Introduction
This guide explains how to enable Transparent Data Encryption (TDE) in Oracle 19c.
TDE protects sensitive data at rest by encrypting it automatically.
We will set up the wallet, create the master key, and encrypt tablespaces.
The steps are practical for DBAs who need secure database storage.
Step:-1 Configure the Wallet Root
[oracle@localhost ~]$ . .19c.env
[oracle@localhost ~]$ sqlplus / as sysdba
SQL> startup
ORACLE instance started.
Total System Global Area 2936008960 bytes
Fixed Size 8900864 bytes
Variable Size 452984832 bytes
Database Buffers 2466250752 bytes
Redo Buffers 7872512 bytes
Database mounted.
Database opened.
SQL> select banner from v$version;
BANNER
——————————————————————————–
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 – Production
SQL> show parameter tde_configuration
NAME TYPE VALUE
———————————— ———– ——————————
tde_configuration string
SQL> show parameter wallet_root
NAME TYPE VALUE
———————————— ———– ——————————
wallet_root string
Now Going to change this parameter
Backup parameter file:-
SQL> create pfile=’${ORACLE_BASE}/admin/${ORACLE_SID}/pfile/${ORACLE_SID}-`date +%F`.ora’ from spfile;
File created.
[oracle@localhost dbs]$ cd /u02/app/oracle/admin/prod/pfile/
[oracle@localhost pfile]$ ls -lrt
total 8
-rw-r—–. 1 oracle oinstall 2297 Aug 10 23:05 init.ora.5172021231259
SQL> alter system set WALLET_ROOT=”${ORACLE_BASE}/admin/${ORACLE_SID}/wallet” scope=spfile;
System altered.
SQL> shut immediate
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup
ORACLE instance started.
Total System Global Area 2936008960 bytes
Fixed Size 8900864 bytes
Variable Size 452984832 bytes
Database Buffers 2466250752 bytes
Redo Buffers 7872512 bytes
Database mounted.
Database opened.
SQL> alter system set TDE_CONFIGURATION=”KEYSTORE_CONFIGURATION=FILE”;
System altered.
SQL> show parameter tde_configuration
NAME TYPE VALUE
———————————— ———– ——————————
tde_configuration string KEYSTORE_CONFIGURATION=FILE
SQL> show parameter wallet_root
NAME TYPE VALUE
———————————— ———– ——————————
wallet_root string /u02/app/oracle/admin/prod/
wallet
Step 2: Create the password protected key store
SQL> administer key management create keystore identified by oracledbwr;
keystore altered.
SQL> administer key management create LOCAL auto_login keystore from keystore ‘/u02/app/oracle/admin/prod/wallet/tde/’ identified by oracledbwr;
keystore altered.
SQL> exit
Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 – Production
Version 19.11.0.0.0
[oracle@localhost tde]$ ls -lrt
total 8
-rw——-. 1 oracle oinstall 2555 Aug 10 23:12 ewallet.p12
-rw——-. 1 oracle oinstall 2600 Aug 10 23:12 cwallet.sso
[oracle@localhost tde]$ pwd
/u02/app/oracle/admin/prod/wallet/tde
Check using the below query:-
select * from v$encryption_wallet;
WRL_TYPE
————————-
WRL_PARAMETER
————————-
STATUS WALLET_TYPE WALLET_OR KEYSTORE FULLY_BAC
CON_ID
————————-
FILE
————————-
/u02/app/oracle/admin/prod/wallet/tde/ OPEN_NO_MASTER_KEY LOCAL_AUTOLOGIN SINGLE NONE UNDEFINED 0
OPEN_NO_MASTER_KEY -> Keystore is already not OPEN use the below command to open
administer key management set keystore open identified by oracledbwr;
Step:-3 Setup the Master Encryption Key
SQL> administer key management set key using tag ‘oracledbwr_Tablespace_TDE’ force keystore identified by oracledbwr with backup using ‘TDE_backup’;
keystore altered.
[oracle@localhost tde]$ ls -lrt
total 20
-rw——-. 1 oracle oinstall 2555 Aug 10 19:12 ewallet_2021062113423541_TDE_backup.p12
-rw——-. 1 oracle oinstall 4187 Aug 10 01:12 ewallet.p12
-rw——-. 1 oracle oinstall 4232 Aug 10 01:12 cwallet.sso
select * from v$encryption_wallet;
select key_id,tag,keystore_type,creation_time from v$encryption_keys;
SQL> select key_id, creation_time, keystore_type, tag from v$encryption_keys;
KEY_ID
——————————-
CREATION_TIME
——————————-
KEYSTORE_TYPE
——————————-
TAG
——————————-
AVa7bjH47k9Sv2hLpvM3dB8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 10-AUG-25 01.42.35.534260 PM +00:00 SOFTWARE KEYSTORE oracledbwr_Tablespace_TDE
Step:-4 Now we go for Testing
create tablespace tde_oracledbwr_tbs datafile ‘/u02/app/oracle/oradata/PROD/tde_tbs1.dbf’ size 50M; -> Without encryption create tablespace
SQL> create tablespace tde_oracledbwr_tbs datafile ‘/u02/app/oracle/oradata/PROD/tde_tbsl.dbf’ size 50M;
Tablespace created.
