Transparent Data Encryption
Four easy steps
When a database is initially prepared for TDE, the master key is created with this simple command:
SQL> alter system set encryption key identified by "password";
This command, which can be issued by someone other than the DBA, creates a master key and either stores it in an existing wallet or creates a new wallet if none exists. It is issued only once. If the wallet is lost, the command does not re-create the master key (even if the identical password is used); it creates a new, different master key. By default, the Oracle Wallet stores a history of retired master keys, which lets you change the master key and still decrypt data that was encrypted under an old one. Because the case-sensitive wallet password may be unknown to the DBA, this provides separation of duty: the DBA may be able to restart the database, but after the restart the wallet is closed and must be manually opened by a 'Security DBA' who knows the wallet password. The command to open the wallet is:
SQL> alter system set encryption wallet open identified by "password";
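The steps above, with the status checks a Security DBA would run around them, as an added SQL*Plus example that is not part of the original article. The wallet password, the customers table and its rows are constructed placeholders.

```sql
-- Added example (not from the original article): the TDE setup sequence with
-- verification queries around it. Wallet password, schema objects and sample
-- rows are placeholders / constructed values.

-- 1. One-time master key creation. Re-running this after the wallet is lost
--    creates a NEW master key; it does not recover the old one.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "WalletPassword#1";

-- 2. Confirm the wallet is present and open. STATUS is OPEN, CLOSED or
--    NOT_AVAILABLE; WRL_PARAMETER shows the wallet location in use.
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

-- 3. Encrypt a column with TDE (AES192 is the default; an explicit USING
--    clause is shown for clarity). Constructed sample table and row.
CREATE TABLE customers (
  cust_id   NUMBER PRIMARY KEY,
  cust_name VARCHAR2(80),
  card_no   VARCHAR2(19) ENCRYPT USING 'AES256'
);
INSERT INTO customers VALUES (1, 'Sample Customer', '4111-1111-1111-1111');
COMMIT;

-- 4. Reproduce the post-restart state: with the wallet closed, encrypted
--    columns are unreadable until the Security DBA opens it again.
--    (Older releases use CLOSE without the IDENTIFIED BY clause.)
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "WalletPassword#1";
SELECT status FROM v$encryption_wallet;             -- CLOSED
SELECT card_no FROM customers WHERE cust_id = 1;    -- fails: ORA-28365 wallet is not open
SELECT cust_name FROM customers WHERE cust_id = 1;  -- still works: column is not encrypted

-- 5. Security DBA opens the wallet; encrypted data is readable again.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "WalletPassword#1";
SELECT card_no FROM customers WHERE cust_id = 1;    -- returns the plaintext

-- Audit which columns are TDE-encrypted and with which algorithm.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;
```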