Hi,
I found that the TDE master encryption key is stored in memory after first use.
Once the wallet has been opened, it remains open until you shut down the database instance, or close it explicitly by issuing the following command:
SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "password";
I highly recommend not using TDE but rather using the DBMS_CRYPTO package.
It would be inappropriate to discuss my reasons here but suffice it to say that if you need encrypted ... there is no value in its transparent decryption.
There are some occasions that would still merit TDE. For example, a third-party application that does not offer encryption could still have its data protected at rest by TDE. In order to use DBMS_CRYPTO, it would require programmatic changes.
The main benefit of TDE, as I understand it, is that it can be implemented without any knowledge needed by the application.
Yes, it is clear that the TDE master encryption key is stored in memory after first use. So, if you want the master key to be fetched from the store every time, then I would recommend that you use an HSM. In this case, you must access your HSM for every decryption, and the master key will remain inside the HSM only.
When we are using the Oracle Wallet, the TDE master encryption key gets loaded into database memory to decrypt the table/tablespace keys.
And when we are using an HSM, the table and tablespace keys are sent to the HSM and returned decrypted over a secure connection so they can be used to decrypt or encrypt data in the database.
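The following SQL*Plus script is an added example, not part of any reply in this thread. It shows one way to check whether the wallet is currently open, list what depends on the master key, and confirm the effect of the close command quoted above. The table `app.payments`, its column `card_no` and the wallet password are placeholders; the close/open syntax follows the form used in the thread.

```sql
-- Added example: object names and the password are placeholders.

-- 1. Wallet state. STATUS shows whether the master key has been
--    loaded into instance memory; WRL_PARAMETER shows where the
--    wallet lives.
SELECT wrl_type, wrl_parameter, status
FROM   v$encryption_wallet;

-- 2. Columns protected by column-level TDE (their table keys are
--    wrapped by the master key).
SELECT owner, table_name, column_name, encryption_alg
FROM   dba_encrypted_columns
ORDER  BY owner, table_name, column_name;

-- 3. Tablespaces protected by tablespace-level TDE.
SELECT tablespace_name
FROM   dba_tablespaces
WHERE  encrypted = 'YES';

-- 4. Close the wallet explicitly, as described in the thread.
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "password";

-- 5. Re-check the state after closing.
SELECT wrl_type, status
FROM   v$encryption_wallet;

-- 6. With the wallet closed the instance can no longer unwrap the
--    table key, so a read of an encrypted column is refused instead
--    of returning plaintext (placeholder table and column).
SELECT card_no
FROM   app.payments
WHERE  ROWNUM = 1;

-- 7. Reopen the wallet to restore access.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "password";
```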