Provisioning an Oracle database in Oracle Cloud Infrastructure (OCI) is quick and easy: it takes no more than a few mouse clicks, and your database is ready within minutes. Once you have provisioned a 12.2 database (which includes all 18c releases) in OCI, you will notice the following:
Because the 'encrypt_new_tablespaces' system parameter defaults to CLOUD_ONLY, every new application tablespace is encrypted automatically with AES128, even when the ENCRYPTION clause is omitted from the 'create tablespace' command.
Databases in OCI are created with an auto-open wallet, but the wallet password is still required for any further wallet operation. The default wallet password is the administrator password you provided in the web form when you initially provisioned the database.
To complete the TDE configuration, set the ORACLE_UNQNAME environment variable at the OS level (in .bash_profile) and in Server Control (srvctl), because even single-instance databases in OCI run on Oracle Grid Infrastructure. In a single-instance database, ORACLE_UNQNAME is usually the same as the ORACLE_SID; in RAC databases, ORACLE_UNQNAME is the ORACLE_SID without the trailing instance number. For example, a two-node RAC with ORACLE_SIDs FINRAC1 and FINRAC2 has the ORACLE_UNQNAME FINRAC.
SYS:CDB$ROOT> show pdbs;

    CON_ID CON_NAME   OPEN MODE  RESTRICTED
    ------ ---------- ---------- ----------
         2 PDB$SEED   READ ONLY  NO
         3 FINPDB     READ WRITE NO
If the source PDB is open READ WRITE, the next command creates a "hot" clone, which requires local UNDO tablespaces and archive logging to be enabled. If that is not feasible, close the source PDB and reopen it READ ONLY for the duration of the clone.
SYS:CDB$ROOT> create pluggable database TESTPDB from FINPDB keystore identified by "wallet-pwd";
This guarantees that your source database (which might contain sensitive data) can only be cloned by an administrator who knows the wallet password.
SYS:CDB$ROOT> alter pluggable database TESTPDB open;
Now the new pluggable database needs its own encryption key. Connect to TESTPDB and execute:
SYS:TESTPDB> administer key management set key force keystore identified by "wallet-pwd" with backup [container = current];
To test, select data from a table that is stored in an encrypted tablespace, or create a new tablespace which will be encrypted by default; in both cases, the cloned database will use its own master encryption key that was created in the previous step.
SYS:TESTPDB> create tablespace PROTECTED datafile size 50m;
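The following verification script is an added example, not part of the original post; it checks the outcome of the clone procedure above using the same names (FINPDB, TESTPDB, PROTECTED) and the standard V$ encryption views, so that an administrator can confirm the clone has its own master key and that the default encryption actually applied.

```sql
-- Added verification script (not from the original post). Run as SYS
-- in the CDB. Assumes the names used above: FINPDB, TESTPDB, PROTECTED.

-- 1. From CDB$ROOT: confirm the parameter that encrypts new tablespaces.
ALTER SESSION SET CONTAINER = CDB$ROOT;
SELECT name, value, isdefault
  FROM v$parameter
 WHERE name = 'encrypt_new_tablespaces';        -- OCI default: CLOUD_ONLY

-- 2. The wallet must be OPEN in the root and in every PDB.
--    WALLET_TYPE = AUTOLOGIN is what an OCI auto-open wallet reports.
SELECT con_id, wrl_type, wallet_type, status
  FROM v$encryption_wallet
 ORDER BY con_id;

-- 3. Master keys per container, with the PDB that created each one.
--    After the "set key" step, TESTPDB (CON_ID 4 if it was the next PDB)
--    must show a key of its own, not only the key inherited from FINPDB.
SELECT con_id, creator_pdbname, key_id, activation_time
  FROM v$encryption_keys
 ORDER BY con_id, activation_time;

-- 4. Inside the clone: the new tablespace is encrypted and tied to a key.
ALTER SESSION SET CONTAINER = TESTPDB;
SELECT t.tablespace_name, t.encrypted, e.encryptionalg, e.encryptedts, e.masterkeyid
  FROM dba_tablespaces          t
  JOIN v$tablespace             v ON v.name = t.tablespace_name
  JOIN v$encrypted_tablespaces  e ON e.ts#  = v.ts#
 WHERE t.tablespace_name = 'PROTECTED';
-- expected: ENCRYPTED = YES, ENCRYPTIONALG = AES128, ENCRYPTEDTS = YES

-- 5. Any permanent application tablespace still unencrypted is a finding.
--    SYSTEM and SYSAUX are excluded here as an assumption about what the
--    database creates unencrypted by itself; adjust to your baseline.
SELECT tablespace_name
  FROM dba_tablespaces
 WHERE contents  = 'PERMANENT'
   AND encrypted = 'NO'
   AND tablespace_name NOT IN ('SYSTEM', 'SYSAUX');
```

Step 3 is the one that distinguishes a clone that merely copied FINPDB's key from one that was given its own key, which is the point of the ADMINISTER KEY MANAGEMENT SET KEY step above.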
If you are interested in learning more about other use cases, please let me know in the comment section below. To learn more about Oracle Database Security and Oracle Cloud Infrastructure, please visit our web pages.