Oracle Transparent Data Encryption
Amazon RDS supports Oracle Transparent Data Encryption (TDE), a feature of the Oracle Advanced Security option available in Oracle Enterprise Edition. This feature automatically encrypts data before it is written to storage and automatically decrypts data when the data is read from storage. This option is only supported for the Bring Your Own License (BYOL) model.
TDE is useful in scenarios where you need to encrypt sensitive data in case data files and backups are obtained by a third party. TDE is also useful when you need to comply with security-related regulations.
A detailed explanation about TDE in Oracle Database is beyond the scope of this guide. For information, see the following Oracle Database resources:
-
Introduction to Transparent Data Encryption
in the Oracle Database documentation -
Oracle advanced security
in the Oracle Database documentation -
Oracle advanced security Transparent Data Encryption best practices
, which is an Oracle whitepaper
For more information about using TDE with RDS for Oracle, see the following blogs:
TDE encryption modes
Oracle Transparent Data Encryption supports two encryption modes: TDE tablespace encryption and TDE column encryption. TDE tablespace encryption is used to encrypt entire application tables. TDE column encryption is used to encrypt individual data elements that contain sensitive data. You can also apply a hybrid encryption solution that uses both TDE tablespace and column encryption.
Note
Amazon RDS manages the Oracle Wallet and TDE master key for the DB instance. You do not need
to set the encryption key using the command ALTER SYSTEM set encryption
key
.
After you enable the TDE
option, you can check the status of the Oracle
Wallet by using the following command:
SELECT * FROM v$encryption_wallet;
To create an encrypted tablespace, use the following command:
CREATE TABLESPACE encrypt_ts ENCRYPTION DEFAULT STORAGE (ENCRYPT);
To specify the encryption algorithm, use the following command:
CREATE TABLESPACE encrypt_ts ENCRYPTION USING 'AES256' DEFAULT STORAGE (ENCRYPT);
The previous statements for encrypting a tablespace are the same as you would use on an on-premises Oracle database.
Restrictions for the TDE option
The TDE option is permanent and persistent. After you associate your DB instance with an option group that has the TDE option enabled, you can't do the following actions:
-
Disable the
TDE
option in the currently associated option group. -
Associate your DB instance with a different option group that doesn't include the
TDE
option. -
Share a DB snapshot that uses the
TDE
option. For more information about sharing DB snapshots, see Sharing a DB snapshot for Amazon RDS.
For more information about persistent and permanent options, see Persistent and permanent options.
Determining whether your DB instance is using TDE
You might want to determine whether your DB instance is associated with an option group that
has the TDE
option enabled. To view the option group that a DB instance is
associated with, use the RDS console, the describe-db-instance AWS CLI
command, or the API operation DescribeDBInstances.
Adding the TDE option
To add the TDE
option to your DB instance, complete the following steps:
-
(Recommended) Take a snapshot of your DB instance.
-
Do one of the following tasks:
-
Create a new option group from scratch. For more information, see Creating an option group.
-
Copy an existing option group using the AWS CLI or API. For more information, see Copying an option group.
-
Reuse an existing non-default option group. A best practice is to use an option group that isn't currently associated with any DB instances or snapshots.
-
-
Add the new option to the option group from the preceding step.
-
If the option group that is currently associated with your DB instance has options enabled, add these options to your new option group. This strategy prevents the existing options from being uninstalled while enabling the new option.
-
Add the new option group to your DB instance.
To add the TDE option to an option group and associate it with your DB instance
-
In the RDS console, choose Option groups.
-
Choose the name of the option group to which you want to add the option.
-
Choose Add option.
-
For Option name, choose TDE, and then configure the option settings.
-
Choose Add option.
Important
If you add the TDE option to an option group that is currently attached to one or more DB instances, a brief outage occurs while all the DB instances are automatically restarted.
For more information about adding options, see Adding an option to an option group.
-
Associate the option group with a new or existing DB instance:
-
For a new DB instance, apply the option group when you launch the instance. For more information, see Creating an Amazon RDS DB instance.
-
For an existing DB instance, apply the option group by modifying the instance and attaching the new option group. The DB instance doesn't restart as part of this operation. For more information, see Modifying an Amazon RDS DB instance.
-
In the following example, you use the AWS CLI add-option-to-option-group command to add the TDE
option to an option group called myoptiongroup
. For more
information, see Getting
started: Flink 1.13.2 .
For Linux, macOS, or Unix:
aws rds add-option-to-option-group \ --option-group-name "
myoptiongroup
" \ --options "OptionName=TDE
" \ --apply-immediately
For Windows:
aws rds add-option-to-option-group ^ --option-group-name "
myoptiongroup
" ^ --options "OptionName=TDE
" ^ --apply-immediately
Copying your data to a DB instance that doesn't include the TDE option
You can't remove the TDE option from a DB instance or associate it with an option group that doesn't include the TDE option. To migrate your data to an instance that doesn't include the TDE option, do the following:
-
Decrypt the data on your DB instance.
-
Copy the data to a new DB instance that is not associated with an option group that has
TDE
enabled. -
Delete your original DB instance.
You can use the same name for the new instance as the previous DB instance.
Considerations when using TDE with Oracle Data Pump
You can use Oracle Data Pump to import or export encrypted dump files. Amazon RDS supports
the password encryption mode (ENCRYPTION_MODE=PASSWORD)
for Oracle Data
Pump. Amazon RDS does not support transparent encryption mode
(ENCRYPTION_MODE=TRANSPARENT)
for Oracle Data Pump. For more
information, see Importing using Oracle Data Pump.