“There are two types of encryption: one that will prevent your sister from reading your diary and one that will prevent your government” – Bruce Schneier
What is Hybrid Tablespace Encryption? With the latest release updates of Oracle 19c (19.16 and above; 19.18 is the latest as of February 2023), it is now possible to decrypt redo operations in hybrid cloud DR configurations where the cloud database is encrypted with TDE (Transparent Data Encryption) and the on-prem database is not.
We are seeing more and more on-prem Oracle databases using Data Guard with the standby database in the cloud, mostly in OCI. When the on-prem database is not using TDE and the cloud one is, it is important to ensure that the redo data is encrypted while it is transported. The Advanced Security Option plays a key role here, as this new feature is controlled via the (dynamic) TABLESPACE_ENCRYPTION initialization parameter.
V$PARAMETER_VALID_VALUES shows the accepted values of all database init.ora parameters; here is what we have for tablespace encryption (viewable even in ADB):
In a multitenant environment, remember that you need to change the value of TABLESPACE_ENCRYPTION in the root container. You cannot set TABLESPACE_ENCRYPTION in a PDB.
Here is how to set up the encryption depending on (1) whether or not you have the Advanced Security Option and (2) how you would like to encrypt:
AUTO_ENABLE is the default for cloud databases. It encrypts all new tablespaces if you have the Oracle Advanced Security license.
If an existing tablespace is not encrypted, then the database writes a warning to the alert log.
Encrypted tablespaces cannot be converted to unencrypted tablespaces.
Because all tablespaces must be encrypted in OCI, setting TABLESPACE_ENCRYPTION to DECRYPT_ONLY or MANUAL_ENABLE will be ignored in the cloud and the database will behave as if the setting is AUTO_ENABLE.
In the primary database, this setting encrypts the new tablespace with an encryption key.
In a standby database, this setting adds a key to the new tablespace and encrypts all blocks.
DECRYPT_ONLY prevents new tablespaces from being encrypted. Use it in your on-prem database in case you do not have the Advanced Security Option.
If an existing tablespace is encrypted, then the database writes a warning to the alert log.
Unencrypted tablespaces cannot be changed to encrypted tablespaces!
MANUAL_ENABLE enables you to selectively encrypt tablespaces if the database is licensed for Oracle Advanced Security. This is the default for both on-prem primary and standby databases.
Note that (1) for RAC, set TABLESPACE_ENCRYPTION to the same value for all instances of the primary database, and to the same value for all instances of the standby database, and (2) modifying TABLESPACE_ENCRYPTION does not affect master key rotation operations.
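As an added example (not part of the original post), here is the SQL a DBA would run on an on-prem multitenant primary that has no Advanced Security Option license: check the values this release accepts, switch to the root container (the parameter cannot be set in a PDB), set DECRYPT_ONLY without a restart, confirm every RAC instance carries the same value, and list which tablespaces are already encrypted, since those are the ones the alert log will warn about under DECRYPT_ONLY. The parameter and its values are the ones described above; GV$PARAMETER, CDB_TABLESPACES, V$TABLESPACE and V$ENCRYPTED_TABLESPACES are standard 19c dictionary views not mentioned in the post, and the RAC setup is an assumption of the example.

```sql
-- Added example, not from the original post: an on-prem 19c multitenant
-- RAC primary (assumed) without the Advanced Security Option, so new
-- tablespaces must stay unencrypted for the hybrid DR standby in OCI.

-- 1. Which values does this release accept for the parameter?
SELECT name, value, isdefault
  FROM v$parameter_valid_values
 WHERE name = 'tablespace_encryption'
 ORDER BY ordinal;

-- 2. The parameter is CDB-level only: change it from the root, never a PDB.
ALTER SESSION SET CONTAINER = CDB$ROOT;

-- 3. Dynamic parameter, so no restart; SCOPE=BOTH also persists it in the
--    spfile and SID='*' applies it to every RAC instance at once.
ALTER SYSTEM SET tablespace_encryption = 'DECRYPT_ONLY' SCOPE = BOTH SID = '*';

-- 4. Verify all instances agree; any row with a differing VALUE is a
--    misconfiguration to fix before the next switchover.
SELECT inst_id, value
  FROM gv$parameter
 WHERE name = 'tablespace_encryption'
 ORDER BY inst_id;

-- 5. Which tablespaces are encrypted today? Under DECRYPT_ONLY each
--    ENCRYPTED = 'YES' row triggers an alert-log warning and cannot be
--    converted back, so this list is the inventory to review.
SELECT t.con_id,
       t.tablespace_name,
       t.encrypted,
       e.encryptionalg,
       e.status
  FROM cdb_tablespaces t
  JOIN v$tablespace v
    ON v.name = t.tablespace_name
   AND v.con_id = t.con_id
  LEFT JOIN v$encrypted_tablespaces e
    ON e.ts# = v.ts#
   AND e.con_id = v.con_id
 ORDER BY t.con_id, t.tablespace_name;
```

Run step 5 again on the OCI standby: there the parameter is effectively AUTO_ENABLE regardless of what you set, so every tablespace should report ENCRYPTED = 'YES', while on the on-prem primary the same query should show 'NO' throughout.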
On the second topic, Oracle Cloud Guard is useful for maintaining a good security posture by detecting weak security configurations and activities that can indicate cloud security risks. Cloud Guard detects security problems within a customer tenancy by ingesting audit and configuration data about resources in each region, processing it based on detector rules, and correlating the problems at the reporting region. Identified problems are used to produce dashboards and metrics and may also trigger one or more of the provided responders to help resolve the problem.
Here are the key features of Oracle Cloud Guard:
Detects misconfigured resources and identifies risky activities.
Delivers out-of-the-box recipes that apply security best practices with a few clicks.
Provides automated responders to trigger corrective actions.
Gives a global view of a customer’s overall security posture across their OCI tenancy, including security and risk scores and activity maps.
Enabling Cloud Guard is simple. The first step is to select/define the policies and then fill in some basic information:
And just click the “Enable” button.