Transparent Data Encryption (TDE) provides mechanism to encrypt the data stored in the OS data files. TDE enables the encryption of data at the storage level to prevent data tempering from outside of the database.

New commands has been introduced in oracle 12c for enabling Transperant data encryption.ADMINISTER KEY MANAGEMENT will replace the previous commands like ALTER SYSTEM SET ENCRYPTION WALLET and Wallet is known as keystore in 12c.



Lets see how to configure TDE.
1. Create a wallet/keystore location.

2. update the wallet/keystore location in sqlnet.ora. It should look like.


Create keystore:



Now open the keystore:

Now activate the key:



 create a encrypted a tablespace 



Create a table with encrypted column:




                  Here the wallet_type is PASSWORD , i.e every time we restart the database, we need to open the key/wallet explicitly. To avoid this, we can enable auto login ,so that next time when db gets restart, it will open the wallet automatically.



we can see the wallet opened automatically and the wallet_type has been changed from PASSWORD TO AUTOLOGIN.


For multi-tenant database:

In a multi-tenant database (CDB), the Keystore has to be be created in the ROOT container (CDB$ROOT).
This single Keystore will be shared by all the associated PDBs as well as the CDB$ROOT container.

So for this we need to use CONTAINER=ALL clause to open and activate the keystore  in all pdbs.


NOTE: To create a keystore user should have either ADMINISTER KEY MANAGEMENT or SYSKM privilege.

Related dictionary tables for TDE: