Oracle Database uses authentication, authorization, and auditing mechanisms to secure data in the database, but not in the operating system data files where that data is stored. To protect these data files, Oracle Database provides Transparent Data Encryption (TDE). TDE encrypts sensitive data stored in data files. To prevent unauthorized decryption, TDE stores the encryption keys in a security module external to the database. The terms used for this security module are as follows:
- TDE wallets are wallets used only for TDE. They cannot contain other security artifacts such as certificates. In previous releases, they were called software keystores or just wallets.
- External keystores refer to Oracle Key Vault or Oracle Cloud Infrastructure (OCI) Key Management Service (KMS).
- Keystores is a generic term for both TDE wallets and external keystores.
Transparent Data Encryption (TDE) enables you to encrypt sensitive data stored in tables, in tablespaces, and in database backups.
After the data is encrypted, it is transparently decrypted for authorized users or applications when they access it. TDE helps protect data stored on media (also called data at rest) if the storage media or data file is stolen. Because decryption is transparent, TDE does not protect data from a user who is already authorized in the database; that remains the job of the authentication, authorization, and auditing controls described above.
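The following is an added example, not part of the original Oracle documentation page, showing the sequence a DBA would run to set up a file-based TDE wallet, create a master key, and encrypt a tablespace and a column, then verify the result. It assumes Oracle Database 19c or later (so that WALLET_ROOT and TDE_CONFIGURATION are available), a session with SYSKM or SYSDBA privilege, and the hypothetical directory paths, tablespace, table, and password shown.

```sql
-- Added example (not from the Oracle documentation page): minimal TDE setup
-- with a file-based TDE wallet on Oracle Database 19c or later.
-- Assumed values: /etc/ORACLE/KEYSTORES/orcl, /u01/oradata/orcl, the hr_enc
-- tablespace, the hr.employee_ids table, and the password. Keep the wallet
-- password and the wallet backup off the host path that holds the data files,
-- otherwise a stolen disk image contains both ciphertext and key.

-- 1. Point the database at the wallet directory (static parameter; restart needed).
ALTER SYSTEM SET WALLET_ROOT = '/etc/ORACLE/KEYSTORES/orcl' SCOPE = SPFILE;
-- (restart the instance here)

-- 2. Declare a file-based TDE wallet rather than an external keystore.
ALTER SYSTEM SET TDE_CONFIGURATION = 'KEYSTORE_CONFIGURATION=FILE' SCOPE = BOTH;

-- 3. Create the password-protected wallet under WALLET_ROOT/tde and open it.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "W4llet-Passw0rd";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "W4llet-Passw0rd";

-- 4. Generate the TDE master encryption key; WITH BACKUP copies the wallet first.
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "W4llet-Passw0rd" WITH BACKUP;

-- 5. Check that the wallet reports STATUS = OPEN before encrypting anything.
SELECT wrl_type, wrl_parameter, status, wallet_type
  FROM v$encryption_wallet;

-- 6. Tablespace-level encryption: every object placed in hr_enc is encrypted.
CREATE TABLESPACE hr_enc
  DATAFILE '/u01/oradata/orcl/hr_enc01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256' ENCRYPT;

-- 7. Column-level encryption for a single sensitive column. NO SALT is
--    required if the column is to be indexed; the default is SALT.
CREATE TABLE hr.employee_ids (
  emp_id NUMBER PRIMARY KEY,
  ssn    VARCHAR2(11) ENCRYPT USING 'AES256' NO SALT
);

-- 8. Verify what is encrypted. Authorized sessions still read plaintext;
--    only the data files and their backups hold ciphertext.
SELECT t.name AS tablespace_name, e.encryptionalg, e.status
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;

SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;
```

Two checks worth keeping as routine: `v$encryption_wallet` must show the wallet OPEN after every instance restart (a password-protected wallet does not open itself unless you also create an auto-login wallet), and `dba_encrypted_columns` together with `v$encrypted_tablespaces` is the inventory you compare against your list of sensitive data to find anything still stored in the clear.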