Oracle Database Encryption Options on Amazon RDS
Editor’s note: This post was updated in February 2023 to reflect the most up-to-date information.
By Pramod Yadav, Cloud Support Engineer – AWS
As a cloud support engineer at Amazon Web Services (AWS), I get opportunities to answer customer queries, many of which require extensive research.
This post is an outcome of my research on various encryption options, such as Oracle Transparent Data Encryption (TDE), Oracle Native Network Encryption (NNE), and SSL, on Amazon Relational Database Service (Amazon RDS). It explains how Amazon RDS supports Oracle TDE, Oracle NNE, and SSL.
If you are an architect or a developer, this post will help you plan and configure storage and network encryption on Amazon RDS. It assumes you understand why data should be encrypted both at rest and in transit, and it explains how Oracle TDE (at rest) and Oracle NNE and SSL (in transit) help you meet those goals.
Oracle Database uses authentication, authorization, and auditing to control access to data inside the database, but those controls do not protect the operating system data files in which the data is stored. To protect the data files themselves, Oracle Database provides Transparent Data Encryption (TDE), which encrypts sensitive data before it is written to the data files. To prevent unauthorized decryption, TDE keeps the master encryption key outside the database, in a keystore (an Oracle wallet or a hardware security module).
TDE lets you encrypt sensitive data, such as credit card numbers, stored in tables and tablespaces. Encrypted data is transparently decrypted for any database user or application that is authorized to access it, so TDE protects against theft of the storage media or data files; it does not protect against a compromised database account that already has access to the data.
Database users and applications do not need to manage key storage or create auxiliary tables, views, and triggers. An application that processes sensitive data can use TDE to get strong encryption at rest with little or no change to the application.
TDE supports the Advanced Encryption Standard (AES-256, AES-192, and AES-128) and the Triple Data Encryption Algorithm (3DES). 3DES is kept for legacy compatibility; use AES-256 for new deployments.
Amazon RDS provides two distinct ways to encrypt an Oracle DB instance at rest:
- Oracle TDE, which encrypts data inside the data files and is managed from within the database
- Amazon RDS encryption using AWS Key Management Service (AWS KMS), which encrypts the underlying storage volume together with automated backups, snapshots, and read replicas
The two operate at different layers and are independent of each other.
Oracle Native Network Encryption (NNE) and SSL protect the confidentiality of Oracle data while it is in transit between client and server. Encrypting Oracle Net traffic safeguards sensitive data, such as social security numbers, credit card numbers, and other personally identifiable information, against packet sniffing. From Oracle 10.2.0.1 onward, Native Network Encryption and TCP/IP with SSL are no longer part of the Advanced Security Option, and Amazon RDS for Oracle provides both on all editions.
Performing TDE Using Option Groups for Amazon RDS for Oracle
Oracle TDE supports two encryption modes: TDE tablespace encryption and TDE column encryption. TDE tablespace encryption encrypts entire application tables by encrypting every object stored in the tablespace. TDE column encryption encrypts individual columns that contain sensitive data; it cannot be applied to every data type, and an encrypted column that must be indexed has to be encrypted with NO SALT. You can also apply a hybrid solution that uses both tablespace and column encryption.
Amazon RDS uses option groups to enable and configure additional features that make it easier to manage data and databases, and to provide additional security for your database. The TDE option is a permanent option: it cannot be removed from an option group, and once an option group containing it is associated with a DB instance, that option group cannot be removed from the instance. In other words, you cannot disable TDE on a DB instance after it has been associated with an option group that has the Oracle TDE option.
Amazon RDS creates and manages the Oracle wallet and the TDE master encryption key for the DB instance, so you do not run ALTER SYSTEM SET ENCRYPTION KEY (or, on 12c and later, ADMINISTER KEY MANAGEMENT) yourself; you only create the encrypted tablespaces and columns.
The process for using Oracle TDE with Amazon RDS is as follows:
- If the DB instance is not already associated with an option group that has the TDE option enabled, create an option group and add the TDE option to it, or add the TDE option to the option group the instance already uses. For information about creating or modifying an option group, see Working with Option Groups. For information about adding an option to an option group, see Adding an Option to an Option Group.
- Associate the DB instance with the option group with the TDE option. For information about associating a DB instance with an option group, see Modifying a DB Instance Running the Oracle Database Engine.
If you no longer want to use the TDE option with a DB instance, you must decrypt all your data on the DB instance, copy the data to a new DB instance that is not associated with an option group with TDE enabled, and then delete the original instance. You can rename the new instance to be the same as the previous DB instance if you prefer.
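The following script is an added example and is not code from the original post or from AWS. It walks through the two option-group steps above with the AWS CLI, then uses SQL*Plus to confirm that the RDS-managed wallet is open and to create both an encrypted tablespace and an encrypted, indexed column, the two TDE modes described earlier. The option group name, DB identifier, engine version, and connect string are placeholder assumptions; the report-checking helper at the end is a small offline check you can keep in a compliance pipeline.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Enables the RDS "TDE" option with
# the AWS CLI, then uses SQL*Plus to confirm the RDS-managed wallet is open and to
# encrypt a tablespace and a column. The option group name, DB identifier, engine
# version and connect string are placeholder assumptions.
set -eu

OPTION_GROUP="tde-og"                       # assumed
DB_INSTANCE="mydb"                          # assumed
ENGINE="oracle-ee"                          # TDE is an Enterprise Edition feature
ENGINE_MAJOR="19"                           # assumed major engine version
CONNECT="${ORACLE_CONNECT:-admin@mydb.example.com:1521/ORCL}"   # assumed EZConnect string

# Step 1: option group for the instance's engine/version, with the TDE option added.
# TDE is a permanent option: after this it cannot be removed from the group.
create_tde_option_group() {
  aws rds create-option-group \
    --option-group-name "$OPTION_GROUP" \
    --engine-name "$ENGINE" \
    --major-engine-version "$ENGINE_MAJOR" \
    --option-group-description "Oracle TDE"
  aws rds add-option-to-option-group \
    --option-group-name "$OPTION_GROUP" \
    --options "OptionName=TDE" \
    --apply-immediately
}

# Step 2: associate the option group with the instance and wait for it to settle.
attach_tde_option_group() {
  aws rds modify-db-instance \
    --db-instance-identifier "$DB_INSTANCE" \
    --option-group-name "$OPTION_GROUP" \
    --apply-immediately
  aws rds wait db-instance-available --db-instance-identifier "$DB_INSTANCE"
}

# Step 3: database-side work. RDS has already created the wallet and set the master
# key, so there is no ALTER SYSTEM SET ENCRYPTION KEY / ADMINISTER KEY MANAGEMENT here.
# RDS uses Oracle Managed Files, so CREATE TABLESPACE needs no DATAFILE clause.
encrypt_data() {
  sqlplus -S "$CONNECT" <<'SQL'
SET PAGESIZE 0 FEEDBACK OFF LINESIZE 200
-- Wallet must be OPEN before any encrypted object can be created.
SELECT wrl_type, status, wallet_type FROM v$encryption_wallet;
-- Tablespace encryption: every table stored here is encrypted on disk.
CREATE TABLESPACE ts_secure ENCRYPTION USING 'AES256' DEFAULT STORAGE (ENCRYPT);
-- Column encryption: NO SALT because card_no is indexed (salted columns cannot be indexed).
CREATE TABLE payments (
  id      NUMBER PRIMARY KEY,
  card_no VARCHAR2(19) ENCRYPT USING 'AES256' NO SALT
) TABLESPACE ts_secure;
CREATE INDEX payments_card_ix ON payments (card_no);
-- Evidence for an audit: which tablespaces and columns are encrypted.
SELECT tablespace_name, encrypted FROM dba_tablespaces WHERE tablespace_name = 'TS_SECURE';
SELECT table_name, column_name, encryption_alg, salt FROM dba_encrypted_columns;
EXIT
SQL
}

# Offline check over saved output of the two status queries above (one file):
# succeeds only when the wallet row shows OPEN and the tablespace row shows YES.
tde_report_ok() {
  local report="$1" ts="${2:-TS_SECURE}"
  grep -Eq '^(FILE|HSM)[[:space:]]+OPEN' "$report" &&
  grep -Eq "^${ts}[[:space:]]+YES" "$report"
}

# Run the whole procedure only when explicitly asked: ./tde.sh --run
if [ "${1:-}" = "--run" ]; then
  create_tde_option_group
  attach_tde_option_group
  encrypt_data > tde_report.txt
  if tde_report_ok tde_report.txt; then
    echo "TDE active: wallet open, TS_SECURE encrypted"
  else
    echo "TDE check failed; see tde_report.txt" >&2; exit 1
  fi
fi
```

Because the wallet is auto-login and owned by RDS, the only thing an administrator can get wrong on the database side is forgetting the ENCRYPTION clause: a table created in an ordinary tablespace without ENCRYPT columns is stored in cleartext even though the TDE option is enabled, which is why the script ends by reading `dba_tablespaces` and `dba_encrypted_columns` rather than trusting the option group alone.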
Performing Encryption Using AWS CloudHSM for Amazon RDS for Oracle TDE
AWS CloudHSM is a service that gives you dedicated, single-tenant hardware security modules (HSMs) running in your VPC for secure key storage and cryptographic operations.
With TDE, the database software encrypts data before storing it on disk. The data in the database’s table columns or tablespaces is encrypted with a table key or tablespace key. These keys are encrypted with the TDE master encryption key. You can store the TDE master encryption key in the HSMs in your AWS CloudHSM cluster, which provides additional security.
Note that an Amazon RDS for Oracle DB instance cannot use AWS CloudHSM as its TDE keystore. To keep the TDE master encryption key in CloudHSM, you must install Oracle Database on an Amazon Elastic Compute Cloud (Amazon EC2) instance and configure the HSM integration yourself.
Performing Encryption with AWS KMS
AWS Key Management Service (AWS KMS) makes it easy to create and control the keys used to encrypt your data. AWS KMS is integrated with other AWS services, including Amazon Elastic Block Store (Amazon EBS), Amazon Simple Storage Service (Amazon S3), Amazon Redshift, Amazon Elastic Transcoder, Amazon WorkMail, and Amazon RDS, so that you can encrypt data in those services with keys that you manage.
Amazon RDS encryption with AWS KMS is the default way to encrypt at rest in Amazon RDS for Oracle, and unlike TDE it is available for every Oracle edition, not only Enterprise Edition. You choose it when you create the DB instance: it encrypts the underlying storage together with automated backups, read replicas, and snapshots, using either the AWS managed key aws/rds or a customer managed key that you specify. Encryption cannot be turned on later for an existing unencrypted instance; instead, you copy a snapshot of that instance with a KMS key and restore a new instance from the encrypted copy.
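The following script is an added example and is not code from the original post or from AWS. It creates an RDS for Oracle instance with storage encrypted under a customer managed KMS key, reads back the encryption status, and shows the snapshot-copy route for an instance that was created without encryption. The DB identifiers, key alias, instance class, and storage size are placeholder assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Creates an Amazon RDS for Oracle
# instance whose storage is encrypted with a customer managed AWS KMS key, verifies
# that, and shows the snapshot-copy route for an existing unencrypted instance
# (RDS cannot switch storage encryption on in place). Identifiers are assumptions.
set -eu

DB_INSTANCE="mydb-enc"                      # assumed
KMS_KEY="alias/rds-oracle"                  # assumed customer managed key alias
MASTER_PASSWORD="${RDS_MASTER_PASSWORD:-}"  # supplied via the environment, never hard-coded

# Storage encryption is chosen at creation time. --kms-key-id selects the customer
# managed key; without it RDS uses the AWS managed key aws/rds.
create_encrypted_instance() {
  [ -n "$MASTER_PASSWORD" ] || { echo "set RDS_MASTER_PASSWORD first" >&2; return 1; }
  aws rds create-db-instance \
    --db-instance-identifier "$DB_INSTANCE" \
    --engine oracle-se2 \
    --license-model license-included \
    --db-instance-class db.m5.large \
    --allocated-storage 100 \
    --master-username admin --master-user-password "$MASTER_PASSWORD" \
    --storage-encrypted --kms-key-id "$KMS_KEY"
}

# Prints "<StorageEncrypted> <KmsKeyId>" for an instance, e.g. "True arn:aws:kms:...".
encryption_status() {
  aws rds describe-db-instances --db-instance-identifier "$1" \
    --query 'DBInstances[0].[StorageEncrypted,KmsKeyId]' --output text
}

# Offline check over that status line: encrypted, and a key is actually attached.
status_is_encrypted() {
  set -- $1
  [ "${1:-}" = "True" ] && [ -n "${2:-}" ] && [ "${2:-}" != "None" ]
}

# Existing unencrypted instance: snapshot it, copy the snapshot under a KMS key
# (the copy is encrypted), restore a new instance from the copy, then repoint clients.
encrypt_existing_instance() {
  local src="$1" dst="$2"
  aws rds create-db-snapshot --db-instance-identifier "$src" \
    --db-snapshot-identifier "$src-plain"
  aws rds wait db-snapshot-available --db-snapshot-identifier "$src-plain"
  aws rds copy-db-snapshot --source-db-snapshot-identifier "$src-plain" \
    --target-db-snapshot-identifier "$src-encrypted" --kms-key-id "$KMS_KEY"
  aws rds wait db-snapshot-available --db-snapshot-identifier "$src-encrypted"
  aws rds restore-db-instance-from-db-snapshot --db-instance-identifier "$dst" \
    --db-snapshot-identifier "$src-encrypted"
}

# Run only when explicitly asked: ./kms.sh --run
if [ "${1:-}" = "--run" ]; then
  create_encrypted_instance
  aws rds wait db-instance-available --db-instance-identifier "$DB_INSTANCE"
  status_is_encrypted "$(encryption_status "$DB_INSTANCE")" && echo "storage encrypted"
fi
```

The `encrypt_existing_instance` path is the only supported way to move an unencrypted instance to KMS encryption; the source instance keeps running while the encrypted copy is built, and you decommission it once clients have been switched to the new endpoint.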
Enabling Oracle Native Network Encryption for Amazon RDS for Oracle
Native network encryption (NNE) encrypts database connections without the configuration overhead of TCP/IP with SSL/TLS (no certificates or wallets) and without opening a second listener port. NNE also protects integrity: a cryptographic checksum is computed for each packet and verified by the receiving side, so tampering in transit is detected. Whether a session is actually encrypted is negotiated from the client and server settings (ACCEPTED, REJECTED, REQUESTED, or REQUIRED); if cleartext sessions must never be allowed, set the server side to REQUIRED rather than relying on the default.
Amazon RDS for Oracle uses option groups to enable and configure NNE through the NATIVE_NETWORK_ENCRYPTION option. Unlike TDE, NNE is not a permanent option, so you can remove it from the option group if you no longer want it. To use NNE on an Amazon RDS Oracle DB instance, add the option to the option group associated with the instance and set its encryption and checksum parameters (SQLNET.ENCRYPTION_SERVER, SQLNET.ENCRYPTION_TYPES_SERVER, SQLNET.CRYPTO_CHECKSUM_SERVER, and SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER) to match the client-side sqlnet.ora settings.
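The following script is an added example and is not code from the original post or from AWS. It adds the NATIVE_NETWORK_ENCRYPTION option with the server set to require AES-256 encryption and SHA-256 checksums (the hardened setting, as opposed to the REQUESTED default that still admits cleartext clients), writes the matching client sqlnet.ora, and then asks the database what the session actually negotiated. The option group name, DB identifier, connect string, and client paths are placeholder assumptions, and the banner lines used in the check are constructed from the format Oracle's `v$session_connect_info` reports.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Adds the RDS NATIVE_NETWORK_ENCRYPTION
# option with the server set to REQUIRE AES-256 encryption and SHA-256 integrity checks,
# writes a matching client sqlnet.ora, and checks what a live session actually
# negotiated. Option group name, DB identifier, connect string and paths are assumptions.
set -eu

OPTION_GROUP="nne-og"                       # assumed
DB_INSTANCE="mydb"                          # assumed
CONNECT="${ORACLE_CONNECT:-admin@mydb.example.com:1521/ORCL}"   # assumed EZConnect string
CLIENT_TNS_DIR="${TNS_ADMIN:-${HOME:-.}/oracle_net}"           # assumed client TNS_ADMIN

# RDS defaults both services to REQUESTED, so a client that sets
# SQLNET.ENCRYPTION_CLIENT=REJECTED still connects, in cleartext. REQUIRED makes the
# server refuse such clients. The two ALLOW_WEAK_CRYPTO settings (Oracle 19c and
# later) additionally reject legacy algorithms such as DES, RC4 and MD5.
add_nne_option() {
  aws rds add-option-to-option-group \
    --option-group-name "$OPTION_GROUP" \
    --options "OptionName=NATIVE_NETWORK_ENCRYPTION,OptionSettings=[{Name=SQLNET.ENCRYPTION_SERVER,Value=REQUIRED},{Name=SQLNET.ENCRYPTION_TYPES_SERVER,Value=AES256},{Name=SQLNET.CRYPTO_CHECKSUM_SERVER,Value=REQUIRED},{Name=SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER,Value=SHA256},{Name=SQLNET.ALLOW_WEAK_CRYPTO,Value=FALSE},{Name=SQLNET.ALLOW_WEAK_CRYPTO_CLIENTS,Value=FALSE}]" \
    --apply-immediately
  aws rds modify-db-instance --db-instance-identifier "$DB_INSTANCE" \
    --option-group-name "$OPTION_GROUP" --apply-immediately
  aws rds wait db-instance-available --db-instance-identifier "$DB_INSTANCE"
}

# Client side: require encryption here too, so a downgraded or misconfigured server
# cannot quietly negotiate a cleartext session. No extra port or wallet is involved.
write_client_sqlnet() {
  mkdir -p "$CLIENT_TNS_DIR"
  cat > "$CLIENT_TNS_DIR/sqlnet.ora" <<'EOF'
SQLNET.ENCRYPTION_CLIENT = REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256)
SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA256)
EOF
}

# Ask the database what this session negotiated. The banner contains an
# "<ALG> Encryption service adapter" and an "<ALG> Crypto-checksumming service
# adapter" line only while those services are active on the connection.
query_session_banner() {
  TNS_ADMIN="$CLIENT_TNS_DIR" sqlplus -S "$CONNECT" <<'SQL'
SET PAGESIZE 0 FEEDBACK OFF LINESIZE 200
SELECT network_service_banner FROM v$session_connect_info
 WHERE sid = SYS_CONTEXT('USERENV', 'SID');
EXIT
SQL
}

# Offline check over saved banner output (file): succeed only if both an encryption
# adapter and a checksum adapter are active, using the expected algorithms.
session_is_protected() {
  local banner="$1" enc="${2:-AES256}" sum="${3:-SHA256}"
  grep -q "${enc} Encryption service adapter" "$banner" &&
  grep -q "${sum} Crypto-checksumming service adapter" "$banner"
}

# Run only when explicitly asked: ./nne.sh --run
if [ "${1:-}" = "--run" ]; then
  add_nne_option
  write_client_sqlnet
  query_session_banner > nne_banner.txt
  if session_is_protected nne_banner.txt; then
    echo "session encrypted with AES256 and integrity-checked with SHA256"
  else
    echo "session is NOT protected as required; see nne_banner.txt" >&2; exit 1
  fi
fi
```

The generic "Encryption service for Linux" and "Crypto-checksumming service for Linux" banner lines appear on every session, including cleartext ones; only the algorithm-prefixed "adapter" lines prove the service is in use, which is what the check greps for.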
Enabling SSL Connection for Amazon RDS for Oracle
You enable Secure Sockets Layer (SSL) encryption for an Amazon RDS Oracle DB instance by adding the Oracle SSL option to the option group associated with the instance; set its SQLNET.SSL_VERSION setting to 1.2 so that only TLS 1.2 is negotiated. Amazon RDS opens a second port (2484 by default) for SSL connections, so the instance accepts both cleartext connections on the original port and SSL-encrypted connections on the SSL port. If all traffic must be encrypted, allow only the SSL port in the instance's security group.
To establish an SSL connection to an Amazon RDS Oracle DB instance, you must complete the following tasks:
You can use clients such as Oracle SQL*Plus and JDBC to connect to an Amazon RDS Oracle instance over SSL. Refer to the following sections to configure those clients.
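The following script is an added example and is not code from the original post or from AWS. It adds the SSL option on its own port, builds a client Oracle wallet that trusts the RDS certificate authorities from the public RDS CA bundle, writes the TCPS sqlnet.ora and tnsnames.ora for SQL*Plus, and confirms from the database side that the session runs over TCPS. The option group name, DB identifier, endpoint, service name, and paths are placeholder assumptions; the two-certificate bundle used to test the splitter is constructed, not a real certificate.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Adds the RDS SSL option on its own
# port, builds a client Oracle wallet that trusts the RDS certificate authorities,
# writes the TCPS net configuration, and confirms the session really runs over TCPS.
# Option group name, DB identifier, endpoint, service name and paths are assumptions.
set -eu

OPTION_GROUP="ssl-og"                       # assumed
DB_INSTANCE="mydb"                          # assumed
ENDPOINT="mydb.example.com"                 # assumed RDS endpoint
SSL_PORT="2484"                             # RDS default port for the SSL option
SERVICE="ORCL"                              # assumed service name
TNS_DIR="${TNS_ADMIN:-${HOME:-.}/oracle_net_ssl}"
WALLET_DIR="$TNS_DIR/wallet"
RDS_CA_URL="https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem"

# TLS 1.2 only. The SSL port is in addition to the cleartext listener port, which
# stays open; restrict it with the security group if every client must use SSL.
add_ssl_option() {
  aws rds add-option-to-option-group \
    --option-group-name "$OPTION_GROUP" \
    --options "OptionName=SSL,Port=$SSL_PORT,OptionSettings=[{Name=SQLNET.SSL_VERSION,Value=1.2}]" \
    --apply-immediately
  aws rds modify-db-instance --db-instance-identifier "$DB_INSTANCE" \
    --option-group-name "$OPTION_GROUP" --apply-immediately
  aws rds wait db-instance-available --db-instance-identifier "$DB_INSTANCE"
}

# Split a PEM bundle into one file per certificate (orapki imports one certificate
# per -cert file). Writes <outdir>/rds-ca-N.pem and prints the number of certificates.
split_ca_bundle() {
  local bundle="$1" outdir="$2"
  mkdir -p "$outdir"
  awk -v d="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { if (f) close(f); n++; f = d "/rds-ca-" n ".pem" }
    f { print > f }' "$bundle"
  grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle"
}

# Client trust store: an auto-login wallet holding every RDS CA in the global bundle.
build_client_wallet() {
  mkdir -p "$WALLET_DIR"
  curl -sSf -o "$WALLET_DIR/global-bundle.pem" "$RDS_CA_URL"
  split_ca_bundle "$WALLET_DIR/global-bundle.pem" "$WALLET_DIR" > /dev/null
  orapki wallet create -wallet "$WALLET_DIR" -auto_login_only
  for cert in "$WALLET_DIR"/rds-ca-*.pem; do
    orapki wallet add -wallet "$WALLET_DIR" -trusted_cert -cert "$cert" -auto_login_only
  done
}

# Client net config: point at the wallet, allow only TLS 1.2, and make the client
# verify that the server certificate matches the RDS endpoint name.
write_net_config() {
  mkdir -p "$TNS_DIR"
  cat > "$TNS_DIR/sqlnet.ora" <<EOF
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = $WALLET_DIR)))
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 1.2
SSL_SERVER_DN_MATCH = ON
EOF
  cat > "$TNS_DIR/tnsnames.ora" <<EOF
RDS_SSL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = $ENDPOINT)(PORT = $SSL_PORT))
    (CONNECT_DATA = (SERVICE_NAME = $SERVICE)))
EOF
}

# Proof from the database side: NETWORK_PROTOCOL is "tcps" only for SSL sessions.
query_network_protocol() {
  TNS_ADMIN="$TNS_DIR" sqlplus -S "admin@RDS_SSL" <<'SQL'
SET PAGESIZE 0 FEEDBACK OFF
SELECT SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL') FROM dual;
EXIT
SQL
}

# Offline check over the saved query output (file).
is_tcps() {
  [ "$(tr -d '[:space:]' < "$1")" = "tcps" ]
}

# Run only when explicitly asked: ./ssl.sh --run
if [ "${1:-}" = "--run" ]; then
  add_ssl_option
  build_client_wallet
  write_net_config
  query_network_protocol > ssl_proto.txt
  is_tcps ssl_proto.txt && echo "connected over TCPS on port $SSL_PORT"
fi
```

SSL_SERVER_DN_MATCH = ON is what turns certificate validation into endpoint validation: without it the client accepts any certificate chained to a trusted RDS CA, including one issued for a different instance. For JDBC thin clients the same trust material goes into a Java truststore referenced by `javax.net.ssl.trustStore`, with the TCPS descriptor from tnsnames.ora used as the connection string.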
In this post, I described how you can implement Oracle TDE, Oracle NNE, and SSL on Amazon RDS, and also touched upon the related key management services, AWS KMS and AWS CloudHSM.