On the Seventh Day of 12.2, my DBA gave to me…
Database Security New Features
With Oracle Database 12c Release 2, encryption of a tablespace can be deployed with zero downtime. The encryption process can be executed in the background, so that the tablespace can be available for DML access. Basically, you can encrypt, decrypt, and rekey a tablespace using Transparent Data Encryption (TDE) in live conversion. However, you cannot encrypt, decrypt or rekey a temporary tablespace online. This process will help with rotation of data encryption keys, with TDE in the background.
Online Encrypt Tablespace
To encrypt an existing tablespace online, you must login to the database with the SYSKM role. To encrypt the SYSTEM or SYSAUX tablespace, you must login with the SYSDBA role. Issue the ALTER TABLESPACE command with the ENCRYTION and ENCRYPT clause, to encrypt a tablespace online: SQL> ALTER TABLESPACE sysaux ENCRYPTION ONLINE USING ‘AES256’ ENCRYPT; Tablespace altered. If you do not specify the USING clause, the default encryption will be set to AES128 bit encryption. For non-OMF files, we must also specify the FILE_NAME_CONVERT clause and list out the filenames with the source filename, to target the encrypted filename. Here is an example for the FILE_NAME_CONVERT clause: FILE_NAME_CONVERT = (‘sysaux01.dbf’ ‘sysaux01_enc.dbf’). The second filename, for the FILE_NAME_CONVERT clause, will become the encrypted version of the file; once the ALTER TABLESPACE command completes execution.
Online Decrypt Tablespace
With Oracle Database 12c Release 2, we can decrypt a tablespace online without any downtime. To decrypt a tablespace, execute the ALTER TABLESPACE with the DECRYPT option: SQL> ALTER TABLESPACE sysaux ENCRYPTION ONLINE DECRYPT; Tablespace altered.
Online Rekey Tablespace
We can also rekey a tablespace encryption. In the example below, we are rekeying a tablespace from AES128 to AES192 bit encryption for a non-OMF managed file: SQL> ALTER TABLESPACE vna_index ENCRYPTION ONLINE USING ‘AES192’ REKEY FILE_NAME_CONVERT = (‘vna_index01_enc.dbf’,’vna_index01_enc192.dbf’); Tablespace altered. In the example above, we will replace the vna_index01_enc.dbf file with vna_index01_enc192.dbf, in the same directory where the vna_index01.dbf file was located, after the encryption rekey process completes.
Complete Database Encryption
The capability to enable TDE encryption for all tablespaces; including SYSTEM, SYSAUX, and UNDO is now available. This provides complete encryption of the databases for regulatory compliance. Oracle extends their encryption and hashing algorithms to include ARIA, GOST, and SEED Encryption Algorithms for International Standards
TDE Tablespace Offline Conversion
Oracle Database 12c Release 2 provides the ability to perform offline conversion of a tablespace, without additional storage overhead. We can leverage compute across RAC, and many instances, with parallel processing on many CPU cores. For Data Guard configuration, encryption can be done on physical standby first and then switchover, while the primary database is being encrypted.
Separation of Duty for Administering RAC Clusters
12.2 RAC introduces an administrative privilege called SYSRAC. The intent of the SYSRAC privileges, is to provide only the minimal set of privileges for the RAC administrator to perform their day to day tasks. This privilege is used by the clusterware agent and removes the need to use SYSDBA privilege for RAC, for…