Protect Autonomous AI Database

Learn about various data protection methods available for Autonomous Database.

Data in Transit Encryption

Autonomous Database encrypts data in transit by default, so data moving between an application and the database is protected against interception and tampering on the network. Oracle Net Services as a whole supports several industry-standard encryption algorithms (AES, plus the legacy DES, 3DES, and RC4) and integrity (hashing) algorithms (SHA-2, plus the legacy MD5 and SHA-1). Treat the legacy algorithms as historical: Autonomous Database itself negotiates only AES for native network encryption, and you should not enable DES, 3DES, RC4, MD5, or SHA-1 in your client configuration.

Clients (applications and tools) connect to an Autonomous Database using Oracle Net Services (also known as SQL*Net) and predefined database connection services. Autonomous Database provides two types of database connection services, each with its own method of encrypting data in transit between the client and the database.
  1. TCPS (Secure TCP) database connection services
    • Use the industry-standard TLS (Transport Layer Security) protocol, version 1.2 or 1.3. TLS 1.3 requires Oracle Database 23ai or later (including 26ai); clients connecting to earlier releases negotiate TLS 1.2.
    • When you create an Autonomous Database, a connection wallet is generated containing the files a client needs to connect using TCPS: the certificates and trust store, and the Oracle Net configuration files (tnsnames.ora, sqlnet.ora). During the TLS handshake the client uses the wallet's trust store to verify the server certificate (and presents its own certificate for mutual TLS); the handshake establishes the symmetric session keys that encrypt the data. Distribute the wallet only to clients that require database access, and protect it as you would any other credential.
  2. TCP database connection services
    • Use the Native Network Encryption crypto system built into Oracle Net Services to negotiate encryption and integrity protection when the session is established. Autonomous Database is configured to require encryption using AES256, AES192, or AES128.
    • Because encryption is negotiated when the connection is made, TCP connections do not need the wallet that TCPS connections require. The client still needs the connection service definitions: you can view them by selecting DB Connection on the database's Autonomous Database Details page in the OCI console, and they are also in the tnsnames.ora file included in the same downloadable ZIP that holds the TCPS files. Native network encryption involves no certificates, so it gives the client no transport-level proof of the server's identity; prefer TCPS wherever the client supports it.
Each service is offered in a TCPS form (the _tls suffix) and a TCP form (no suffix). The services differ in the priority and resources they give to different types of database operations:
  • tpurgent_tls and tpurgent: For high priority, time critical transaction processing operations.
  • tp_tls and tp: For typical transaction processing operations.
  • high_tls and high: For high priority reporting and batch operations.
  • medium_tls and medium: For typical reporting and batch operations.
  • low_tls and low: For low priority reporting and batch operations.
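The following is an added example, not part of the Oracle documentation: a standard-library Python script that checks the client-side Oracle Net files that ship in a wallet ZIP (tnsnames.ora and sqlnet.ora) against the points above. A TCPS entry must keep SSL_SERVER_DN_MATCH=yes so the client verifies the server certificate's distinguished name, a TCP entry must be paired with SQLNET.ENCRYPTION_CLIENT=REQUIRED and SQLNET.CRYPTO_CHECKSUM_CLIENT=REQUIRED so native encryption and integrity checking cannot be negotiated away, and the enabled algorithm lists must not include the legacy DES, 3DES, RC4, MD5, or SHA-1. The parameter names are real Oracle Net client parameters; the tnsnames.ora entries (host adb.example.oraclecloud.com, aliases adbdemo_high and adbdemo_low) and the two sqlnet.ora samples are constructed for the example, with the "weak" sample showing a permissive client and the "hardened" sample the configuration you want to distribute.

```python
"""Added example: audit the Oracle Net client files from an Autonomous Database wallet ZIP
(tnsnames.ora, sqlnet.ora). Standard library only; TNSNAMES and SQLNET_* are constructed."""
import re

WEAK_ENC = {"DES", "DES40", "3DES112", "3DES168", "RC4_40", "RC4_56", "RC4_128", "RC4_256"}
WEAK_CKSUM = {"MD5", "SHA1"}                            # legacy integrity algorithms
_TOKEN = re.compile(r'\s*(\(|\)|=|"[^"]*"|[^\s()=]+)')  # ( ) = "quoted" bareword


def aslist(v):                                          # repeated keys parse to lists
    return v if isinstance(v, list) else [v]


def parse_tnsnames(text):
    """Parse every alias of a tnsnames.ora into nested dicts; keys upper-cased."""
    tokens = _TOKEN.findall(re.sub(r"#.*", "", text))   # strip comments, then tokenise
    pos = 0

    def node():                                         # a run of (KEY=value) pairs
        nonlocal pos
        out = {}
        while pos < len(tokens) and tokens[pos] == "(":
            key = tokens[pos + 1].upper()               # tokens[pos + 2] is "="
            pos += 3
            if tokens[pos] == "(":
                val = node()
            else:
                val = tokens[pos].strip('"')
                pos += 1
            if tokens[pos] != ")":
                raise ValueError("unbalanced descriptor at " + key)
            pos += 1
            if key in out:                              # keep every ADDRESS, not just the last
                out[key] = aslist(out[key]) + [val]
            else:
                out[key] = val
        return out

    entries = {}
    while pos < len(tokens):
        alias = tokens[pos].lower()                     # alias "=" (descriptor)
        pos += 2
        entries[alias] = node()
    return entries


def parse_sqlnet(text):
    """Parse KEY = VALUE lines of sqlnet.ora; (A, B) values become lists; all upper-cased."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" not in line:
            continue
        key, val = (s.strip() for s in line.split("=", 1))
        if val.startswith("("):
            params[key.upper()] = [v.strip().upper() for v in val.strip("()").split(",") if v.strip()]
        else:
            params[key.upper()] = val.strip('"').upper()
    return params


def audit(tnsnames_text, sqlnet_text):
    """Return a list of findings; an empty list means the client configuration is acceptable."""
    findings, sq = [], parse_sqlnet(sqlnet_text)
    for param, weak_set, what in (("SQLNET.ENCRYPTION_TYPES_CLIENT", WEAK_ENC, "encryption"),
                                  ("SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT", WEAK_CKSUM, "integrity")):
        weak = sorted(set(aslist(sq.get(param, []))) & weak_set)
        if weak:
            findings.append(f"sqlnet.ora: legacy {what} algorithms enabled: " + ", ".join(weak))
    for alias, entry in parse_tnsnames(tnsnames_text).items():
        desc = entry.get("DESCRIPTION", {})
        for addr in aslist(desc.get("ADDRESS", [])):
            proto = addr.get("PROTOCOL", "").upper()
            if proto == "TCPS":                         # DN match may sit in SECURITY or sqlnet.ora
                dn = desc.get("SECURITY", {}).get("SSL_SERVER_DN_MATCH", sq.get("SSL_SERVER_DN_MATCH", ""))
                if dn.upper() not in ("YES", "ON", "TRUE"):
                    findings.append(f"{alias}: TCPS without SSL_SERVER_DN_MATCH=yes, server identity unverified")
            elif proto == "TCP":
                # Native encryption is guaranteed only if the client REQUIREs it; ACCEPTED/REQUESTED
                # lets a misconfigured (or impersonated) server negotiate the protection away.
                for param, what in (("SQLNET.ENCRYPTION_CLIENT", "encryption"),
                                    ("SQLNET.CRYPTO_CHECKSUM_CLIENT", "integrity checking")):
                    if sq.get(param) != "REQUIRED":
                        findings.append(f"{alias}: TCP with {param}={sq.get(param, 'unset')}, {what} is negotiable")
    return findings


TNSNAMES = """# constructed sample shaped like the tnsnames.ora in an ADB wallet
adbdemo_high = (description=(retry_count=20)(retry_delay=3)
  (address=(protocol=tcps)(port=1522)(host=adb.example.oraclecloud.com))
  (connect_data=(service_name=abc_adbdemo_high.adb.oraclecloud.com))
  (security=(ssl_server_dn_match=yes)(ssl_server_cert_dn="CN=adb.example.oraclecloud.com, O=Example")))
adbdemo_low = (description=(address=(protocol=tcp)(port=1521)(host=adb.example.oraclecloud.com))
  (connect_data=(service_name=abc_adbdemo_low.adb.oraclecloud.com)))
"""
SQLNET_WEAK = """SQLNET.ENCRYPTION_CLIENT = ACCEPTED
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256, RC4_128, DES)
SQLNET.CRYPTO_CHECKSUM_CLIENT = ACCEPTED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA256, MD5)
"""
SQLNET_HARDENED = """SQLNET.ENCRYPTION_CLIENT = REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256, AES192, AES128)
SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA256, SHA384, SHA512)
"""

if __name__ == "__main__":
    print(audit(TNSNAMES, SQLNET_WEAK), audit(TNSNAMES, SQLNET_HARDENED), sep="\n")
```

Run it against the files extracted from a real wallet ZIP before you hand the wallet to a client team: the weak sample produces four findings (two legacy algorithms in sqlnet.ora, and the TCP alias whose encryption and integrity checking are merely ACCEPTED), the hardened sample produces none. The server side of Autonomous Database already requires AES, so the client-side REQUIRED settings mainly protect you against connecting to something that is not the intended database, which is also why the TCPS DN-match check matters more than it looks.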

Encryption at Rest for Oracle Database@AWS

Oracle Database@AWS supports encryption at rest to safeguard sensitive data residing in database files, backups, and configuration files. This protection is provided by Transparent Data Encryption (TDE), which ensures that data is encrypted whenever it is written to persistent storage and transparently decrypted when accessed by authorized Oracle processes, with no customer configuration required. The master key encrypts the tablespace keys, which in turn encrypt the data. Because decryption is transparent to any session that has been granted access to the data, TDE protects against theft or exposure of storage media and files, not against misuse by an over-privileged database account; access control and auditing inside the database remain necessary.

Transparent Data Encryption (TDE)

Encryption at rest is provided through TDE, a feature included in Oracle Advanced Security. TDE automatically encrypts tablespaces, redo logs, and undo logs, ensuring that all database data is written to disk in encrypted form and transparently decrypted for authorized users and applications. Database backups created using Oracle Recovery Manager (RMAN) or managed backup solutions adopt these encryption settings, protecting all database copies stored on persistent media.

Key Management

TDE uses a master encryption key to protect your tablespaces and columns. For Oracle Database@AWS, there are two key management options:
  1. Oracle-managed keys: The master encryption key is automatically generated and stored in an Oracle Wallet, which is secured within the database environment. Oracle handles all key lifecycle tasks, including backups and restores.
  2. Customer-managed keys: You can integrate with OCI Vault to generate and store the master encryption key outside the database, enabling centralized key control, lifecycle management, rotation, and auditing of key usage events. With customer-managed keys, you control the encryption keys used to protect your data. You can enable customer-managed keys when creating databases, switch from Oracle-managed to customer-managed keys, and rotate keys to meet security and compliance requirements.
Oracle Exadata Database Service on Dedicated Infrastructure offers the following methods for encrypting data at rest:
  1. Oracle-managed Key (OMK), also referred to as Oracle-managed Encryption Key (OMEK)
  2. Customer-managed Key (CMK), with the master encryption key held in one of:
    • OCI Vault
    • Oracle Key Vault (OKV)
Oracle-managed Encryption Key (OMEK) is the default method for securing data at rest in Oracle Database@AWS. In Oracle Database, data encryption at rest is powered by TDE. When you choose OMEK, the database system automatically handles all key management that TDE requires, including key generation, secure storage, and rotation. There are no prerequisites or additional configuration steps required to use OMEK on Oracle Database@AWS. The trade-off is that Oracle, not you, controls the key lifecycle; if you need to demonstrate key custody, control when the key may be used, or audit key usage events, use a customer-managed key instead.

    View Encryption Details
    Autonomous Container Database
    1. From the Oracle Database@AWS dashboard, select Autonomous VM clusters, and then select the Autonomous Database you are using.
    2. Select the Manage in OCI button, which redirects you to the OCI console.
    3. From the OCI console, select the Autonomous Container Databases tab, and then select the Autonomous Container Database whose key management you want to check.
    4. From the Autonomous Container Database information tab, navigate to the Encryption section to view the encryption key details. By default, the encryption key is set to Oracle-managed key.
    Autonomous Pluggable Database
    1. From the Oracle Database@AWS dashboard, select Autonomous VM clusters, and then select the Autonomous Database you are using.
    2. Select the Manage in OCI button, which redirects you to the OCI console.
    3. From the OCI console, select the Autonomous Databases tab, and then select the Autonomous Database whose key management you want to check.
    4. From the Autonomous Database information tab, navigate to the Encryption section to view the encryption key details. By default, the encryption key is set to Oracle-managed key.