SQL> select * from v$tablespace;
TS# NAME INC BIG FLA ENC CON_ID
1 SYSAUX YES NO YES YES 0
0 SYSTEM YES NO YES YES 0
2 UNDOTBS1 YES NO YES YES 0
4 USERS YES NO YES YES 0
3 TEMP NO NO YES YES 0
6 TDE_ORACLEDBWR_TBS YES NO YES YES 0
6 rows selected.
SQL> create user hari identified by hari default tablespace tde_oracledbwr_tbs quota unlimited on tde_oracledbwr_tbs;
User created.
SQL> grant connect,resource to hari;
Grant succeeded.
[oracle@localhost ~]$ sqlplus hari/hari
SQL*Plus: Release 19.0.0.0.0 – Production on Mon Aug 10 01:30:53 2025
Version 19.11.0.0.0
Copyright (c) 1982, 2020, Oracle. All rights reserved.
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 – Production
Version 19.11.0.0.0
SQL> show user
USER is “HARI”
SQL> create table test (snb number, real_exch varchar2(20));
Table created.
insert into test (snb, real_exch)
select 385000000 + level – 1, ‘GSMB’
from dual
connect by level <= 10;
10 rows created.
SQL> commit;
Commit complete.
Now use the OS ‘strings’ command to determine whether the string value inserted in the table is ‘visible’:
SQL> !strings /u02/app/oracle/oradata/PROD/tde_tbs1.dbf | grep GSMB
GSMB,
GSMB,
GSMB,
GSMB,
GSMB,
GSMB,
GSMB,
GSMB,
GSMB,
GSMB
Step:-5 Online Encryption of Tablespace
From 19c onwords no need go for Offline Encryption.This method creates a new datafile with encrypted data
SQL> alter tablespace users encryption online encrypt;
Tablespace altered.
(OR)
Before:-
[oracle@localhost PROD]$ ls -lrt
total 2721356
-rw-r—–. 1 oracle oinstall 209715712 Aug 10 01:41 redo02.log
-rw-r—–. 1 oracle oinstall 209715712 Aug 10 01:41 redo03.log
-rw-r—–. 1 oracle oinstall 52436992 Aug 10 01:41 tde_tbs1.dbf
-rw-r—–. 1 oracle oinstall 68165632 Aug 10 01:41 temp01.dbf
-rw-r—–. 1 oracle oinstall 1038098432 Aug 10 01:41 system01.dbf
-rw-r—–. 1 oracle oinstall 692068352 Aug 10 01:42 sysaux01.dbf
-rw-r—–. 1 oracle oinstall 356524032 Aug 10 01:42 undotbs01.dbf
-rw-r—–. 1 oracle oinstall 5251072 Aug 10 01:42 users01.dbf
-rw-r—–. 1 oracle oinstall 209715712 Aug 10 01:42 redo01.log
-rw-r—–. 1 oracle oinstall 10600448 Aug 10 01:42 control01.ctl
SQL> alter tablespace TDE_ORACLEDBWR_TBS encryption online using ‘AES192’
encrypt file_name_convert =(‘/u02/app/oracle/oradata/PROD/tde_tbs1.dbf’,’/u02/app/oracle/oradata/PROD/tde_tbs1_encrypted.dbf’);
Tablespace altered.
After:-
[oracle@localhost PROD]$ ls -lrt
total 2721356
-rw-r—–. 1 oracle oinstall 209715712 Aug 10 18:41 redo02.log
-rw-r—–. 1 oracle oinstall 209715712 Aug 10 19:12 redo03.log
-rw-r—–. 1 oracle oinstall 68165632 Aug 10 20:41 temp01.dbf
-rw-r—–. 1 oracle oinstall 1038098432 Aug 10 21:21 system01.dbf
-rw-r—–. 1 oracle oinstall 692068352 Aug 10 21:26 sysaux01.dbf
-rw-r—–. 1 oracle oinstall 356524032 Aug 10 21:26 undotbs01.dbf
-rw-r—–. 1 oracle oinstall 5251072 Aug 10 21:27 users01.dbf
-rw-r—–. 1 oracle oinstall 52436992 Aug 10 21:29 tde_tbs1_encrypted.dbf
-rw-r—–. 1 oracle oinstall 209715712 Aug 10 21:29 redo01.log
-rw-r—–. 1 oracle oinstall 10600448 Aug 10 21:29 control01.ctl
Now Testing the data
Now use the OS ‘strings’ command to determine whether the string value inserted in the table is ‘visible’:
SQL> !strings /u02/app/oracle/oradata/prod/tde_tbs1_encrypted.dbf | grep GSMB
Conclusion
We have successfully configured TDE in Oracle 19c.
The wallet and master key are in place, and tablespaces are encrypted.
This ensures data is secure even if files are accessed outside the database.
TDE is now part of the database’s core security setup.
