8 Data Encryption

Oracle encrypts data in transit and at rest and uses the Oracle Key Vault to secure keys.

Data In Transit

The Oracle Communications Security Shield Cloud Service (Security Shield) encrypts data in transit using TLS. See Security Shield Transport Layer Security.

Data At Rest

The Security Shield also provides encryption of data at rest. Data at rest is stored using Oracle Database as a Service (DBaaS). Oracle DBaaS provides the Transparent Data Encryption (TDE) feature to address security-related regulatory compliance requirements. TDE encrypts sensitive data stored in data files. To prevent unauthorized decryption, TDE stores the encryption keys in a security module external to the database, called a keystore. The Security Shield DBaaS is configured so that the tablespaces of each PDB are encrypted, using a TDE master encryption key with AES-256 encryption.

Oracle Key Vault

The Oracle Key Vault stores the Oracle-held keys and distributes them. Key rotation is implemented automatically on a scheduled basis (Oracle policy requires rotating keys at least annually).
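The TDE and Key Vault statements above can be verified from the database itself. The following SQL is an added example, not part of the Security Shield documentation or Oracle's own tooling; it assumes Oracle Database 12.2 or later, a session with SYSKM or SYSDBA privileges connected to the CDB root, and the standard dictionary views V$ENCRYPTION_WALLET, V$ENCRYPTED_TABLESPACES, V$TABLESPACE, DBA_TABLESPACES and V$ENCRYPTION_KEYS. It checks that the keystore is open and external, that every tablespace is encrypted with AES256, and that the active master key is younger than the annual rotation policy.

```sql
-- Added verification example (not from the Security Shield documentation).
-- Assumptions: Oracle Database 12.2+, run as SYSKM or SYSDBA from the CDB root.

-- 1. Keystore state. STATUS should be OPEN. WRL_TYPE reports where the
--    keystore lives: FILE means a local wallet on the database host, while a
--    keystore held in Oracle Key Vault is reported as HSM or OKV depending on
--    the release (assumption: confirm the value for your release).
SELECT con_id, wrl_type, wallet_type, keystore_mode, status
  FROM v$encryption_wallet
 ORDER BY con_id;

-- 2. Tablespace coverage per container. Any row with ENCRYPTED = 'NO'
--    contradicts the "every tablespace of each PDB is encrypted" statement
--    and should be investigated.
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 ORDER BY encrypted, tablespace_name;

-- 3. Algorithm in use. ENCRYPTIONALG is expected to be AES256 for every
--    encrypted tablespace; ENCRYPTEDTS = 'YES' confirms the tablespace
--    (not just individual columns) is encrypted.
SELECT e.con_id,
       t.name          AS tablespace_name,
       e.encryptionalg,
       e.encryptedts,
       e.status
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t
    ON t.ts#    = e.ts#
   AND t.con_id = e.con_id
 ORDER BY e.con_id, t.name;

-- 4. Master key age. The most recently activated key per container is the
--    current one; DAYS_ACTIVE > 365 means the annual rotation has not
--    happened and the automatic schedule needs checking.
SELECT con_id,
       key_id,
       activation_time,
       ROUND(SYSDATE - CAST(activation_time AS DATE)) AS days_active,
       CASE WHEN SYSDATE - CAST(activation_time AS DATE) > 365
            THEN 'ROTATION OVERDUE' ELSE 'OK' END      AS rotation_state
  FROM (
        SELECT k.con_id, k.key_id, k.activation_time,
               ROW_NUMBER() OVER (PARTITION BY k.con_id
                                  ORDER BY k.activation_time DESC) AS rn
          FROM v$encryption_keys k
       )
 WHERE rn = 1
 ORDER BY con_id;

-- 5. For reference, the statement that performs a manual rotation by creating
--    and activating a new master key (the existing keys stay in the keystore
--    so older data remains readable). The placeholder password is the keystore
--    credential; for a Key Vault-backed keystore supply the endpoint credential.
-- ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "<keystore-password>" WITH BACKUP;
```

Run the four SELECTs in order: an unexpected WRL_TYPE of FILE in step 1 means keys are not actually held externally, and a 'NO' in step 2 or a non-AES256 algorithm in step 3 means the at-rest protection described above is not fully in force for that container.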