Skip to Main Content
  • Questions

  • TDE Encription is supported parallel encryption?

Breadcrumb

Question and Answer

Chris Saxon

Thanks for the question, Gustavo.

Asked: March 30, 2012 - 7:36 am UTC

Last updated: May 21, 2021 - 12:24 pm UTC

Version: 10.2.5

Viewed 10K+ times! This question is

You Asked

It is possible to encrypt a column in Parallel?
How is it done?
try:
ALTER SESSION FORCE PARALLEL DDL 4;
ALTER TABLE TEST PARALLEL (DEGREE 4);
ALTER / * + parallel (TEST 4.1) * / TABLE TEST MODIFY COLUMN encrypt using 'AES256' NO SALT;

I did not work.

and Tom said...

http://docs.oracle.com/cd/E11882_01/server.112/e25523/parallel003.htm#i1006520


The DDL statements that can be parallelized are there.


You might consider using a parallel CTAS (create table as select) or parallel INSERT /*+ append */ into a new table in another tablespace (and then indexing/constraining/etc and dropping old/renaming new)

You could do this online with dbms_redefinition as well.

The reasons you might want a rebuild into a new structure are two fold.

a) the column you are encrypting will be going from a varying length field (assuming number/varchar2) to a fixed width field that will be much larger than your existing column. For example, if you take a varchar2(30) and encrypt it - and the average length was 15 characters - it will now be a raw field under the covers with a fixed length of 32 bytes. That would likely cause a lot of row migrations if you just did the alter - the create/insert /*+ append */ would avoid that (and you can do that without any redo/undo generation as well if you like)

b) you want to try to get rid of the tablespace that contained this information anyway - because there will be remnants of this column in that tablespace (we do not zero things out necessarily). When encrypting data - you want to think about getting rid of the files that had unencrypted data in them (remember your backups, exports and archives too!)


Rating

  (2 ratings)

Is this answer out of date? If it is, please let us know via a Comment

Comments

THANKS

Gustavo Uval, March 30, 2012 - 10:36 am UTC

I going to tray dbms_redefinition y think is better.

Thanks!!!

Can we decrypt column using online redefinition?

Prabhudas, May 20, 2021 - 1:29 pm UTC

Can we decrypt column using online redefinition?
Like main table columns are encrypted and I create Interim table without encryption and redefine online?
Chris Saxon
May 21, 2021 - 12:24 pm UTC

Are you talking about Transparent Data Encryption (TDE) or manual encryption? And by online redefinition you mean dbms_redefinition?

For TDE there's no transformation for you to do; the database handles this for you. To remove it, move the table to an unencrypted tablespace.

If you've manually encrypted the data (e.g. with dbms_crypto), then yes you can use dbms_redefinition to decrypt it - provided you can do the decryption in SQL or PL/SQL (i.e. it's NOT encrypted in the mid-tier language).
more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's channel and Chris's channel from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.

More to Explore

Hints

Need more information on hints? Check out the complete hint descriptions