Re: Simple Transparent Data Encryption (TDE) Questions

From: Lyall personal <>
Date: Tue, 16 Dec 2014 16:32:23 -0500
Message-ID: <>

Something that i"m coming to learn but TDE is that it has nothing to do with want happens after you log into the database. TDE encrypts column data in the datafiles so you can't use a HEX editor to look at that data. 
There is no "Authorized UserA" as far as TDE is concerned. That's all taken care of through permissions, fine-grained or otherwise.
After that, auditing might play a part. ‎Oracle Vault. Data Masking when refreshing test system, etc

Not sure about the second question. We only use Column encryption at our company

Sent from my BlackBerry 10 smartphone.
From: Chris Taylor
Sent: Tuesday, December 16, 2014 2:26 PM
Reply To:
Subject: Simple Transparent Data Encryption (TDE) Questions

I'm hoping you guys can help me out here as I'm dipping my toes in the Data Encryption pool.  What I'm looking for is a high level answer to the questions below *while* I read through the Advanced Security documentation.

I understand that TDE has 2 potential components - Tablespace Encryption and Table/Column Encryption.

I understand (I think) that Tablespace Encryption is invisible to applications & users - the data in encrypted as it is written to database files and unencrypted when the database engine reads that data back into the database as part of a query.

Now my questions are related to TABLE/COLUMN encryption and I'm a looking for a 10,000 foot view answer right now (not a highly detailed answer):

1.) With TDE on Tables/Columns, and using a wallet that is setup, how does a SPECIFIC user/application interface with the data that is encrypted and authenticate to see the unecrypted data?
UNauthorized UserA looks up a Credit Card Number in TableA and sees data that is encrypted and cannot read the number.

AUthorized UserB/Application looks up a CC# in TableA and sees the unecrypted data and can continue processing it in a meaningful way.

What I'm trying to figure out is if AUTHORIZED users/applications have to unlock the data (or re-authorize) each time they login to the database, or what?  How do they "unlock" the data - an automated wallet setup, or do they have to execute a pl/sql block to authenticate?

2.) Can you use both Tablespace Encryption and Table/Column encryption?  I'm curious how they work together if both are in use - is the data double encrypted when it gets written to disk?

Thanks for any help!!!

Chris Taylor

-- Received on Tue Dec 16 2014 - 22:32:23 CET

Original text of this message