I found that the TDE master encryption key is stored in memory after first use

Correct.
Once the wallet has been opened, it remains open until you shut down the database instance, or close it explicitly by issuing the following command:
SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "password";
There are some occasions that would still merit TDE. For example, a third-party application that does not offer encryption could still have its data protected at rest by TDE. In order to use DBMS_CRYPTO, it would require programmatic changes.
The main benefit of TDE, as I understand it, is that it can be implemented without any knowledge needed by the application.
Yes, it is clear that the TDE master encryption key is stored in memory after first use. So, if you want the master key to be fetched from the store every time, then I would recommend that you use an HSM. In this case, every decryption must access your HSM, and the master key will remain inside the HSM only.
When we are using the Oracle Wallet, the TDE master encryption key gets loaded into database memory to decrypt the table/tablespace keys.
And when we are using an HSM, the table and tablespace keys are sent to the HSM and returned decrypted over a secure connection so they can be used to decrypt or encrypt data in the database.
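
A small model of the two key flows described in the replies above, added here as an illustration and not code from the thread or from Oracle. All class and function names are hypothetical, and the HMAC-based keystream is a stand-in for real key wrapping, not the algorithm TDE uses.

```python
import hashlib
import hmac
import secrets

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy keystream (HMAC-SHA256 in counter mode); stands in for real key wrapping.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def wrap(master: bytes, table_key: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + _xor_stream(master, nonce, table_key)

def unwrap(master: bytes, wrapped: bytes) -> bytes:
    return _xor_stream(master, wrapped[:16], wrapped[16:])

class Hsm:
    """Hypothetical HSM: the master key is generated inside and never returned."""
    def __init__(self):
        self.__master = secrets.token_bytes(32)
    def wrap_key(self, table_key: bytes) -> bytes:
        return wrap(self.__master, table_key)
    def unwrap_key(self, wrapped: bytes) -> bytes:
        return unwrap(self.__master, wrapped)

class WalletInstance:
    """Database instance with a software wallet (wallet_file models the file on disk)."""
    def __init__(self, wallet_file: dict):
        self.wallet_file, self.memory = wallet_file, {}
    def open_wallet(self):
        self.memory["master_key"] = self.wallet_file["master_key"]  # now in instance memory
    def close_wallet(self):
        self.memory.pop("master_key", None)
    def table_key(self, wrapped: bytes) -> bytes:
        if "master_key" not in self.memory:
            raise PermissionError("wallet is closed")
        return unwrap(self.memory["master_key"], wrapped)

class HsmInstance:
    """Database instance backed by an HSM: only unwrapped table keys reach memory."""
    def __init__(self, hsm: Hsm):
        self.hsm, self.memory = hsm, {}
    def table_key(self, wrapped: bytes) -> bytes:
        self.memory["table_key"] = self.hsm.unwrap_key(wrapped)
        return self.memory["table_key"]
```

In the wallet model the master key sits in `memory` from `open_wallet()` until `close_wallet()`; in the HSM model the instance's `memory` only ever holds the unwrapped table key.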