Oracle19C数据库版本TDE加密新特性

参考Oracle19C官方文档
Advanced Security Guide
3 Configuring Transparent Data Encryption
Encryption Conversions for Tablespaces and Databases

表空间和数据库的加密转换
创建一个新的加密表空间
加密未来的加密表空间
现有脱机表空间的加密转换
现有在线表空间的加密转换
现有数据库的加密转换

直接把普通表转换成加密表
Prepare the CDB to Use TDE
Log in to ORCL as SYS with the SYSDBA administrative privilege.
sqlplus / AS SYSDBA
Create the keystore for the CDB in /u02/app/oracle/admin/ORCL/tde_wallet.
mkdir -p /u02/app/oracle/admin/ORCL/tde_wallet
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE ‘/u02/app/oracle/admin/ORCL/tde_wallet/’ IDENTIFIED BY password;
Open the keystore.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY password CONTAINER=ALL;
Set the TDE master encryption key.
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY password WITH BACKUP CONTAINER=ALL;
Create a user-managed tablespace.
CREATE TABLESPACE omtbs DATAFILE ‘/u02/app/oracle/oradata/ORCL/omts01.dbf’ SIZE 10M;
Check that the tablespaces are not encrypted.
SELECT tablespace_name, encrypted FROM dba_tablespaces;

TABLESPACE_NAME ENC

SYSTEM NO
SYSAUX NO
UNDOTBS1 NO
TEMP NO
USERS NO
OMTBS NO
section 2Encrypt Oracle-managed and User-managed Tablespaces
In this section, you close the keystore and see which operations on Oracle-managed tablespaces and user-managed tablespaces can be handled on the metadata and data.

Close the keystore.
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY password CONTAINER = ALL;
Switch one of the Oracle-managed tablespaces to encryption.
ALTER TABLESPACE system ENCRYPTION USING ‘AES192’ ENCRYPT;
ALTER TABLESPACE system ENCRYPTION USING ‘AES192’ ENCRYPT
*
ERROR at line 1:
ORA-28365: wallet is not open
Switch one of the user-managed tablespaces to encryption.
ALTER TABLESPACE omtbs ENCRYPTION USING ‘AES192’ ENCRYPT;
ALTER TABLESPACE omtbs ENCRYPTION USING ‘AES192’ ENCRYPT
*
ERROR at line 1:
ORA-28365: wallet is not open
Open the keystore.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY password CONTAINER = ALL;
Switch one of the Oracle-managed tablespaces to encryption.
ALTER TABLESPACE system ENCRYPTION USING ‘AES192’ ENCRYPT;
Switch one of the user-managed tablespaces to encryption.
ALTER TABLESPACE omtbs ENCRYPTION USING ‘AES192’ ENCRYPT;
Check that the tablespaces are encrypted.
SELECT tablespace_name, encrypted FROM dba_tablespaces;

TABLESPACE_NAME ENC

SYSTEM YES
SYSAUX NO
UNDOTBS1 NO
TEMP NO
USERS NO
OMTBS YES
section 3Handle Encrypted Data in Oracle-managed and User-managed Tablespaces When Keystore is Closed
Close the keystore.
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY password CONTAINER = ALL;
Change the encryption algorithm in SYSTEM tablespace.
ALTER TABLESPACE system ENCRYPTION USING ‘AES128’ ENCRYPT;
ALTER TABLESPACE system ENCRYPTION USING ‘AES128’ ENCRYPT
*
ERROR at line 1:
ORA-28365: wallet is not open
Change the encryption algorithm in OMTBS tablespace.
ALTER TABLESPACE omtbs ENCRYPTION USING ‘AES128’ ENCRYPT;
ALTER TABLESPACE omtbs ENCRYPTION USING ‘AES128’ ENCRYPT
*
ERROR at line 1:
ORA-28365: wallet is not open
The operation fails because the operation affects the metadata of the Oracle-managed and user-managed tablespaces.
Create a table and insert data in the tablespace SYSTEM.
CREATE TABLE system.test (c NUMBER, C2 CHAR(4)) TABLESPACE system;
INSERT INTO system.test VALUES (1,‘Test’);
COMMIT;
The operation completes because the operation affects only the data of the Oracle-managed tablespace and because the tablespace is an Oracle-managed tablespace.
Create a table and insert data in the tablespace OMTBS.
CREATE TABLE system.test2 (c NUMBER, C2 CHAR(4)) TABLESPACE omtbs;
CREATE TABLE system.test2
*
ERROR at line 1:
ORA-28365: wallet is not open
Operations on user-managed tablespaces still raise the ORA-28365 “wallet is not open” error when the CDB root keystore is closed.
The behavior is the same in pluggable databases (PDBs).
section 4Clean Up the Environment
Open the keystore.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY password CONTAINER = ALL;
Drop the SYSTEM.TEST table.
DROP TABLE system.test;
Drop the user-managed tablespace.
DROP TABLESPACE omtbs INCLUDING CONTENTS AND DATAFILES;
Decrypt the Oracle-managed tablespaces.
ALTER TABLESPACE system ENCRYPTION DECRYPT;
Quit the session.
EXIT

Encrypting an Existing Tablespace with Online Conversion
在线加密现有表空间
ALTER TABLESPACE t1 ENCRYPTION ONLINE USING ‘AES256’ ENCRYPT FILE_NAME_CONVERT = (‘t1.dbf’, ‘t1_enc.dbf’);

Decrypting an Existing Tablespace with Online Conversion
在线解密现有已加密表空间
ALTER TABLESPACE t1 ENCRYPTION ONLINE DECRYPT FILE_NAME_CONVERT = (‘t1_enc.dbf’, ‘t1.dbf’);

Finishing an Interrupted Online Encryption Conversion
完成中断的在线加解密转换
For an encryption operation:
ALTER TABLESPACE users ENCRYPTION ONLINE FINISH ENCRYPT FILE_NAME_CONVERT = (‘users.dbf’, ‘users_enc.dbf’);

For a decryption operation:
ALTER TABLESPACE users ENCRYPTION ONLINE FINISH DECRYPT FILE_NAME_CONVERT = (‘users_enc.dbf’, ‘users.dbf’);

For a rekey operation:
修改表空间为加密表空间新特性了解即可
ALTER TABLESPACE users ENCRYPTION ONLINE FINISH REKEY FILE_NAME_CONVERT = (‘users.dbf’, ‘users_enc.dbf’);

select * from v$encryption_keys order by creation_time;