Quick TDE Setup and FAQ
(Doc ID 1251597.1)
Last updated on SEPTEMBER 13, 2024
Applies to:
Advanced Networking Option - Version 11.2.0.4 and laterInformation in this document applies to any platform.
Goal
This note tries to answer some of common TDE questions. It provides a "fast track" to setting up TDE, however, this is not meant as an exhaustive replacement of the official documentation.
Primary Note For Transparent Data Encryption ( TDE ) <Note 1228046.1>
Ask Questions, Get Help, And Share Your Experiences With This Article
Would you like to explore this topic further with other Oracle Customers, Oracle Employees, and Industry Experts?
Click here to join the discussion where you can ask questions, get help from others, and share your experiences with this specific article.
Discover discussions about other articles and helpful subjects by clicking here to access the main My Oracle Support Community page for Database Security Products.
Solution
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
| Goal |
| Ask Questions, Get Help, And Share Your Experiences With This Article |
| Solution |
| 12c TDE FAQ documentation |
| Is it possible to Remove / Disable/ Rollback TDE? |
| Is it possible to implement TDE on Standard Edition DB ? |
| Does TDE support for Virtual account installations on Windows? |
| To implement TDE what are the license requirements? |
| How to check if TDE is enabled or not ? |
| Quick TDE setup |
| How to configure TDE in pluggable database in 12c for standalone and RAC environment? |
| Are "alter system set encryption key....." commands to perform fresh TDE configuration in a fresh 12c database supported? |
| Should the wallet be created with other tools (owm, orapki or mkstore)? |
| Are orapki commands to manage TDE keystores (change password, create auto-login wallet) still supported in 12c? |
| How to list the contents of the keystore when the keystore resides on ASM? "mkstore" command fails if executed on the ASM keystore. |
| How to revert tde_configuration to None ? |
| Should the TDE wallet be used for other purposes than TDE? |
| How to make the wallet auto-login in 12c and above? |
| How to convert a Local Auto-login Keystore to Auto-login based Keystore? |
| How to backup the wallet? |
| How often should be the wallet backed up? |
| Can the auto-login wallet be made server specific? |
| Creating an auto login and local auto login keystore in 12c and above ? |
| Should the cwallet.sso file (responsible for auto-login) be moved from one server to another? |
| When is the wallet opened? |
| What are the wallet password restrictions? |
| How to change the wallet password? |
| Can the wallets be recovered, if lost? |
| If password for TDE wallet is lost /missing/ forgotten, how to fix this ? |
| What can be done if the wallet password is lost but in auto-login mode? |
| How to check the password used is the correct one for the TDE wallet ? |
| What to do if the 11g wallet password is provided without quotes in the alter system set encryption key identified by "wallet password" statement? |
| When using AKM should be provide the password in quotes ? |
| When the wallet password is rotated, does tablespace need to re-encrypted? |
| Should the wallets be shared among databases? |
| Can we recreate TDE wallet ? |
| How to synchronize the wallet on the RAC nodes after creating it or changing the master key? |
| How is the wallet opened on RAC? |
| How to permanently "close" the auto-login wallet in 12c? |
| Are orapki commands to manage TDE keystores still supported? |
| What to do if wallet is corrupted but we have backup of wallet? |
| Is it recommended to use a PKI master key instead of the standard TDE master key? |
| Steps to backup TDE wallet when in ASM ? |
| How to copy the wallet file from the primary to the standby server if the wallet is present on ASM? |
| How to copy wallet from Windows to Linux ( different OS) ? |
| If we need to change the wallet directory path to different directory, then: |
| How to change the TDE wallet mode from United to Isolated mode ? |
| Would like to know what is store in MASTERKEYID and ENCRYPTEDKEY columns? |
| Does the Ewallet.p12 file content get zeroed if the associated cwallet.sso is set to read only in 11.2.0.4 ? |
| How to fix ORA-46638 during the merge of two wallets ? |
| How to fix "ORA-46630: keystore cannot be created at the specified location"? |
| Can the encryption key of a table be rekeyed? |
| How to verify if the master encryption key has been changed? |
| How often should the TDE master key be changed? Is this limited in any way? |
| How to Rekey/Rotate the TDE Master Key? |
| Can the tablespace master encryption key be changed? |
