How to Avoid Performance Overhead Associated With Certificate Based TDE Encryption (Doc ID 416526.1)

Last updated on JANUARY 27, 2010

Applies to:

Advanced Networking Option - Version: 10.2.0.1 to 11.2.0.1 - Release: 10.2 to 11.2

Goal

This document explains how to avoid the overhead associated with using TDE with a certificate-based Wallet. Currently TDE can be set up in one of two ways: the database generates the Wallet and the master encryption key itself, or the master key is an existing key pair from a PKI certificate designated for encryption in an existing Wallet.

This note specifically targets the latter, since the overhead with PKI can be significant.

As the Security Administrator's Guide explains, encryption using current PKI algorithms requires significantly more system resources than symmetric key encryption. Using a PKI key pair as the master key may therefore result in greater performance degradation when accessing encrypted columns in the database.

The reason is that when an operation requiring encryption or decryption of a column is performed, the server first needs to obtain the column key, which is stored in encrypted form in a data dictionary table. This column key must be decrypted using the database master key stored in the Wallet. If you are using a PKI key pair as the master key, this step requires considerable resources, since the associated algorithms are computationally intensive. Decrypted column keys are not cached in memory, for security reasons, so the column key has to be decrypted again for each SQL statement that involves an encrypted column.
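The two master-key setups described above, as an added example that is not part of this note: the second form binds the master key to a certificate key pair and so takes the costly asymmetric path on every statement touching an encrypted column. The wallet password and certificate id are placeholders.

```sql
-- Added example (not from the Oracle note). Placeholders: "wallet_password"
-- and <cert_id>. Assumes the wallet location is already set in sqlnet.ora.

-- Open the TDE wallet before keys can be generated or used.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet_password";

-- Setup 1: database-generated master key. Column keys in the data
-- dictionary are then unwrapped with a symmetric operation per statement.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet_password";

-- Setup 2: PKI certificate key pair as master key. Column keys are then
-- unwrapped with the certificate's private key on every statement that
-- touches an encrypted column, which is the expensive path this note covers.
-- The certificate id comes from the wallet's certificate metadata view.
SELECT cert_id, dn, keyusage, status FROM v$wallet;
ALTER SYSTEM SET ENCRYPTION KEY "<cert_id>" IDENTIFIED BY "wallet_password";

-- Each SET ENCRYPTION KEY creates a new master key and re-encrypts the
-- column keys with it, so the form used last decides the per-statement cost.

-- Inventory of the columns that pay that cost on every access.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 ORDER BY owner, table_name, column_name;
```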

Solution
