Configure Transparent Data Encryption (TDE) in Oracle CDB


Transparent Data Encryption (TDE) is a vital Oracle feature used to secure sensitive data at rest by encrypting database files. In this guide, we'll walk through configuring TDE in a CDB (Container Database) environment and demonstrate its effectiveness with a test tablespace and HR schema.


Prerequisites

  • Oracle Database (12c and above, preferably 19c or later)

  • File system access to create wallets

  • Appropriate privileges to administer TDE and manage tablespaces


Step 1: Create a New Tablespace in PDB

Connect to the PDB and create a new tablespace:

SQL> CREATE TABLESPACE userstab DATAFILE '/opt/oracle/oradata/XE/XEPDB1/userstab01.dbf' SIZE 1G;

Tablespace created.


Step 2: Install the Sample HR Schema

Install the sample HR schema into the newly created userstab tablespace:

SQL> @?/demo/schema/human_resources/hr_main.sql

This will create and populate HR schema objects (such as EMPLOYEES, DEPARTMENTS, etc.).


Step 3: Verify Data Is Not Yet Encrypted

Before configuring TDE, confirm that plain-text data is visible directly in the datafile:

$ strings /opt/oracle/oradata/XE/XEPDB1/userstab01.dbf | grep -i 'King'

You may see results like:

KING SKING

This confirms the data is not yet encrypted.


Step 4: Update sqlnet.ora with Wallet Location

Edit or create the sqlnet.ora file and add the wallet directory path:

ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /opt/oracle/wallet) ) )

Make sure the /opt/oracle/wallet directory exists and is writable by the Oracle software owner.


Step 5: Create the Keystore (Wallet)

Connect to the CDB root as SYSDBA and run:

SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/opt/oracle/wallet' IDENTIFIED BY oracle12;

This creates the wallet file in the specified location.


Step 6: Check the Wallet Directory

Verify that the keystore was created:

$ ls -ltr /opt/oracle/wallet

Expected output includes ewallet.p12.


Step 7: Open the Keystore

Now open the wallet:

SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY oracle12;

This must be repeated after every database startup unless an auto-login wallet is configured.


Step 8: Set the Master Encryption Key

Create the master key and back it up:

SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY oracle12 WITH BACKUP;

A backup file like ewallet_backup.p12 should appear in the wallet directory.


Step 9: Check Wallet Contents Again

$ ls -ltr /opt/oracle/wallet

You should now see both ewallet.p12 and the backup file.


Step 10: Verify Wallet Status

Check if the wallet is open and available at the CDB level:

SQL> SELECT con_id, WRL_TYPE, WALLET_TYPE, STATUS, KEYSTORE_MODE FROM V$ENCRYPTION_WALLET;

Sample output:

CON_ID WRL_TYPE WALLET_TYPE STATUS  KEYSTORE_MODE
------ -------- ----------- ------- --------------
     1 FILE     PASSWORD    OPEN    SINGLE

(Optional) Recheck the strings Output After TDE Tablespace Encryption

Once the tablespace has been encrypted with TDE (that step itself is not shown in this guide), the plain text should no longer appear in the datafile when you repeat the strings command from Step 3.
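As an added example (not part of the original post), the following Python script automates the checks behind Steps 4, 6 and 9: it extracts the wallet DIRECTORY from sqlnet.ora text, then verifies that the directory exists and is writable, that ewallet.p12 is present, and that the wallet file is not readable by group or others. The sqlnet.ora content and the temporary wallet directory used by selfcheck() are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Constructed sample sqlnet.ora text (not from the post), split across lines.
SAMPLE_SQLNET_ORA = """
ENCRYPTION_WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
            (METHOD_DATA = (DIRECTORY = /opt/oracle/wallet)))
"""

# Matches the FILE keystore form in its documented order (METHOD, then
# METHOD_DATA), tolerating whitespace and line breaks; captures DIRECTORY.
WALLET_LOCATION_RE = re.compile(
    r"ENCRYPTION_WALLET_LOCATION\s*=\s*\(\s*SOURCE\s*=\s*\(\s*METHOD\s*=\s*FILE\s*\)"
    r"\s*\(\s*METHOD_DATA\s*=\s*\(\s*DIRECTORY\s*=\s*([^\s()]+)\s*\)",
    re.IGNORECASE,
)

def wallet_directory(sqlnet_text):
    """Return the wallet DIRECTORY configured in sqlnet.ora, or None if absent."""
    text = re.sub(r"#.*", "", sqlnet_text)          # drop comments first
    match = WALLET_LOCATION_RE.search(text)
    return match.group(1) if match else None

def check_wallet_dir(path):
    """Findings for Steps 4, 6 and 9: the directory exists and is writable,
    ewallet.p12 is present, and the wallet is not readable by group or others."""
    if not os.path.isdir(path):
        return ["wallet directory missing"]
    findings = [] if os.access(path, os.W_OK) else ["wallet directory not writable"]
    wallet = os.path.join(path, "ewallet.p12")
    if not os.path.exists(wallet):
        findings.append("ewallet.p12 not found (keystore not created yet)")
    elif os.stat(wallet).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("ewallet.p12 is readable by group or others")
    return findings

def selfcheck():
    """Run check_wallet_dir on a constructed directory: before the keystore exists,
    with a 0600 wallet file, and with a lax 0644 wallet file."""
    with tempfile.TemporaryDirectory() as d:
        before = check_wallet_dir(d)
        wallet = os.path.join(d, "ewallet.p12")
        open(wallet, "wb").close()             # empty stand-in for the real keystore
        os.chmod(wallet, 0o600)
        strict = check_wallet_dir(d)
        os.chmod(wallet, 0o644)
        lax = check_wallet_dir(d)
    return before, strict, lax
```

Point check_wallet_dir() at the directory returned by wallet_directory() on your real sqlnet.ora to run the same checks against a live installation.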


Final Notes

  • Use TDE tablespace encryption to protect sensitive user data at rest.

  • Ensure wallet auto-login is configured if you want to avoid manual keystore opening after restarts.

  • Always back up your keystore and its password securely.
