Oracle Advanced Security Transparent Data Encryption (TDE) stops would-be attackers from bypassing the database and reading sensitive information from storage by enforcing data-at-rest encryption in the database layer. Applications and users authenticated to the database continue to have access to application data transparently (no application code or configuration changes are required), while attacks from OS users attempting to read sensitive data from tablespace files and attacks from thieves attempting to read information from acquired disks or backups are denied access to the clear text data. <\/p>\n
Out of the box, TDE provides industry standard strong encryption for the database, full key lifecycle management, and integrated support for Oracle Database tools and technologies. TDE enables encryption of database columns or entire application tablespaces. Its high-speed cryptographic operations make performance overhead negligible in most applications. The two-tier encryption key architecture provides easy administration of keys, enforces clear separation of keys from encrypted data, and provides assisted key rotation without having to re-encrypt data. The keystore can be managed using a convenient web console in Oracle Enterprise Manager or using a command-line. In addition, TDE integrates directly with frequently used Oracle Database tools and technologies including Oracle Advanced Compression, Automatic Storage Management (ASM), Recovery Manager (RMAN), Data Pump, GoldenGate, and more. In Oracle engineered systems, TDE gets a performance boost from hardware cryptographic acceleration provided by Intel AES-NI and Oracle SPARC T-series processors. TDE further benefits from Exadata Smart Scans, rapidly decrypting data in parallel on multiple storage cells, and from Exadata Hybrid Columnar Compression (EHCC), reducing the total number of encryption and decryption operations performed. <\/p>\n
Transparent Data Encryption fully supports Oracle Multitenant. When moving a pluggable database (PDB) that contains encrypted data, the TDE master keys for that PDB are transferred separately from the encrypted data to maintain proper security separation during transit. TDE encryption resumes its normal operation after the PDB has been plugged in and configured. <\/p>\n
<\/p>\n