Amazon RDS for Oracle Database – Data and Network Encryption
Amazon RDS for Oracle Database now supports a pair of important features to help protect your mission-critical data:
- Transparent Data Encryption protects data at rest. It encrypts your data before it is written to storage, and decrypts it after it is read from storage. You can choose to encrypt tablespaces or specific table columns using a number of industry standard encryption algorithms, including Advanced Encryption Standard (AES) and Triple Data Encryption Standard (Triple DES).
- Native Network Encryption protects data in motion using Oracle Net Services. You can choose between AES, Triple DES, and RC4.
These features are components of Oracle’s Advanced Security Option (ASO) for Oracle Database 11g Enterprise Edition, available for use on Amazon RDS under the Bring-Your-Own-License (BYOL) model. There is no additional charge for either feature.
Enabling Native Network Encryption
To enable Native Network Encryption, add the NATIVE_NETWORK_ENCRYPTION option to an option group associated with the RDS DB Instance and specify the option settings. The settings are described in the Options for Oracle DB Engine section of the Amazon RDS Documentation and include SQLNET.ENCRYPTION_SERVER (encryption behavior), SQLNET.CRYPTO_CHECKSUM_SERVER (data integrity behavior), SQLNET.ENCRYPTION_TYPES_SERVER (encryption algorithm), and SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER (checksum algorithm). You must also make the corresponding changes in the sqlnet.ora file on the client in order to be able to connect to the DB Instance.
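How those server-side settings and the client's sqlnet.ora resolve into an actual encrypted session, as an added example that is not part of the original post or of AWS's tooling: a small Python model of Oracle Net's negotiation. The client-side parameter names (SQLNET.ENCRYPTION_CLIENT and friends) are Oracle's own; the sample option values are constructed, and the server-list-order preference for algorithm selection is an assumption.

```python
SERVICE_ON, SERVICE_OFF, CONNECT_FAILS = "on", "off", "connection fails"

def negotiate(server_level: str, client_level: str) -> str:
    """Outcome of one service (encryption or integrity checksum) for a server/client
    pair. Levels are REJECTED, ACCEPTED, REQUESTED or REQUIRED; Oracle's default on
    both sides is ACCEPTED, so two untouched sides negotiate nothing at all."""
    s, c = server_level.upper(), client_level.upper()
    if {s, c} == {"REQUIRED", "REJECTED"}:
        return CONNECT_FAILS          # one side insists, the other refuses
    if "REJECTED" in (s, c) or (s == "ACCEPTED" and c == "ACCEPTED"):
        return SERVICE_OFF            # nobody asked for it, so it silently stays off
    return SERVICE_ON                 # someone REQUESTED/REQUIRED it and the other allows

def pick_algorithm(server_algs, client_algs):
    """First entry of the server's list the client also allows (assumed server-order
    preference); an empty list on a side means 'anything the other side lists'."""
    if not server_algs and not client_algs:
        return "ANY_INSTALLED"
    server = [a.upper() for a in server_algs] or [a.upper() for a in client_algs]
    allowed = {a.upper() for a in client_algs} or set(server)
    return next((a for a in server if a in allowed), None)

def check_connection(server_opts: dict, client_opts: dict) -> dict:
    """server_opts uses the RDS option-setting names, client_opts the sqlnet.ora
    client names. Returns (state, algorithm) per service for the resulting session."""
    result = {}
    for svc, s_key, c_key, s_types, c_types in (
        ("encryption", "SQLNET.ENCRYPTION_SERVER", "SQLNET.ENCRYPTION_CLIENT",
         "SQLNET.ENCRYPTION_TYPES_SERVER", "SQLNET.ENCRYPTION_TYPES_CLIENT"),
        ("integrity", "SQLNET.CRYPTO_CHECKSUM_SERVER", "SQLNET.CRYPTO_CHECKSUM_CLIENT",
         "SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER", "SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT"),
    ):
        state = negotiate(server_opts.get(s_key, "ACCEPTED"), client_opts.get(c_key, "ACCEPTED"))
        alg = None
        if state == SERVICE_ON:
            alg = pick_algorithm(server_opts.get(s_types, []), client_opts.get(c_types, []))
            if alg is None:
                state = CONNECT_FAILS  # service negotiated on, but no algorithm in common
        result[svc] = (state, alg)
    return result

# Constructed sample: an option group that enforces AES-256 with SHA-1 integrity, and a
# client sqlnet.ora that only ACCEPTS, which is enough because the server REQUIRES it.
RDS_OPTION_SETTINGS = {"SQLNET.ENCRYPTION_SERVER": "REQUIRED", "SQLNET.ENCRYPTION_TYPES_SERVER": ["AES256"],
                       "SQLNET.CRYPTO_CHECKSUM_SERVER": "REQUIRED", "SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER": ["SHA1"]}
CLIENT_SQLNET_ORA = {"SQLNET.ENCRYPTION_CLIENT": "ACCEPTED", "SQLNET.ENCRYPTION_TYPES_CLIENT": ["AES256", "3DES168"],
                     "SQLNET.CRYPTO_CHECKSUM_CLIENT": "ACCEPTED", "SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT": ["SHA1"]}
```

Running `check_connection({}, {})` shows the point worth remembering: with defaults on both sides the connection succeeds in cleartext, so set the server-side option to REQUIRED rather than relying on clients to ask.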
Enabling Transparent Data Encryption
You can choose to encrypt entire tablespaces or individual columns.
To enable Transparent Data Encryption, add the TDE option to an option group associated with the RDS DB Instance. Once you choose to enable this option for a DB Instance, it becomes permanent, and cannot be disabled.
This feature is available today and you can start using it now (I never get tired of typing that!).