What is TDE?
Oracle Transparent Data Encryption (TDE) encrypts sensitive application data on storage.
As the name suggests, the encryption is completely transparent to the application, which continues to see the data in clear text.
TDE column encryption was introduced in Oracle Database 10g Release 2.
TDE tablespace encryption and the support for hardware security modules (HSM) were introduced in Oracle Database 11gR1.
TDE protects data at rest.
It encrypts the data in the datafiles so that, if the storage media are stolen or accessed in an unauthorized way, the clear-text data cannot be read.
TDE uses a two-tier encryption key architecture consisting of:
1. Master encryption key: this key is used to encrypt the secondary keys used for column encryption and tablespace encryption.
2. Table (column) and/or tablespace keys: these keys are used to encrypt one or more specific columns in a table, or to encrypt whole tablespaces.
The table and tablespace keys are encrypted using the master key, which is stored in an external security module (ESM).
The ESM can be:
- an Oracle Wallet: a secure container outside of the database, protected with a password
- a Hardware Security Module (HSM): a device used to secure keys and perform cryptographic operations.
Note: Starting from 12.1, the TDE master keys can be migrated from the Oracle wallet to an HSM and vice versa.
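As an added example (not code from the original article), the two-tier architecture described above expressed as the Oracle 12.1 SQL a DBA would run to set up a file-based wallet, a master key, an encrypted tablespace and an encrypted column; the wallet directory, datafile path, schema name and passwords are assumed placeholders.

```sql
-- Added example, not from the original article. Assumptions: Oracle 12.1
-- syntax, a file-based wallet at /etc/oracle/wallet, a datafile path under
-- /u01/oradata/orcl, and the placeholder passwords below.

-- 0. sqlnet.ora must point the database at the ESM before the wallet is created:
--    ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)
--      (METHOD_DATA=(DIRECTORY=/etc/oracle/wallet)))
--    (METHOD=HSM would select a hardware security module instead.)

-- 1. Create the wallet (software keystore) and open it. The wallet password
--    protects the master key and is never stored inside the database; keep
--    the wallet directory on storage separate from the datafiles.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/oracle/wallet'
  IDENTIFIED BY "WalletPassword_placeholder";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "WalletPassword_placeholder";

-- 2. Generate the master encryption key (tier 1). WITH BACKUP keeps a copy of
--    the previous wallet so a failed operation cannot lose the only key that
--    can unwrap the table and tablespace keys.
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "WalletPassword_placeholder" WITH BACKUP;

-- 3. Tablespace encryption (tier 2): every block written to this tablespace
--    is encrypted with a tablespace key that the master key wraps.
CREATE TABLESPACE enc_ts
  DATAFILE '/u01/oradata/orcl/enc_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 4. Column encryption (tier 2): only the sensitive column is encrypted,
--    with a per-table key. NO SALT is required if the column is to be indexed.
CREATE TABLE app.customers (
  id       NUMBER PRIMARY KEY,
  name     VARCHAR2(100),
  card_no  VARCHAR2(20) ENCRYPT USING 'AES256' NO SALT
);

-- 5. Rotating the master key only re-wraps the tier-2 keys; the data in the
--    datafiles is not re-encrypted, which is the point of the two-tier design.
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "WalletPassword_placeholder" WITH BACKUP;

-- 6. Checks a reviewer would run: wallet state, which tablespaces are
--    encrypted, and which columns are encrypted with which algorithm.
SELECT wrl_type, wallet_type, status FROM v$encryption_wallet;
SELECT tablespace_name, encrypted FROM dba_tablespaces;
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;
```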