Published by: Obay Salah, November 20, 2024

Oracle Advanced Security includes Transparent Data Encryption (TDE), which encrypts data at rest without any change to the application. TDE protects sensitive data against attacks that bypass the database and read the underlying data files directly. Examples of this type of attack are ransomware (most ransomware copies data from the disk and exfiltrates it for use in extortion attempts), lost or stolen backup files, and direct access to the stored data with operating system tools. TDE does not protect against a user or application that is already authorized to query the data through SQL; that is the job of the database's access controls.

You can encrypt specific columns in a table, or you can encrypt an entire tablespace. In almost all cases, encrypting the tablespace should be your first choice. Applications keep operating as before: TDE encrypts data automatically when it is written to disk and decrypts it automatically when the application reads it back. Key management is integrated into the database, which removes most of the work of storing and securing the encryption keys. TDE lets you encrypt sensitive data stored in tables, tablespaces, and database backups.

Once data is encrypted, it is decrypted transparently for authorized users and applications when they access it.

TDE helps protect data stored on media (also called data at rest) in case the storage media or data file is stolen.

Oracle Database uses authentication, authorization, and auditing to control access to data through the database, but these controls do nothing for the operating system data files where the data physically lives. To protect the data files themselves, the database provides TDE, which encrypts the sensitive data stored in them.

To prevent unauthorized decryption, TDE keeps the master encryption key in a keystore outside the database, which is one of the following:

• TDE Wallets (software keystores, stored as files on the database host)

• External Keystores (Oracle Key Vault or a hardware security module)

To configure TDE, you need the ADMINISTER KEY MANAGEMENT system privilege.

If you need to open the keystore while the database is mounted but not yet open, you need the SYSKM administrative privilege, which includes ADMINISTER KEY MANAGEMENT together with the other privileges that operation requires.

Users who only need to use TDE do not need SYSKM or ADMINISTER KEY MANAGEMENT. They need the ordinary privileges for creating and altering the objects they want to encrypt:

• CREATE TABLE

• ALTER TABLE

• CREATE TABLESPACE

• ALTER TABLESPACE (to encrypt an existing tablespace online or offline)

• ALTER DATABASE (to encrypt data files offline)

Both TDE column encryption and TDE tablespace encryption use a two-tier key architecture. The data itself is encrypted with a table key or a tablespace key; those keys are stored inside the database (in the data dictionary and in the data file headers) but only in encrypted form, under the TDE master encryption key, which exists only in the keystore. An attacker who copies the data files or backup media therefore gets ciphertext plus encrypted keys, and cannot read either without the master encryption key.

All objects created in an encrypted tablespace are encrypted. Tablespace encryption is the right choice when your tables hold sensitive data in many columns.

TDE tablespace encryption encrypts all data stored in the tablespace, including the redo generated for it. It does not encrypt data that lives outside the tablespace. BFILE data is the usual example: a BFILE column stores only a locator, and the file it points to sits in the operating system file system, so if you create a table with a BFILE column in an encrypted tablespace, the referenced file is not encrypted.

All data in an encrypted tablespace is stored on disk in encrypted form. It is decrypted transparently for an authorized user who holds the privileges needed to view or modify it, so neither the database user nor the application needs to know whether a given table is encrypted on disk or on backup media.

Data from an encrypted tablespace stays encrypted when it is written to the temporary tablespace during join or sort operations, and the copies of it written to the undo tablespace and the redo logs are protected in the same way.
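As an added example (not code from the original post), the statements below create an encrypted tablespace, put a table with a BFILE column in it, encrypt two columns of a table that stays in an unencrypted tablespace, and use the dictionary views to confirm what is actually encrypted. It assumes Oracle Database 12.2 or later with a keystore already created and open (the WALLET_ROOT and TDE_CONFIGURATION setup described later on this page), and a user holding CREATE TABLESPACE, ALTER TABLESPACE, CREATE TABLE and SELECT on the views used. The names secure_ts, employees_pii, payment_cards, app_data and the data file path are hypothetical.

```sql
-- Added example, not from the original post. Object names, the data file
-- path and the algorithm choices are assumptions; a TDE keystore must
-- already be open.

-- 1. Tablespace encryption: every segment created in SECURE_TS is encrypted
--    on disk, and so are the undo, redo and TEMP blocks it generates.
CREATE TABLESPACE secure_ts
  DATAFILE '/u02/oradata/ORCL/secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- Verify: ENCRYPTED = YES, plus the algorithm the tablespace key uses.
SELECT t.tablespace_name, t.encrypted, e.encryptionalg, e.status
  FROM dba_tablespaces t
  JOIN v$tablespace v            ON v.name = t.tablespace_name
  JOIN v$encrypted_tablespaces e ON e.ts#  = v.ts#
 WHERE t.tablespace_name = 'SECURE_TS';

-- 2. A table in the encrypted tablespace. EMP_ID, FULL_NAME and SSN are
--    encrypted at rest. CONTRACT is the caveat from the text: a BFILE
--    column holds only a locator; the file it points to lives on the OS
--    file system, outside the tablespace, and stays in clear text.
CREATE TABLE employees_pii (
  emp_id    NUMBER        PRIMARY KEY,
  full_name VARCHAR2(100),
  ssn       VARCHAR2(11),
  contract  BFILE
) TABLESPACE secure_ts;

-- 3. Column encryption for a table that must stay in an unencrypted
--    tablespace. Only the marked columns are encrypted. SALT (the default)
--    is stronger, but a salted column cannot be indexed, so PAN, which is
--    looked up by value, uses NO SALT. All encrypted columns of one table
--    share the same table key and algorithm.
CREATE TABLE payment_cards (
  card_id   NUMBER        PRIMARY KEY,
  holder    VARCHAR2(100),
  pan       VARCHAR2(19)  ENCRYPT USING 'AES256' NO SALT,
  exp_date  VARCHAR2(5)   ENCRYPT USING 'AES256'
) TABLESPACE users;

CREATE INDEX payment_cards_pan_ix ON payment_cards (pan);

-- Verify which columns are column-encrypted, with which algorithm and
-- whether they are salted.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 WHERE table_name = 'PAYMENT_CARDS';

-- 4. Encrypting an existing, populated tablespace in place while it stays
--    online (12.2+). APP_DATA is assumed to exist and be unencrypted. This
--    needs ALTER TABLESPACE and auxiliary disk space comparable to the data
--    files being rewritten.
ALTER TABLESPACE app_data ENCRYPTION ONLINE USING 'AES256' ENCRYPT;
```

The dictionary queries are the check worth keeping in a runbook: ENCRYPTED = YES in DBA_TABLESPACES and a row in V$ENCRYPTED_TABLESPACES prove the tablespace is encrypted, and DBA_ENCRYPTED_COLUMNS is the only place that tells you which individual columns are. Neither view will ever report the file behind a BFILE locator, which is exactly why that data needs its own protection.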

The master encryption key is stored in the keystore, outside the database, and can be accessed only by a user who has been granted the appropriate privileges.

The database provides a key management framework for TDE to store and manage keys and credentials.

Configuring TDE requires a few one-time settings before you create the keystore and start encrypting data.

Before you encrypt any data, you must set two initialization parameters that tell the database where the keystore is and what type it is: WALLET_ROOT, which is static and takes effect only after a restart, and TDE_CONFIGURATION, which is dynamic.

WALLET_ROOT: This parameter specifies the root directory under which the software keystore is stored.

TDE_CONFIGURATION: This parameter specifies the keystore type, as KEYSTORE_CONFIGURATION=FILE for a software keystore or KEYSTORE_CONFIGURATION=OKV for Oracle Key Vault. When you create the keystore, the database creates a subdirectory under WALLET_ROOT named after the keystore type. For example, with KEYSTORE_CONFIGURATION=FILE the database creates the TDE wallet in WALLET_ROOT/tde.

A software keystore is the file that holds the TDE master encryption key. Before you configure the TDE wallet, set WALLET_ROOT, restart the database so that this static parameter takes effect, and then set TDE_CONFIGURATION so that the database knows to retrieve the master encryption key from that wallet.

The database locates the TDE wallet by checking WALLET_ROOT first. If that parameter is not set, it falls back to the older, now deprecated, ENCRYPTION_WALLET_LOCATION setting in sqlnet.ora.
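The one-time setup described above, written out as an added example (not from the original post) for a single-instance Oracle Database 19c using a software keystore. It is run in SQL*Plus as SYSDBA, or as a user granted SYSKM, on a non-CDB or in the root of a CDB. The wallet path, the wallet password and the app_owner account are placeholders.

```sql
-- Added example, not from the original post. Path, password and the
-- app_owner account are placeholders; Oracle Database 19c syntax.

-- Step 1: WALLET_ROOT is static. It can only be written to the SPFILE and
--         the database must be restarted before it sees the value.
ALTER SYSTEM SET WALLET_ROOT = '/u01/app/oracle/admin/ORCL/wallet' SCOPE = SPFILE;
SHUTDOWN IMMEDIATE
STARTUP

-- Step 2: TDE_CONFIGURATION is dynamic. FILE selects a software keystore
--         (TDE wallet) under WALLET_ROOT/tde; OKV would select Oracle Key Vault.
ALTER SYSTEM SET TDE_CONFIGURATION = 'KEYSTORE_CONFIGURATION=FILE' SCOPE = BOTH;

-- Step 3: create the password-protected wallet. Because WALLET_ROOT is set,
--         no keystore location is given in the statement.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "W4llet-Passw0rd!";

-- Step 4: open it. A password-protected wallet has to be reopened after
--         every restart; if the database is only mounted at that point,
--         this is the statement that needs SYSKM.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "W4llet-Passw0rd!";

-- Step 5: generate and activate the TDE master encryption key. WITH BACKUP
--         is mandatory for a password-protected wallet and saves a copy of
--         the wallet before the key is added.
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "W4llet-Passw0rd!"
  WITH BACKUP USING 'before_first_key';

-- Check: STATUS should be OPEN, WALLET_TYPE PASSWORD, and WRL_PARAMETER
-- should resolve to WALLET_ROOT/tde/.
SELECT wrl_type, wrl_parameter, status, wallet_type, fully_backed_up
  FROM v$encryption_wallet;

-- Least privilege for people who merely use TDE: the application owner can
-- create and encrypt its own tablespaces and tables but cannot touch keys.
GRANT CREATE TABLESPACE, ALTER TABLESPACE, CREATE TABLE, ALTER TABLE TO app_owner;

-- Optional: a local auto-login wallet so the keystore opens itself at
-- startup. It is bound to this host, and anyone who can read the directory
-- can open the wallet, so restrict WALLET_ROOT to the oracle OS user.
ADMINISTER KEY MANAGEMENT CREATE LOCAL AUTO_LOGIN KEYSTORE FROM KEYSTORE
  IDENTIFIED BY "W4llet-Passw0rd!";
```

Two operational points follow from the key hierarchy. Back up the wallet every time the master key changes and store that backup apart from the database backups; a database backup that ships with its wallet is no better than an unencrypted one, and a database whose wallet is lost is unreadable. And keep the password-protected wallet as the source of truth: the auto-login wallet is a convenience for unattended restarts, not a replacement for it.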

You can create other TDE Wallets such as Wallet clones and files containing the keys depending on your needs, if you need to remove or

Tags: Advanced Security
