Oracle's SPARC T4 processor with Encryption Instruction Accelerators greatly improves performance over software implementations. This will greatly expand the use of TDE for many customers.
Oracle's SPARC T4-2 server is over 42% faster than Oracle's Sun Fire X4270 M2 (Intel AES-NI) when running DSS-style queries referencing an encrypted tablespace.
Oracle's Transparent Data Encryption (TDE) feature of the Oracle Database simplifies the encryption of data within datafiles, preventing unauthorized access to it from the operating system. Tablespace encryption allows encryption of the entire contents of a tablespace.
TDE tablespace encryption has been certified with Siebel, PeopleSoft, and Oracle E-Business Suite applications.
Total Query Time (time in seconds)

| System | GHz | AES-128 | AES-192 | AES-256 |
|---|---|---|---|---|
| SPARC T4-2 server | 2.85 | 588 | 588 | 588 |
| Sun Fire X4270 M2 (Intel X5690) | 3.46 | 836 | 841 | 842 |
| SPARC T4-2 Advantage | | 42% | 43% | 43% |
To test the performance of TDE, a 1 TB database was created. To demonstrate secure transactions, four 25 GB tables emulating customer private data were created: clear text, encrypted AES-128, encrypted AES-192, and encrypted AES-256. Eight queries of varying complexity that join on the customer table were executed.
The time spent scanning the customer table during each query was measured and query plans analyzed to ensure a fair comparison, e.g. no broken queries. The total query time for all queries is reported.
Oracle Database 11g Release 2 is required for SPARC T4 processor Encryption Instruction Accelerators support with TDE tablespaces.
TDE tablespaces support the SPARC T4 processor Encryption Instruction Accelerators for Advanced Encryption Standard (AES) only.
AES-CFB is the mode used in the Oracle database with TDE.
Prior to using TDE tablespaces you must create a wallet and set up an encryption key. Here is one method to do that:
Create a wallet entry in $ORACLE_HOME/network/admin/sqlnet.ora.

    ENCRYPTION_WALLET_LOCATION=
      (SOURCE=(METHOD=FILE)(METHOD_DATA=
        (DIRECTORY=/oracle/app/oracle/product/11.2.0/dbhome_1/encryption_wallet)))

Set an encryption key. This also opens the wallet.

    $ sqlplus / as sysdba
    SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "tDeDem0";

On subsequent instance startup, open the wallet.

    $ sqlplus / as sysdba
    SQL> STARTUP;
    SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "tDeDem0";
TDE tablespace encryption and decryption occur on physical writes and reads of database blocks, respectively.
For parallel query using direct path reads, decryption overhead varies inversely with the complexity of the query.
For a simple full table scan query, overhead can be reduced and performance improved by reducing the degree of parallelism (DOP) of the query.
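
Once the wallet steps above are done, the following added example (not part of the original benchmark write-up) creates one encrypted tablespace per AES key length, verifies that encryption is actually in effect, and runs a full scan at an explicit DOP. The schema name DEMO, the tablespace, table and datafile names, the sizes and the DOP value are constructed assumptions.

```sql
-- Added example: DEMO, cust_aes*, the datafile paths, sizes and DOP are constructed placeholders.

-- 1. The wallet named in sqlnet.ora must report STATUS = 'OPEN'.
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

-- 2. One encrypted tablespace per AES key length used in the test.
CREATE TABLESPACE cust_aes128
  DATAFILE '/u01/oradata/demo/cust_aes128_01.dbf' SIZE 100M
  ENCRYPTION USING 'AES128' DEFAULT STORAGE (ENCRYPT);

CREATE TABLESPACE cust_aes192
  DATAFILE '/u01/oradata/demo/cust_aes192_01.dbf' SIZE 100M
  ENCRYPTION USING 'AES192' DEFAULT STORAGE (ENCRYPT);

CREATE TABLESPACE cust_aes256
  DATAFILE '/u01/oradata/demo/cust_aes256_01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256' DEFAULT STORAGE (ENCRYPT);

-- 3. Keep the primary-key index in the encrypted tablespace as well;
--    without USING INDEX TABLESPACE it lands in the owner's default tablespace.
CREATE TABLE demo.customer_aes256 (
  cust_id   NUMBER PRIMARY KEY USING INDEX TABLESPACE cust_aes256,
  cust_name VARCHAR2(100),
  card_no   VARCHAR2(19)
) TABLESPACE cust_aes256;

-- 4. Confirm the algorithm each tablespace was created with.
SELECT t.name AS tablespace_name, e.encryptionalg, e.encryptedts
FROM   v$tablespace t
JOIN   v$encrypted_tablespaces e ON e.ts# = t.ts#
ORDER  BY t.name;

-- 5. Audit: any DEMO segment (table or index) still stored unencrypted.
--    An empty result is the expected outcome.
SELECT s.segment_name, s.segment_type, s.tablespace_name
FROM   dba_segments s
JOIN   dba_tablespaces ts ON ts.tablespace_name = s.tablespace_name
WHERE  s.owner = 'DEMO' AND ts.encrypted = 'NO';

-- 6. Simple full table scan with an explicit DOP; rerun with other values
--    and compare elapsed time to see the decryption overhead noted above.
SELECT /*+ FULL(c) PARALLEL(c, 4) */ COUNT(*)
FROM   demo.customer_aes256 c;
```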