Re: TDE

From: <ckirsch.lists_at_gmail.com>
Date: Mon, 5 Jan 2009 07:18:14 -0800 (PST)
Message-ID: <439ed476-a645-402a-a6e0-b58adde7f3c2_at_q30g2000prq.googlegroups.com>

Yes, TDE only encrypts the data at rest, i.e. in storage. The data is decrypted in memory and over the wire. The primary reason to use TDE is to protect the data on the disk and on backups. If security over the wire is a concern, Oracle offers additional security packages to solve this problem.

When you encrypt using TDE, I would recommend tablespace encryption because it doesn't cause a performance drain and has no foreign key limitations. Other forms of DB encryption, such as table or column encryption, cause your server to lose performance and limit some operations so they're not very easy to retrofit into existing infrastructures.

I agree with Tim that you need to ensure that you handle the keys properly. A hard-coded key is very bad practice. If you encrypt, I would also urge you not to use the Oracle e-wallet because it contains the key on the hard disk, so the key would also end up in the backup, which defeats the purpose of encryption.

To solve this problem, I would recommend using a hardware security module (HSM) which securely stores the encryption key in hardware and makes it available to Oracle databases for TDE. This way, the key can never end up on the hard disk or the backup. It also enables you to share keys across servers for better key management.

My employer (Thales, formerly known as nCipher), produces HSMs that are compatible with Oracle 11g TDE. You will find additional information here:
http://www.ncipher.com/en/Solutions/Business%20Solutions/Databases.aspx
http://www.ncipher.com/en/Products/Hardware%20Security%20Modules/netHSM.aspx

Regards,

Chris Kirsch, Thales

Received on Mon Jan 05 2009 - 09:18:14 CST
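The three points the reply makes (tablespace encryption rather than column encryption, the foreign-key limitation of column encryption, and keeping the master key off the disk that gets backed up) can be seen side by side in Oracle 11g DDL and sqlnet.ora settings. The following is an added example written for this archive page; it is not code from Chris Kirsch's message, from Thales/nCipher, or from Oracle documentation. Object names, file paths, the wallet directory and the HSM credential string are placeholders, and the exact HSM credential format is an assumption that must be checked against the HSM vendor's Oracle integration guide.

```sql
-- Added example (not from the original message). Oracle 11g TDE syntax;
-- all names, paths and credentials below are constructed placeholders.

----------------------------------------------------------------------
-- 1. Column-level TDE: the form the reply advises against for retrofits.
--    Each ENCRYPT column is encrypted/decrypted on access (CPU cost), and
--    an encrypted column cannot take part in a FOREIGN KEY constraint.
----------------------------------------------------------------------
CREATE TABLE hr.employee_pii (
    emp_id    NUMBER PRIMARY KEY,
    -- NO SALT is required if the column is ever to be indexed
    ssn       VARCHAR2(11) ENCRYPT USING 'AES256' NO SALT,
    dob       DATE         ENCRYPT USING 'AES256'
);

-- Before attempting column encryption on an existing schema, list the
-- columns that already participate in foreign keys (constraint_type 'R');
-- these are the ones column-level TDE cannot be applied to.
SELECT cc.owner, cc.table_name, cc.column_name, c.constraint_name
FROM   dba_cons_columns cc
JOIN   dba_constraints  c
       ON c.owner = cc.owner AND c.constraint_name = cc.constraint_name
WHERE  c.constraint_type = 'R'
AND    cc.owner = 'HR'
ORDER  BY cc.table_name, cc.column_name;

----------------------------------------------------------------------
-- 2. Tablespace-level TDE: the form the reply recommends. Every block
--    written to the datafile is encrypted at the I/O layer, so tables
--    keep their indexes, foreign keys and query plans unchanged.
----------------------------------------------------------------------
CREATE TABLESPACE secure_ts
    DATAFILE '/u01/app/oracle/oradata/orcl/secure_ts01.dbf' SIZE 100M
    ENCRYPTION USING 'AES256'
    DEFAULT STORAGE (ENCRYPT);

-- Retrofit: move an existing table (and rebuild its indexes) into the
-- encrypted tablespace instead of altering individual columns.
ALTER TABLE hr.employee_pii MOVE TABLESPACE secure_ts;
ALTER INDEX hr.employee_pii_pk REBUILD TABLESPACE secure_ts;

-- Verify which tablespaces are encrypted.
SELECT tablespace_name, encrypted FROM dba_tablespaces ORDER BY 1;

----------------------------------------------------------------------
-- 3. Master key location. The reply's concern: a file wallet stores the
--    master key on the same host (and therefore in the same backups) as
--    the data it protects. The HSM setting keeps the key in hardware.
--    These are sqlnet.ora entries, shown here as comments.
--
-- Weak setting (software wallet on local disk):
--   ENCRYPTION_WALLET_LOCATION=
--     (SOURCE=(METHOD=FILE)
--       (METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/orcl/wallet)))
--
-- Hardened setting (master key held by an HSM via its PKCS#11 library;
-- the DIRECTORY is only consulted when migrating an existing wallet):
--   ENCRYPTION_WALLET_LOCATION=
--     (SOURCE=(METHOD=HSM)
--       (METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/orcl/wallet)))
----------------------------------------------------------------------

-- With METHOD=HSM the credential passed to Oracle is the HSM partition
-- user and password (assumed format "user_id:password"; vendor-specific).
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "HSM_USER_PLACEHOLDER:HSM_PASSWORD_PLACEHOLDER";

-- After a restart the key store must be opened before encrypted
-- tablespaces are readable; a database whose backups are restored
-- elsewhere without access to the HSM cannot open them.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "HSM_USER_PLACEHOLDER:HSM_PASSWORD_PLACEHOLDER";

-- Confirm the wallet state and backing type.
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;
```

The foreign-key query is the practical pre-check for the limitation the reply mentions: any column it returns rules out column-level TDE on that table without schema changes, which is the usual reason tablespace encryption is the only realistic retrofit. The two sqlnet.ora fragments show the same database with the master key on disk versus in the HSM; only the second arrangement satisfies the reply's requirement that the key never be written to the host's filesystem or its backups.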
