Oracle Transparent Data Encryption - Amazon Relational Database Service

Oracle Transparent Data Encryption

Amazon RDS supports Oracle Transparent Data Encryption (TDE), a feature of the Oracle Advanced Security option available in Oracle Enterprise Edition. This feature automatically encrypts data before it is written to storage and automatically decrypts data when the data is read from storage.

TDE is useful in scenarios where you need to encrypt sensitive data so that it remains protected if the data files or backups are obtained by a third party. TDE is also useful when you need to comply with security-related regulations.

The TDE option is persistent and permanent. If you associate your RDS for Oracle DB instance with an option group that has the TDE option enabled, you can't disable it. You can change the option group, but the new option group must include the TDE option. For more information about persistent and permanent options, see Persistent and permanent options.

Note

You can't share a DB snapshot that uses the TDE option. For more information about sharing DB snapshots, see Sharing a DB snapshot.

A detailed explanation about TDE in Oracle Database is beyond the scope of this guide. For information, see the following Oracle Database resources:

For more information about using TDE with RDS for Oracle, see the following blogs:

TDE encryption modes

Oracle Transparent Data Encryption supports two encryption modes: TDE tablespace encryption and TDE column encryption. TDE tablespace encryption is used to encrypt entire application tables. TDE column encryption is used to encrypt individual data elements that contain sensitive data. You can also apply a hybrid encryption solution that uses both TDE tablespace and column encryption.

Note

Amazon RDS manages the Oracle Wallet and TDE master key for the DB instance. You do not need to set the encryption key using the command ALTER SYSTEM SET ENCRYPTION KEY.

After you enable the TDE option, you can check the status of the Oracle Wallet by using the following command:

SELECT * FROM v$encryption_wallet;

To create an encrypted tablespace, use the following command:

CREATE TABLESPACE encrypt_ts ENCRYPTION DEFAULT STORAGE (ENCRYPT);

To specify the encryption algorithm, use the following command:

CREATE TABLESPACE encrypt_ts ENCRYPTION USING 'AES256' DEFAULT STORAGE (ENCRYPT);

The previous statements for encrypting a tablespace are the same as you would use on an on-premises Oracle database.
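The following is an added example, not part of the RDS guide, that puts the two encryption modes described above next to each other: the wallet check, a tablespace encrypted with AES256 (the same statement as above) holding a whole table, a column-level ENCRYPT clause on a single sensitive column, and the dictionary queries an administrator would run afterwards to confirm what is actually encrypted. The table and index names are assumed for illustration; v$encryption_wallet, DBA_TABLESPACES and DBA_ENCRYPTED_COLUMNS are standard Oracle data dictionary views, and the statements are run as the schema owner.

```sql
-- 1. Confirm the RDS-managed wallet is open before creating anything encrypted.
--    STATUS should read OPEN; the wallet and master key are managed by Amazon RDS.
SELECT wrl_type, status, wallet_type FROM v$encryption_wallet;

-- 2. TDE tablespace encryption: every segment stored in this tablespace is
--    encrypted at rest, with no per-column DDL required.
CREATE TABLESPACE encrypt_ts ENCRYPTION USING 'AES256' DEFAULT STORAGE (ENCRYPT);

CREATE TABLE orders (                      -- assumed example table
  order_id    NUMBER        PRIMARY KEY,
  customer_id NUMBER        NOT NULL,
  amount      NUMBER(12,2)
) TABLESPACE encrypt_ts;

-- 3. TDE column encryption: only the sensitive column is encrypted; the table
--    itself can live in an ordinary tablespace. NO SALT is required when the
--    column is going to be indexed.
CREATE TABLE customers (                   -- assumed example table
  customer_id NUMBER        PRIMARY KEY,
  full_name   VARCHAR2(100),
  tax_id      VARCHAR2(20)  ENCRYPT USING 'AES256' NO SALT
);
CREATE INDEX customers_tax_id_ix ON customers (tax_id);

-- 4. Verify. The tablespace should report ENCRYPTED = YES ...
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'ENCRYPT_TS';

-- ... and the column should appear with ENCRYPTION_ALG 'AES 256 bits key'
--     and SALT = NO.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 WHERE owner = USER;
```

Using both modes on one instance is the hybrid approach the text mentions: tables whose every row is sensitive go into encrypt_ts, while tables that are mostly non-sensitive keep only their sensitive columns encrypted, which avoids the encryption overhead on the rest of their data.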

Determining whether your DB instance is using TDE

You might want to determine whether your DB instance is associated with an option group that has the TDE option enabled. To view the option group that a DB instance is associated with, use the RDS console, the describe-db-instances AWS CLI command, or the API operation DescribeDBInstances.

Adding the TDE option

The process for using Oracle Transparent Data Encryption (TDE) with Amazon RDS is as follows:

  1. If the DB instance is not associated with an option group that has the TDE option enabled, you must either create an option group and add the TDE option or modify the associated option group to add the TDE option. For information about creating or modifying an option group, see Working with option groups. For information about adding an option to an option group, see Adding an option to an option group.

  2. Associate the DB instance with the option group with the TDE option. For information about associating a DB instance with an option group, see Modifying an Amazon RDS DB instance.

Copying your data to a DB instance that doesn't include the TDE option

You can't remove the TDE option from a DB instance or associate the instance with an option group that doesn't include the TDE option. To migrate your data to an instance that doesn't include the TDE option, do the following:

  1. Decrypt the data on your DB instance.

  2. Copy the data to a new DB instance that is not associated with an option group that has TDE enabled.

  3. Delete your original DB instance.

You can give the new DB instance the same name as the original DB instance.
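Step 1 above ("Decrypt the data on your DB instance") is where migrations to a non-TDE instance usually stall, because encrypted tablespaces and encrypted columns have to be handled differently. The following added example, which is not from the RDS guide, shows one way to do it for both modes: find what still depends on TDE, decrypt the encrypted columns in place, relocate tables out of the encrypted tablespace into an unencrypted one, and rebuild the indexes that a table move leaves UNUSABLE. The tablespace name encrypt_ts and the target tablespace users are assumed; the table names are the ones from the examples earlier on this page.

```sql
-- 1. Inventory: both queries must return no rows before the data is copied
--    to the non-TDE instance.
SELECT owner, table_name, column_name
  FROM dba_encrypted_columns
 WHERE owner = USER;

SELECT t.owner, t.table_name, t.tablespace_name
  FROM dba_tables t
  JOIN dba_tablespaces ts ON ts.tablespace_name = t.tablespace_name
 WHERE ts.encrypted = 'YES'
   AND t.owner = USER;

-- 2. Column encryption: DECRYPT rewrites the column values in the clear.
ALTER TABLE customers MODIFY (tax_id DECRYPT);

-- 3. Tablespace encryption: move each table into an unencrypted tablespace
--    (assumed here to be USERS). The move rewrites the rows unencrypted.
ALTER TABLE orders MOVE TABLESPACE users;

-- 4. A table move marks its indexes UNUSABLE; rebuild them in the unencrypted
--    tablespace. Done in a loop because constraint indexes have
--    system-generated names.
BEGIN
  FOR ix IN (SELECT index_name
               FROM user_indexes
              WHERE status = 'UNUSABLE') LOOP
    EXECUTE IMMEDIATE 'ALTER INDEX "' || ix.index_name ||
                      '" REBUILD TABLESPACE users';
  END LOOP;
END;
/

-- 5. Once the inventory queries in step 1 come back empty, the now-empty
--    encrypted tablespace can be dropped.
DROP TABLESPACE encrypt_ts INCLUDING CONTENTS AND DATAFILES;
```

Rerun the two inventory queries after step 4 rather than trusting the DDL: a table you forgot, or a partitioned table whose partitions live in encrypt_ts, would otherwise still be encrypted and fail to copy cleanly. Decrypting in place also means the data is stored unencrypted on the source instance from that point on, so plan step 1 close to the copy and deletion in steps 2 and 3.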

Using TDE with Oracle Data Pump

You can use Oracle Data Pump to import or export encrypted dump files. Amazon RDS supports the password encryption mode (ENCRYPTION_MODE=PASSWORD) for Oracle Data Pump. Amazon RDS does not support transparent encryption mode (ENCRYPTION_MODE=TRANSPARENT) for Oracle Data Pump. For more information, see Importing using Oracle Data Pump.