Simplified TDE configuration in Oracle Database 23ai Free

Oracle recently released Database 23ai, taking over from Database 19c as the current Long Term Support Release. As part of the release the Database Free RPM, VM, and container image were updated to 23.4.0.24.05. This might be a good time to update lab VMs!

Installing the oracle-database-free-23ai RPM

If you are installing the database software on a VM using the RPM you may be pleasantly surprised to see a new-ish option in /etc/sysconfig/oracle-free-23ai.conf:

#This is a configuration file to setup the Oracle Database.
#It is used when running '/etc/init.d/oracle-free-23ai configure'.

# LISTENER PORT used Database listener, Leave empty for automatic port assignment
LISTENER_PORT=1521

# Character set of the database
CHARSET=AL32UTF8

# Database file directory
# If not specified, database files are stored under Oracle base/oradata
DBFILE_DEST=

# DB Domain name
DB_DOMAIN=

# Configure TDE
CONFIGURE_TDE=false

# Encrypt Tablespaces list, Leave empty for user tablespace alone or provide ALL for encrypting all tablespaces
# For specific tablespaces use SYSTEM:true,SYSAUX:false
ENCRYPT_TABLESPACES=

# SKIP Validations, memory, space
SKIP_VALIDATIONS=false

Have a look at line 18: CONFIGURE_TDE – how nice 🙂 Flipping that switch to true you will get a database with TDE enabled after executing sudo /etc/init.d/oracle-free-23ai configure. Here is the output of the database creation:

Specify a password to be used for database accounts. Oracle recommends that the password entered 
should be at least 8 characters in length, contain at least 1 uppercase character, 1 lower case character
and 1 digit [0-9]. Note that the same password will be used for SYS, SYSTEM and PDBADMIN accounts:
Confirm the password:
Configuring Oracle Listener.
Listener configuration succeeded.
Configuring Oracle Database FREE.
Enter SYS user password: 
*******
Enter SYSTEM user password: 
*********
Enter PDBADMIN User Password: 
******
Enter password for the TDE wallet: 
*******
Prepare for db operation
7% complete
Copying database files
8% complete
29% complete
Creating and starting Oracle instance
30% complete
33% complete
36% complete
39% complete
43% complete
Completing Database Creation
47% complete
49% complete
50% complete
Creating Pluggable Databases
54% complete
71% complete
Executing Post Configuration Actions
93% complete
Running Custom Scripts
100% complete
Database creation complete. For details check the logfiles at:
 /opt/oracle/cfgtoollogs/dbca/FREE.
Database Information:
Global Database Name:FREE
System Identifier(SID):FREE
Look at the log file "/opt/oracle/cfgtoollogs/dbca/FREE/FREE.log" for further details.

Connect to Oracle Database using one of the connect strings:
     Pluggable database: oracle23aifree/FREEPDB1
     Multitenant container database: oracle23aifree

The database was indeed created with Transparent Data Encryption enabled as a quick check revealed:

SQLcl: Release 23.4 Production on Mon May 13 10:28:51 2024

Copyright (c) 1982, 2024, Oracle.  All rights reserved.

Connected to:
Oracle Database 23ai Free Release 23.0.0.0.0 - Develop, Learn, and Run for Free
Version 23.4.0.24.05

SQL> select wrl_parameter, status, wallet_type, keystore_mode, con_id from v$encryption_wallet;

WRL_PARAMETER                              STATUS    WALLET_TYPE    KEYSTORE_MODE       CON_ID 
__________________________________________ _________ ______________ ________________ _________ 
/opt/oracle/admin/FREE/wallet_root/tde/    OPEN      AUTOLOGIN      NONE                     1 
                                           OPEN      AUTOLOGIN      UNITED                   2 
                                           OPEN      AUTOLOGIN      UNITED                   3

If you wondered if the relevant tablespaces were encrypted, this might answer your question:

SQL> SELECT
  2      c.name          AS pdb_name,
  3      t.name          AS tbs_name,
  4      e.encryptionalg AS alg,
  5      e.status
  6  FROM
  7      v$tablespace            t,
  8      v$encrypted_tablespaces e,
  9      v$containers            c
 10  WHERE
 11      e.ts# = t.ts#
 12      AND e.con_id = t.con_id
 13      AND e.con_id = c.con_id
 14  ORDER BY
 15      e.con_id,
 16      t.name
 17* /

PDB_NAME    TBS_NAME    ALG       STATUS    
___________ ___________ _________ _________ 
CDB$ROOT    USERS       AES256    NORMAL    
FREEPDB1    SYSAUX      AES256    NORMAL    
FREEPDB1    SYSTEM      AES256    NORMAL    
FREEPDB1    USERS       AES256    NORMAL

You can tweak which tablespaces to encrypt, too, see ENCRYPT_TABLESPACES in the above configuration file.

Summary

Enabling TDE for Oracle Database Free 23.4.0.24.05 couldn’t be easier. Simply change a configuration parameter and create the database. This option saves a lot of time if you like to create a TDE-enabled database. Using TDE with Oracle Database 23ai Free is a great stepping stone to preparing for a cloud migration of your database.

Simplified TDE configuration in Oracle Database 23ai Free

Installing the oracle-database-free-23ai RPM

Summary

Martin Bach

Creating a GraphQL endpoint … within the database

Navigating Third-Party Library Compatibility in SuiteScript 2.1: A Blog Series

Simplified TDE configuration in Oracle Database 23ai Free

Installing the oracle-database-free-23ai RPM

Summary

Authors

Martin Bach

Creating a GraphQL endpoint … within the database

Navigating Third-Party Library Compatibility in SuiteScript 2.1: A Blog Series