FORMAT A50

SQL> SELECT * FROM v$encryption_wallet;

NOTE:- At this point WALLET_TYPE is PASSWORD and STATUS is OPEN_NO_MASTER_KEY, because no master key has
been set yet. The auto-login conversion is done in Step 3 after the master key exists.

STEP 3:- Set the TDE MASTER ENCRYPTION KEY, then make the keystore auto-login

Set the master key while the password keystore is open. WITH BACKUP first writes a timestamped copy of
ewallet.p12 into the same directory.

SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY walletpa#123 WITH BACKUP;

SQL> SET LINESIZE 100

SQL> SELECT con_id, key_id FROM v$encryption_keys;

Now create the auto-login keystore (cwallet.sso) from the password keystore, so the database can open it
without a password at startup:

SQL> administer key management create auto_login keystore from keystore identified by walletpa#123;

Restart the database and check the wallet again:

SQL> SET LINESIZE 200

SQL> COLUMN wrl_parameter FORMAT A50

SQL> SELECT * FROM v$encryption_wallet;

NOTE:- Earlier the STATUS was OPEN_NO_MASTER_KEY; after setting the master key it is OPEN, and after the
restart WALLET_TYPE shows AUTOLOGIN instead of PASSWORD. Keep ewallet.p12 (the password keystore) and its
password safe: cwallet.sso only lets the database open the keystore, and every administrative key operation
still needs the password. Keep keystore backups separate from the database backups.

STEP 4:- Encrypt the tablespaces online

SQL> select tablespace_name,encrypted from dba_tablespaces;

Online encryption rewrites each datafile into an encrypted copy while the tablespace stays available, so
it needs free space equal to the largest datafile being converted and generates I/O proportional to the
tablespace size. Without a USING clause the default algorithm (AES128) is used; write
"encryption online using 'AES256' encrypt" to choose a stronger one.

SQL> alter tablespace SYSTEM encryption online encrypt;

SQL> alter tablespace SYSAUX encryption online encrypt;

SQL> alter tablespace UNDOTBS1 encryption online encrypt;

SQL> alter tablespace USERS encryption online encrypt;


STEP5:- Replace the TEMP tablespace

TEMP tablespaces can be encrypted but cannot be converted in place. To have an encrypted TEMP tablespace,
create a new encrypted temporary tablespace, make it the default temporary tablespace, and then drop the
original TEMP tablespace.

Set the ENCRYPT_NEW_TABLESPACES initialization parameter to ALWAYS first, so that the new TEMP tablespace
(and every tablespace created from now on) is encrypted even when the CREATE TABLESPACE statement has no
ENCRYPTION clause:

SQL> ALTER SYSTEM SET ENCRYPT_NEW_TABLESPACES=ALWAYS;

SQL> create temporary tablespace temp02 tempfile '/u01/app/oracle/temp01.dbf' size 10m;

SQL> alter database default temporary tablespace temp02;

SQL> drop tablespace temp including contents and datafiles;

SQL> select tablespace_name,encrypted from dba_tablespaces;

Note:- The drop fails while sessions still hold sort segments in the old TEMP; retry once they finish or
reconnect. Size the new tempfile like the old one; 10m is only an example value.

STEP 6 (Optional)-: Use DBVERIFY to confirm used blocks are encrypted.

$ dbv file=/u01/app/oracle/oradata/TDE/users01.dbf

The summary printed by dbv includes a "Total Pages Encrypted" line. After a completed conversion it should
be non-zero and close to the number of used (non-empty) pages; a value of 0 means the file is still in
cleartext. "Total Pages Failing" and "Total Pages Marked Corrupt" should be 0.

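
The plan above checks each step separately. The following script, added here and not part of the
original write-up, performs the "Verify Encryption" check (high-level step 5) in one pass after Step 5.
It assumes a SYSDBA session; in a multitenant database run it in CDB$ROOT, where the rows are reported
per CON_ID.

```sql
-- Added post-conversion verification script (not from the original page). Run as SYSDBA.
-- Expected values after Steps 1-5 are given in the comments.

SET LINESIZE 200 PAGESIZE 100
COLUMN wrl_parameter   FORMAT A45
COLUMN tablespace_name FORMAT A20

-- 1. Keystore: STATUS should be OPEN, WALLET_TYPE AUTOLOGIN after Step 3, WRL_PARAMETER under
--    WALLET_ROOT/tde, and FULLY_BACKED_UP = YES once every key has been backed up (WITH BACKUP).
SELECT con_id, wrl_type, wrl_parameter, status, wallet_type, fully_backed_up
  FROM v$encryption_wallet;

-- 2. Master keys: one row per key; the newest ACTIVATION_TIME is the active master key.
--    BACKED_UP = NO means no keystore backup contains this key yet.
SELECT con_id, key_id, tag, activation_time, backed_up
  FROM v$encryption_keys
 ORDER BY con_id, activation_time;

-- 3. Anything still in cleartext. An empty result means every tablespace is encrypted.
SELECT tablespace_name, contents, status
  FROM dba_tablespaces
 WHERE encrypted = 'NO'
 ORDER BY tablespace_name;

-- 4. Algorithm and conversion state of each encrypted tablespace. A STATUS other than NORMAL
--    (ENCRYPTING, DECRYPTING, REKEYING) means an online operation is still running; do not take
--    the final backup until every row reads NORMAL.
SELECT t.name AS tablespace_name, e.encryptionalg, e.key_version, e.status,
       e.blocks_encrypted, e.blocks_decrypted
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts# AND t.con_id = e.con_id
 ORDER BY t.name;
```

Query 3 is the one to keep in a monitoring job: with ENCRYPT_NEW_TABLESPACES=ALWAYS it should stay empty,
and any row that appears means a cleartext tablespace has been created by other means.
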
5. Advantages and disadvantages of Transparent Data Encryption (TDE):-

ADVANTAGES:-

➢ Data Protection :- TDE encrypts data at rest, so the information stays protected even if the
underlying storage media, datafiles or backups are copied or stolen.

➢ Compliance :- Helps organizations meet regulatory requirements, such as GDPR, HIPAA, and PCI-DSS,
which often mandate encryption of sensitive data at rest.

➢ Ease of Implementation :- TDE does not require changes to existing applications or schemas. Encryption
and decryption happen inside the database and are transparent to users and applications.

➢ Integration with Oracle Features :- TDE works with the Oracle keystore (wallet), RMAN backups, Data Guard
and Data Pump, so it fits into the existing operational tooling.

DISADVANTAGES:-

➢ Limited Scope:- TDE only encrypts data at rest, not data in transit or in use. Because decryption is
transparent, it also does not protect against a user or DBA who is authenticated to the database and holds
privileges on the data; access control and auditing are still needed for that.
➢ Backup Management:- Backups of encrypted tablespaces are unusable without the keystore, so losing the
keystore or its password means permanent data loss. Keystore backups must be kept current after every
key operation and stored apart from the database backups.
➢ Key Management Complexity:- Effective management of encryption keys, including the Oracle keystore, is
critical. Poor key management can lead to security risks or operational outages.
➢ Licensing Costs:- TDE is part of Oracle's Advanced Security Option, which is an extra-cost license.
➢ Performance Impact in High-Transaction Environments:- While TDE's performance impact is generally
minimal, it can be more pronounced in high-transaction environments or when dealing with large volumes
of data, potentially affecting response times. The one-off online conversion is the heaviest part.

6. EXTRAS:-

i) Convert tablespaces in parallel

Each ALTER TABLESPACE ... ENCRYPT statement can run in its own session, so several tablespaces convert at
the same time. In this example, the four tablespaces were converted simultaneously from different windows.

Note: This process uses CPU and I/O resources. In a shared environment, monitor resources so that multiple
encryption processes do not infringe on other databases' resource requirements.

ii) If a tablespace needs to be decrypted for any reason, there is also a DECRYPT clause.

SQL> alter tablespace USERS encryption online decrypt;

iii) Data Pump exports are not protected by TDE: expdp reads the data through the database, which decrypts
it transparently, so the dump file is written in cleartext unless Data Pump is told to encrypt it with the
ENCRYPTION and ENCRYPTION_PASSWORD (or ENCRYPTION_MODE=TRANSPARENT) parameters.

Parameters related to ENCRYPTION in EXPDP:-

• ENCRYPTION = {ALL | DATA_ONLY | ENCRYPTED_COLUMNS_ONLY | METADATA_ONLY | NONE}
• ENCRYPTION_ALGORITHM = { AES128 | AES192 | AES256 }
• ENCRYPTION_MODE = { DUAL | PASSWORD | TRANSPARENT }
  TRANSPARENT uses the TDE master key, so the dump can only be imported where the same keystore is
  available; PASSWORD makes the dump portable; DUAL allows either.
• ENCRYPTION_PASSWORD
  Prefer ENCRYPTION_PWD_PROMPT=YES over putting the password on the command line, where it would be
  visible in the process list and shell history.

iv) ALTER SYSTEM SET ENCRYPT_NEW_TABLESPACES = value;

ENCRYPT_NEW_TABLESPACES = { CLOUD_ONLY | ALWAYS | DDL }

• CLOUD_ONLY (the default):
When a user tablespace is created in the Oracle Cloud, it is transparently encrypted if the
ENCRYPTION ... ENCRYPT clause of the CREATE TABLESPACE statement is not specified. On-premises, the
statement is followed as written.

• ALWAYS:
Whether the user tablespace is created in the Oracle Cloud or in an on-premises database, the
tablespace is transparently encrypted if the ENCRYPTION ... ENCRYPT clause is not specified in the
CREATE TABLESPACE statement.

• DDL:
Whether the user tablespace is created in the Oracle Cloud or in an on-premises database, the CREATE
TABLESPACE statement follows the specified DDL. If no ENCRYPTION clause is specified, the tablespace is
not encrypted. If the ENCRYPTION USING ... ENCRYPT clause is specified, the specified algorithm is used
to encrypt the tablespace.

v) To restore the database on another server, copy the keystore files (ewallet.p12 and, if used,
cwallet.sso) from the source to the same WALLET_ROOT location on the destination before the restore;
without the keystore the encrypted tablespaces cannot be opened. A LOCAL auto-login keystore is bound to
the host it was created on and will not open elsewhere, so copy the password keystore and re-create the
auto-login keystore on the new server. Transfer the keystore over a separate, protected channel, never
alongside the backup pieces.
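
High-level step 7 (rotate encryption keys) has no commands in the plan above. The following is an added
example, not from the original write-up, of a master key rotation and the checks that go with it. It
assumes the keystore password walletpa#123 from the plan; the tag and backup identifier are arbitrary
labels chosen here.

```sql
-- Added master key rotation example (not from the original page). Assumes the keystore
-- password walletpa#123 from the plan; 'rekey_q1' and 'before_rekey_q1' are arbitrary labels.

-- Generate and activate a new master key. The tablespace keys are re-encrypted under it;
-- the data blocks themselves are not rewritten. The previous master key stays in the
-- keystore so older backups and archived redo can still be decrypted.
-- WITH BACKUP first writes ewallet_<timestamp>_before_rekey_q1.p12 next to ewallet.p12.
-- FORCE KEYSTORE lets the operation use the password keystore even though the auto-login
-- keystore from Step 3 is the one currently open.
ADMINISTER KEY MANAGEMENT SET KEY
  USING TAG 'rekey_q1'
  FORCE KEYSTORE
  IDENTIFIED BY walletpa#123
  WITH BACKUP USING 'before_rekey_q1';
-- In a CDB, run this in CDB$ROOT and append CONTAINER = ALL to rekey every PDB in one step.

-- Confirm: the row with the newest ACTIVATION_TIME carries the new tag, and every key
-- shows BACKED_UP = YES.
SELECT con_id, key_id, tag, activation_time, backed_up
  FROM v$encryption_keys
 ORDER BY con_id, activation_time;

-- Rotating the master key leaves the per-tablespace data keys unchanged. To re-encrypt the
-- data itself with a fresh tablespace key (and, optionally, a stronger algorithm), rekey
-- the tablespace online. This rewrites the datafiles like the original conversion did, so
-- it has the same space and I/O requirements as Step 4.
ALTER TABLESPACE users ENCRYPTION ONLINE USING 'AES256' REKEY;

-- Check that the rekey finished (STATUS = NORMAL) and which algorithm/key version is in use.
SELECT t.name, e.encryptionalg, e.key_version, e.status
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts# AND t.con_id = e.con_id
 WHERE t.name = 'USERS';
```

Back up the keystore directory again after the rotation: a keystore copy taken before the rekey does not
contain the new master key and cannot decrypt the tablespace keys as they are now stored.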
