SQL> SELECT tablespace_name, encrypted, status FROM dba_tablespaces Notice how the wallet must be opened before the data is accessible. The following text shows the impact of stopping and starting the database on an encrypted tablespace. When you are finished testing the encrypted tablespace, be sure to clean up the tablespace and associated datafile.ĭROP TABLESPACE encrypted_ts INCLUDING CONTENTS AND DATAFILES Database Startup The 'This is a secret!' string is not visible in the table or index data within the encrypted tablespace. When the file is opened using a HEX editor (like UltraEdit) only non-printable characters are present. INSERT INTO ets_test (id, data) VALUES (1, 'This is a secret!') įlush the buffer cache to make sure the data is written to the datafile. The following code creates a table and index in the encrypted tablespace and inserts a single row into the table.ĬREATE INDEX ets_test_idx ON ets_test(data) TABLESPACE encrypted_ts With the tablespace in place, we can create some objects to test the encryption.
Instead, data must be transferred manually using export/import, " ALTER TABLE. Regular tablespaces cannot be converted to encrypted tablespaces. SELECT tablespace_name, encrypted FROM dba_tablespaces The ENCRYPTED column of the DBA_TABLESPACES and USER_TABLESPACES views indicates if the tablespace is encrypted or not. The following statement creates an encrypted tablespace by explicitly naming the 'AES256' encryption algorithm in the USING clause.ĭATAFILE '/u01/app/oracle/oradata/DB11G/encrypted_ts01.dbf' SIZE 128KĪLTER USER test QUOTA UNLIMITED ON encrypted_ts Tablespace encryption does not allow the NO SALT option that is available in TDE. In addition, the default storage clause of ENCRYPT must be specified. If the USING clause is omitted, the encryption algorithm defaults to 'AES128'. Wallets must be reopened after an instance restart and can be closed to prevent access to encrypted data.ĪLTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "myPassword" ĪLTER SYSTEM SET ENCRYPTION WALLET CLOSE Tablespace CreationĮncrypted tablespaces are created by specifying the ENCRYPTION clause with an optional USING clause to specify the encryption algorithm. The following command creates and opens the wallet.ĪLTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "myPassword" This parameter can also be used to identify a Hardware Security Model (HSM) as the location for the wallet. (DIRECTORY=/u01/app/oracle/admin/DB11G/encryption_wallet/))) To accomplish this we add the following entry into the sqlnet.ora file on the server and make sure the specified directory has been created. If the $ORACLE_BASE is set, this is "$ORACLE_BASE/admin/DB_UNIQUE_NAME/wallet", otherwise it is "$ORACLE_HOME/admin/DB_UNIQUE_NAME/wallet", where DB_UNIQUE_NAME comes from the initialization parameter file.Īlthough encrypted tablespaces can share the default database wallet, Oracle recommend you use a separate wallet for transparent data encryption functionality by specifying the ENCRYPTION_WALLET_LOCATION parameter in the sqlnet.ora file. If present, the location specified by the WALLET_LOCATION parameter in the sqlnet.ora file.If present, the location specified by the ENCRYPTION_WALLET_LOCATION parameter in the sqlnet.ora file.The search order for finding the wallet is as follows: Before attempting to create an encrypted tablespace, a wallet must be created to hold the encryption key.
The environment setup for tablespace encryption is the same as that for transparent data encryption.