Re: Oracle 11g Advanced Security Option

From: Stefan Knecht <>
Date: Thu, 4 Dec 2008 23:10:49 +0100
Message-ID: <>

AFAIK ASO has always been an option to the enterprise edition - and therefore subject to additional license cost.

There's several ways of doing encryption inside the database:

  • Application-level encryption You leave the encryption (and key management) to the application
  • DBMS_CRYPTO (formerly DBMS_OBFUSCATION_TOOLKIT) Sort of an intermediate solution. The database does the encryption for you, but you need to manage the keys
  • ASO IMHO the easiest solution, and probably also the most reliable one (from a security point of view), and with encryptable tablespaces (new in 11g) also the one that will have the least impact to your performance.

You should check with your application folks what is possible for you. ASO works good, and it's used by several clients of mine (the 10gr2 version of it, encrypting columns, not tablespaces) -- but you need to make sure you can take the performance implications of this feature in your environment.


Stefan P Knecht
Senior Consultant
Systems Engineering

Seestrasse 97
CH-8800 Thalwil

Mobile +41-79-571 36 27


On Thu, Dec 4, 2008 at 10:17 PM, Peter Barnett <> wrote:

> Is anyone using this product? We have a need to encrypt one column in a
> table for compliance reasons. It looks like 9i or 10g TDE would do the job
> for us but we build applications at the highest release available which is
> 11g. The quandry is that in 11g this appears to now be a separately
> licensed product.
> If anyone has any real world experience with ASO I would appreciate hearing
> about it. It sure seems like a lot of money to encrypt one column. On the
> other hand, one of our competitors had a laptop with unencrypted PII stolen
> and it ended up costing them millions so, it may actually be pretty cheap.
> Thanks in advance.
> Pete Barnett
> Database Technologies Lead
> Regence
> --

Received on Thu Dec 04 2008 - 16:10:49 CST

Original text of this message