How to Create a New PDB with TDE Enabled and an Encrypted Tablespace in Oracle 19c

Introduction

In modern Oracle database environments, securing sensitive data at rest is a critical requirement. Transparent Data Encryption (TDE) ensures that data stored in tablespaces is automatically encrypted without requiring any application changes.

This post provides a practical, step-by-step guide to:

  • Create a new Pluggable Database (PDB)
  • Enable TDE inside the PDB
  • Create and activate a master encryption key
  • Verify wallet status
  • Create an encrypted tablespace

This guide is useful for DBAs working in Oracle 19c multitenant environments.

Environment

  • Oracle Version: 19c
  • Architecture: Multitenant (CDB/PDB)
  • Encryption: TDE

Step 1: Connect as SYSDBA

sqlplus / as sysdba

Verify the container:

SHOW CON_NAME;

Expected output:

CDB$ROOT

→ Make sure you are in the root container before proceeding.

Step 2: Create a New PDB

CREATE PLUGGABLE DATABASE DFMS
ADMIN USER admin IDENTIFIED BY “SU5d4e2VG#Q”;

Open the PDB:

ALTER PLUGGABLE DATABASE DFMS OPEN READ WRITE;

Save the state so it reopens automatically after a restart:

ALTER PLUGGABLE DATABASE DFMS SAVE STATE;

Switch the session to the new PDB:

ALTER SESSION SET CONTAINER = DFMS;

Step 3: Check the TDE Wallet Status

SELECT * FROM v$encryption_wallet;

Expected status:

OPEN_NO_MASTER_KEY

→ The wallet is open, but no master key exists yet for this PDB.

Step 4: Create a TDE Master Encryption Key

ADMINISTER KEY MANAGEMENT
CREATE ENCRYPTION KEY
USING TAG ‘DFMS_REKEY’
FORCE KEYSTORE
IDENTIFIED BY “SU5d4e2V-G_Q”
WITH BACKUP USING ‘DFMS_REKEY’;

Verify the key was created:

SELECT key_id FROM v$encryption_keys
WHERE tag = ‘DFMS_REKEY’;

→ A valid key_id in the result confirms the key was created.

Step 5: Activate the Encryption Key

ADMINISTER KEY MANAGEMENT
USE ENCRYPTION KEY
‘Ad+0E2RijU+iv9Xur6AYQWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAA’
FORCE KEYSTORE
IDENTIFIED BY “SU5d4e2V-G_Q”
WITH BACKUP;

→ The key is now active in the PDB.

Step 6: Verify the Wallet Again

SELECT * FROM v$encryption_wallet;

→ The wallet should remain OPEN / AUTOLOGIN, and the key should now show as active.

Step 7: Create an Encrypted Tablespace

CREATE TABLESPACE FMS
DATAFILE ‘+DATA’
SIZE 1G
AUTOEXTEND ON NEXT 128M MAXSIZE 30G;

→ The tablespace is created successfully with encryption enabled.

Important Notes

  • TDE must be configured at the CDB level before it can be used inside a PDB.
  • Always back up the keystore immediately after creating a new key.
  • Make sure the wallet is open before performing any encryption-related operations.
  • Use strong, unique passwords for the keystore.

Common Issues

Wallet Not Open

  • Check the sqlnet.ora configuration.
  • Verify the wallet location is correct and accessible.

Key Not Found

  • Verify the tag name matches exactly.
  • Make sure you’re connected to the correct PDB.

Best Practices

  • Back up the wallet regularly.
  • Use an AUTOLOGIN wallet for uninterrupted database startup.
  • Monitor encryption status as part of routine health checks.
  • Avoid hardcoding passwords in scripts.
  • Follow a defined key rotation policy.

Key Takeaways

  • TDE secures data at rest with minimal application impact.
  • Each PDB needs its own active master encryption key.
  • Wallet validation is critical before and after key operations.
  • Encrypted tablespaces ensure sensitive data stays protected.

Conclusion

Implementing TDE in a multitenant Oracle environment provides strong data-at-rest security with minimal impact on applications. By following the steps in this guide, DBAs can securely provision encrypted PDBs and protect sensitive data effectively from the moment a database is created.

Recent Posts