Quick TDE Setup and FAQ
(Doc ID 1251597.1)
Last updated on JULY 07, 2024
Applies to:
Advanced Networking Option - Version 10.2.0.1 and laterInformation in this document applies to any platform.
Goal
This note tries to answer some of common TDE questions. It provides a "fast track" to setting up TDE, however, this is not meant as an exhaustive replacement of the official documentation.
Primary Note For Transparent Data Encryption ( TDE ) <Note 1228046.1>
Ask Questions, Get Help, And Share Your Experiences With This Article
Would you like to explore this topic further with other Oracle Customers, Oracle Employees, and Industry Experts?
Click here to join the discussion where you can ask questions, get help from others, and share your experiences with this specific article.
Discover discussions about other articles and helpful subjects by clicking here to access the main My Oracle Support Community page for Database Security Products.
Solution
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
| Goal |
| Ask Questions, Get Help, And Share Your Experiences With This Article |
| Solution |
| 12c TDE FAQ documentation |
| Quick TDE setup |
| Where to find information about objects encrypted with TDE? |
| Why the select query on encrypted table returns clear text in unencrypted form? |
| Should the wallet be created with other tools (owm, orapki or mkstore)? |
| Should the TDE wallet be used for other purposes than TDE? |
| How to make the wallet auto-login in 11g? |
| How to backup the wallet? |
| How often should be the wallet backed up? |
| Can the auto-login wallet be made server specific? |
| Should the cwallet.sso file (responsible for auto-login) be moved from one server to another? |
| When is the wallet opened? |
| How to change the wallet password? |
| What are the wallet password restrictions? |
| Is the auto-login feature available for HSM? |
| Should the wallets be shared among databases? |
| Can the wallets be recovered, if lost or if the password is lost? |
| What can be done if the wallet password is lost but in auto-login mode? |
| How to synchronize the wallet on the RAC nodes after creating it or changing the master key? |
| How is the wallet opened on RAC? |
| What to do if the wallet password is provided without quotes in the alter system set encryption key identified by "wallet password" statement? |
| How to change the wallet password? |
| Can an encrypted tablespace be decrypted (or vice versa)? |
| Can the encryption key of the tablespace be rekeyed? |
| How to decrypt data in an encrypted tablespace? |
| Is it possible to Remove / Disable TDE? |
| Can the encryption key of a table be rekeyed? |
| Why Does the TDE Wallet's Tablespace (TS) Encryption Key Look Different Than The Tablespace Master Key In 12c Database Queries? |
| What is the performance overhead of TDE encryption? |
| What is the storage overhead of TDE encryption? |
| Does changing the TDE master encryption key also change the encryption keys for tables and tablespaces? |
| Can TDE be used as a method of obfuscating data from users? |
| How to verify if the master encryption key has been changed? |
| How often should the TDE master key be changed? Is this limited in any way? |
| Does TDE impact the backup procedure? |
| How about the impact on the restore procedure? |
| Can database recovery or flashback database be used to restore lost TDE wallets? |
| What to expect in the redo logs when encrypted and non-encrypted tables are updated in the same transaction? |
| Is it supported to create encrypted objects and then drop them, then manually remove the wallet? |
| Is it supported to migrate from HSM to a wallet stored in file? |
| How is the TDE master key accessed on HSM? (related to caching mechanisms) |
| What are the HSM vendors certified with Oracle Database TDE? |
| Is Oracle Key Manager certified as Management and can store Master Key from Transparent Data Encryption? |
| Can the tablespace master encryption key be changed? |
| How to store TDE wallet on a shared location in an Exadata system? |
| Instance recovery and TDE: |
| Is it possible to remove the PDB master key from the TDE wallet file ? |
| Are orapki commands to manage TDE keystores (change password, create auto-login wallet) still supported in 12c? |
| How to make the wallet auto login in 12c? |
| How to convert a Local Auto-login Keystore to Auto-login based Keystore? |
| How to permanently "close" the auto-login wallet in 12c? |
| Is it possible to change the encryption algorithm from AES128 to AES256 for already-encrypted tablespaces? |
| Can TDE be implemented on SParse Test Master on Exadata? How will be the snapclone/thin clone of it? |
| How to copy wallet from Windows to Linux ( different OS) ? |
| Is it possible to implement TDE on the physical standby database only, without implementing TDE on primary database? |
| Is Guaranteed Restore Point (GRP) a valid rollback/backup method for TDE tablespace encryption operations? |
| Does TDE support for Virtual account installations on Windows? |
| References |