Default Tablespace Encryption In The Clouds?

One of my customers called me up last week and said he’s been having the most peculiar problem. He created a new instance on the Microsoft Azure environment (12.1.0.2 SE) and he can’t create new tablespaces. The error he was getting was “ORA-28365: wallet is not open”, and he is wondering “what gives?!”.

This is kind of an interesting issue. When someone who never heard of the wallet, looking at the message doesn’t mean anything reasonable. Why would creating a tablespace need to be using a wallet? What is it all about?

SQL> create tablespace test;
create tablespace test
*
ERROR at line 1:
ORA-28365: wallet is not open

The answer is quite simple. The wallet is related to tablespace encryption and for some reason, Oracle database want to create the new tablespace as TDE (Transparent Data Encryption). The TDE feature means that if we create a tablespace, the data files are being encrypted so if ever one of the files get stolen by someone, he will not be able to open it with an HEX editor and read its content. This makes a lot of sense when thinking about a cloud solution. I asked the customer if he did something of that sort, but he said that he never even heard about this features, so, again, what gives?

I tried to find what is going on – and started by looking at the other tablespaces:

SQL> SELECT tablespace_name , encrypted
2 FROM dba_tablespaces; 

TABLESPACE_NAME                ENC
------------------------------ ---
SYSTEM                         NO
SYSAUX                         NO
UNDOTBS1                       NO
TEMP                           NO
USERS                          NO

None of them looked like they’re already encrypted – so it must be something related to new tablespaces and my next guess was some kind of an init parameter.

I took a sneak peek at the parameters and lo and behold:

SQL> show parameter enc

NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
encrypt_new_tablespaces              string      CLOUD_ONLY

encrypt_new_tablespaces


It is related to a parameter. The encrypt_new_tablespaces is a new “hidden” parameter. It was added in 12.1.0.2 bundle patch 12.1.0.2.160719 and is only applicable in cloud solutions. The new parameter states that in case of a cloud solution, all new tablespace will be created as TDE (which actually requires us to configure a wallet in the sqlnet.ora and open it before using it). If we didn’t setup a wallet – we won’t be able to create new tablespaces.

Here it is from Oracle Cloud Service document

Controlling Default Tablespace Encryption

The ENCRYPT_NEW_TABLESPACES initialization parameter controls default encryption of new tablespaces. In Database Cloud Service databases, this parameter is set to CLOUD_ONLY. See Viewing and Modifying Initialization Parameters for additional information.

Values of this parameter are as follows.

Value Description
ALWAYS Any tablespace created will be transparently encrypted with the AES128 algorithm unless a different algorithm is specified on the ENCRYPTION clause.
CLOUD_ONLY Tablespaces created in a Database Cloud Service database will be transparently encrypted with the AES128 algorithm unless a different algorithm is specified on the ENCRYPTION clause. For non-Database Cloud Service databases, tablespaces will only be encrypted if the ENCRYPTION clause is specified. This is the default value.
DDL Tablespaces are not transparently encrypted and are only encrypted if the ENCRYPTION clause is specified.

Since it was only a testing environment for the customer and since he didn’t want to start messing around with TDE, we decided to quickly changed the parameter to DDL and that was it: problem solved!

SQL> alter system set encrypt_new_tablespaces=ddl scope=both;
System altered.

SQL> create tablespace test;
Tablespace created.

It’s amazing what little gems Oracle is hiding inside different patches, but I’m also happy to see that cloud solutions (all of them, not just the Oracle solution) are not being ignored when thinking about security of the database.

1 reply

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.