Transparent Data Encryption (TDE) enables you to encrypt sensitive data stored in tables and tablespaces.

TDE encrypts sensitive data stored in data files. To prevent unauthorized decryption, TDE can be used to create & store the encryption keys inside the Akeyless Platform.

After the data is encrypted, this data is transparently decrypted for authorized users or applications when they access this data. TDE helps protect data at rest.

Akeyless provides a PKCS#11 shared library file, to set TDE for Oracle Database.

Set TDE for Oracle Database

Download the Akeyless PKCS#11 file to your Oracle server:

curl -o libakeyless.so https://akeylessservices.s3.us-east-2.amazonaws.com/services/pkcs11/release/linux/amd64/latest/libakeyless.so

And set the following permissions and folders:

mkdir -p /opt/oracle/extapi/64/hsm/akeyless/0.0.1/ && \
cp libakeyless.so /opt/oracle/extapi/64/hsm/akeyless/0.0.1/. && \
chown -R oracle:dba /opt/oracle && \
mkdir /logs && \
chown -R oracle:dba /logs

With a privilege user permission on your Database server, create the following file:

touch /var/akeyless/conf/pkcs11.conf

Edit the created pkcs11.conf file and set the following:

log_level="info"
log_path="/logs/pkcs11.log"
akeyless_url="https://<yourAkeylessGW>:8081"
default_aes_mechanism="CBC"
base_item_path="/pkcs11"
[auth]
access_type="access_key"
access_id="<your access id>"
access_key="your access key>"

Where:

akeyless_url is your Akeyless Gateway URL.
base_item_path - The destination path, to save all your TDE encryption keys inside the Akeyless Platform. Ensure your Authentication Method has permission to create and manage items under the desired path.
The [auth] section should be set with the relevant Authentication Method type and settings. Using the same structure as the Akeyless CLI profile setting file.
default_aes_mechanism - Set the type of AES encryption keys. Oracle supports only CBC.

Optional:

customer_fragment_id - Relevant Customer Fragment ID for Zero-Knowledge Encryption.
split_level - Defines the requested split level. By default, split level set with 2.
[syslog] Section can be added, to set the destination Syslog server settings:
- network - Either TCP or UDP
- url - Syslog server URL.

Set the relevant permission on the pkcs11.conf file for your oracle user & group :

chown -R oracle:dba /var/akeyless/conf/pkcs11.conf

Edit the sqlnet.ora file under $ORACLE_HOME/network/admin/sqlnet.ora where $ORACLE_HOME is your oracle user home directory.

For docker setup, the file location is /u01/app/oracle/product/12.2.0/dbhome_1/admin/ORCLCDB/sqlnet.ora

Add the following line to set your Oracle wallet:

ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM))

📘
Note
Starting from Oracle version 18C/19C, before running the commands below, you need to first complete the steps below to set the keystore

Create a directory, called wallet, in the $ORACLE_BASE/admin/db_unique_name directory.
Log in to the database as a user with the SYSDBA administrative privilege.
Set the WALLET_ROOT parameter.

alter system set wallet_root='<path to the oracle wallet directory>' scope=spfile;

Shut down and start up the database.

shutdown immediate;
startup;

Set the TDE_CONFIGURATION parameter as follows:

alter system set TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM" SCOPE=both ;

Encrypting Tablespaces

administer key management set keystore open identified by "akeyless";
administer key management set key identified by "akeyless";

Run the following commands to create an encrypted tablespace:

CREATE TABLESPACE encrypt_ts
  DATAFILE '$ORACLE_HOME/dbs/encrypt_df.dbf' SIZE 1M
  ENCRYPTION USING 'AES128'
  DEFAULT STORAGE (ENCRYPT);

Run the following commands to create an encrypted table:

CREATE TABLE my_table (
    person_id NUMBER GENERATED BY DEFAULT AS IDENTITY,
    first_name VARCHAR2(50) NOT NULL,
    last_name VARCHAR2(50) NOT NULL,
    PRIMARY KEY(person_id)
)  TABLESPACE encrypt_ts;