My Oracle Support Banner

How to Avoid Performance Overhead Associated With Certificate Based TDE Encryption (Doc ID 416526.1)

Last updated on SEPTEMBER 14, 2021

Applies to:

Advanced Networking Option - Version to [Release 10.2 to 11.2]
Information in this document applies to any platform.


This document explains how to avoid the overhead associated with using TDE with a Certificate based Wallet. Currently TDE can be setup to either have a database generated Wallet and  primary encryption key or it can also be an existing key pair from a PKI Certificate designated for encryption in an existing Wallet.

This note is to especially target at the latter since the overhead with PKI can be significant.

As the Security Administrator's Guide explains - encryption using current PKI algorithms requires significantly more system resources than symmetric key encryption. Using a PKI key pair as a primary key may result in greater performance degradation when accessing encrypted columns in the database.

The reason is that when an operation which requires encryption/decryption of a column is performed the server first needs to get the column key - this is stored in encrypted form in a data dictionary table. This column key needs to be decrypted using the database primary key stored in the Wallet, if you're using PKI for the primary key this will require considerable resources since the associated algorithms are computationally intensive. We do not cache decrypted column keys in memory for security reasons, because of this we will have to decrypt the column key for each SQL statement which involves an encrypted column.


To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.