Oracle Cloud Infrastructure Documentation

Configure Oracle Database Features for Oracle Exadata Database Service on Exascale Infrastructure

Learn how to configure Oracle Multitenant, tablespace encryption, and other options for your Oracle Exadata Database Service on Exascale Infrastructure instance.

Parent topic: How-to Guides

Using Oracle Multitenant on an Oracle Exadata Database Service on Exascale Infrastructure Instance

Learn about requirements for different features when using Multitenant environments in Oracle Exadata Database Service on Exascale Infrastructure.

When you create an Oracle Exadata Database Service on Exascale Infrastructure Instance, an Oracle Multitenant environment is created.

The multitenant architecture enables Oracle Database to function as a multitenant container database (CDB) that includes zero, one, or many pluggable databases (PDBs). A PDB is a portable collection of schemas, schema objects, and non-schema objects that appears to an Oracle Net Services client as a non-CDB.

To use Oracle Transparent Data Encryption (TDE) in a pluggable database (PDB), you must create and activate a master encryption key for the PDB.

In a multitenant environment, each PDB has its own master encryption key which is stored in a single keystore used by all containers.

You must export and import the master encryption key for any encrypted PDBs you plug into your Oracle Exadata Database Service on Exascale Infrastructure Instance CDB.

If your source PDB is encrypted, you must export the master encryption key and then import it.

You can export and import all of the TDE master encryption keys that belong to the PDB by exporting and importing the TDE master encryption keys from within a PDB. Export and import of TDE master encryption keys support the PDB unplug and plug operations. During a PDB unplug and plug, all of the TDE master encryption keys that belong to a PDB, as well as the metadata, are involved.

See "Using Transparent Data Encryption with Other Oracle Features" in Oracle Database Advanced Security Guide.

See "ADMINISTER KEY MANAGEMENT" in Oracle Database SQL Language Reference..

To determine if you need to create and activate an encryption key for the PDB

  1. Invoke SQL*Plus and log in to the database as the SYS user with SYSDBA privileges.

  2. Set the container to the PDB:

    SQL> ALTER SESSION SET CONTAINER = pdb;

  3. Query V$ENCRYPTION_WALLET as follows: 

    SQL> SELECT wrl_parameter, status, wallet_type FROM v$encryption_wallet;

    If the STATUS column contains a value of OPEN_NO_MASTER_KEY, you need to create and activate the master encryption key.

To create and activate the master encryption key in a PDB

  1. Set the container to the PDB:

    SQL> ALTER SESSION SET CONTAINER = pdb;

  2. Create and activate a master encryption key in the PDB by executing the following command:

    SQL> ADMINISTER KEY MANAGEMENT SET KEY USING TAG 'tag' FORCE KEYSTORE IDENTIFIED BY keystore-password WITH BACKUP USING 'backup_identifier';

    In the previous command:

    • keystore-password is the keystore password. By default, the keystore password is set to the value of the administration password that is specified when the database is created.
    • The optional USING TAG 'tag' clause can be used to associate a tag with the new master encryption key.
    • The WITH BACKUP clause, and the optional USING 'backup_identifier' clause, can be used to create a backup of the keystore before the new master encryption key is created.

    See also ADMINISTER KEY MANAGEMENT in Oracle Database SQL Language Reference for Release19, 18 or 12.2.

    Note

    To enable key management operations while the keystore is in use, Oracle Database 12c Release 2, and later, includes the FORCE KEYSTORE option to the ADMINISTER KEY MANAGEMENT command. This option is also available for Oracle Database 12c Release 1 with the October 2017, or later, bundle patch.

    If your Oracle Database 12c Release 1 database does not have the October 2017, or later, bundle patch installed, you can perform the following alternative steps:

    1. Close the keystore.
    2. Open the password-based keystore.
    3. Create and activate a master encryption key in the PDB by using ADMINISTER KEY MANAGEMENT without the FORCE KEYSTORE option.
    4. Update the auto-login keystore by using ADMINISTER KEY MANAGEMENT with the CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE option.

  3. Query V$ENCRYPTION_WALLET again to verify that the STATUS column is set to OPEN: 

    SQL> SELECT wrl_parameter, status, wallet_type FROM v$encryption_wallet;

  4. Query V$INSTANCE and take note of the value in the HOST_NAME column, which identifies the database server that contains the newly updated keystore files: 

    SQL> SELECT host_name FROM v$instance;

  5. Copy the updated keystore files to all of the other database servers.

    To distribute the updated keystore, you must perform the following actions on each database server that does not contain the updated keystore files:

    1. Connect to the root container and query V$ENCRYPTION_WALLET. Take note of the keystore location contained in the WRL_PARAMETER column: 

      SQL> SELECT wrl_parameter, status FROM v$encryption_wallet;

    2. Copy the updated keystore files.

      You must copy all of the updated keystore files from a database server that is already updated. Use the keystore location observed in the WRL_PARAMETER column of V$ENCRYPTION_WALLET.

