In 10g Release 2, Oracle first introduce TDE, a transparent data encryption-decryption mechanism to secure data stored in datafiles. Here transparent means database users or application need not to do any changes to achieve TDE. Database itself will encrypt data while writing into datafiles and decrypt then while reading. database users and applications not even bother for data encryption-decryption, Oracle database will do these transparently for them. To prevent unauthorized decryption, transparent data encryption stores the encryption keys in a
security module (oracle wallet) external to the database. Data is transparently encrypt/decrypted by the database, user does not require any action on their part.
There are two types of TDE:
- TDE Column Encryption - data encryption-decryption for columns of a table. It encrypts/decrypts data at the SQL layer. This feature introduce in Oracle 10g R2.
- TDE tablespace Encryption - data encryption-decryption for all objects that stored into the encrypted tablespace. It encrypts/decrypts data during read/write operations This feature introduced in Oracle 11g R1.
Restrictions on Using TDE Column Encryption
- Index types other than B-tree
- Range scan search through an index
- External large objects (BFILE)
- Synchronous Change Data Capture
- Transportable Tablespaces
- Original import/export utilities does not support. You need to use Oracle Data Pump.
- TDE encrypted columns can't be use as foreign key constraints.
Restrictions on Using TDE Tablespace Encryption
that apply to TDE tablespace encryption:
- External Large Objects (BFILEs) can not be encrypted using TDE tablespace encryption. This is because these files reside outside the database.
- To perform import and export operations, you need to use Oracle Data Pump.
Things You Need To Consider Before Implementing TDE
- 4-8% performance impact in end-user response time and an increase of 1-5% in CPU usage. Though it ensure below 10% performance impact.
- Existing tablespace can not be converted to encrypted tablespace. You need to use table reorganize/redefinition or datapump Export-Import for Migration.
- Increase disk consumption. Encrypting a single column would require between 32 and 48 bytes of additional storage for each row, on average. Though TDE tablespace encryption has no storage overheads.
- Require Goldengate 188.8.131.52 for replication
- Increase RMAN(backup/restore) & DataPump(export/import) duration.
- Need Separate backup task for Wallet that contains encryption decryption master key.
- Need Oracle Advanced Security Licence (11,500 USD/Core).
- Using a PKI key pair (PKI certificate) as a master encryption key may result in greater performance degradation when accessing encrypted columns in the database.