Default Tablespace Encryption In The Clouds?
One of my customers called me up last week and said he’s been having the most peculiar problem. He created a new instance on the Microsoft Azure environment (12.1.0.2 SE) and he can’t create new tablespaces. The error he was getting was “ORA-28365: wallet is not open”, and he is wondering “what gives?!”.
This is kind of an interesting issue. When someone who never heard of the wallet, looking at the message doesn’t mean anything reasonable. Why would creating a tablespace need to be using a wallet? What is it all about?
SQL> create tablespace test; create tablespace test * ERROR at line 1: ORA-28365: wallet is not open
The answer is quite simple. The wallet is related to tablespace encryption and for some reason, Oracle database want to create the new tablespace as TDE (Transparent Data Encryption). The TDE feature means that if we create a tablespace, the data files are being encrypted so if ever one of the files get stolen by someone, he will not be able to open it with an HEX editor and read its content. This makes a lot of sense when thinking about a cloud solution. I asked the customer if he did something of that sort, but he said that he never even heard about this features, so, again, what gives?
I tried to find what is going on – and started by looking at the other tablespaces:
SQL> SELECT tablespace_name , encrypted 2 FROM dba_tablespaces; TABLESPACE_NAME ENC ------------------------------ --- SYSTEM NO SYSAUX NO UNDOTBS1 NO TEMP NO USERS NO
None of them looked like they’re already encrypted – so it must be something related to new tablespaces and my next guess was some kind of an init parameter.
I took a sneak peek at the parameters and lo and behold:
SQL> show parameter enc NAME TYPE VALUE ------------------------------------ ----------- ------------------------------ encrypt_new_tablespaces string CLOUD_ONLY
encrypt_new_tablespaces
It is related to a parameter. The encrypt_new_tablespaces is a new “hidden” parameter. It was added in 12.1.0.2 bundle patch 12.1.0.2.160719 and is only applicable in cloud solutions. The new parameter states that in case of a cloud solution, all new tablespace will be created as TDE (which actually requires us to configure a wallet in the sqlnet.ora and open it before using it). If we didn’t setup a wallet – we won’t be able to create new tablespaces.
Here it is from Oracle Cloud Service document
Controlling Default Tablespace Encryption
The ENCRYPT_NEW_TABLESPACES
initialization parameter controls default encryption of new tablespaces. In Database Cloud Service databases, this parameter is set to CLOUD_ONLY
. See Viewing and Modifying Initialization Parameters for additional information.
Values of this parameter are as follows.
Value | Description |
---|---|
ALWAYS |
Any tablespace created will be transparently encrypted with the AES128 algorithm unless a different algorithm is specified on the ENCRYPTION clause. |
CLOUD_ONLY |
Tablespaces created in a Database Cloud Service database will be transparently encrypted with the AES128 algorithm unless a different algorithm is specified on the ENCRYPTION clause. For non-Database Cloud Service databases, tablespaces will only be encrypted if the ENCRYPTION clause is specified. This is the default value. |
DDL |
Tablespaces are not transparently encrypted and are only encrypted if the ENCRYPTION clause is specified. |
Since it was only a testing environment for the customer and since he didn’t want to start messing around with TDE, we decided to quickly changed the parameter to DDL and that was it: problem solved!
SQL> alter system set encrypt_new_tablespaces=ddl scope=both; System altered. SQL> create tablespace test; Tablespace created.
It’s amazing what little gems Oracle is hiding inside different patches, but I’m also happy to see that cloud solutions (all of them, not just the Oracle solution) are not being ignored when thinking about security of the database.
Thank you, this post hit the head of the nail. I can’t thank you enough