Transparent Data Encryption (TDE) in Oracle Database (Step-by-Step Implementation)

 


1. Introduction

Transparent Data Encryption (TDE) is a core security feature of modern Oracle databases that protects sensitive data at rest by encrypting database storage without requiring application changes. In multi-tenant architectures, securing both the Container Database (CDB) and Pluggable Databases (PDBs) is critical to ensure complete data isolation and compliance.


With the evolution of multi-tenant architecture in Oracle Database 26ai, TDE implementation has become more flexible and powerful, allowing independent encryption keys for each PDB while maintaining centralized keystore management in a RAC environment.

This document provides a complete end-to-end implementation of Transparent Data Encryption (TDE) in an Oracle Database 26ai Real Application Clusters (RAC) environment using ASM-based keystore storage and multi-tenant encryption. The implementation includes:

  • ASM-based shared keystore configuration
  • RAC-wide wallet accessibility
  • CDB master encryption key creation
  • Independent TDE keys for each PDB
  • Tablespace-level encryption across containers
  • Default encryption enforcement for new tablespaces

By implementing multi-tenant TDE, the database environment ensures strong encryption boundaries between pluggable databases while maintaining centralized and scalable key management suitable for enterprise and cloud-ready deployments.



2. TDE Types and Implementation Choice

Transparent Data Encryption (TDE) provides two main encryption methods to secure data at rest.

 

Types of TDE

1. Tablespace-Level TDE

Encrypts the entire tablespace including tables, indexes, and LOB data. Encryption is automatic and transparent to applications.

2. Column-Level TDE

Encrypts specific columns within a table. Used for highly sensitive fields like credit card numbers or national IDs.

Feature               | Tablespace-Level TDE        | Column-Level TDE
----------------------+-----------------------------+----------------------------------
Encryption Scope      | Entire tablespace           | Specific columns only
Coverage              | Tables, indexes, LOBs       | Selected sensitive fields
Application Changes   | Not required                | May be required
Implementation        | Simple                      | More complex
Performance Impact    | Minimal                     | Higher during DML operations
Management            | Easy and centralized        | Harder to manage
Scalability           | Highly scalable             | Limited for large databases
Multi-tenant Support  | Fully supported             | Less practical
Compliance            | Meets most regulations      | Used for strict field-level rules
Typical Use Case      | Full database encryption    | Fine-grained encryption
Recommended For       | RAC, Cloud, Enterprise DBs  | Specific sensitive columns

When tablespace encryption is enabled, all data is already encrypted at rest.
Adding column encryption usually provides minimal additional benefit while increasing complexity.

Column TDE is only used in special cases like regulatory requirements or field-level security needs.


3. Architecture Overview

PARAMETER       | VALUE
----------------+------------------------
Cluster Nodes   | Node1, Node2
Database Name   | PROD
Oracle Version  | 26ai RAC
Storage         | ASM (+DATA Disk Group)
Keystore Type   | Software Keystore
OS User         | Oracle
CDB Name        | PROD
PDBs            | PRODPDB1, PRODPDB2


4. Objective

The primary objectives of this implementation are:

  • Enable Transparent Data Encryption in Oracle RAC 26ai
  • Configure a shared keystore across RAC nodes
  • Encrypt database tablespaces using TDE
  • Ensure cluster-wide keystore synchronization
  • Validate encryption and database functionality

5. Scope

This document covers:

  • Oracle RAC 26ai environment
  • ASM-based shared storage
  • Software keystore configuration
  • Tablespace-level encryption
  • Cluster-wide validation 

This document does not cover:

  • Hardware Security Module (HSM) integration
  • Oracle Key Vault
  • Cloud-managed encryption services

6. Prerequisites

Before implementing TDE, ensure the following prerequisites are met:

  • Oracle RAC 26ai installed and configured
  • Shared ASM storage available
  • Grid Infrastructure running successfully
  • SYSKM or SYSDBA privileges available
  • Wallet directory accessible across RAC nodes
  • Database open in READ WRITE mode

Optional but recommended:

  • RMAN full backup before enabling TDE
  • ARCHIVELOG mode enabled
  • Adequate disk space for encrypted files

7. Implementation Methodology

The TDE implementation follows a structured approach:

1. Create shared ASM wallet directory
2. Configure sqlnet.ora for keystore location
3. Configure TDE initialization parameters
4. Create TDE keystore
5. Open keystore and create master encryption key
6. Enable auto-login wallet (RAC recommended)
7. Encrypt tablespaces across CDB and PDBs
8. Validate multi-tenant encryption across RAC nodes


8. Implementation Steps

This section provides the complete implementation of Transparent Data Encryption (TDE) in an Oracle Database 26ai RAC environment using ASM-based keystore storage.

 

8.1 Verify RAC Database Status

Ensure the database is running on all RAC nodes.

8.2 Create TDE Directory in ASM

Log in with the ASM (Grid) environment and create a dedicated directory for wallet storage.

8.3 Configure sqlnet.ora for ASM Wallet

Edit sqlnet.ora in the Grid home and copy the configuration to all RAC nodes:

8.4 Configure TDE Initialization Parameters

Check the current parameter values:

Set the wallet root and restart the RAC database:

Set the TDE configuration and restart the database again.

Verify:
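The parameter configuration for 8.3 and 8.4 as a worked SQL*Plus example, added here and not taken from the original document. The ASM path +DATA/PROD/wallet, the use of WALLET_ROOT with TDE_CONFIGURATION for a FILE keystore, and the srvctl restart commands are assumptions; the sqlnet.ora entry appears only as a reference comment.

```sql
-- Added example (not from the original document). Assumptions:
--   WALLET_ROOT = +DATA/PROD/wallet  (TDE keystore files then live in
--                 +DATA/PROD/wallet/tde, assumed created with asmcmd in 8.2)
--   software (FILE) keystore, as stated in the architecture table
-- Run as SYSDBA in CDB$ROOT on one node; SID='*' applies to every instance.

-- 8.3 (reference only): the legacy sqlnet.ora entry in the Grid home. It is
-- deprecated in favour of WALLET_ROOT, which is what the database uses below.
--   ENCRYPTION_WALLET_LOCATION=
--     (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=+DATA/PROD/wallet/tde)))

-- 8.4 step 1: check the current values (empty before configuration).
SHOW PARAMETER WALLET_ROOT
SHOW PARAMETER TDE_CONFIGURATION

-- 8.4 step 2: WALLET_ROOT is static, so it needs a full RAC database restart.
ALTER SYSTEM SET WALLET_ROOT = '+DATA/PROD/wallet' SCOPE = SPFILE SID = '*';
-- from the oracle user's shell:
--   srvctl stop database -d PROD ; srvctl start database -d PROD

-- 8.4 step 3: after the restart, point TDE at a software keystore under
-- WALLET_ROOT. The document restarts once more here; repeat the srvctl pair.
ALTER SYSTEM SET TDE_CONFIGURATION = 'KEYSTORE_CONFIGURATION=FILE'
  SCOPE = BOTH SID = '*';

-- Verify: every instance must report identical values.
SELECT inst_id, name, value
FROM   gv$parameter
WHERE  name IN ('wallet_root', 'tde_configuration')
ORDER  BY inst_id, name;
```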

8.5 Create Software Keystore in ASM

Ensure you are connected to the CDB root, then create the keystore:

Verify the wallet files in ASM:

8.6 Open Keystore and Create Master Key

Open the keystore across all containers and create the master encryption key:

Verify:

8.7 Create Auto-Login Keystore

Enable the auto-login wallet so the RAC instances open the keystore automatically:

Verify the ASM wallet files:
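Steps 8.5 to 8.7 carried through as one added SQL*Plus example (not the original page's commands). It assumes WALLET_ROOT=+DATA/PROD/wallet from 8.4, a SYSKM or SYSDBA session in CDB$ROOT, and the placeholder password <keystore_password>; the backup tags are made up.

```sql
-- Added example (not from the original document). Assumptions: WALLET_ROOT =
-- +DATA/PROD/wallet already set (8.4); <keystore_password> is a placeholder.

-- 8.5 Create the password-protected software keystore. With WALLET_ROOT set no
-- location is given: Oracle writes ewallet.p12 into WALLET_ROOT/tde in ASM.
SHOW CON_NAME                                  -- must be CDB$ROOT
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "<keystore_password>";

-- Verify: asmcmd ls -l +DATA/PROD/wallet/tde  -> ewallet.p12
SELECT con_id, wrl_type, wrl_parameter, status, wallet_type
FROM   v$encryption_wallet;                    -- STATUS = CLOSED until opened

-- 8.6 Open the keystore in the root and every PDB, then create the CDB master
-- key. WITH BACKUP is mandatory and keeps a timestamped copy of ewallet.p12.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "<keystore_password>" CONTAINER = ALL;
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "<keystore_password>" WITH BACKUP USING 'cdb_initial_key'
  CONTAINER = CURRENT;                         -- root key only; PDB keys in 8.9

-- Verify: one key for CON_ID 1; root STATUS = OPEN, PDBs show
-- OPEN_NO_MASTER_KEY until their own keys exist.
SELECT con_id, key_id, creation_time FROM v$encryption_keys;
SELECT con_id, status, wallet_type FROM v$encryption_wallet;

-- 8.7 Create the auto-login keystore (cwallet.sso) so each instance opens the
-- wallet at startup. Use AUTO_LOGIN, not LOCAL AUTO_LOGIN: a LOCAL auto-login
-- wallet is bound to the host that created it and the other node cannot use it.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE
  FROM KEYSTORE IDENTIFIED BY "<keystore_password>";

-- Verify: asmcmd ls +DATA/PROD/wallet/tde -> cwallet.sso, ewallet.p12,
-- ewallet_<timestamp>_cdb_initial_key.p12. WALLET_TYPE changes from PASSWORD
-- to AUTOLOGIN once the keystore is closed and reopened (or on restart).
SELECT con_id, status, wallet_type FROM v$encryption_wallet;
```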

8.8 Encrypt Tablespaces in CDB

Check the encryption status of the existing tablespaces:

Encrypt the USERS tablespace:

Create a new encrypted tablespace:

Enable default encryption for new tablespaces:

Create a test tablespace (encrypted automatically):

8.9 Enable TDE in PDBs

Switch to PDB1 (PRODPDB1).

Create the PDB master key and enable default encryption:

Create an encrypted tablespace:

Encrypt the USERS tablespace:

Switch to PDB2 (PRODPDB2) and repeat the same steps as for PDB1: encrypt the existing tablespace and create a new encrypted tablespace.

Create master key → Encrypt USERS tablespace → Enable default encryption and create encrypted tablespace
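Steps 8.8 and 8.9 as one added SQL example covering the CDB root and both PDBs (not the original page's commands). Assumptions: the keystore is open in all containers (8.6), the auto-login wallet from 8.7 is in use, AES256 is the chosen algorithm, datafiles are OMF in +DATA, the tablespace names other than USERS and the key tags are invented, and <keystore_password> is a placeholder.

```sql
-- Added example (not from the original document). Assumptions listed above.

-- 8.8 In CDB$ROOT: which tablespaces are already encrypted?
SELECT tablespace_name, encrypted FROM dba_tablespaces ORDER BY 1;

-- Encrypt the existing USERS tablespace online (no outage, but each datafile
-- is copied, so free space equal to the tablespace size is needed in +DATA).
ALTER TABLESPACE users ENCRYPTION ONLINE USING 'AES256' ENCRYPT;

-- Create a new, explicitly encrypted tablespace (OMF: no file name needed).
CREATE TABLESPACE secure_data DATAFILE SIZE 200M
  ENCRYPTION USING 'AES256' ENCRYPT;

-- Enforce encryption for every tablespace created from now on, cluster-wide.
ALTER SYSTEM SET ENCRYPT_NEW_TABLESPACES = ALWAYS SCOPE = BOTH SID = '*';

-- Test: no ENCRYPTION clause, yet ENCRYPTED must read YES afterwards.
CREATE TABLESPACE auto_enc_test DATAFILE SIZE 50M;
SELECT tablespace_name, encrypted FROM dba_tablespaces
WHERE  tablespace_name IN ('USERS', 'SECURE_DATA', 'AUTO_ENC_TEST');

-- 8.9 Same sequence inside each PDB, starting with its own master key.
-- FORCE KEYSTORE lets SET KEY use the password keystore while the auto-login
-- keystore from 8.7 is the one currently open.
ALTER SESSION SET CONTAINER = PRODPDB1;
ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE
  IDENTIFIED BY "<keystore_password>" WITH BACKUP USING 'prodpdb1_key';
ALTER TABLESPACE users ENCRYPTION ONLINE USING 'AES256' ENCRYPT;
CREATE TABLESPACE pdb1_secure DATAFILE SIZE 100M
  ENCRYPTION USING 'AES256' ENCRYPT;

ALTER SESSION SET CONTAINER = PRODPDB2;
ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE
  IDENTIFIED BY "<keystore_password>" WITH BACKUP USING 'prodpdb2_key';
ALTER TABLESPACE users ENCRYPTION ONLINE USING 'AES256' ENCRYPT;
CREATE TABLESPACE pdb2_secure DATAFILE SIZE 100M
  ENCRYPTION USING 'AES256' ENCRYPT;

-- ENCRYPT_NEW_TABLESPACES=ALWAYS set in the root also governs the PDBs;
-- confirm it rather than assume it: a plain CREATE TABLESPACE must show YES.
CREATE TABLESPACE pdb2_auto_test DATAFILE SIZE 50M;
SELECT tablespace_name, encrypted FROM dba_tablespaces
WHERE  tablespace_name IN ('USERS', 'PDB2_SECURE', 'PDB2_AUTO_TEST');
```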

8.10 Final Validation

Switch back to the root container and verify the PDBs:

Check the encryption keys across containers:

Expected output:

  • CON_ID 1 → CDB key
  • CON_ID 3 → PRODPDB1 key
  • CON_ID 4 → PRODPDB2 key

This confirms a successful multi-tenant TDE configuration.

9. RAC Validation

Perform the following validations on all RAC nodes:

  • Wallet auto-opens after instance restart
  • Encrypted tablespaces accessible from all nodes
  • No ORA-28365 wallet errors
  • Cluster startup without manual intervention
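The validation queries for 8.10 and for the RAC checks above, as an added SQL example (not the original page's commands). It assumes a CDB$ROOT session on any node; the gv$ views aggregate all RAC instances, so one session validates the whole cluster.

```sql
-- Added example (not from the original document). Run from CDB$ROOT.

-- 8.10 PDB state and per-container master keys. Expected: CON_ID 1 = CDB key,
-- CON_ID 3 = PRODPDB1 key, CON_ID 4 = PRODPDB2 key (CON_ID 2 is PDB$SEED).
ALTER SESSION SET CONTAINER = CDB$ROOT;
SELECT con_id, name, open_mode FROM v$pdbs;
SELECT con_id, key_id, creation_time, activating_pdbname
FROM   v$encryption_keys
ORDER  BY con_id, creation_time;

-- 9 RAC: the wallet must be OPEN with WALLET_TYPE = AUTOLOGIN on every
-- instance and in every container, without a manual open after restart.
SELECT inst_id, con_id, status, wallet_type, wrl_parameter
FROM   gv$encryption_wallet
ORDER  BY inst_id, con_id;

-- Any row here is what users see as ORA-28365 (wallet is not open) the moment
-- they touch an encrypted tablespace on that instance. Expect no rows.
SELECT inst_id, con_id, status, wallet_type
FROM   gv$encryption_wallet
WHERE  status <> 'OPEN' OR wallet_type <> 'AUTOLOGIN';

-- Encrypted tablespaces across all containers, with their algorithm.
SELECT t.con_id, t.name AS tablespace_name, e.encryptionalg, e.encryptedts
FROM   v$tablespace t
JOIN   v$encrypted_tablespaces e
       ON e.ts# = t.ts# AND e.con_id = t.con_id
ORDER  BY t.con_id, t.name;
```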




10. Backup Considerations

Important best practices:

  • Backup wallet after key creation
  • Store wallet backup securely offline
  • Include wallet in DR planning

11. Validation Checklist

  • Keystore created successfully
  • Wallet status is OPEN
  • Master key generated
  • Auto-login wallet configured
  • Tablespaces encrypted
  • RAC nodes accessing encrypted data successfully

12. Risks and Mitigation

Risk                       | Mitigation
---------------------------+---------------------------------
Wallet loss                | Maintain secure offline backups
Wallet not opening in RAC  | Use shared wallet location
Performance overhead       | Use AES hardware acceleration
Startup failures           | Configure auto-login wallet


13. Conclusion

This implementation successfully demonstrates Transparent Data Encryption (TDE) in an Oracle Database 26ai RAC multi-tenant environment using ASM-based shared keystore storage.

The configuration ensures that encryption is enabled at multiple layers:

  • Cluster-wide keystore accessible across RAC nodes
  • Master encryption key created at the CDB level
  • Independent encryption keys generated for each PDB
  • Tablespace-level encryption enabled across containers
  • Automatic encryption enforcement for new tablespaces

By implementing multi-tenant TDE, the environment now provides:

  • Strong data-at-rest protection across RAC infrastructure
  • Logical isolation of encryption domains between PDBs
  • Centralized yet scalable key management
  • Compliance-ready security architecture
  • Zero application-level impact

This approach aligns with modern enterprise security standards and prepares the database platform for regulatory compliance, secure consolidation of multiple workloads, and cloud-native multi-tenant deployments.

The successful validation of encryption keys across CDB and PDB containers confirms a fully functional and production-ready multi-tenant TDE implementation in Oracle Database 26ai RAC.