Re: 11g Tablespace Encryption

From: Tim Gorman <>
Date: Fri, 14 Sep 2007 09:40:44 -0600

I can't even spell "Oracle11g" yet, but chances are good that
decryption takes place when a block is read into the Buffer Cache, and
encryption when it is written to disk by LGWR, DBWR, or a direct-path load.

Sorts and hashes are performed in "private" process memory and flushed to disk in a "direct path write" operation, so presumably encryption happens then. When sort/hash information is read back into private process memory during a "direct path read", presumably decryption occurs. This is important because otherwise encryption would affect both sorting and hash results.

Ditto for I/O to/from undo and "permanent" objects -- flushes by DBWn processes perform encryption, reads back up into Buffer Cache perform decryption.  Ditto for LGWR -- flushes to online redo logfiles perform encryption, and ARCn processes don't know anything about encryption -- not their job.

This is all speculation, but it would be my operating hypothesis going forward until disproven...
Tim Gorman
consultant - Evergreen Database Technologies, Inc.
P.O. Box 1802, Evergreen CO  80437-1802
website =
email   =
mobile  = +1-303-885-4526
fax     = +1-303-484-3608

Andrew Kerber wrote:
I wonder how that affects a database clone or restore to another location?

On 9/14/07, Ted Coyle < > wrote:
I attended a Tom Kyte Oracle presentation yesterday where he discussed 11g
Tablespace encryption among other features. A  question came up in one of
the technical sessions concerning when the decryption took place and does
any of the encrypted data ever wind up unencrypted in any of Undo/Redo/Temp
control structures.  The presenter didn't have an answer and Tom had zoomed
out of there after the keynote so no chance to "Ask Tom Live" so to speak.

Here's what I found in the 11g docs:
"Transparent encryption/decryption takes place during disk input/output
(I/O) and not for every logical access to the data. This leads to improved
"The encrypted data is protected during operations like JOIN and SORT. This
means that the data is safe when it is moved to temporary tablespaces. Data
in undo and redo logs is also protected."

I'm interested in more info on this, so any links or comments are

Also, has anyone tested this feature for performance?  Tom noted possible
performance issues during the presentation.



Andrew W. Kerber

'If at first you don't succeed, don't take up skydiving.'
-- Received on Fri Sep 14 2007 - 10:40:44 CDT
