Introduction
In modern Oracle database environments, securing sensitive data at rest is a critical requirement. Transparent Data Encryption (TDE) ensures that data stored in tablespaces is automatically encrypted without requiring any application changes.
This post provides a practical, step-by-step guide to:
- Create a new Pluggable Database (PDB)
- Enable TDE inside the PDB
- Create and activate a master encryption key
- Verify wallet status
- Create an encrypted tablespace
This guide is useful for DBAs working in Oracle 19c multitenant environments.
Environment
- Oracle Version: 19c
- Architecture: Multitenant (CDB/PDB)
- Encryption: TDE
Step 1: Connect as SYSDBA
sqlplus / as sysdba
Verify the container:
SHOW CON_NAME;
Expected output:
CDB$ROOT
→ Make sure you are in the root container before proceeding.
Step 2: Create a New PDB
CREATE PLUGGABLE DATABASE DFMS
ADMIN USER admin IDENTIFIED BY “SU5d4e2VG#Q”;
Open the PDB:
ALTER PLUGGABLE DATABASE DFMS OPEN READ WRITE;
Save the state so it reopens automatically after a restart:
ALTER PLUGGABLE DATABASE DFMS SAVE STATE;
Switch the session to the new PDB:
ALTER SESSION SET CONTAINER = DFMS;
Step 3: Check the TDE Wallet Status
SELECT * FROM v$encryption_wallet;
Expected status:
OPEN_NO_MASTER_KEY
→ The wallet is open, but no master key exists yet for this PDB.
Step 4: Create a TDE Master Encryption Key
ADMINISTER KEY MANAGEMENT
CREATE ENCRYPTION KEY
USING TAG ‘DFMS_REKEY’
FORCE KEYSTORE
IDENTIFIED BY “SU5d4e2V-G_Q”
WITH BACKUP USING ‘DFMS_REKEY’;
Verify the key was created:
SELECT key_id FROM v$encryption_keys
WHERE tag = ‘DFMS_REKEY’;
→ A valid key_id in the result confirms the key was created.
Step 5: Activate the Encryption Key
ADMINISTER KEY MANAGEMENT
USE ENCRYPTION KEY
‘Ad+0E2RijU+iv9Xur6AYQWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAA’
FORCE KEYSTORE
IDENTIFIED BY “SU5d4e2V-G_Q”
WITH BACKUP;
→ The key is now active in the PDB.
Step 6: Verify the Wallet Again
SELECT * FROM v$encryption_wallet;
→ The wallet should remain OPEN / AUTOLOGIN, and the key should now show as active.
Step 7: Create an Encrypted Tablespace
CREATE TABLESPACE FMS
DATAFILE ‘+DATA’
SIZE 1G
AUTOEXTEND ON NEXT 128M MAXSIZE 30G;
→ The tablespace is created successfully with encryption enabled.
Important Notes
- TDE must be configured at the CDB level before it can be used inside a PDB.
- Always back up the keystore immediately after creating a new key.
- Make sure the wallet is open before performing any encryption-related operations.
- Use strong, unique passwords for the keystore.
Common Issues
Wallet Not Open
- Check the sqlnet.ora configuration.
- Verify the wallet location is correct and accessible.
Key Not Found
- Verify the tag name matches exactly.
- Make sure you’re connected to the correct PDB.
Best Practices
- Back up the wallet regularly.
- Use an AUTOLOGIN wallet for uninterrupted database startup.
- Monitor encryption status as part of routine health checks.
- Avoid hardcoding passwords in scripts.
- Follow a defined key rotation policy.
Key Takeaways
- TDE secures data at rest with minimal application impact.
- Each PDB needs its own active master encryption key.
- Wallet validation is critical before and after key operations.
- Encrypted tablespaces ensure sensitive data stays protected.
Conclusion
Implementing TDE in a multitenant Oracle environment provides strong data-at-rest security with minimal impact on applications. By following the steps in this guide, DBAs can securely provision encrypted PDBs and protect sensitive data effectively from the moment a database is created.