Since the release 1 of Oracle 11g, Oracle provides the ability to encrypt tablespaces in full, to protect sensitive data inside and accessible from the OS. That is, the objective of this new functionality is not to protect sensitive data of users of the database, but to protect the information of the tablespace datafiles.

 

To explain the usefulness of this feature, it is best to explain situations in which our data without this functionality would be vulnerable. For example, in the case file of a physical backup of a database tablespace were to wrong hands, could see some data "clear" without problems. For example, a single edition of tablespace (or a simple "cat") containing the Employees table, we show clear varchar2 fields can extract sensitive data (you do not believe, try it!).

 

For this functionality, Oracle uses the TDE - Transparent Data Encryption, by creating an Oracle Wallet that is stored on disk.By default, the location $ ORACLE_BASE / admin / $ ORACLE_SID / wallet, but you should change your location by using the parameter in the sqlnet.ora ENCRYPTION_WALLET_LOCATION.

 

For the creation of the Wallet: 

ALTER SYSTEM SET ENCRYPTION KEY AUTHENTICATED BY "myPassword";

  

The encrypted tablespace can be created as follows:

CREATE TABLESPACE seguro_tbs 
DATAFILE '/oradata/seguro_ts01.dbf.dbf' SIZE 1M
ENCRYPTION USING 'AES256'
DEFAULT STORAGE(ENCRYPT);

 

Unless stated otherwise, the encryption algorithm used is AES256 (Advanced Encryption Standard), but these algorithms are also allowed:

AES256

AES192

AES128

3DES168

When you restart the database, we open the wallet for consulting data encrypted tablespaces:

 ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY "mypassword"; 

 

We can also close it at any time:

  ALTER SYSTEM SET WALLET CLOSE; 

 

If you don't open a wallet, the result of any query on any table that is the tablespace ORA-28365 error "is not open wallet."

 

Consulting if tablespace is encrypted or not can be made from the same view dba_tablespaces:

 

SQL> SELECT tablespace_name, encrypted FROM dba_tablespaces;
 TABLESPACE_NAME                ENCRYPTED
------------------------------ ---------
SYSTEM                         NO
SYSAUX                         NO
UNDOTBS1                       NO
TEMP                           NO
SEGURO_TBS                     YES

 

I hope you find it useful,

Oscar Paredes