| When multiple encryption keys are in a wallet, how do we find which keys are used by tablespaces'/tables for encryption? |
| Is there a v$/dba/x view or table that shows the date of the encryption key ? |
| Will exporting the encryption key from a keystore delete the encryption key(s) from it? |
| Is it supported to create encrypted objects and then drop them, then manually remove the wallet? |
| Where to find information about objects encrypted with TDE? |
| Why the select query on encrypted table returns clear text in unencrypted form? |
| Does changing the TDE master encryption key also change the encryption keys for tables and tablespaces? |
| Is it possible to remove the PDB master key from the TDE wallet file ? |
| Can the tablespace encryption key of the tablespace be rekeyed? |
| Step by Step process to implement tablespace encryption in 19c |
| How to decrypt data in an encrypted tablespace? |
| Can an encrypted tablespace be decrypted (or vice versa)? |
| Why Does the TDE Wallet's Tablespace (TS) Encryption Key Look Different Than The Tablespace Master Key In 12c Database Queries? |
| Is it recommended to convert the SYSTEM / SYSAUX / UNDO / TEMP to TDE on Oracle 19c ? |
| What is the default encryption algorithm of column encryption key, tablespace encryption key and master encryption key? |
| Is it possible to change the encryption algorithm from AES128 to AES256 for already-encrypted tablespaces? |
| Online or Offline TDE encryption ? |
| What needs to be done if offline encryption failed in the middle ? |
| Is there is an option to encrypt BLOB Column in Oracle Database ? |
| How to decrypt the encrypted tablespaces? |
| What are the Benefits and Drawbacks of Tablespace Decrypt? |
| How to compress the data and then encrypt ? |
| How to backup a TDE wallet ? |
| Are there any pre-requisites for patching TDE enabled database? |
| What pre-requisites for upgrading a TDE enabled database? |
| How to back up the TDE wallet when in ASM ? |
| Why does the v$encryption_keys show multiple entries for new pluggable created? |
| How to change encryption algorithm for column ? |
| Is encryption on column level available in DB version 19C with XML data type or not ? |
| Are there any restrictions to enable TDE on LOB cols in oracle 19C ? |
| TDE Performance Impact ? |
| What is the storage overhead of TDE encryption? |
| What are the steps for column encryption ? |
| How to migrate a non pluggable database that uses TDE to pluggable database? |
| Export / Import with TDE involved? |
| How to use the same keys on both source and target server? |
| Instance recovery and TDE: |
| If TDE is implemented in Primary database, what steps need to be done on standby database ? |
| Need information implementing TDE on Primary and Standby ? |
| Is it possible to implement TDE on the physical standby database only, without implementing TDE on primary database? |
| Steps to clone a pdb from remote database. The remote database is TDE enabled.? |
| How to implement the TDE tablespaces for 19C container database with Dataguard and GoldenGate ? |
| Does TDE impact the backup procedure? |
| How about the impact on the restore procedure? |
| Can database recovery or flashback database be used to restore lost TDE wallets? |
| What to expect in the redo logs when encrypted and non-encrypted tables are updated in the same transaction? |
| Questions regarding 3rd party HSM label ? |
| Is "Reverse migration from HSM" is supported in 19c ? |
| How is the TDE master key accessed on HSM? (related to caching mechanisms) |
| What are the HSM vendors certified with Oracle Database TDE? |
| Is the auto-login feature available for HSM? |
| Is it supported to migrate from HSM to a wallet stored in file? |
| Why use OKV ? |
| How to migrate TDE wallet from OKV to local keystore and vice versa? |
| Is there an import utility Oracle offers to allow 3rd party key generation tools to generate keys for TDE encryption and then import them ? |
| What is the impact for xdb_wallet on TDE wallet ? |
| TDE vs Redaction |
| Autologin in 23ai ? |
| How to enable encryption using AWS KMS ? |
| Is Guaranteed Restore Point (GRP) a valid rollback/backup method for TDE tablespace encryption operations? |
| Does oracle TDE supports Azure Key Vault |
| Can TDE be used as a method of obfuscating data from users? |
| Is Oracle Key Manager certified as Management and can store Master Key from Transparent Data Encryption? |
| Can TDE be implemented on SParse Test Master on Exadata? How will be the snapclone/thin clone of it? |
| How to store TDE wallet on a shared location in an Exadata system? |
| Notes expanding the above information: |
| References |