How to Create a New PDB with TDE Enabled and Encrypted Tablespace in Oracle 19c
Introduction
In modern Oracle database environments, securing sensitive data at rest is a critical requirement. Transparent Data Encryption (TDE) ensures that data stored in tablespaces is automatically encrypted without requiring application changes.
This blog provides a practical, step-by-step guide to:
· Create a new Pluggable Database (PDB)
· Enable TDE inside the PDB
· Create and activate a master encryption key
· Verify wallet status
· Create an encrypted tablespace
This guide is useful for DBAs working in Oracle 19c multitenant environments.
Environment
· Oracle Version: 19c
· Architecture: Multitenant (CDB/PDB)
· Encryption: TDE
1. Connect as SYSDBA
$ sqlplus / as sysdba
Verify container:
SQL> SHOW CON_NAME;
Expected:
CDB$ROOT
Ensure you are in the root container.
2. Create a New PDB
SQL> CREATE PLUGGABLE DATABASE DFMS
ADMIN USER admin IDENTIFIED BY "SU5d4e2VG#Q";
Open the PDB:
SQL> ALTER PLUGGABLE DATABASE DFMS OPEN READ WRITE;
Save state:
SQL> ALTER PLUGGABLE DATABASE DFMS SAVE STATE;
Switch to PDB:
SQL> ALTER SESSION SET CONTAINER = DFMS;
3. Check TDE Wallet Status
SQL> SELECT * FROM v$encryption_wallet;
Expected status:
OPEN_NO_MASTER_KEY
Wallet is open but no master key exists.
4. Create TDE Master Encryption Key
SQL> ADMINISTER KEY MANAGEMENT CREATE ENCRYPTION KEY
USING TAG 'DFMS_REKEY'
FORCE KEYSTORE IDENTIFIED BY "SU5d4e2V-G_Q"
WITH BACKUP USING 'DFMS_REKEY';
Verify:
SQL> SELECT key_id FROM v$encryption_keys WHERE tag='DFMS_REKEY';
A returned key_id confirms that the key was created.
5. Activate the Encryption Key
SQL> ADMINISTER KEY MANAGEMENT USE ENCRYPTION KEY
'Ad+0E2RijU+iv9Xur6AYQWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
FORCE KEYSTORE IDENTIFIED BY "SU5d4e2V-G_Q"
WITH BACKUP;
The key is now active in the PDB.
6. Verify Wallet Again
SQL> SELECT * FROM v$encryption_wallet;
The wallet status remains OPEN (WALLET_TYPE AUTOLOGIN) and the master key is now active.
7. Create Encrypted Tablespace
SQL> CREATE TABLESPACE FMS
DATAFILE '+DATA' SIZE 1G
AUTOEXTEND ON NEXT 128M MAXSIZE 30G
ENCRYPTION USING 'AES256' ENCRYPT;
The tablespace is created with encryption enabled. The ENCRYPTION ... ENCRYPT clause is what makes it encrypted: without it, a new tablespace is encrypted only when ENCRYPT_NEW_TABLESPACES is set to ALWAYS (the on-premises default, CLOUD_ONLY, leaves it in clear).
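The post verifies the wallet but not the tablespace itself. The following checks, added here as an example and not part of the original post, confirm from inside the PDB that the key is active and that FMS is really encrypted; the names DFMS, FMS and the tag DFMS_REKEY are taken from the steps above.

```sql
-- Run inside the PDB (ALTER SESSION SET CONTAINER = DFMS) after step 7.
-- Names DFMS, FMS and the tag DFMS_REKEY come from the post above.

-- 1. Keystore state for this container: expect STATUS = OPEN and
--    WALLET_TYPE = AUTOLOGIN (or PASSWORD). OPEN_NO_MASTER_KEY means
--    steps 4 and 5 did not complete.
SELECT con_id, wrl_type, wallet_type, status, fully_backed_up
  FROM v$encryption_wallet;

-- 2. The master key in use for our tag; BACKED_UP should read YES
--    once the WITH BACKUP clause has run.
SELECT key_id, tag, key_use, activation_time, backed_up
  FROM v$encryption_keys
 WHERE tag = 'DFMS_REKEY'
 ORDER BY activation_time DESC;

-- 3. Was the tablespace actually encrypted? DBA_TABLESPACES.ENCRYPTED
--    gives the quick YES/NO; V$ENCRYPTED_TABLESPACES adds the algorithm
--    and the master key protecting it.
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'FMS';

SELECT ts.name, et.encryptionalg, et.encryptedts, et.status, et.masterkeyid
  FROM v$encrypted_tablespaces et
  JOIN v$tablespace ts ON ts.ts# = et.ts#
 WHERE ts.name = 'FMS';

-- 4. Explains a plain tablespace created without an ENCRYPTION clause:
--    the on-premises default CLOUD_ONLY encrypts nothing, ALWAYS encrypts
--    every new tablespace, DDL honours the CREATE TABLESPACE statement.
SELECT name, value
  FROM v$parameter
 WHERE name = 'encrypt_new_tablespaces';
```

If query 3 returns ENCRYPTED = NO, drop and recreate the tablespace with the ENCRYPTION clause before loading data; existing plain tablespaces can otherwise only be converted with online tablespace encryption.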
Important Notes
· The keystore must be configured and open in CDB$ROOT before a PDB can create its own master key
· Always back up the keystore after key creation (WITH BACKUP)
· Ensure the wallet is open before any encryption operation
· Use strong keystore and admin passwords
Common Issues
Wallet Not Open
· Check the keystore configuration (WALLET_ROOT and TDE_CONFIGURATION, or ENCRYPTION_WALLET_LOCATION in sqlnet.ora on older setups)
· Verify wallet location
Key Not Found
· Verify tag name
· Ensure correct PDB
Best Practices
· Backup wallet regularly
· Use AUTOLOGIN wallet
· Monitor encryption status
· Avoid hardcoding passwords
· Follow key rotation policy
Key Takeaways
· TDE secures data at rest
· Each PDB needs its own key
· Wallet validation is critical
· Encrypted tablespaces ensure data protection
Conclusion
Implementing TDE in a multitenant Oracle environment ensures strong data security with minimal impact on applications. By following this approach, DBAs can securely deploy encrypted PDBs and protect sensitive data effectively.