
Quick TDE Setup and FAQ (Doc ID 1251597.1)

Last updated on MAY 17, 2019

Applies to:

Oracle Security Service - Version 10.2.0.1 and later
Advanced Networking Option - Version 10.2.0.1 and later
Information in this document applies to any platform.

Goal

This note tries to answer some of the common TDE questions. It provides a "fast track" to setting up TDE; however, it is not meant as an exhaustive replacement for the official documentation.


Solution



In this Document
Goal
Solution
 Quick TDE setup
 Where to find information about objects encrypted with TDE?
 Should the wallet be created with other tools (owm, orapki or mkstore)?
 Should the TDE wallet be used for other purposes than TDE?
 How to make the wallet auto-login in 11g?
 How to backup the wallet?
 How often should the wallet be backed up?
 Can the auto-login wallet be made server specific?
 Should the cwallet.sso file (responsible for auto-login) be moved from one server to another?
 When is the wallet opened?
 How to change the wallet password?
 Use either OWM or orapki, using the statement:
 What are the wallet password restrictions?
 Is the auto-login feature available for HSM?
 Should the wallets be shared among databases?
 Can the wallets be recovered, if lost or if the password is lost?
 What can be done if the wallet password is lost but in auto-login mode?
 How to synchronize the wallet on the RAC nodes after creating it or changing the master key?
 How is the wallet opened on RAC?
 What to do if the wallet password is provided without quotes in the alter system set encryption key identified by "wallet password" statement?
 How to change the wallet password?
 Can an encrypted tablespace be decrypted (or vice versa)?
 Can the encryption key of the tablespace be rekeyed?
 How to decrypt data in an encrypted tablespace?
 Can the encryption key of a table be rekeyed?
 What is the performance overhead of TDE encryption?
 What is the storage overhead of TDE encryption?
 Does changing the TDE master encryption key also change the encryption keys for tables and tablespaces?
 Can TDE be used as a method of obfuscating data from users?
 How to verify if the master encryption key has been changed?
 How often should the TDE master key be changed? Is this limited in any way?
 Does TDE impact the backup procedure?
 How about the impact on the restore procedure?
 Can database recovery or flashback database be used to restore lost TDE wallets?
 What to expect in the redo logs when encrypted and non-encrypted tables are updated in the same transaction?
 Is it supported to create encrypted objects and then drop them, then manually remove the wallet?
 Is it supported to migrate from HSM to a wallet stored in file?
 How is the TDE master key accessed on HSM? (related to caching mechanisms)
 What are the HSM vendors certified with Oracle Database TDE?
 Is Oracle Key Manager certified as Management and can store Master Key from Transparent Data Encryption?
 Can the tablespace master encryption key be changed?
 How to store TDE wallet on a shared location in an Exadata system?
 Instance recovery and TDE:
 Is it possible to remove the PDB master key from the TDE wallet file?
 Are orapki commands to manage TDE keystores (change password, create auto-login wallet) still supported in 12c?
 How to make the wallet auto login in 12c?
 How to convert a local auto-login or (non-local) auto-login keystore to a password-based keystore?
 How to permanently "close" the auto-login wallet in 12c?
 Is it possible to change the encryption algorithm from AES128 to AES256 for already-encrypted tablespaces?
 Can TDE be implemented on Sparse Test Master on Exadata? How will be the snapclone/thin clone of it?
 How to copy wallet from Windows to Linux (different OS)?
 Is it possible to implement TDE on the physical standby database only, without implementing TDE on primary database?
References

