Creating the Oracle Wallet
Tablespace encryption uses Oracle Wallets to store the encryption master keys. Oracle Wallets couldbe either encryption wallets or auto-open wallets. When you start the database, the auto-open wallet opens automatically, but you must open the encryption wallet yourself. Oracle recommends that you use an encryption wallet for tablespace encryption, unless you’re dealing with a Data Guard setup, where it’s better to use the auto-open wallet.
You can create the wallet easily by executing the following command in SQL*Plus:
SQL> alter system set encryption key identified by “password”
The previous command creates an Oracle Wallet if there isn’t one already and adds a master key to that wallet. By default, Oracle stores the Oracle Wallet, which is simply an operating system file namedewallet.pl2, in an operating system–determined location. You can, however, specify a location for the file by setting the parameter encryption_wallet_location in the sqlnet.ora file, as shown here:
ENCRYPTION_WALLET_LOCATION= (SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=/apps/oracle/general/wallet) ) )
You must first create a directory named wallet under the $ORACLE_BASE/admin/$ORACLE_SIDdirectory. Otherwise, you’ll get an error when creating the wallet:ORA-28368: cannot auto-create wallet. Once you create the directory named wallet, issue the following command to create the Oracle Wallet:
SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY “secure”;
The ALTER SYSTEM command shown here will create a new Oracle Wallet if you don’t have one. It also opens the wallet and creates a master encryption key. If you have an Oracle Wallet, the command opens the wallet and re-creates the master encryption key. Once you’ve created the Oracle Wallet, you can encrypt your tablespaces
Creating an Encrypted Tablespace
The following example shows how to encrypt a tablespace:
SQL> CREATE TABLESPACE tbsp1DATAFILE ‘/u01/app/oracle/test/tbsp1_01.dbf’ SIZE 500mENCRYPTIONDEFAULT STORAGE (ENCRYPT);
The storage clause ENCRYPT tells the database to encrypt the new tablespace. The clause ENCRYPTION tells the database to use the default encryption algorithm, DES128. You can specify an alternate algorithm such as 3DES168, AES128, or AES256 through the clause USING, which you specify right after the ENCRYPTION clause. Since I choose the default encryption algorithm, I didn’t use the USING clause here.
The following example shows how to specify the optional USING clause, to define a non default encryption algorithm.
SQL> CREATE TABLESPACE mytbsp2DATAFILE ‘/u01/app/oracle/test/mytbsp2_01.dbf’ size 500mENCRYPTION USING ‘3DES168’DEFAULT STORAGE (ENCRYPT);
The example shown here creates an encrypted tablespace, MYTBSP2, that uses the 3DES168encryption algorithm instead of the default algorithm.
Note: You can check whether a table space is encrypted by querying the DBA_TABLE SPACES view
The database automatically encrypts data during the writes and decrypts it during reads. Since both encryption and decryption aren’t performed in memory, there’s no additional memory requirement. There is, however, a small additional I/O overhead. The data in the undo segments and there do log will keep the encrypted data in the encrypted form. When you perform operations such as a sort or a join operation that use the temporary table space, the encrypted data remains encrypted in the temporary table space.