Tuesday, 5 August 2025

Configure Transparent Database Encryption (TDE) in a Pluggable Database (PDB)

Configure Transparent Database Encryption (TDE) in a Pluggable Database (PDB)

Transparent Data Encryption (TDE) is a powerful Oracle feature that helps protect sensitive data at rest by encrypting the physical files of the database. This post walks through the steps to configure TDE within a Pluggable Database (PDB), create encrypted tablespaces, and verify encryption.

Prerequisites

  • Oracle 19c or later with Multitenant architecture (CDB/PDB)

  • Wallet/Keystore must be properly configured at the CDB level

  • Sufficient file system access for wallet and datafiles

 Step-by-Step Guide

🔹 1. Switch to the Target PDB

sql
ALTER SESSION SET CONTAINER = xepdb1;

🔹 2. Open the Keystore in the PDB & Create Master Encryption Key

sql
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY oracle12;

ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY oracle12 WITH BACKUP;

The WITH BACKUP clause creates a backup of the master key for recovery scenarios.

🔹 3. Verify Wallet Status

Run this query to confirm that the wallet is open and operational for the PDB:

sql
SELECT con_id, WRL_TYPE, WALLET_TYPE, STATUS, KEYSTORE_MODE 
FROM V$ENCRYPTION_WALLET;

Look for:

  • STATUS = OPEN

  • KEYSTORE_MODE = SINGLE or UNITED

🔹 4. Create Encrypted Tablespace

Here, we create a new encrypted tablespace userstab_enc using AES256 encryption.

sql
CREATE TABLESPACE userstab_enc 
DATAFILE '/opt/oracle/oradata/XE/XEPDB1/userstab_enc_01.dbf' SIZE 1G 
ENCRYPTION USING 'AES256' 
DEFAULT STORAGE (ENCRYPT);

This ensures all segments in this tablespace are transparently encrypted.

🔹 5. Install HR Schema into the Encrypted Tablespace (Optional)

sql
@?/demo/schema/human_resources/hr_main.sql

You can modify the script to assign objects to the encrypted tablespace.

🔹 6. Test Encryption Using strings Command

Flush the buffer cache to ensure data is written to disk:

sql
ALTER SYSTEM FLUSH BUFFER_CACHE;

Now use the Linux strings utility to check if data is stored encrypted:

bash
strings /u01/app/oracle/oradata/TESTDB/pdb_stats/userstab_enc_01.dbf

Encrypted files will not show clear text data with strings.

 7. Create Another Encrypted Tablespace

sql
CREATE TABLESPACE testpdb2 
DATAFILE SIZE 1G 
ENCRYPTION USING 'AES256' 
DEFAULT STORAGE (ENCRYPT);

🔹 8. List Databases via DBCLI (for DB Systems in OCI or Exadata)

bash
dbcli list-databases

🔹 9. Update the TDE Master Key Using DBCLI

If managing Oracle Database Appliance (ODA) or OCI DBCS, you can update the key via:

bash
dbcli update-tdekey -i dbbc28ad-c235-476b-9da5-37498911b118 -n PDB2 -p Oracle1234##

  • -i: Database ID

  • -n: PDB Name

  • -p: Keystore password

 Conclusion

By following these steps, you've:

  • Opened and configured the wallet in your PDB

  • Created and backed up the master key

  • Created encrypted tablespaces using AES256

  • Verified encryption through OS-level checks

TDE ensures that your sensitive application data remains secure even if physical files are stolen or compromised.

By -
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)
  • Configure Oracle Database Vault Realms
    Configure Oracle Database Vault Realms to Secure the HR Schema Oracle Database Vault (DV) is a powerful security feature that enables fine-...
  • Oracle Database 19c Installation
      Oracle Database 19c Installation On Oracle Linux 7 (OL7) Download Software delivery: Oracle Database 19c (19.3) Software (64-bit) Hosts Fi...