    Open the updated keystore:
    SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE open FORCE KEYSTORE IDENTIFIED BY keystore-password CONTAINER=all;
    Note

    To enable key management operations while the keystore is in use, Oracle Database 12c Release 2, and later, includes the FORCE KEYSTORE option to the ADMINISTER KEY MANAGEMENT command. This option is also available for Oracle Database 12c Release 1 with the October 2017, or later, bundle patch.

    If your Oracle Database 12c Release 1 database does not have the October 2017, or later, bundle patch installed, you can perform the following alternative steps:

    1. Close the keystore before copying the updated keystore files.
    2. Copy the updated keystore files.
    3. Open the updated keystore by using ADMINISTER KEY MANAGEMENT without the FORCE KEYSTORE option.

  6. Query GV$ENCRYPTION_WALLET to verify that the STATUS column is set to OPEN across all of the database instances: 

    SQL> SELECT wrl_parameter, status, wallet_type FROM gv$encryption_wallet;

To export and import a master encryption key

  1. Export the master encryption key.
    1. Invoke SQL*Plus and log in to the PDB.

    2. Execute the following command:

      SQL> ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS WITH SECRET "secret" TO 'filename' IDENTIFIED BY keystore-password;
  2. Import the master encryption key.
    1. Invoke SQL*Plus and log in to the PDB.

    2. Execute the following command:

      SQL> ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS WITH SECRET "secret" FROM 'filename' IDENTIFIED BY keystore-password;

Managing Tablespace Encryption

Learn about how tablespace encryption is implemented in Oracle Exadata Database Service on Exascale Infrastructure

By default, all new tablespaces that you create in an Exadata database are encrypted.

However, the tablespaces that are initially created when the database is created may not be encrypted by default.

  • For databases that use Oracle Database 12c Release 2 or later, only the USERS tablespaces initially created when the database was created are encrypted. No other tablespaces are encrypted including the non-USERS tablespaces in:
    • The root container (CDB$ROOT).
    • The seed pluggable database (PDB$SEED).
    • The first PDB, which is created when the database is created.
  • For databases that use Oracle Database 12c Release 1 or Oracle Database 11g, none of the tablespaces initially created when the database was created are encrypted.

For further information about the implementation of tablespace encryption in Exadata, along with how it impacts various deployment scenarios, see:

Oracle Database Tablespace Encryption Behavior in Oracle Cloud (Doc ID 2359020.1).

Creating Encrypted Tablespaces

User-created tablespaces are encrypted by default.

By default, any new tablespaces created by using the SQL CREATE TABLESPACE command are encrypted with the AES128 encryption algorithm. You do not need to include the USING 'encrypt_algorithm' clause to use the default encryption.

You can specify another supported algorithm by including the USING 'encrypt_algorithm' clause in the CREATE TABLESPACE command. Supported algorithms are AES256, AES192, AES128, and 3DES168.

Managing Tablespace Encryption

You can manage the software keystore (known as an Oracle wallet in Oracle Database 11g), the master encryption key, and control whether encryption is enabled by default.

Managing the Master Encryption Key

Tablespace encryption uses a two-tiered, key-based architecture to transparently encrypt (and decrypt) tablespaces. The master encryption key is stored in an external security module (software keystore). This master encryption key is used to encrypt the tablespace encryption key, which in turn is used to encrypt and decrypt data in the tablespace.

When a database is created on an Exadata Cloud Service instance, a local software keystore is created. The keystore is local to the compute nodes and is protected by the administration password specified during the database creation process. The auto-login software keystore is automatically opened when the database is started.

You can change (rotate) the master encryption key by using the ADMINISTER KEY MANAGEMENT SQL statement. For example: 

SQL> ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY USING TAG 'tag'
IDENTIFIED BY password WITH BACKUP USING 'backup';
keystore altered.

See "Managing the TDE Master Encryption Key" in Oracle Database Advanced Security Guide.

Controlling Default Tablespace Encryption

The ENCRYPT_NEW_TABLESPACES initialization parameter controls the default encryption of new tablespaces. In Exadata databases, this parameter is set to CLOUD_ONLY by default.

Values of this parameter are as follows.

Value Description
ALWAYS During creation, tablespaces are transparently encrypted with the AES128 algorithm unless a different algorithm is specified in the ENCRYPTION clause.
CLOUD_ONLY Tablespaces created in an Exadata database are transparently encrypted with the AES128 algorithm unless a different algorithm is specified in the ENCRYPTION clause. For non-cloud databases, tablespaces are only encrypted if the ENCRYPTION clause is specified. ENCRYPTION is the default value.
DDL During creation, tablespaces are not transparently encrypted by default, and are only encrypted if the ENCRYPTION clause is specified.
Note

With Oracle Database 12c Release 2 (12.2), or later, you can no longer create an unencrypted tablespace in an Exadata database. An error message is returned if you set ENCRYPT_NEW_TABLESPACES to DDL and issue a CREATE TABLESPACE command without specifying an ENCRYPTION clause.