Transparent Data Encryption (TDE):
Transparent Data Encryption (TDE) is an Oracle Database feature that encrypts sensitive data stored in table columns or entire tablespaces. It protects data at rest by ensuring that even if database files are accessed, stolen, or tampered with, the information remains unreadable without the correct encryption keys. TDE helps organizations meet security and compliance requirements while keeping encryption operations simple and transparent to applications.
In Oracle multitenant architecture, TDE keystores can be configured at the CDB level or individually for each PDB, offering flexible and secure key management. Oracle 19c enhances TDE with features such as easier online conversion of non-OMF data files and the ability to close the keystore even when SYSTEM, SYSAUX, TEMP, or UNDO tablespaces are encrypted.
Traditional wallet configuration in sqlnet.ora is no longer required. Oracle now recommends setting the WALLET_ROOT and using the KEYSTORE_CONFIGURATION attribute of the TDE_CONFIGURATION parameter for modern and simplified keystore management.
By enabling TDE, DBAs can ensure strong data protection, prevent unauthorized access, and maintain a secure Oracle Database environment.
Step-by-Step Guide to Configuring TDE in Oracle 19c Database
Step 1: Create Directory for Wallet.
This step involves setting up a secure folder where Oracle will store all encryption-related files. It ensures your database has a safe place to keep sensitive security information.
[oracle@dba-simplified ~]$ . oraenv ORACLE_SID = [oracle] ? orcl The Oracle base has been set to /home/app/oracle [oracle@dba-simplified ~]$ [oracle@dba-simplified ~]$ echo $ORACLE_BASE /home/app/oracle [oracle@dba-simplified ~]$ echo $ORACLE_HOME /home/app/oracle/product/19.3.0/db_1 [oracle@dba-simplified ~]$ [oracle@dba-simplified ~]$ mkdir -p $ORACLE_BASE/admin/$ORACLE_SID/wallet [oracle@dba-simplified ~]$ [oracle@dba-simplified ~]$ ls -ld $ORACLE_BASE/admin/$ORACLE_SID/wallet drwxr-xr-x 2 oracle oinstall 6 Oct 21 06:09 /home/app/oracle/admin/orcl/wallet [oracle@dba-simplified ~]$
Step 2: Set WALLET_ROOT and TDE_CONFIGURATION parameter.
Here, you tell Oracle where the wallet is located and enable TDE (Transparent Data Encryption). These settings help the database understand how and where to manage encryption.
SQL> show parameter wallet_root NAME TYPE VALUE ------------------------------------ ----------- ------------------------------ wallet_root string SQL> SQL> alter system set wallet_root='$ORACLE_BASE/admin/$ORACLE_SID/wallet' scope=spfile; System altered. SQL> SQL> show parameter tde_configuration NAME TYPE VALUE ------------------------------------ ----------- ------------------------------ tde_configuration string SQL> SQL> alter system set tde_configuration='KEYSTORE_CONFIGURATION=FILE' scope=spfile; System altered. SQL> shut immediate; Database closed. Database dismounted. ORACLE instance shut down. SQL> SQL> startup ORACLE instance started. Total System Global Area 1543502248 bytes Fixed Size 8939944 bytes Variable Size 1056964608 bytes Database Buffers 469762048 bytes Redo Buffers 7835648 bytes Database mounted. Database opened. SQL> SQL> show parameter wallet_root NAME TYPE VALUE ------------------------------------ ----------- ------------------------------ wallet_root string /home/app/oracle/admin/orcl/wa llet SQL> SQL> show parameter tde_configuration NAME TYPE VALUE ------------------------------------ ----------- ------------------------------ tde_configuration string KEYSTORE_CONFIGURATION=FILE
Step 3: Create Software Keystore.
A software keystore is like a secure digital safe. In this step, you create that safe so
Oracle can store important encryption keys used to protect your database.
SQL> administer key management create keystore identified by simplified123; keystore altered. SQL> select WRL_TYPE, WRL_PARAMETER, STATUS, CON_ID from v$encryption_wallet; WRL_TYPE WRL_PARAMETER STATUS CON_ID ------------ ---------------------------------------- --------------- ---------- FILE /home/app/oracle/admin/orcl/wallet/tde/ CLOSED 0 SQL> SQL> !ls -ltr /home/app/oracle/admin/orcl/wallet/tde/ total 4 -rw------- 1 oracle oinstall 2553 Oct 21 06:31 ewallet.p12
Step 4: Open the Keystore and create TDE Master Encryption Key.
You unlock the keystore and generate the main encryption key.
This master key is essential because it encrypts and protects all other keys used by the database.
SQL> select WRL_TYPE, WRL_PARAMETER, STATUS, CON_ID from v$encryption_wallet; WRL_TYPE WRL_PARAMETER STATUS CON_ID ------------ ---------------------------------------- --------------- ---------- FILE /home/app/oracle/admin/orcl/wallet/tde/ CLOSED 0 SQL> SQL> administer key management set keystore open identified by "simplified123"; keystore altered. SQL> SQL> administer key management set key identified by simplified123 with backup using 'Master_key_bkp_orcl'; keystore altered. SQL> SQL> !ls -ltr /home/app/oracle/admin/orcl/wallet/tde/ total 8 -rw------- 1 oracle oinstall 2553 Oct 21 06:40 ewallet_2025102101102958_Master_key_bkp_orcl.p12 -rw------- 1 oracle oinstall 3993 Oct 21 06:40 ewallet.p12 SQL> SQL> select WRL_TYPE, WRL_PARAMETER, STATUS, CON_ID from v$encryption_wallet; WRL_TYPE WRL_PARAMETER STATUS CON_ID ------------ ---------------------------------------- --------------- ---------- FILE /home/app/oracle/admin/orcl/wallet/tde/ OPEN 0
Step 5: Configure Auto Login Keystore.
