Oracle Transparent Data Encryption
Amazon RDS supports Oracle Transparent Data Encryption (TDE), a feature of the Oracle Advanced Security option available in Oracle Enterprise Edition. This feature automatically encrypts data before it is written to storage and automatically decrypts data when the data is read from storage.
TDE is useful in scenarios where you need to encrypt sensitive data in case data files and backups are obtained by a third party. TDE is also useful when you need to comply with security-related regulations.
The TDE option is persistent and permanent. If you associate your RDS for Oracle DB instance with an option group that has the TDE option enabled, you can't disable it. You can change the option group, but the new option group must include the TDE option. For more information about persistent and permanent options, see Persistent and permanent options.
Note
You can't share a DB snapshot that uses the TDE option. For more information about sharing DB snapshots, see Sharing a DB snapshot.
A detailed explanation about TDE in Oracle Database is beyond the scope of this guide. For information, see the following Oracle Database resources:
- Securing stored data using Transparent Data Encryption, in the Oracle Database documentation
- Oracle advanced security, in the Oracle Database documentation
- Oracle advanced security Transparent Data Encryption best practices, which is an Oracle whitepaper
For more information about using TDE with RDS for Oracle, see the following blogs:
TDE encryption modes
Oracle Transparent Data Encryption supports two encryption modes: TDE tablespace encryption and TDE column encryption. TDE tablespace encryption is used to encrypt entire application tables. TDE column encryption is used to encrypt individual data elements that contain sensitive data. You can also apply a hybrid encryption solution that uses both TDE tablespace and column encryption.
Note
Amazon RDS manages the Oracle Wallet and TDE master key for the DB instance. You do not need to set the encryption key using the command ALTER SYSTEM set encryption key.
After you enable the TDE option, you can check the status of the Oracle Wallet by using the following command:
SELECT * FROM v$encryption_wallet;
To create an encrypted tablespace, use the following command:
CREATE TABLESPACE encrypt_ts ENCRYPTION DEFAULT STORAGE (ENCRYPT);
To specify the encryption algorithm, use the following command:
CREATE TABLESPACE encrypt_ts ENCRYPTION USING 'AES256' DEFAULT STORAGE (ENCRYPT);
The previous statements for encrypting a tablespace are the same as you would use on an on-premises Oracle database.
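The following script is an added example, not part of the RDS documentation, that puts the two encryption modes from the previous section side by side and then verifies, through the data dictionary, what was actually encrypted. It assumes the TDE option is already enabled on the instance (so the RDS-managed wallet is open), that a schema named APP exists, and that the default USERS tablespace is available; the table, column and tablespace names are invented for the example.

```sql
-- Added example: TDE tablespace encryption, TDE column encryption and the
-- dictionary views that confirm both. Assumes the TDE option is enabled on the
-- RDS for Oracle instance and that schema APP and tablespace USERS exist.

-- 1. Confirm that RDS has the managed wallet open before creating anything.
--    STATUS should be OPEN; otherwise the encrypted objects below cannot be created.
SELECT wrl_type, status, wallet_type
  FROM v$encryption_wallet;

-- 2. TDE tablespace encryption: every segment stored in this tablespace is
--    encrypted at rest, and the application's tables need no changes.
CREATE TABLESPACE encrypt_ts
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

CREATE TABLE app.customer (
  customer_id NUMBER PRIMARY KEY,
  full_name   VARCHAR2(200),
  email       VARCHAR2(320)
) TABLESPACE encrypt_ts;

-- 3. TDE column encryption: the table lives in an ordinary tablespace and only
--    the sensitive column is encrypted. The default SALT hides repeated values;
--    NO SALT would be needed only if the column had to be indexed.
CREATE TABLE app.customer_payment (
  customer_id NUMBER REFERENCES app.customer,
  card_number VARCHAR2(19) ENCRYPT USING 'AES256',
  expires_on  DATE
) TABLESPACE users;

-- 4. Verification. DBA_TABLESPACES.ENCRYPTED should read YES for ENCRYPT_TS
--    and DBA_ENCRYPTED_COLUMNS should list CARD_NUMBER with AES 256 and SALT = YES.
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'ENCRYPT_TS';

SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 WHERE owner = 'APP';

-- 5. Runtime view of encrypted tablespaces, including the algorithm in use.
SELECT ts#, encryptionalg, encryptedts
  FROM v$encrypted_tablespaces;
```

The hybrid approach mentioned above is simply both halves together: bulk data goes into an encrypted tablespace, while a table that must stay in an unencrypted tablespace protects its individual sensitive columns. The verification queries are the ones worth keeping in a compliance check, because an empty result from DBA_ENCRYPTED_COLUMNS or an ENCRYPTED = NO row is the fastest way to notice that data assumed to be protected is not.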
Determining whether your DB instance is using TDE
You might want to determine whether your DB instance is associated with an option group that has the TDE option enabled. To view the option group that a DB instance is associated with, use the RDS console, the describe-db-instances Amazon CLI command, or the API operation DescribeDBInstances.
Adding the TDE option
The process for using Oracle Transparent Data Encryption (TDE) with Amazon RDS is as follows:
- If the DB instance is not associated with an option group that has the TDE option enabled, you must either create an option group and add the TDE option or modify the associated option group to add the TDE option. For information about creating or modifying an option group, see Working with option groups. For information about adding an option to an option group, see Adding an option to an option group.
- Associate the DB instance with the option group with the TDE option. For information about associating a DB instance with an option group, see Modifying an Amazon RDS DB instance.
Copying your data to a DB instance that doesn't include the TDE option
You can't remove the TDE option from DB instance or associate it with an option group that doesn't include the TDE option. To migrate your data to an instance that doesn't include the TDE option, do the following:
- Decrypt the data on your DB instance.
- Copy the data to a new DB instance that is not associated with an option group that has TDE enabled.
- Delete your original DB instance.
You can name the new instance the same name as the previous DB instance.
Using TDE with Oracle Data Pump
You can use Oracle Data Pump to import or export encrypted dump files. Amazon RDS supports the password encryption mode (ENCRYPTION_MODE=PASSWORD) for Oracle Data Pump. Amazon RDS does not support transparent encryption mode (ENCRYPTION_MODE=TRANSPARENT) for Oracle Data Pump. For more information, see Importing using Oracle Data Pump.