Oracle Globally Distributed Database supports Transparent Data Encryption (TDE), but to successfully move chunks in a distributed database with TDE enabled, all of the shards must share and use the same encryption key for the encrypted tablespaces.

A distributed database consists of multiple independent databases and a shard catalog database. For TDE to work properly certain restrictions apply, especially when data is moved between shards. For chunk movement between shards to work when data is encrypted, you must ensure that all of the shards use the same encryption key.

There are two ways to accomplish this:

• Create and export an encryption key from the shard catalog, and then import and activate the key on all of the shards individually.

• Store the wallet in a shared location and have the shard catalog and all of the shards use the same wallet.

The following TDE statements are automatically propagated to shards when run on the shard catalog with shard DDL enabled:

• ALTER SYSTEM SET ENCRYPTION WALLET [OPEN|CLOSE] IDENTIFIED BY password

• ALTER SYSTEM SET ENCRYPTION KEY

• ADMINISTER KEY MANAGEMENT SET KEYSTORE [OPEN|CLOSE] IDENTIFIED BY password

• ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY password

• ADMINISTER KEY MANAGEMENT USE KEY IDENTIFIED BY password

• ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY password

Limitations

The following limitations apply to using TDE with Oracle Globally Distributed Database.

• For GDSCTL MOVE CHUNK to work, all of the shard database hosts must be on the same platform.

• MOVE CHUNK cannot use compression during data transfer, which may impact performance.

• Only encryption on the tablespace level is supported. Encryption on specific columns is not supported.

For more information about TDE see Introduction to Transparent Data Encryption