Question and Answer

Connor McDonald

Thanks for the question, Cuvillier.

Asked: March 01, 2018 - 4:15 pm UTC

Last updated: August 23, 2019 - 6:05 pm UTC

Version: 12.1

You Asked

Hello,
I want to use TDE tablespace encryption on my database.
One part of my study is "how can I manage my master key": my security officer asks me to change the key regularly.
I read in the Oracle documentation ( https://docs.oracle.com/cd/E11882_01/network.112/e40393/asotrans.htm#ASOAG9525 §8.2.2.1) that space in the wallet is limited, so I can't change the master key with too small a periodicity.
- My first question is: how many master keys can I put in a wallet before reaching the limit?
And what should I do when this limit is reached?
Note: is it different if I use an HSM?

- My second question is around performance and how the data in the tablespace is encrypted.
If I am right, there is a master key in the wallet and a tablespace key in the datafile header.
When I modify the master key in the wallet, I guess that a new key is generated in the datafile header.
But what happens to the data: are the blocks of the tablespace encrypted with this new key?
And is there an increase in CPU usage when the new key is generated?

Thank you for your answer
Cordially
Rodolphe

and Connor said...

From MOS Doc ID 445147.1:

"As of 10.2.0.4 a wallet can grow up to 4GB. Since 100 rekeys generate 26KB if we keep on rekeying every single day we can do it for a very long period (more than 500 years)."

So I think you'll be ok :-)

Changing the master key is how we *protect* the true encryption keys. So changing the master does not change the *true value* of the encryption keys; it just changes their encrypted values. So data blocks do not need to be re-visited.

e.g. Let's say my key was "SecretKey".

With master key of "X", this might encrypt to "XYZ123"
With (a new) master key of "Y", this might encrypt to "ABC456"

but in both cases, my key is still "SecretKey".


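The master-key-wraps-tablespace-key relationship from the answer, as an added Go example that is neither part of this thread nor Oracle's implementation: the data blocks stay encrypted under an unchanged tablespace key, and a master-key change only re-encrypts the wrapped copy of that key kept in the header. AES-256-GCM and the type and function names are assumptions of the example, not anything Oracle documents.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// gcm builds AES-256-GCM; every key in this demo is 32 bytes, so a failure here is a bug.
func gcm(key []byte) cipher.AEAD {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(blk) // cannot fail for an AES block
	return g
}

// seal encrypts pt with a fresh 12-byte nonce prepended; open reverses it and fails, rather than returning garbage, under the wrong key.
func seal(key, pt []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return gcm(key).Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	return gcm(key).Open(nil, ct[:12], ct[12:], nil) // ct always comes from seal here
}

// Tablespace mirrors the answer: the tablespace key sits in the datafile header wrapped
// by the master key, and the data blocks are encrypted under the tablespace key only.
type Tablespace struct {
	WrappedKey []byte
	Blocks     []byte
}

func NewTablespace(master, data []byte) *Tablespace {
	tsKey := make([]byte, 32)
	rand.Read(tsKey)
	return &Tablespace{WrappedKey: seal(master, tsKey), Blocks: seal(tsKey, data)}
}

// RekeyMaster re-wraps the tablespace key under newMaster; Blocks are never rewritten, so no block I/O or per-block CPU.
func (t *Tablespace) RekeyMaster(oldMaster, newMaster []byte) error {
	tsKey, err := open(oldMaster, t.WrappedKey)
	if err != nil {
		return err
	}
	t.WrappedKey = seal(newMaster, tsKey)
	return nil
}
```

Reading after the rekey is unwrapping with the new master (open on WrappedKey) followed by decrypting Blocks with the recovered key; the old master can no longer unwrap anything.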

Comments

Thanks a lot

Cuvillier Rodolphe, March 06, 2018 - 8:48 am UTC

Hello,
Thank you for this feedback.
It's perfect.
Cordially
Rodolphe

Separate tablespace encryption keys

A reader, August 21, 2019 - 1:21 pm UTC

Hi,

Is it possible to create two tablespaces with different encryption keys as part of TDE tablespace?

The requirement is to host two customers in two schemas of the same database instance, but with different encrypted tablespaces using different keys.


Connor McDonald
August 23, 2019 - 6:05 pm UTC

The only thing I could suggest here would be to use a pluggable database for each customer, and do the TDE at the pluggable level.
