Data Encryption in Autonomous Database on Dedicated Exadata Infrastructure

Autonomous Database on Dedicated Exadata Infrastructure uses always-on encryption that protects data at rest and in transit. All data stored in and network communication with Oracle Cloud is encrypted by default. Encryption cannot be turned off.

Encryption of Data at Rest

Data at rest is encrypted using TDE (Transparent Data Encryption). TDE encrypts data before it is written to storage and decrypts it when an authorized database process reads it back, so the datafiles and backups on disk are unreadable without the keys while applications need no changes to benefit from it. Each Autonomous Database on Dedicated Exadata Infrastructure has its own master encryption key, and its backups are protected with a separate key of their own.

By default, Oracle Autonomous Database on Dedicated Exadata Infrastructure creates and manages all the master encryption keys used to protect your data, storing them in a secure PKCS 12 keystore on the same Exadata systems where the databases reside. If your company security policies require, Oracle Autonomous Database on Dedicated Exadata Infrastructure can instead use keys you create and manage in the Oracle Cloud Infrastructure Vault service or Oracle Key Vault, depending on whether you are deploying Oracle Autonomous Database on Dedicated Exadata Infrastructure on Oracle Cloud or on Exadata Cloud@Customer. For more information, see Manage Master Encryption Keys.

Additionally, regardless of whether you use Oracle-managed or customer-managed keys, you can rotate the keys used in existing databases when needed in order to meet your company security policies.

Note

When you clone a database, the new database gets its own new set of encryption keys.

Encryption of Data in Transit

Clients (applications and tools) connect to an Autonomous Database using Oracle Net Services (also known as SQL*Net) and predefined database connection services. Oracle Autonomous Database on Dedicated Exadata Infrastructure provides two types of database connection services, each with its own technique for encrypting data in transit between the database and the client:

  • TCPS (Secure TCP) database connection services use the industry-standard TLS 1.2 (Transport Layer Security) protocol. The TLS handshake uses the database server's certificate and public-key cryptography to authenticate the endpoint and agree on session keys; the data itself is then encrypted with those symmetric session keys.

    When you create an autonomous database, a connection wallet is generated, containing all the files a client needs to connect using TCPS, including the trust material the client uses to validate the database server's certificate during the TLS handshake. Distribute this wallet only to those clients you want to give database access to, and handle it like any other secret. The symmetric keys that encrypt the session are negotiated during the handshake for each connection; they are not stored in the wallet.

  • TCP database connection services use the Native Network Encryption cryptosystem built into Oracle Net Services to negotiate and encrypt data during transmission. For this negotiation, Autonomous Databases are configured to require encryption using AES256, AES192 or AES128 cryptography.

    Because the encryption is negotiated when the connection is made, TCP connections do not need the connection wallet required for TCPS connections. However, the client does need the connect descriptors for the database connection services. This information is available by clicking DB Connection on the database's Autonomous Database Details page in the Oracle Cloud Infrastructure console, and in the tnsnames.ora file included in the same downloadable zip file that contains the files necessary to connect using TCPS.
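The following is an added example, not code from the Oracle documentation, that checks from inside a session which of the two in-transit protections above is actually in effect. It assumes the connecting user holds a direct SELECT grant on V$SESSION_CONNECT_INFO (a grant received only through a role is not visible to PL/SQL) and that the banner text for native network encryption names the negotiated AES algorithm; the exact banner wording is an assumption.

```sql
-- Added example (not from the Oracle documentation): confirm whether the
-- current session uses the TLS-based TCPS service or a TCP service with
-- native network encryption, and fail closed if neither is visible.
-- Assumptions: direct SELECT on V$SESSION_CONNECT_INFO; the banner for
-- native network encryption contains the negotiated cipher name.
SET SERVEROUTPUT ON

DECLARE
  v_protocol VARCHAR2(30);
  v_nne_rows PLS_INTEGER;
BEGIN
  -- 'tcps' = TLS-protected TCPS service, 'tcp' = TCP service
  v_protocol := LOWER(SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL'));

  -- For a TCP service, native network encryption appears as a banner row
  -- naming the negotiated algorithm, e.g. 'AES256 Encryption service adapter ...'
  SELECT COUNT(*)
    INTO v_nne_rows
    FROM v$session_connect_info
   WHERE sid = SYS_CONTEXT('USERENV', 'SID')
     AND REGEXP_LIKE(network_service_banner,
                     'AES(256|192|128) Encryption service adapter');

  IF v_protocol = 'tcps' THEN
    DBMS_OUTPUT.PUT_LINE('TCPS service: session protected by TLS');
  ELSIF v_protocol = 'tcp' AND v_nne_rows > 0 THEN
    DBMS_OUTPUT.PUT_LINE('TCP service: native network encryption negotiated');
  ELSE
    -- Neither protection is visible: stop rather than proceed in clear text.
    RAISE_APPLICATION_ERROR(-20001,
      'No in-transit encryption detected for protocol "' || v_protocol || '"');
  END IF;
END;
/
```

Clients using the TCP services should also refuse to fall back to clear text on their own side: setting SQLNET.ENCRYPTION_CLIENT = REQUIRED together with SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256) in the client's sqlnet.ora rejects any session in which AES256 is not negotiated, independently of what the server demands.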

You can encrypt table data while exporting to Object Storage using DBMS_CRYPTO encryption algorithms or a user-defined encryption function. The encrypted data in Object Storage can also be decrypted for use in an external table or while importing from Object Storage using the DBMS_CRYPTO encryption algorithms or a user-defined encryption function. See Encrypt Data While Exporting to Object Storage and Decrypt Data While Importing from Object Storage for instructions.
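The following is an added example, not code from the Oracle documentation or from the DBMS_CLOUD package, of the kind of user-defined encryption function pair that can sit behind the export and import steps referenced above. It assumes the schema has EXECUTE on DBMS_CRYPTO and works on RAW values (up to 32767 bytes; the BLOB overloads of DBMS_CRYPTO are the route for larger payloads). The package name, the key-derivation labels and the parameter signature are illustrative; the signature the export and import routines expect is given in the linked topics.

```sql
-- Added example (not from the Oracle documentation): AES-256-CBC with a random
-- IV and an HMAC-SHA256 tag, as a user-defined encrypt/decrypt pair for data
-- written to and read back from Object Storage. Assumes EXECUTE on DBMS_CRYPTO.
-- Output layout: IV (16 bytes) || ciphertext || HMAC-SHA256 tag (32 bytes).
SET SERVEROUTPUT ON

CREATE OR REPLACE PACKAGE demo_export_crypto AS
  FUNCTION encrypt_raw (p_plain  IN RAW, p_master_key IN RAW) RETURN RAW;
  FUNCTION decrypt_raw (p_cipher IN RAW, p_master_key IN RAW) RETURN RAW;
END demo_export_crypto;
/

CREATE OR REPLACE PACKAGE BODY demo_export_crypto AS
  c_cipher  CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                                  + DBMS_CRYPTO.CHAIN_CBC
                                  + DBMS_CRYPTO.PAD_PKCS5;
  c_iv_len  CONSTANT PLS_INTEGER := 16;   -- AES block size
  c_mac_len CONSTANT PLS_INTEGER := 32;   -- SHA-256 output size

  -- Derive separate encryption and MAC keys from one 32-byte master key so the
  -- same key material is never used for both purposes (labels are illustrative).
  FUNCTION subkey (p_master_key IN RAW, p_label IN VARCHAR2) RETURN RAW IS
  BEGIN
    IF UTL_RAW.LENGTH(p_master_key) <> 32 THEN
      RAISE_APPLICATION_ERROR(-20010, 'master key must be 32 bytes');
    END IF;
    RETURN DBMS_CRYPTO.MAC(UTL_RAW.CAST_TO_RAW(p_label),
                           DBMS_CRYPTO.HMAC_SH256, p_master_key);
  END subkey;

  FUNCTION encrypt_raw (p_plain IN RAW, p_master_key IN RAW) RETURN RAW IS
    v_iv  RAW(16);
    v_ct  RAW(32767);
    v_tag RAW(32);
  BEGIN
    v_iv := DBMS_CRYPTO.RANDOMBYTES(c_iv_len);   -- fresh IV for every record
    v_ct := DBMS_CRYPTO.ENCRYPT(src => p_plain, typ => c_cipher,
                                key => subkey(p_master_key, 'enc'), iv => v_iv);
    -- Encrypt-then-MAC over IV || ciphertext so tampering is caught before decryption
    v_tag := DBMS_CRYPTO.MAC(UTL_RAW.CONCAT(v_iv, v_ct),
                             DBMS_CRYPTO.HMAC_SH256, subkey(p_master_key, 'mac'));
    RETURN UTL_RAW.CONCAT(v_iv, v_ct, v_tag);
  END encrypt_raw;

  FUNCTION decrypt_raw (p_cipher IN RAW, p_master_key IN RAW) RETURN RAW IS
    v_len PLS_INTEGER := UTL_RAW.LENGTH(p_cipher);
    v_iv  RAW(16);
    v_ct  RAW(32767);
    v_tag RAW(32);
  BEGIN
    -- Shortest valid input: IV + one padded AES block + tag
    IF v_len < c_iv_len + 16 + c_mac_len THEN
      RAISE_APPLICATION_ERROR(-20011, 'ciphertext too short');
    END IF;
    v_iv  := UTL_RAW.SUBSTR(p_cipher, 1, c_iv_len);
    v_ct  := UTL_RAW.SUBSTR(p_cipher, c_iv_len + 1, v_len - c_iv_len - c_mac_len);
    v_tag := UTL_RAW.SUBSTR(p_cipher, v_len - c_mac_len + 1, c_mac_len);
    -- Check the tag before touching the ciphertext; COMPARE returns 0 on a match
    IF UTL_RAW.COMPARE(v_tag,
                       DBMS_CRYPTO.MAC(UTL_RAW.CONCAT(v_iv, v_ct),
                                       DBMS_CRYPTO.HMAC_SH256,
                                       subkey(p_master_key, 'mac'))) <> 0 THEN
      RAISE_APPLICATION_ERROR(-20012, 'integrity check failed');
    END IF;
    RETURN DBMS_CRYPTO.DECRYPT(src => v_ct, typ => c_cipher,
                               key => subkey(p_master_key, 'enc'), iv => v_iv);
  END decrypt_raw;
END demo_export_crypto;
/

-- Round-trip check on a constructed record. The inline random key is for the
-- demonstration only; a production function would obtain the key from a vault.
DECLARE
  v_key   RAW(32)  := DBMS_CRYPTO.RANDOMBYTES(32);
  v_plain RAW(100) := UTL_RAW.CAST_TO_RAW('row 42: account=ACME, limit=5000');
  v_ct    RAW(200);
BEGIN
  v_ct := demo_export_crypto.encrypt_raw(v_plain, v_key);
  DBMS_OUTPUT.PUT_LINE(UTL_RAW.CAST_TO_VARCHAR2(
      demo_export_crypto.decrypt_raw(v_ct, v_key)));
END;
/
```

The tag comparison uses UTL_RAW.COMPARE, which is not constant-time; that is acceptable for data at rest in Object Storage, where an attacker cannot submit chosen ciphertexts to the decrypting session, but it is worth knowing if the same function is ever exposed to untrusted callers.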