Starting with Oracle Database 23ai, the default encryption algorithms and the encryption modes have changed.

Encryption algorithm changes:

• Encryption algorithm changes:
  • The default encryption algorithm for both TDE column encryption and TDE tablespace encryption is now AES256. The previous default for TDE column encryption was AES192. For TDE tablespace encryption, the default was AES128.
  • The decryption libraries for the GOST and SEED algorithms are deprecated. New keys cannot use these algorithms. The encryption libraries for both of these libraries are desupported. The GOST decryption libraries are desupported on HP Itanium platforms.
• The column encryption mode is now Galois/Counter mode (GCM) instead of cipher block chaining (CBC), and in tablespace encryption, you can choose between the new "tweakable block ciphertext stealing (XTS)" operating mode or cipher feedback (CFB). XTS is the default.
• The Oracle Recovery Manager (Oracle RMAN) integrity check for column encryption keys now uses SHA512 instead of SHA1.
• The keys for Oracle RMAN and column keys are now derived from SHA512/AES for key generation. In previous releases, they used SHA-1/3DES as a pseudo-random function.

These enhancements enable your Oracle Database environment to use the latest, most secure algorithms and encryption modes.

Starting with Oracle Database 23ai, Transparent Database Encryption (TDE) tablespace encryption supports Advanced Encryption Standard (AES) XTS (XEX-based mode with ciphertext stealing mode) in the CREATE TABLESPACE and ALTER TABLESPACE statements.

AES-XTS provides improved security and better performance, especially on platforms where TDE can take advantage of parallel processing and specialized instructions built into processor hardware.

Available with Oracle Database 23ai, Oracle Data Guard enables you to decrypt redo operations in hybrid cloud disaster recovery configurations where the Cloud database is encrypted with TDE and the on-premises database is not.

To enable this feature, Oracle Database introduces the TABLESPACE_ENCRYPTION initialization parameter, which enables you to control the automatic encryption of tablespaces in both the primary and standby databases, for on-premises and Oracle Cloud Infrastructure (OCI) environments. For example, an on-premises database can be unencrypted and an OCI database can be encrypted.

Hybrid disaster recovery is often considered a quick-stepping stone to cloud adoption. By enabling the ability to quickly configure disaster recovery even in cases where on-premises databases might not already be encrypted with TDE, the steps required to configure hybrid disaster recovery environments are reduced while still ensuring that redo data is still encrypted during the transportation process.

You now can use the DB_RECOVERY_AUTO_REKEY initialization parameter for Oracle Data Guard environments..

DB_RECOVERY_AUTO_REKEY controls whether an Oracle Data Guard standby database recovery operation automatically performs the corresponding tablespace rekey when it encounters a redo that says the primary database has performed a tablespace rekey operation. 

This feature is useful for standby deployments with large tablespaces whose users must perform an online TDE conversion.