[et_pb_section admin_label=”section”]
[et_pb_row admin_label=”row”]
[et_pb_column type=”4_4″][et_pb_text admin_label=”Text”]

Securing Your Oracle Database with Transparent Data Encryption (TDE) for CDB and PDB

Introduction

In the ever-evolving landscape of database security, Oracle 12c offers robust solutions to safeguard your data. Transparent Data Encryption (TDE) is a crucial feature that ensures your data remains confidential, whether at rest or in transit. In this guide, we will walk through the steps to implement TDE for both Container Database (CDB) and Pluggable Database (PDB), ensuring a comprehensive security approach.

NOTE: The following steps were performed on an Oracle 12c environment, but they can also be used in newer versions.

 

Step 1: Set Keystore Location

To kick off the TDE implementation, the first step is to set the keystore location. Edit the sqlnet.ora file and specify the encryption wallet location.

ENCRYPTION_WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/admin/ORCL1/encryption_keystore/)))

Next, create the keystore directory using the specified path.

$ mkdir -p /u01/app/oracle/admin/ORCL1/encryption_keystore/

 

Step 2: Create and Open the Keystore

Now, let’s create the keystore and open it for use.

SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/admin/ORCL1/encryption_keystore/' IDENTIFIED BY oracle123;

Check the keystore file in the specified location.

$ ls /u01/app/oracle/admin/ORCL1/encryption_keystore/
ewallet.p12

Open and close the keystore as needed.

SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY oracle123 container=all;
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY oracle123 container=all;

 

Step 3: Take Backup of Keystore

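Ensure the keystore is open before taking a backup. The second statement below sets the TDE master encryption key, and its WITH BACKUP clause makes Oracle back up the keystore before the key is written.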

SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY oracle123 container=all;
SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY oracle123 WITH BACKUP CONTAINER=ALL;

 

Step 4: View Key and Wallet Information

Query information about the master key using the V$ENCRYPTION_KEYS view and information about the keystore using the V$ENCRYPTION_WALLET view.

SQL> SELECT con_id, key_id FROM v$encryption_keys;
SQL> SELECT * FROM v$encryption_wallet;

 

Step 5: Implement TDE in Pluggable Database (PDB)

Connect to the PDB and create a table with an encrypted column.

SQL> conn username@pdb_name
SQL> CREATE TABLE tde_test (id NUMBER(10), data VARCHAR2(50) ENCRYPT);

 

Step 6: Create Encrypted Tablespaces

Create encrypted tablespaces within the PDB.

SQL> CREATE TABLESPACE tde_tbs DATAFILE '+DATA/ORCL1/TDE_TBS/DATAFILE/tde_tbs_01.dbf' SIZE 10m AUTOEXTEND ON NEXT 100m ENCRYPTION USING 'AES256' DEFAULT STORAGE(ENCRYPT);

 

Step 7: Query Encrypted Data

Insert data into the encrypted table and query it to ensure proper encryption.

SQL> INSERT INTO tde_test VALUES (1, 'Encrypt Data');
SQL> SELECT * FROM tde_test;
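
A SELECT from tde_test returns plaintext to any authorized session, because TDE decrypts transparently, so the query above cannot by itself show that encryption is in place. The following added example (not part of the original guide) checks the data dictionary instead; it assumes a DBA-privileged session in the PDB and the object names tde_test and tde_tbs from Steps 5 and 6.

```sql
-- Added verification example, not from the original guide.
-- Assumes a DBA-privileged session connected to the PDB used in Steps 5-7.

-- 1. Keystore health: report any container whose keystore is not open,
--    or whose keystore has changes that are not yet backed up.
SELECT con_id, wrl_type, wrl_parameter, status, wallet_type, fully_backed_up
FROM   v$encryption_wallet
WHERE  status <> 'OPEN'
   OR  fully_backed_up <> 'YES';

-- 2. Master keys: which containers have a key, when it was activated,
--    and whether that key is covered by a keystore backup.
SELECT con_id, key_id, creation_time, activation_time, backed_up
FROM   v$encryption_keys
ORDER  BY con_id, creation_time;

-- 3. Column-level TDE (Step 5): the DATA column of TDE_TEST should be
--    registered here together with its algorithm and salt setting.
SELECT owner, table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns
WHERE  table_name = 'TDE_TEST';

-- 4. Tablespace-level TDE (Step 6): join to V$TABLESPACE to get the name,
--    since V$ENCRYPTED_TABLESPACES only carries the tablespace number.
SELECT t.name, e.encryptionalg, e.encryptedts
FROM   v$tablespace t
JOIN   v$encrypted_tablespaces e
       ON e.ts# = t.ts# AND e.con_id = t.con_id
WHERE  t.name = 'TDE_TBS';

-- 5. Coverage gap: permanent tablespaces in this PDB that are NOT encrypted.
--    Segments stored here are protected only if their columns use ENCRYPT.
SELECT tablespace_name, contents, encrypted
FROM   dba_tablespaces
WHERE  encrypted = 'NO'
  AND  contents = 'PERMANENT'
ORDER  BY tablespace_name;
```
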

 

Conclusion

Implementing Transparent Data Encryption in Oracle for CDB and PDB adds an extra layer of security to your database. Following these steps ensures your data remains protected, even in the event of a database restart. Stay ahead in data security by leveraging Oracle’s powerful features.

Implementing TDE may seem complex, but the enhanced security it provides is worth the effort. By following this guide, you’ve taken a significant step towards safeguarding your Oracle database.[/et_pb_text][/et_pb_column]
[/et_pb_row]
[/et_pb_section]

6 Responses

  1. My cousin suggested this website to me. While I cannot confirm whether this post was written by him, no one else is as knowledgeable as you are regarding my difficulty. Your assistance is greatly appreciated.

  2. Hey, cool post. You can check if there's a problem with your website with Internet Explorer. Because of this issue, many readers will overlook your excellent writing because IE is still the most popular browser.
