On the Seventh Day of 12.2, my DBA gave to me…

Database Security New Features


With Oracle Database 12c Release 2, encryption of a tablespace can be deployed with zero downtime. The encryption process runs in the background, so the tablespace remains available for DML access. In other words, you can encrypt, decrypt, and rekey a tablespace using Transparent Data Encryption (TDE) as a live conversion. However, you cannot encrypt, decrypt, or rekey a temporary tablespace online. Online conversion also helps with rotating data encryption keys, with TDE working in the background.

Online Encrypt Tablespace

To encrypt an existing tablespace online, you must log in to the database with the SYSKM role. To encrypt the SYSTEM or SYSAUX tablespace, you must log in with the SYSDBA role. Issue the ALTER TABLESPACE command with the ENCRYPTION and ENCRYPT clauses to encrypt a tablespace online:

SQL> ALTER TABLESPACE sysaux ENCRYPTION ONLINE USING 'AES256' ENCRYPT;

Tablespace altered.

If you do not specify the USING clause, the default encryption will be set to AES128 bit encryption. For non-OMF files, we must also specify the FILE_NAME_CONVERT clause and list each source filename followed by its target (encrypted) filename. Here is an example of the FILE_NAME_CONVERT clause:

FILE_NAME_CONVERT = ('sysaux01.dbf', 'sysaux01_enc.dbf')

The second filename in the FILE_NAME_CONVERT clause becomes the encrypted version of the file once the ALTER TABLESPACE command completes execution.

Online Decrypt Tablespace

With Oracle Database 12c Release 2, we can decrypt a tablespace online without any downtime. To decrypt a tablespace, execute ALTER TABLESPACE with the DECRYPT option:

SQL> ALTER TABLESPACE sysaux ENCRYPTION ONLINE DECRYPT;

Tablespace altered.

Online Rekey Tablespace

We can also rekey an encrypted tablespace. In the example below, we are rekeying a tablespace from AES128 to AES192 bit encryption for a non-OMF managed file:

SQL> ALTER TABLESPACE vna_index ENCRYPTION ONLINE USING 'AES192' REKEY FILE_NAME_CONVERT = ('vna_index01_enc.dbf', 'vna_index01_enc192.dbf');

Tablespace altered.

In the example above, the vna_index01_enc.dbf file is replaced with vna_index01_enc192.dbf, in the same directory where the vna_index01.dbf file was located, after the encryption rekey process completes.
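
The checks a DBA would run around the online conversions described above, shown as an added example that is not part of the original post. It assumes the vna_index tablespace from this page starts out unencrypted in vna_index01.dbf, and that the session can query the V$ and DBA_ views used here.

```sql
-- 1. Pre-check: the TDE keystore must be open with a master key set
--    before an online conversion is started (expect STATUS = OPEN).
SELECT wrl_type, status, wallet_type
FROM   v$encryption_wallet;

-- 2. Encrypt online. The datafile is non-OMF, so FILE_NAME_CONVERT is
--    required: source filename first, encrypted target filename second.
ALTER TABLESPACE vna_index ENCRYPTION ONLINE USING 'AES128' ENCRYPT
  FILE_NAME_CONVERT = ('vna_index01.dbf', 'vna_index01_enc.dbf');

-- 3. Verify the algorithm in effect and whether a conversion is still
--    running. STATUS is NORMAL when idle and ENCRYPTING, DECRYPTING or
--    REKEYING while a background conversion is in progress.
SELECT t.name AS tablespace_name,
       e.encryptionalg,
       e.encryptedts,
       e.status,
       e.key_version
FROM   v$tablespace t
JOIN   v$encrypted_tablespaces e
       ON  e.ts#    = t.ts#
       AND e.con_id = t.con_id
ORDER  BY t.name;

-- 4. Gap report: tablespaces that are still unencrypted. Temporary
--    tablespaces appear here because they cannot be converted online.
SELECT tablespace_name, contents
FROM   dba_tablespaces
WHERE  encrypted = 'NO'
ORDER  BY tablespace_name;

-- 5. Confirm the tablespace now points at the target filename given in
--    FILE_NAME_CONVERT rather than the original source file.
SELECT file_name, online_status
FROM   dba_data_files
WHERE  tablespace_name = 'VNA_INDEX';
```

Re-running query 3 after a REKEY should show the new algorithm in ENCRYPTIONALG and an incremented KEY_VERSION, which gives an audit record that the key rotation actually took effect.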

Complete Database Encryption

The capability to enable TDE encryption for all tablespaces, including SYSTEM, SYSAUX, and UNDO, is now available. This provides complete encryption of the database for regulatory compliance. Oracle also extends its supported encryption and hashing algorithms to include the ARIA, GOST, and SEED encryption algorithms for international standards.

TDE Tablespace Offline Conversion

Oracle Database 12c Release 2 provides the ability to perform offline conversion of a tablespace without additional storage overhead. We can leverage compute across RAC and many instances, with parallel processing on many CPU cores. In a Data Guard configuration, encryption can be done on the physical standby first, followed by a switchover, while the primary database is being encrypted.

Separation of Duty for Administering RAC Clusters

12.2 RAC introduces an administrative privilege called SYSRAC. The intent of the SYSRAC privilege is to provide only the minimal set of privileges the RAC administrator needs to perform day-to-day tasks. This privilege is used by the clusterware agent and removes the need to use the SYSDBA privilege for RAC, for…



To receive a full version emailed copy of this document, including more on Application Security in Database, Enhancements to Security Manageability, Administration, and Integration, and Other Improvements, please complete the download form provided.

