Simple Transparent Data Encryption (TDE) Questions

From: Chris Taylor <>
Date: Tue, 16 Dec 2014 13:25:09 -0600
Message-ID: <>

I'm hoping you guys can help me out here as I'm dipping my toes in the Data Encryption pool. What I'm looking for is a high level answer to the questions below *while* I read through the Advanced Security documentation.

I understand that TDE has 2 potential components - Tablespace Encryption and Table/Column Encryption.

I understand (I think) that Tablespace Encryption is invisible to applications & users - the data in encrypted as it is written to database files and unencrypted when the database engine reads that data back into the database as part of a query.

Now my questions are related to TABLE/COLUMN encryption and I'm a looking for a 10,000 foot view answer right now (not a highly detailed answer):

1.) With TDE on Tables/Columns, and using a wallet that is setup, how does a SPECIFIC user/application interface with the data that is encrypted and authenticate to see the unecrypted data? Example:
UNauthorized UserA looks up a Credit Card Number in TableA and sees data that is encrypted and cannot read the number.

AUthorized UserB/Application looks up a CC# in TableA and sees the unecrypted data and can continue processing it in a meaningful way.

What I'm trying to figure out is if AUTHORIZED users/applications have to unlock the data (or re-authorize) each time they login to the database, or what? How do they "unlock" the data - an automated wallet setup, or do they have to execute a pl/sql block to authenticate?

2.) Can you use both Tablespace Encryption and Table/Column encryption? I'm curious how they work together if both are in use - is the data double encrypted when it gets written to disk?

Thanks for any help!!!

Chris Taylor

Received on Tue Dec 16 2014 - 20:25:09 CET

Original text of this message