An auto-login keystore (also called cwallet.sso) allows Oracle to open the wallet automatically at database startup without requiring the password, improving convenience and ensuring smooth operation.
SQL> administer key management create auto_login keystore from keystore identified by simplified123; keystore altered. SQL> SQL> !ls -ltr /home/app/oracle/admin/orcl/wallet/tde/ total 12 -rw------- 1 oracle oinstall 2553 Oct 21 06:40 ewallet_2025102101102958_Master_key_bkp_orcl.p12 -rw------- 1 oracle oinstall 3993 Oct 21 06:40 ewallet.p12 -rw------- 1 oracle oinstall 4038 Oct 21 06:49 cwallet.sso SQL> SQL> select WRL_TYPE, WRL_PARAMETER, STATUS, CON_ID from v$encryption_wallet; WRL_TYPE WRL_PARAMETER STATUS CON_ID ------------ ---------------------------------------- --------------- ---------- FILE /home/app/oracle/admin/orcl/wallet/tde/ OPEN 0
ewallet_2025102101102958_Master_key_bkp_orcl.p12→ Backup of your master keyewallet.p12→ Your password-based keystorecwallet.sso→ Auto-login keystore
TDE is now successfully configured and your Oracle 19c database is fully enabled for encryption.
Now, let’s see how to enable TDE on an existing tablespace.
SQL> select a.FILE_ID, a.TABLESPACE_NAME, a.FILE_NAME, b.ENCRYPTED from dba_data_files a, dba_tablespaces b where a.TABLESPACE_NAME=b.TABLESPACE_NAME; FILE_ID TABLESPACE FILE_NAME ENCRYPTED ------- ---------- --------------------------------------------- ---------- 1 SYSTEM /home/app/oracle/oradata/ORCL/system01.dbf NO 3 SYSAUX /home/app/oracle/oradata/ORCL/sysaux01.dbf NO 4 UNDOTBS1 /home/app/oracle/oradata/ORCL/undotbs01.dbf NO 7 USERS /home/app/oracle/oradata/ORCL/users01.dbf NO 5 USERS02 /home/app/oracle/oradata/ORCL/users02.dbf NO SQL> SQL> alter tablespace USERS02 encryption online using 'AES256' encrypt; Tablespace altered. SQL> SQL> select a.FILE_ID, a.TABLESPACE_NAME, a.FILE_NAME, b.ENCRYPTED from dba_data_files a, dba_tablespaces b where a.TABLESPACE_NAME=b.TABLESPACE_NAME; FILE_ID TABLESPACE FILE_NAME ENCRYPTED ------- ---------- --------------------------------------------- ---------- 1 SYSTEM /home/app/oracle/oradata/ORCL/system01.dbf NO 3 SYSAUX /home/app/oracle/oradata/ORCL/sysaux01.dbf NO 4 UNDOTBS1 /home/app/oracle/oradata/ORCL/undotbs01.dbf NO 7 USERS /home/app/oracle/oradata/ORCL/users01.dbf NO 5 USERS02 /home/app/oracle/oradata/ORCL/users02.dbf YES
In this example, I used the AES256 algorithm to encrypt the tablespace.
AES256 provides the highest level of security among the available AES algorithms.
Other Supported Algorithms:
Oracle Database 19c TDE also supports other encryption algorithms, giving DBAs flexibility based on security and performance needs:
- AES128 – Fastest and lowest CPU usage
- AES192 – Medium-level security and performance
- AES256 – Strongest encryption (used in this demo)
- 3DES – Older and slower, not recommended
So while this guide demonstrates AES256, you can choose any supported algorithm depending on your performance and compliance requirements.
Now, let’s see how to create a new tablespace with encryption enabled.
SQL> CREATE TABLESPACE USERS03 DATAFILE '/home/app/oracle/oradata/ORCL/users03.dbf' SIZE 100M ENCRYPTION USING 'AES256' DEFAULT STORAGE(ENCRYPT); 2 3 Tablespace created. SQL> SQL> select a.FILE_ID, a.TABLESPACE_NAME, a.FILE_NAME, b.ENCRYPTED from dba_data_files a, dba_tablespaces b where a.TABLESPACE_NAME=b.TABLESPACE_NAME; FILE_ID TABLESPACE FILE_NAME ENCRYPTED ------- ---------- --------------------------------------------- ---------- 1 SYSTEM /home/app/oracle/oradata/ORCL/system01.dbf NO 3 SYSAUX /home/app/oracle/oradata/ORCL/sysaux01.dbf NO 4 UNDOTBS1 /home/app/oracle/oradata/ORCL/undotbs01.dbf NO 7 USERS /home/app/oracle/oradata/ORCL/users01.dbf NO 5 USERS02 /home/app/oracle/oradata/ORCL/users02.dbf YES 2 USERS03 /home/app/oracle/oradata/ORCL/users03.dbf YES 6 rows selected.
Conclusion: Configuring TDE in Oracle 19c ensures strong protection for sensitive data stored in your database. With the keystore, master key, and auto-login wallet properly configured, Oracle securely encrypts data at rest while keeping operations transparent and efficient. TDE is a simple yet powerful feature that helps DBAs enhance security and meet compliance requirements in any Oracle environment.