Implementing Transparent Data Encryption (TDE) Using Standby-First Offline Encryption
(Doc ID 2979979.1)
Last updated on JULY 20, 2024
Applies to:
Oracle Database - Enterprise Edition - Version 19.1.0.0.0 and later
Information in this document applies to any platform.
Goal
Implement Transparent Data Encryption (TDE) using a standby-first methodology in Oracle Database 18c and later.
For Oracle Database releases 11g and 12c, refer to Converting to Transparent Data Encryption with Oracle Data Guard using Fast Offline Conversion.
Solution
In this Document
Goal
Solution
Pre-process Information Gathering
Use Case 1: If TDE has not been activated for the database
Step 1.1: Set the default encryption algorithm for the database
Step 1.2: Configure the Keystore on the Primary Database
Step 1.3: Configure Standby Access to Keystore
Execute the Core Steps for Offline Encryption
Use Case 2: If TDE has been activated for the database, but with 19c default AES128
Step 2.1: Set the default encryption algorithm for the database
Step 2.2: REKEY the SYSTEM, SYSAUX and UNDO tablespaces for each PDB
Step 2.3: Copy the keystores/wallets to the standby (if needed)
Execute the Core Steps for Offline Encryption
Core Steps for Offline Encryption Using the Standby Database
Step Core.1: Generate a Script to Offline Encrypt Datafiles
Step Core.2: Divide the Script (IF NEEDED)
Step Core.3: Prepare the Standby Database for OFFLINE Encryption
Step Core.4: Execute the Scripts
Step Core.5: Validation
List Encrypted Tablespaces with Algorithm Used
List Unencrypted Tablespaces
DBVerify
Step Core.6: Restart Recovery
Step Core.7: Create New Temporary Tablespaces
Step Core.8: Switchover
Step Core.9: Encrypt the New Standby
Step Core.10: Switchover (Optional)