RE: Oracle TDE Question

From: Powell, Mark <>
Date: Fri, 26 Feb 2016 18:07:18 +0000
Message-ID: <>

Hans, my thinking is that while there may be a lot of lookup tables in the system the total size of the lookup tables is usually small in data terms compared to the whole. You only incur a encryption cost on reading or writing the table block into the buffer so with heavily used blocks since those blocks are likely to remain cached for significant periods of time the overhead will be low. By encrypting every tablespace you eliminate the possibility of someone moving a table with sensitive data from an encrypted tablespace to an unencrypted one. You also eliminate the worry of sensitive data being copied to a new table which is not designated as sensitive from a storage point of view. In simple terms uniformity is easier to manage.

From: [] On Behalf Of Hans Forbrich Sent: Thursday, February 25, 2016 12:45 PM To:
Subject: Re: Oracle TDE Question

Many applications have significant numbers of code/value lookup tables.

Many applications, especially 3-tier applications, do validation using those lookup tables.

In many cases those code tables are not sensitive.

Unless appropriate caching is used (keep cache), bashing against encrypted storage introduce unnecessary overhead.

I totally agree when you talk about 'business-generated' data. But the list of countries, states, cities ...?


On 25/02/2016 10:13 AM, Powell, Mark wrote: I am of the opinion that if you buy TDE you should use probably use it on all tablespaces. When you really consider it most business data is sensitive. Most of the data may not need access within the company restricted, but you would not want your competition or a hacker to have access so encrypting the disk version makes business sense.

Make sure management and developers understand use of TDE in no way excuses lack of control of the object level privileges.

From:<> [] On Behalf Of MJ Mody Sent: Thursday, February 25, 2016 9:58 AM To:<> Cc:<> Subject: Re: Oracle TDE Question

A valid question here is if your organization has previously gone through the exercise of identifying PII. Should this be the case than it is known which objects should utilize the encrypted tablespaces. In interest of time, is it prudent to enable TDE on all tablespaces? That said overall overhead Oracle says is 6%-8% with TDE.

On Feb 25, 2016, at 7:54 AM, Chris Taylor <<>> wrote: I think I know the answer to this question, but want to confirm for completeness.

When you use Oracle TDE (with the appropriate licenses of course), is it supported to have both non-encrypted tablespaces and encrypted tablespaces in the same database, correct?

If it's not I'd be surprised but wanted to confirm.


Chris Taylor

Received on Fri Feb 26 2016 - 19:07:18 CET

Original text of this message