Oracle Tde Install and Configuration!

This document provides a comprehensive guide on installing, configuring, and administering Oracle's Transparent Data Encryption (TDE). It explains the purpose of TDE, its protective capabilities against unauthorized access, and the steps required for its installation and configuration, including prerequisites and key management. Additionally, it covers supported data types, configuration parameters, and best practices for utilizing TDE effectively.


TDE INSTALL AND CONFIGURATION

TRANSPARENT DATA
ENCRYPTION

Shashi Kallae
Table of Contents

Purpose (p. 3)
Scope (p. 3)
Who can use this document? (p. 3)
What is TDE (Transparent Data Encryption)? (p. 3)
  Transparent Data Encryption (TDE) (p. 3)
  What does TDE protect against? (p. 5)
  How does TDE work? (p. 5)
  What else does TDE encrypt? (p. 6)
  What does Oracle recommend? (p. 6)
Install and Configure TDE (Transparent Data Encryption) (p. 7)
  Check TDE Install Pre-Requisites (p. 8)
  Generate a Master Key (p. 11)
Supported Data Types (TDE) (p. 13)
Oracle Transparent Data Encryption Installation and Configuration (p. 18)
  Oracle TDE Configuration (Set the Keystore) (p. 18)
    Set the Keystore Parameters (p. 20)
  A Brief Overview of TDE_CONFIGURATION (p. 24)
    TDE Configuration Parameters (p. 24)
    United Mode and Isolation Mode (p. 25)
    TDE_CONFIGURATION Syntax (p. 26)
    What happens when the correct values are not displayed in the output? (p. 28)
    TDE_CONFIGURATION Parameters in Detail! (p. 29)
    KEYSTORE_CONFIGURATION (p. 31)
    Before Oracle Database 18.1 (p. 32)
    CONTAINER attribute (p. 33)
  Oracle TDE Configuration (create, open, master, activate master key) (p. 35)
  Understanding the Backup TDE SQL (p. 41)
    Explanation (p. 42)
  How to Manage the Keystores? (p. 43)
How to Encrypt a Column or an Entire Tablespace (p. 45)
Encrypt and Decrypt the existing Tablespaces in 12.2, 18.0.0, 19.0.0, 23.0.0 (p. 51)
  Online Tablespace Encryption (p. 52)
  Offline Tablespace Encryption (p. 55)
  Online Tablespace Decryption (p. 58)
  Offline Tablespace Decryption (p. 60)
Important TDE SQLs (p. 65)
References (p. 66)

Purpose
This technical document explains why Oracle TDE (Transparent Data Encryption) matters and how to install,
configure, and administer it.

Scope
This Technical document is meant to be used as a guide.

Who can use this document?


Anyone with at least one year of experience Installing, Configuring, and administering the Oracle Database
versions 11g/12c/18c/19c or higher.

What is TDE (Transparent Data Encryption)?


TRANSPARENT DATA ENCRYPTION (TDE)

TDE is a security feature in Oracle Database that encrypts data at rest. This means the data stored on the disk is
encrypted, making it unreadable to anyone without a decryption key.
WHAT DOES TDE PROTECT AGAINST?

TDE protects the data files against unauthorized access: even if someone gains access to the physical storage or
copies the data files, they cannot read the data without the TDE master encryption key.

HOW DOES TDE WORK?

1. TDE encrypts entire tablespaces or specific sensitive columns within tables.
2. TDE is transparent to applications: application teams can continue to access and use the data without any
changes to their code.
3. Encryption and decryption happen in the background, without impacting the application's performance or the
way it accesses data through SQL (neither inbound SQL statements nor outbound SQL query results are affected).
4. Encryption and decryption occur at the database storage level.
5. Data encrypted with TDE is decrypted when it is read from the database files. If this data goes over the network,
it is in clear text unless it is encrypted in transit using TLS or Oracle's native network encryption. Encrypting the
connection ensures that data traveling over the network from SQL*Plus to the database, and vice versa, is
encrypted.
6. Use the Oracle Database Security Assessment Tool to determine what sensitive data is stored in your databases.
WHAT ELSE DOES TDE ENCRYPT?

1. Temporary tablespaces, which are used for processing data.
2. Undo tablespaces, which are used for rollback.
3. Redo logs, which are used for database recovery.
4. Entire database backups (RMAN).
a. Note: An Oracle Advanced Security license is required to encrypt RMAN backups to disk, regardless of whether
the TDE master encryption key or a passphrase is used for the encryption.
5. Data Pump exports.

WHAT DOES ORACLE RECOMMEND?

1. Oracle recommends TDE tablespace encryption because it performs better and more consistently in most
cases.
2. TDE tablespace encryption leverages hardware-based crypto acceleration wherever available, reducing the
performance impact to the "near-zero" range.
Install and Configure TDE (Transparent Data Encryption)
CHECK TDE INSTALL PRE-REQUISITES

1. Oracle Wallet.
2. sqlnet.ora.
3. Read or Write Permissions.

1. Oracle Wallet.

ENCRYPTION_WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = "$ORACLE_BASE/admin/<global_db_name>/wallet")
    )
  )

2. sqlnet.ora.
a. If you want to use the default wallet location, you do not have to add the "ENCRYPTION_WALLET_LOCATION"
entry above to the sqlnet.ora file.
b. The default location of the Oracle Wallet is "$ORACLE_BASE/admin/<global_db_name>/wallet".
c. In Oracle 18c or higher, it is recommended to use "WALLET_ROOT" and "TDE_CONFIGURATION" to locate the
TDE wallet instead of "ENCRYPTION_WALLET_LOCATION".
d. Ensure that the default location above, or the custom location defined in sqlnet.ora, exists before TDE
installation and configuration.
e. Note: Starting from 11gR2, the wallet can be shared by all the instances of a RAC database.

3. Read or Write Permissions. The oracle OS user must be able to read and write the wallet directory.

$ ls -l "$ORACLE_BASE/admin/<global_db_name>/wallet"
-rw-r--r-- 1 oracle oinstall 4096 Feb 16 10:23 $ORACLE_BASE/admin/<global_db_name>/wallet
GENERATE A MASTER KEY

To generate a master key, you must first meet the following requirements:

1. Ensure you have the correct edition of Oracle software: TDE requires Oracle Enterprise Edition.
2. Ensure an Oracle Advanced Security license has been purchased.
3. For more details on the OAS license, contact your TAM or open a service request with Oracle.
4. There are several ways to generate the master key. For more information, contact Oracle Support or consult
the Oracle documentation.
Supported Data Types (TDE)

• TDE encryption can be implemented at the column level, tablespace level, and table level.
• Before using TDE, it is necessary to understand its limitations, pros, and cons. The illustration below shows the
supported data types and the database features that are unsupported when TDE encryption is used.
• TDE column encryption has limitations with several data types if the Oracle Database uses the features
mentioned in the illustration below.
• TDE also supports the data types listed in the illustration below.
What are the data types encrypted with TDE column encryption?

Oracle Database supports TDE column encryption for columns of the following data types:

1. BINARY_DOUBLE
2. BINARY_FLOAT
3. CHAR
4. DATE
5. INTERVAL DAY TO SECOND
6. INTERVAL YEAR TO MONTH
7. NCHAR
8. NUMBER
9. NVARCHAR2
10. RAW (legacy or extended)
11. TIMESTAMP (includes TIMESTAMP WITH TIME ZONE and TIMESTAMP WITH LOCAL TIME ZONE)
12. VARCHAR2 (legacy or extended)
Limitations of TDE column encryption with some database features

1. If the encrypted column size is greater than the maximum size allowed by the column's data type, the column
cannot be encrypted using TDE.
2. To encrypt large objects (LOBs), use Oracle SecureFiles encryption rather than TDE column encryption.
3. Oracle SecureFiles enables you to store LOB data securely.
4. Use the CREATE TABLE or ALTER TABLE statement to encrypt a LOB using Oracle SecureFiles.
Oracle Transparent Data Encryption Installation and Configuration
Note: Oracle TDE is available by default in Oracle Enterprise Edition. To use this feature, you must purchase an
Oracle Advanced Security License.

ORACLE TDE CONFIGURATION (SET THE KEYSTORE)

NOTE:

Starting in Oracle 19c, Oracle recommends that you use the WALLET_ROOT and TDE_CONFIGURATION
parameters to configure the keystore location. Alternatively, you can configure the keystore using the
$ORACLE_HOME/network/admin/sqlnet.ora file.

In a multitenant environment, Oracle recommends using the initialization parameters. United mode is only
supported if the $ORACLE_HOME/network/admin/sqlnet.ora file is used for TDE configuration in the
multitenant environment. Isolated mode is only supported if the WALLET_ROOT and TDE_CONFIGURATION
parameters are used for the TDE configuration.
Set the Keystore Parameters

The following steps set up the software or hardware keystore.

1. Log in to the Oracle Database Linux server using the root user's credentials.
2. Sudo to the oracle user.
3. Navigate to the directory "$ORACLE_BASE/admin/" and create a directory unique to your situation,
something like "dbname_tde_fqdn".

$ cd $ORACLE_BASE/admin/
$ mkdir dbname_tde_fqdn
$ ls -lthr dbname_tde_fqdn
drwxr-xr-x 2 user group 4096 Feb 16 15:30 dbname_tde_fqdn

4. Log in to the Oracle database as a user with SYSDBA privileges.

SQL> connect / as sysdba
Connected.
SQL>

5. Set the wallet parameter. The command below stores the location of the Oracle wallet directory in the server
parameter file (SPFILE).

Syntax:  alter system set wallet_root='<Full Oracle wallet directory>' scope=spfile;
Example: alter system set wallet_root='/u01/app/oracle/wallets' scope=spfile;

6. Once the above is done, shut down and start the database so that the new WALLET_ROOT value takes effect.

SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.

SQL> startup;
ORACLE instance started.

Total System Global Area  629145600 bytes
Fixed Size                   890944 bytes
Variable Size             461373440 bytes
Database Buffers          163577856 bytes
Redo Buffers                 786432 bytes
Database mounted.
Database opened.

7. Set the TDE_CONFIGURATION parameter.

Software keystore:
alter system set TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE=both;

Hardware keystore:
alter system set TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM" SCOPE=both;

Explanation of parameters:

• TDE_CONFIGURATION: The initialization parameter that holds the TDE configuration.
• "KEYSTORE_CONFIGURATION=FILE": Indicates that the keystore is file-based, meaning that the encryption
keys are stored in a wallet file ("KEYSTORE_CONFIGURATION=HSM" selects a hardware security module
instead).
• SCOPE=both: Applies the change to both the running instance (memory) and the server parameter file
(SPFILE), so that it persists across restarts.

A BRIEF OVERVIEW OF TDE_CONFIGURATION

1. TDE_CONFIGURATION is a configuration parameter setting that defines the Type of Keystore for
Transparent Data Encryption (TDE).
2. The WALLET_ROOT initialization parameter must be set for TDE_CONFIGURATION to take effect.
3. United PDBs inherit the TDE_CONFIGURATION value from the root container. They essentially use the
same keystore for the TDE as the root container.
4. Isolated PDB’s TDE_CONFIGURATION can be set individually.

TDE Configuration Parameters


Keystore: A Keystore is a secure location where cryptographic keys are stored.

Root Container: The Root Container refers to the main container database in a
multitenant architecture.

United PDBs: United PDBs likely refers to non-isolated PDBs, which are closely tied
to the root container.

United Mode and Isolation Mode

Before Oracle Database 18c, each pluggable database (PDB) stored its encryption
keys alongside the container database (CDB)'s keys in a shared keystore, known
as "united mode."

However, starting with Oracle Database 18c in cloud environments, PDBs have the
option to use "isolated mode," where each PDB can have its own separate
keystore and password for enhanced security, a feature extended to all Oracle
database deployments with version 19.14 of Oracle Database 19c, including on-
premises, legacy, and engineered systems.
TDE_CONFIGURATION Syntax

Parameter type: String

Syntax: TDE_CONFIGURATION = "{ KEYSTORE_CONFIGURATION = value [; CONTAINER = pdb-name] }"

  value ::= FILE | OKV | HSM | FILE|OKV | FILE|HSM | OKV|FILE | HSM|FILE

  Notes:
  The KEYSTORE_CONFIGURATION value is case-insensitive. For example, you can specify FILE or file.
  FILE|OKV, FILE|HSM, OKV|FILE, and HSM|FILE are single values. The vertical bars they contain are not
  separators in the syntax shown above.

Default value: None

Modifiable: ALTER SYSTEM (footnote 1)

Modifiable in a PDB: Yes

Basic: No

Oracle RAC: The same value must be specified on all instances using the statement
  ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=value" SCOPE=BOTH SID='*';

What happens when the correct values are not displayed in the output?

In some cases, when this parameter is set using ALTER SYSTEM SCOPE=SPFILE,
the SHOW PARAMETER TDE_CONFIGURATION statement does not show the
correct value. However, the value set for TDE_CONFIGURATION can be derived
from information shown in the V$ENCRYPTION_WALLET view.
TDE_CONFIGURATION Parameters in Detail!

KEYSTORE_CONFIGURATION: This is a required attribute. The value specified with this attribute configures the
keystore type for the specified PDB.

The following values can be specified for this attribute:

FILE: Configures a wallet keystore.

OKV: Configures the database to use Oracle Key Vault (OKV) for TDE key management. This value is also used
to disable an auto-login OKV configuration and cause any existing cwallet.sso files, containing the credentials
to the OKV server as the OKV_PASSWORD client secret, to be ignored.

HSM: Configures a hardware security module (HSM).

FILE|OKV: Configures a reverse migration from OKV to a wallet keystore.

FILE|HSM: Configures a reverse migration from an HSM to a wallet keystore.

OKV|FILE: Configures a migration from a wallet to OKV. This value is also used in an auto-login OKV
configuration, because in this configuration a cwallet.sso file, containing the OKV_PASSWORD client secret,
must be used by the Oracle server to obtain the credentials to log in to the OKV server.

HSM|FILE: Configures a migration from a wallet to an HSM.

Oracle does not support the use of HSMs for TDE key management. For more information, see Oracle Support
note 2310066.1, "Oracle TDE Support With 3rd Party HSM Vendors", at the following URL:
https://support.oracle.com/rs?type=doc&id=2310066.1

KEYSTORE_CONFIGURATION

Some of the KEYSTORE_CONFIGURATION attribute values consist of a single word, for example the FILE, OKV,
and HSM values. The other KEYSTORE_CONFIGURATION attribute values consist of two words separated by the
"|" character, which is a required part of the value's syntax: for example, the FILE|OKV, FILE|HSM, OKV|FILE,
and HSM|FILE values.


Before Oracle Database 18.1

In Oracle Database releases prior to Oracle Database 18.1, keystore types were
configured in sqlnet.ora using the METHOD attribute of the
SQLNET.ENCRYPTION_WALLET_LOCATION parameter.
CONTAINER attribute

CONTAINER: This optional attribute can be used only when setting the parameter in the CDB$ROOT of a CDB,
and only while CDB$ROOT is in the MOUNTED state.

With this attribute, you specify the name of the PDB for which you are setting the parameter. When you specify
the CONTAINER attribute, you must use a semicolon ";" as the separator between the KEYSTORE_CONFIGURATION
and CONTAINER attributes.
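As an added example (not from the original document), the keystore-location setup from the Set the Keystore Parameters steps and the CONTAINER attribute described above, written as one SQL*Plus script with the V$ENCRYPTION_WALLET check that this guide recommends when SHOW PARAMETER lags behind. The wallet root path and the PDB name PDB1 are constructed placeholders.

```sql
-- Added example: configure the TDE keystore location with WALLET_ROOT and
-- TDE_CONFIGURATION (18c/19c style) and verify the result.
-- Assumptions (placeholders): wallet root /u01/app/oracle/wallets, a PDB named PDB1.
-- Run as SYSDBA in CDB$ROOT (or in a non-CDB).

-- 1. WALLET_ROOT is static: it can only be set in the SPFILE and needs a restart.
--    The directory must already exist and be writable by the oracle OS user.
ALTER SYSTEM SET WALLET_ROOT = '/u01/app/oracle/wallets' SCOPE = SPFILE;
SHUTDOWN IMMEDIATE;
STARTUP;

-- 2. Choose the keystore type. SCOPE=BOTH makes it effective now and after restarts.
--    For a software keystore Oracle looks for the wallet under <WALLET_ROOT>/tde.
ALTER SYSTEM SET TDE_CONFIGURATION = "KEYSTORE_CONFIGURATION=FILE" SCOPE = BOTH;

-- 3. Verify. SHOW PARAMETER may not reflect a value set with SCOPE=SPFILE, so also
--    read V$ENCRYPTION_WALLET: WRL_PARAMETER is the effective wallet location and
--    STATUS stays NOT_AVAILABLE until the keystore file itself has been created.
SHOW PARAMETER WALLET_ROOT
SHOW PARAMETER TDE_CONFIGURATION
SELECT con_id, wrl_type, wrl_parameter, status, wallet_type
  FROM v$encryption_wallet;

-- 4. Isolated mode variant: give one PDB its own keystore configuration. Per the
--    rules above this is done from CDB$ROOT while it is MOUNTED, and the two
--    attributes are separated by a semicolon. Run these instead of step 2.
-- SHUTDOWN IMMEDIATE;
-- STARTUP MOUNT;
-- ALTER SYSTEM SET TDE_CONFIGURATION = "KEYSTORE_CONFIGURATION=FILE;CONTAINER=PDB1" SCOPE = BOTH;
-- ALTER DATABASE OPEN;

-- 5. RAC: every instance must carry the same value.
-- ALTER SYSTEM SET TDE_CONFIGURATION = "KEYSTORE_CONFIGURATION=FILE" SCOPE = BOTH SID = '*';
```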
ORACLE TDE CONFIGURATION (CREATE, OPEN, MASTER, ACTIVATE MASTER KEY)

1. Create the Wallet Keystore. Before the keystore exists, V$ENCRYPTION_WALLET reports STATUS = NOT_AVAILABLE.

SQL> select * from v$encryption_wallet;

WRL_TYPE  WRL_PARAMETER         STATUS         WALLET_TYPE  WALLET_ORDER  FULLY_BACKED_UP  CON_ID
--------  --------------------  -------------  -----------  ------------  ---------------  ------
FILE      /home/oracle/tde19c/  NOT_AVAILABLE  UNKNOWN      SINGLE        UNDEFINED        0

SQL> administer key management create keystore '/home/oracle/tde19c/' identified by "Pa$$w0rd";

keystore altered.

SQL>

2. Open the Keystore. A keystore that exists but has not been opened reports STATUS = CLOSED.

SQL> select * from v$encryption_wallet;

WRL_TYPE  WRL_PARAMETER         STATUS  WALLET_TYPE  WALLET_ORDER  FULLY_BACKED_UP  CON_ID
--------  --------------------  ------  -----------  ------------  ---------------  ------
FILE      /home/oracle/tde19c/  CLOSED  UNKNOWN      SINGLE        UNDEFINED        0

SQL> administer key management set keystore open identified by "Pa$$w0rd";

keystore altered.

SQL>

3. Check the Master Key status. STATUS = OPEN_NO_MASTER_KEY means the keystore is open but no master key
has been created yet.

SQL> select * from v$encryption_wallet;

WRL_TYPE  WRL_PARAMETER         STATUS              WALLET_TYPE  WALLET_ORDER  FULLY_BACKED_UP  CON_ID
--------  --------------------  ------------------  -----------  ------------  ---------------  ------
FILE      /home/oracle/tde19c/  OPEN_NO_MASTER_KEY  PASSWORD     SINGLE        UNDEFINED        0

SQL>

Note: To create keys, the wallet keystore must be opened explicitly with its password. If the keystore is only
accessible through the auto-login feature, keys cannot be added to the wallet.

4. Create the Master Key.

SQL> administer key management create key identified by "Pa$$w0rd" with backup;

keystore altered.

5. Activate the Master Key. A key created with CREATE KEY is not in use until it is activated with USE KEY, and
an active master key is required before an encrypted table or tablespace can be created. Look up the KEY_ID of
the new key and activate it (the key ID is passed as a single-quoted string):

SQL> select key_id from v$encryption_keys;

KEY_ID
------------------------------------------------------------------------------
j0+xSyzU9mvwKP2JevKFBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

SQL> administer key management use key 'j0+xSyzU9mvwKP2JevKFBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'
identified by "<password>" with backup;

keystore altered.

SQL> select key_id, activation_time from v$encryption_keys;

KEY_ID                                                   ACTIVATION_TIME
-------------------------------------------------------  -----------------------------------
j0+xSyzU9mvwKP2JevKFBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB  24-FEB-24 10.15.16.766510 AM +00:00

SQL>

6. Check the status of the Wallet. STATUS = OPEN with WALLET_TYPE = PASSWORD and FULLY_BACKED_UP = YES
shows that the master key is set and the keystore has been backed up.

SQL> select * from v$encryption_wallet;

WRL_TYPE  WRL_PARAMETER         STATUS  WALLET_TYPE  WALLET_ORDER  FULLY_BACKED_UP  CON_ID
--------  --------------------  ------  -----------  ------------  ---------------  ------
FILE      /home/oracle/tde19c/  OPEN    PASSWORD     SINGLE        YES              0

SQL>

In general, after these steps the view shows the wallet type, the wallet directory path, and STATUS = OPEN:

SQL> select wrl_type, wrl_parameter, status from v$encryption_wallet;

WRL_TYPE  WRL_PARAMETER            STATUS
--------  -----------------------  ------
FILE      <wallet directory path>  OPEN

This should enable TDE in the database.
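As an added example (not from the original document), a read-only PL/SQL check that reports where the keystore of the current container stands in the create / open / master key / activate sequence above, using only V$ENCRYPTION_WALLET and V$ENCRYPTION_KEYS. It assumes it is run as SYSDBA in the container being checked and that a software (FILE) keystore is configured.

```sql
-- Added example: report the keystore state and the next ADMINISTER KEY MANAGEMENT
-- step, without changing anything. Assumes SYSDBA in the current container.
SET SERVEROUTPUT ON
DECLARE
  v_status      VARCHAR2(30);
  v_wallet_type VARCHAR2(20);
  v_backed_up   VARCHAR2(9);
  v_location    VARCHAR2(4000);
  v_total_keys  PLS_INTEGER;
  v_active_keys PLS_INTEGER;
BEGIN
  -- Row for the software (FILE) keystore of the container we are connected to.
  SELECT status, wallet_type, fully_backed_up, wrl_parameter
    INTO v_status, v_wallet_type, v_backed_up, v_location
    FROM v$encryption_wallet
   WHERE wrl_type = 'FILE'
     AND con_id = TO_NUMBER(SYS_CONTEXT('USERENV', 'CON_ID'));

  -- Master keys known to this container. ACTIVATION_TIME is NULL for a key that
  -- was created with CREATE KEY but never activated with USE KEY (step 5 above).
  SELECT COUNT(*), COUNT(activation_time)
    INTO v_total_keys, v_active_keys
    FROM v$encryption_keys
   WHERE con_id = TO_NUMBER(SYS_CONTEXT('USERENV', 'CON_ID'));

  DBMS_OUTPUT.PUT_LINE('Keystore location : ' || v_location);
  DBMS_OUTPUT.PUT_LINE('Keystore status   : ' || v_status);
  DBMS_OUTPUT.PUT_LINE('Wallet type       : ' || v_wallet_type);

  -- Map the STATUS values seen in steps 1, 2, 3 and 6 to the command that follows.
  CASE v_status
    WHEN 'NOT_AVAILABLE' THEN
      DBMS_OUTPUT.PUT_LINE('Next: ADMINISTER KEY MANAGEMENT CREATE KEYSTORE ''<dir>'' IDENTIFIED BY "<pwd>"');
    WHEN 'CLOSED' THEN
      DBMS_OUTPUT.PUT_LINE('Next: ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<pwd>"');
    WHEN 'OPEN_NO_MASTER_KEY' THEN
      DBMS_OUTPUT.PUT_LINE('Next: ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "<pwd>" WITH BACKUP');
    WHEN 'OPEN' THEN
      DBMS_OUTPUT.PUT_LINE('TDE is usable: ' || v_active_keys || ' activated key(s) of '
                           || v_total_keys || ' in the keystore.');
      IF v_total_keys > v_active_keys THEN
        DBMS_OUTPUT.PUT_LINE('Note: ' || (v_total_keys - v_active_keys)
                             || ' key(s) were created but never activated (USE KEY).');
      END IF;
    ELSE
      DBMS_OUTPUT.PUT_LINE('Unexpected status; inspect V$ENCRYPTION_WALLET manually.');
  END CASE;

  -- The note under step 3 applies: an auto-login wallet opens by itself, but key
  -- changes still require the password-protected keystore to be opened explicitly.
  IF v_wallet_type IN ('AUTOLOGIN', 'LOCAL_AUTOLOGIN') THEN
    DBMS_OUTPUT.PUT_LINE('Auto-login keystore in use: open the password keystore before key changes.');
  END IF;

  -- A master key that exists only in an unbacked-up wallet is lost with that wallet.
  IF v_backed_up = 'NO' THEN
    DBMS_OUTPUT.PUT_LINE('Keystore not fully backed up: run ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE.');
  END IF;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    DBMS_OUTPUT.PUT_LINE('No FILE keystore row: WALLET_ROOT / TDE_CONFIGURATION may not be set.');
END;
/
```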


UNDERSTANDING THE BACKUP TDE SQL

SQL> ADMINISTER KEY MANAGEMENT SET KEY
  2  IDENTIFIED BY "Pa$$w0rd"
  3  WITH BACKUP USING 'database1_key_backup';

keystore altered.

Check the status of the keystore:

SQL> SELECT STATUS FROM V$ENCRYPTION_WALLET;

STATUS
------------------------------
OPEN

Now that the master encryption key is set, the status is OPEN.

Explanation:

ADMINISTER KEY MANAGEMENT SET KEY: Sets (creates and activates) a master encryption key using the
ADMINISTER KEY MANAGEMENT command, which is dedicated to key management.

IDENTIFIED BY "Pa$$w0rd": The password required to access the keystore in which the encryption key resides.

WITH BACKUP USING 'database1_key_backup': Instructs the operation to back up the keystore before setting
the key. The backup is identified by the tag database1_key_backup.
HOW TO MANAGE THE KEYSTORES?

1. Re-key the Master Key. SET KEY creates a new master key and activates it; the previous key remains in the
keystore.

SQL> administer key management set key identified by "<password>" with backup;

keystore altered.

SQL> select key_id, activation_time from v$encryption_keys;

KEY_ID                                                    ACTIVATION_TIME
--------------------------------------------------------  -----------------------------------
j0+xSyzU9mvwKP2JevKFBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB   24-FEB-24 10.15.16.766510 AM +00:00
vwmU+2P0SjKx9FJKyzvAeBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB  24-FEB-23 10.15.16.766510 PM +00:00

SQL>

2. Change the keystore password.

SQL> administer key management alter keystore password identified by "OLDpa$$word"
set "newpa$$word" with backup using 'change';

keystore altered.

3. Back up the keystore.

SQL> administer key management backup keystore using 'tde19c'
identified by "newpa$$word" to '/home/oracle';

keystore altered.

4. Create the auto-login keystore.

SQL> administer key management create auto_login keystore from keystore
'/home/oracle/wallet/tde19c/' identified by "newpa$$word";

keystore altered.

5. Close the keystore.

SQL> administer key management set keystore close identified by "newpa$$word";

keystore altered.

6. Merge two keystores. Both passwords are double-quoted strings.

SQL> administer key management merge keystore '/home/oracle/tde19c' identified by
"pa$$word" into existing keystore '/home/oracle/wallet/tde19c1/' identified by
"newpa$$word" with backup;

keystore altered.

How to Encrypt a Column or an Entire Tablespace


1. Create an Encrypted Table.
CREATE TABLE new_table_name(
column_name1 number,
column_name2 varchar2(100) encrypt using 'AES256' NO SALT
);

Explanation:

1. CREATE TABLE: This SQL command is used to create a new table in a database.
2. new_table_name: This is the name for the table being created. You should
replace it with the desired name.
3. column_name1: This is the name for the first column. You should replace it with
the desired name.
4. column_name2: This is the name for the second column. You should replace it
with the desired name, and with a data type of "varchar2(100)", allowing variable-
length character strings up to 100 characters long. Additionally, it specifies that
the data stored in this column should be encrypted using the AES256 encryption
algorithm without using a salt.

2. Encrypt the columns of an existing Table.


alter table table_name modify( column_name1 encrypt SALT);

Explanation:
The provided SQL statement is an ALTER TABLE command used to modify an existing table's column to
enable encryption with a salt.
ALTER TABLE: This SQL command is used to modify the structure of an existing table in the database.
table_name: This is the name of the table being modified. You should replace it with the actual name of the
table you want to alter.
MODIFY: This keyword specifies that you want to modify the definition of a column in the table.
column_name1: This is the name of the column being modified. You should replace it with the actual name
of the column you want to alter.
encrypt: This keyword specifies that encryption should be applied to the column.
SALT: This keyword specifies that a salt should be used for encryption. A salt is a random value that is
combined with the data before encryption to enhance security.

3. Encrypt a Tablespace.

CREATE TABLESPACE <Tablespace_name>
  DATAFILE '<datafile directory with file name>.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE(ENCRYPT);
Explanation:

The provided SQL statement is used to create a tablespace in an Oracle database with encryption enabled.

CREATE TABLESPACE: This is the SQL command used to create a new tablespace in the database.

<Tablespace_name>: This is a placeholder for the name of the tablespace you want to create. You should
replace it with the actual name you want to use for your tablespace.

DATAFILE '<datafile directory with file name>.dbf' SIZE 100M: This specifies the datafile associated
with the tablespace. The datafile is the physical file on the disk where the data for the tablespace will be
stored. You need to provide the full directory path and filename for the datafile, and you can also specify its
initial size (in this case, 100 megabytes).

ENCRYPTION USING 'AES256': This clause indicates that encryption should be applied to the data stored
in the tablespace, using the AES256 encryption algorithm. AES256 is a widely used encryption standard
that employs a 256-bit encryption key.

DEFAULT STORAGE(ENCRYPT): This specifies that the default storage attributes for objects (like tables
and indexes) created in this tablespace should also have encryption enabled. Any data stored in objects
within this tablespace will be automatically encrypted.
The illustration in this section shows that an existing unencrypted tablespace cannot be encrypted in place
when the Oracle Database version is 12.1 or earlier, but can be from 12.2 onwards (12.2, 18c, 19c or later).
More explanation is given below.

Can you encrypt an unencrypted tablespace? A short history:

Up to and including Oracle Database 12.1, an existing tablespace could not be encrypted directly. Oracle's
guidance was to create a new encrypted tablespace and move the data into it (for example with
ALTER TABLE ... MOVE or Data Pump). From Oracle Database 12.2 onwards (18c, 19c or later) an existing
tablespace can be encrypted in place, online or offline, without moving the data.
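Creating a new encrypted tablespace and then making encryption the default for every tablespace created afterwards, as an added example that is not part of the original document. The tablespace name, datafile path and table name are hypothetical; the keystore is assumed to be open already.

```sql
-- Added example (not from the original document): create an encrypted
-- tablespace, confirm it, and make encryption the default going forward.
-- TS_PCI and the /u02 path are hypothetical.

-- 1. The tablespace key is generated at CREATE time and wrapped with the TDE
--    master key, so the keystore must be OPEN or the CREATE fails (ORA-28365).
SELECT wrl_type, status, wallet_type, con_id FROM v$encryption_wallet;

-- 2. Create the tablespace. The algorithm is fixed for the life of the
--    tablespace, so choose AES256 now rather than planning a later REKEY.
CREATE TABLESPACE ts_pci
  DATAFILE '/u02/oradata/ORCL/ts_pci01.dbf' SIZE 100M
    AUTOEXTEND ON NEXT 50M MAXSIZE 10G
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 3. Confirm that the dictionary flag and the runtime view agree.
SELECT t.tablespace_name, t.encrypted, e.encryptionalg, e.encryptedts, e.status
  FROM dba_tablespaces t
  JOIN v$tablespace v            ON v.name = t.tablespace_name
  JOIN v$encrypted_tablespaces e ON e.ts#  = v.ts#
 WHERE t.tablespace_name = 'TS_PCI';

-- 4. Anything created inside it is encrypted without further clauses.
CREATE TABLE card_tokens (
  token_id   NUMBER PRIMARY KEY,
  pan_last4  VARCHAR2(4),
  token      RAW(32)
) TABLESPACE ts_pci;

-- 5. Stop relying on every DBA remembering the ENCRYPTION clause. With
--    ENCRYPT_NEW_TABLESPACES = ALWAYS (12.2 and later; the other values are
--    CLOUD_ONLY and DDL) any CREATE TABLESPACE that omits the ENCRYPTION
--    clause is still encrypted, using the database default algorithm.
ALTER SYSTEM SET encrypt_new_tablespaces = ALWAYS SCOPE = BOTH;
```

Step 5 is the control a security reviewer should look for: with the default CLOUD_ONLY, an on-premises database silently creates cleartext tablespaces whenever someone forgets the ENCRYPTION clause.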
Encrypt and Decrypt the existing Tablespaces in 12.2, 18.0.0, 19.0.0, 23.0.0
ONLINE TABLESPACE ENCRYPTION

1. Connect to the CDB root (united mode) or to the PDB (isolated mode) as a user who has been granted
administrative privileges:

CONNECT c##sec_admin AS SYSDBA
(or CONNECT sec_admin@pdb_name AS SYSDBA)

Enter password: password


2. Check the current setting of the COMPATIBLE parameter. Online conversion requires COMPATIBLE 12.2.0 or
later; if it is lower, set it (ALTER SYSTEM SET COMPATIBLE = '12.2.0' SCOPE=SPFILE) and restart the database.
Raising COMPATIBLE cannot be undone except by restoring a backup taken before the change, so treat it as its
own change, separate from the encryption work.

SHOW PARAMETER COMPATIBLE

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
compatible                           string      12.2.0.0
noncdbcompatible                     BOOLEAN     FALSE

The COMPATIBLE Initialization Parameter

Oracle Database Release               Default Value   Minimum Value
------------------------------------  -------------   -------------
Oracle Database 23c                   23.0.0          19.0.0
Oracle Database 21c                   21.0.0          12.2.0
Oracle Database 19c                   19.0.0          11.2.0
Oracle Database 18c                   18.0.0          11.2.0
Oracle Database 12c Release 2 (12.2)  12.2.0          11.2.0

3. Encrypt the tablespace using the ALTER TABLESPACE command.

ALTER TABLESPACE tablespace_name ENCRYPTION ONLINE ENCRYPT
  FILE_NAME_CONVERT = ('tablespace1.dbf', 'tablespace1_enc.dbf');

Explanation:

• ALTER TABLESPACE: The SQL command used to modify an existing tablespace in the database.
• tablespace_name: The name of the tablespace to encrypt. Replace it with the actual tablespace name.
• ENCRYPTION ONLINE: Performs the conversion online; the tablespace stays open for reads and writes while
  its datafiles are rewritten in encrypted form, one file at a time.
• ENCRYPT: The operation to apply (the alternatives are DECRYPT and REKEY). An optional USING 'algorithm'
  clause placed before ENCRYPT selects the algorithm, for example ENCRYPTION ONLINE USING 'AES256' ENCRYPT;
  if it is omitted, the default AES128 is used.
• FILE_NAME_CONVERT = ('tablespace1.dbf', 'tablespace1_enc.dbf'): One or more pairs of (old pattern, new
  pattern) for the tablespace's datafiles. Each old pattern is replaced by the new pattern in the file name,
  and the encrypted copy is written under the new name while the original remains in use until the conversion
  completes. This clause is required for user-managed datafiles and is not needed with Oracle Managed Files,
  where the database names the new files itself.
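The three steps above as one runnable sequence, with the checks a practitioner runs before and after, as an added example that is not part of the original document. The tablespace TS_APP and the /u02 datafile paths are hypothetical.

```sql
-- Added example (not from the original document): online conversion of an
-- existing cleartext tablespace. TS_APP and the /u02 paths are hypothetical.

-- 0. Preconditions: COMPATIBLE >= 12.2.0 and an OPEN keystore. Do not bundle
--    a COMPATIBLE change into this runbook; it is irreversible and needs a
--    restart of its own.
SELECT name, value FROM v$parameter WHERE name = 'compatible';
SELECT status, wallet_type FROM v$encryption_wallet;

-- 1. Know which files will be rewritten and how big the largest one is;
--    online conversion needs that much auxiliary space in the target location.
SELECT file_name, ROUND(bytes / 1024 / 1024) AS mb
  FROM dba_data_files
 WHERE tablespace_name = 'TS_APP'
 ORDER BY bytes DESC;

-- 2. Convert. USING is optional (AES128 if omitted); FILE_NAME_CONVERT is
--    required unless Oracle Managed Files are in use. Sessions keep reading and
--    writing TS_APP throughout; the old file is swapped for the encrypted one
--    only when that file's rewrite is complete.
ALTER TABLESPACE ts_app ENCRYPTION ONLINE USING 'AES256' ENCRYPT
  FILE_NAME_CONVERT = ('/u02/oradata/ORCL/ts_app', '/u02/oradata/ORCL/ts_app_enc');

-- 3. Verify: dictionary flag, algorithm, conversion status, and the new
--    file names. STATUS other than NORMAL means the conversion did not finish.
SELECT t.tablespace_name, t.encrypted, e.encryptionalg, e.status
  FROM dba_tablespaces t
  JOIN v$tablespace v            ON v.name = t.tablespace_name
  JOIN v$encrypted_tablespaces e ON e.ts#  = v.ts#
 WHERE t.tablespace_name = 'TS_APP';

SELECT file_name FROM dba_data_files WHERE tablespace_name = 'TS_APP';

-- 4. The original cleartext files are no longer part of the database once the
--    conversion completes; remove them from disk (and from any file-level
--    backups that are kept outside RMAN) or the encryption gained nothing.
```

The last comment is the part most runbooks miss: the old ts_app*.dbf files are cleartext copies of the data and have to be handled as such until they are securely deleted.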
OFFLINE TABLESPACE ENCRYPTION

Before starting offline encryption, note that AES128 is the default encryption algorithm for it and that no
other algorithm can be chosen for an offline conversion.

1. Take the tablespace that needs to be encrypted offline.

SQL> ALTER TABLESPACE Tablespace_Name OFFLINE NORMAL;

Explanation:
ALTER TABLESPACE: The SQL command used to modify an existing tablespace in the Oracle database.

Tablespace_Name: The name of the tablespace to take offline. Replace it with the name of the tablespace
you want to modify.

OFFLINE: Takes the tablespace offline, so that none of its data can be read or written until it is brought
back online.

NORMAL: The offline mode (and the default). The database checkpoints every datafile in the tablespace before
taking it offline, so no media recovery is needed when the tablespace is brought back online. This is the
mode to use here; the TEMPORARY and IMMEDIATE modes skip the checkpoint and require recovery afterwards.

2. Back up the offline tablespace. Offline conversion rewrites the datafiles in place, so the backup is the
only way back if the conversion fails. The exact procedure depends on your backup strategy; the generic
user-managed steps are as follows (FYI only; with RMAN, BACKUP TABLESPACE users does the same job).
  1. Before beginning a backup of a tablespace, identify its datafiles by querying the DBA_DATA_FILES view.
     For example, to back up the USERS tablespace, enter the following in SQL*Plus:
     a. SELECT TABLESPACE_NAME, FILE_NAME FROM SYS.DBA_DATA_FILES WHERE TABLESPACE_NAME = 'USERS';

        TABLESPACE_NAME                 FILE_NAME
        ------------------------------- --------------------------------
        USERS                           /oracle/oradata/oracledatabase/users01.dbf
     b. In this example, /oracle/oradata/oracledatabase/users01.dbf is the fully specified name of the
        datafile belonging to the USERS tablespace.
  2. As in step 1, take the tablespace offline.
  3. Back up the offline datafiles at the operating-system level:
     a. cp /oracle/oradata/oracledatabase/users01.dbf /disk1/users01_$(date "+%m_%d_%y").dbf
  4. Bring the tablespace online:
     a. ALTER TABLESPACE users ONLINE;
  5. Very important: if you took the tablespace offline with TEMPORARY or IMMEDIATE priority, you cannot
     bring it back online without first performing tablespace recovery.
  6. Archive the unarchived redo logs, so that the redo required to recover from the tablespace backup is
     archived:
     a. For example: ALTER SYSTEM ARCHIVE LOG CURRENT;

3. Encrypt the tablespace using the ALTER TABLESPACE command (the tablespace must still be offline).

SQL> ALTER TABLESPACE Tablespace_Name ENCRYPTION OFFLINE ENCRYPT;

4. Alternatively, use the ALTER DATABASE statement to encrypt individual datafiles of the tablespace.

SQL> ALTER DATABASE DATAFILE 'sample.dbf' ENCRYPT;

5. Bring the tablespace back online after the encryption.

SQL> ALTER TABLESPACE Tablespace_Name ONLINE;
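The offline procedure (steps 1 to 5) as one sequence with a state check between each step, as an added example that is not part of the original document. TS_LEGACY and its datafile paths are hypothetical; the backup step is shown as a comment because it runs outside SQL.

```sql
-- Added example (not from the original document): offline conversion of a
-- tablespace, the path to use when COMPATIBLE cannot be raised to 12.2.0 or
-- when there is no auxiliary space. TS_LEGACY and /u02 paths are hypothetical.

-- 1. Take it offline with a checkpoint (NORMAL) so no recovery is needed later,
--    and confirm the state before touching any file.
ALTER TABLESPACE ts_legacy OFFLINE NORMAL;

SELECT tablespace_name, status
  FROM dba_tablespaces
 WHERE tablespace_name = 'TS_LEGACY';
-- expected STATUS = OFFLINE; stop here if it is still ONLINE

-- 2. List the files and back them up BEFORE the in-place rewrite, either at
--    the OS level as the document shows or with RMAN (BACKUP TABLESPACE
--    ts_legacy). Offline conversion leaves no second copy to fall back on.
SELECT file_id, file_name, bytes
  FROM dba_data_files
 WHERE tablespace_name = 'TS_LEGACY';

-- 3. Encrypt the whole tablespace in place. Offline conversion uses AES128;
--    there is no USING clause to choose another algorithm.
ALTER TABLESPACE ts_legacy ENCRYPTION OFFLINE ENCRYPT;

-- 3b. Alternative to 3 for a single file (for example to retry one file that
--     failed): the datafile must be offline, which it is while its
--     tablespace is offline.
-- ALTER DATABASE DATAFILE '/u02/oradata/ORCL/ts_legacy02.dbf' ENCRYPT;

-- 4. Bring it back, archive the redo that covers the conversion so the
--    pre-conversion backup is recoverable, and verify.
ALTER TABLESPACE ts_legacy ONLINE;
ALTER SYSTEM ARCHIVE LOG CURRENT;

SELECT t.tablespace_name, t.status, t.encrypted, e.encryptionalg
  FROM dba_tablespaces t
  JOIN v$tablespace v            ON v.name = t.tablespace_name
  JOIN v$encrypted_tablespaces e ON e.ts#  = v.ts#
 WHERE t.tablespace_name = 'TS_LEGACY';
-- expected: STATUS = ONLINE, ENCRYPTED = YES, ENCRYPTIONALG = AES128
```

Because the result is AES128, an offline conversion is usually the first half of the job: once the database is at COMPATIBLE 12.2.0 or later, an online REKEY with USING 'AES256' brings the tablespace up to the intended policy.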
ONLINE TABLESPACE DECRYPTION

1. Ensure that the COMPATIBLE initialization parameter is set to 12.2.0 or later (23.0.0 on a 23c database).
   See Online Tablespace Encryption above for the per-release values.
   a. SQL> SELECT name, value FROM v$parameter WHERE name = 'compatible';
   b. SQL> ALTER SYSTEM SET COMPATIBLE = '23.0.0' SCOPE=SPFILE;
      (only on a 23c database, followed by a restart; the value can never be lowered again)
2. Decrypt the tablespace using the ALTER TABLESPACE command.
   a. ALTER TABLESPACE Tablespace_Name ENCRYPTION ONLINE DECRYPT
        FILE_NAME_CONVERT = ('tablespace1_enc.dbf', 'tablespace1.dbf');
3. You can encrypt, decrypt, or rekey existing user tablespaces, and the SYSTEM, SYSAUX and UNDO
   tablespaces, while they are online. You cannot encrypt, decrypt, or rekey a temporary tablespace
   online; a temporary tablespace has to be dropped and recreated as an encrypted one.

Online tablespace conversions (encrypt, decrypt, rekey) require auxiliary space. Because an online conversion
rewrites one datafile at a time within a tablespace, auxiliary space equal to the size of the largest datafile
in the tablespace is enough.

When converting several tablespaces at once, the total auxiliary space required is the sum of the largest
datafile size of each tablespace involved.

Use the BYTES column of the V$DATAFILE view (or DBA_DATA_FILES) to get datafile sizes. If an online conversion
is interrupted, complete it by re-running the same conversion command with the FINISH keyword
(ENCRYPTION ONLINE FINISH ENCRYPT, DECRYPT or REKEY).

Offline tablespace conversion rewrites the files in place and does not require auxiliary space.
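Sizing the auxiliary space for a batch of online conversions, and completing an interrupted one with FINISH, as an added example that is not part of the original document. The tablespace names and /u02 paths are hypothetical.

```sql
-- Added example (not from the original document): auxiliary-space sizing for
-- a batch of online conversions, then resuming an interrupted conversion and
-- rotating a tablespace key. Tablespace names and /u02 paths are hypothetical.

-- Online conversion rewrites one datafile at a time, so per tablespace the
-- auxiliary space needed is its largest file, and for a batch it is the sum
-- of those maxima, not the sum of every file. SUM(MAX()) OVER () returns that
-- batch total on every row.
SELECT tablespace_name,
       ROUND(MAX(bytes) / 1024 / 1024)                AS largest_file_mb,
       ROUND(SUM(MAX(bytes)) OVER () / 1024 / 1024)   AS batch_aux_mb
  FROM dba_data_files
 WHERE tablespace_name IN ('TS_APP', 'TS_AUDIT', 'TS_HIST')
 GROUP BY tablespace_name
 ORDER BY largest_file_mb DESC;
-- compare batch_aux_mb with the free space in the target directory or ASM
-- disk group before starting any of the conversions

-- A conversion that was interrupted (instance failure, killed session) leaves
-- the tablespace partially converted; V$ENCRYPTED_TABLESPACES.STATUS shows
-- ENCRYPTING / DECRYPTING / REKEYING instead of NORMAL.
SELECT v.name, e.status, e.encryptionalg
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace v ON v.ts# = e.ts#
 WHERE e.status <> 'NORMAL';

-- Re-issue the same operation with FINISH to complete it. FILE_NAME_CONVERT
-- is given again so the remaining files get their new names.
ALTER TABLESPACE ts_app ENCRYPTION ONLINE FINISH ENCRYPT
  FILE_NAME_CONVERT = ('/u02/oradata/ORCL/ts_app', '/u02/oradata/ORCL/ts_app_enc');

-- REKEY generates a new tablespace key (and can change the algorithm) with
-- the same online mechanism and the same auxiliary-space requirement. This is
-- how an AES128 tablespace from an offline conversion is moved to AES256.
ALTER TABLESPACE ts_audit ENCRYPTION ONLINE USING 'AES256' REKEY
  FILE_NAME_CONVERT = ('/u02/oradata/ORCL/ts_audit_enc', '/u02/oradata/ORCL/ts_audit_rk');

-- DECRYPT is the inverse operation, subject to the same COMPATIBLE and
-- auxiliary-space rules.
ALTER TABLESPACE ts_hist ENCRYPTION ONLINE DECRYPT
  FILE_NAME_CONVERT = ('/u02/oradata/ORCL/ts_hist_enc', '/u02/oradata/ORCL/ts_hist');
```

Note that REKEY rotates the tablespace key only; rotating the master encryption key is a separate ADMINISTER KEY MANAGEMENT operation and does not rewrite datafiles.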


OFFLINE TABLESPACE DECRYPTION

1. Take the tablespace offline.
   a. SQL> ALTER TABLESPACE offline_test OFFLINE NORMAL;
2. Decrypt the tablespace using the ALTER TABLESPACE command.
   a. SQL> ALTER TABLESPACE offline_test ENCRYPTION OFFLINE DECRYPT;
3. Bring the tablespace back online.
   a. SQL> ALTER TABLESPACE offline_test ONLINE;
SQL Syntaxes
1. ALTER SYSTEM statement (summary of the alter_system syntax from the SQL Language Reference). Each name
   below that appears as a clause (archive_log_clause, checkpoint_clause, check_datafiles_clause,
   distributed_recov_clauses, end_session_clauses, quiesce_clauses, rolling_migration_clauses,
   rolling_patch_clauses, security_clauses, shutdown_dispatcher_clause, alter_system_set_clause,
   alter_system_reset_clause, set_encryption_key, set_parameter_clause) has its own sub-diagram in the
   reference. The TDE-relevant branch is security_clauses, which holds the legacy
   ALTER SYSTEM SET ENCRYPTION WALLET and SET ENCRYPTION KEY forms; since 12c these are deprecated in
   favor of ADMINISTER KEY MANAGEMENT, which is what the rest of this document uses.

ALTER SYSTEM
{ archive_log_clause
| checkpoint_clause
| check_datafiles_clause
| distributed_recov_clauses
| FLUSH { SHARED_POOL | GLOBAL CONTEXT | BUFFER_CACHE | FLASH_CACHE
        | REDO TO target_db_name [ [ NO ] CONFIRM APPLY ] }
| end_session_clauses
| SWITCH LOGFILE
| { SUSPEND | RESUME }
| quiesce_clauses
| rolling_migration_clauses
| rolling_patch_clauses
| security_clauses
| affinity_clauses
| shutdown_dispatcher_clause
| REGISTER
| SET alter_system_set_clause
      [ alter_system_set_clause ]...
| RESET alter_system_reset_clause
        [ alter_system_reset_clause ]...
| RELOCATE CLIENT client_id
| cancel_sql_clause
| FLUSH PASSWORDFILE_METADATA_CACHE
};
Important TDE SQLs

S.NO  SQL                                                                           What it shows
----  ----------------------------------------------------------------------------  ----------------------------------------------------------
1.    select * from gv$encryption_wallet;                                           keystore location, type and STATUS on every instance (RAC)
2.    select * from DBA_ENCRYPTED_COLUMNS;                                          every column-encrypted column, its algorithm and SALT setting
3.    select TABLESPACE_NAME, status from dba_tablespaces where encrypted = 'YES';  tablespaces protected by tablespace encryption
4.    select STATUS from v$encryption_wallet;                                       keystore state: OPEN, CLOSED, OPEN_NO_MASTER_KEY, ...
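A TDE posture check that builds on the four queries above, as an added example that is not part of the original document. It uses only standard Oracle dictionary and dynamic performance views and assumes no particular names; run it from the CDB root to see all containers, or from a PDB to see that PDB only.

```sql
-- Added example (not from the original document): TDE posture check.
-- All views are standard Oracle views; no hypothetical object names.

-- 1. Keystore. STATUS must be OPEN. OPEN_NO_MASTER_KEY means a keystore exists
--    but no master key was ever set; CLOSED means every encrypted tablespace
--    and column is unreadable right now. FULLY_BACKED_UP = NO is a finding.
SELECT con_id, wrl_type, wrl_parameter, status, wallet_type, fully_backed_up
  FROM v$encryption_wallet;

-- 2. Master keys per container. A key with BACKED_UP = NO plus a lost keystore
--    is permanent loss of everything encrypted under it.
SELECT con_id, key_id, tag, creation_time, activation_time, backed_up
  FROM v$encryption_keys
 ORDER BY con_id, activation_time;

-- 3. The gap: tablespaces that are still cleartext. TEMP is listed on its own
--    because it cannot be converted online and has to be recreated encrypted.
SELECT tablespace_name, contents, status
  FROM dba_tablespaces
 WHERE encrypted = 'NO'
 ORDER BY CASE contents WHEN 'TEMPORARY' THEN 2 ELSE 1 END, tablespace_name;

-- 4. Algorithm and conversion state per encrypted tablespace. Flag anything
--    weaker than policy (3DES168, AES128 left over from offline conversions)
--    and any STATUS other than NORMAL (an interrupted conversion).
SELECT v.name AS tablespace_name, e.encryptionalg, e.encryptedts, e.status, e.key_version
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace v ON v.ts# = e.ts#
 ORDER BY v.name;

-- 5. Column-level encryption inventory, including which columns are salted
--    (and therefore cannot be indexed) and which carry no integrity check.
SELECT owner, table_name, column_name, encryption_alg, salt, integrity_alg
  FROM dba_encrypted_columns
 ORDER BY owner, table_name, column_name;

-- 6. Whether new tablespaces are encrypted by default (ALWAYS is the value to
--    want on-premises; the default CLOUD_ONLY only applies in Oracle Cloud).
SELECT name, value FROM v$parameter WHERE name = 'encrypt_new_tablespaces';
```

Queries 3 and 6 together answer the question an auditor actually asks: is everything encrypted today, and will it stay that way the next time someone creates a tablespace.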


References
1. Author's own work experience.
2. Oracle Database 23c Advanced Security Guide, Encrypting Columns in Tables:
   https://docs.oracle.com/en/database/oracle/oracle-database/23/asoag/encrypting-columns-tables2.html#GUID-E9DFE595-0119-4189-84AD-19FFE5683CC6
3. Oracle Database 19c Reference, TDE_CONFIGURATION:
   https://docs.oracle.com/en/database/oracle/oracle-database/19/refrn/TDE_CONFIGURATION.html#GUID-285A9BCE-22AE-4DE4-A76E-1319B7BB91BC
4. Oracle Database 21c Advanced Security Guide, Encryption Conversions for Tablespaces and Databases:
   https://docs.oracle.com/en/database/oracle/oracle-database/21/asoag/encryption-conversions-tablespaces-and-databases1.html#GUID-DE637157-E201-482D-B12D-F5C59FF9618D
5. Oracle Database 23c Upgrade Guide, What Is Oracle Database Compatibility:
   https://docs.oracle.com/en/database/oracle/oracle-database/23/upgrd/what-is-oracle-database-compatibility.html#GUID-26CB83FD-F2B3-4BD1-AF39-9C2DC90D698C
6. Oracle Database 19c SQL Language Reference, ALTER SYSTEM:
   https://docs.oracle.com/en/database/oracle/oracle-database/19/sqlrf/ALTER-SYSTEM.html#GUID-2C638517-D73A-41CA-9D8E-A62D1A0B7ADB
