Monday, December 17, 2018

Remove TDE online

 
One question came from a co-worker, was how to disable/remove TDE (at tablespace level) in Oracle database.
 
This blog post will make use the script provided in the earlier post for demonstration.
 
Though the documentation is not clear on disabling the TDE, thought it might worth a blog post to discuss that in detail here.
 
Starting with 12.2 and above, not only TDE can be done online, also the decryption can be done online.
 
demo@ORA12C> select tablespace_name,encrypted
  2  from dba_tablespaces
  3  where encrypted='YES';
 
TABLESPACE_NAME                ENC
------------------------------ ---
TS_CLEAR                       YES
 
demo@ORA12C> select owner,segment_name,segment_type
  2  from dba_segments
  3  where tablespace_name ='TS_CLEAR';
 
OWNER      SEGMENT_NAME                   SEGMENT_TYPE
---------- ------------------------------ ------------------
DEMO       T                              TABLE
DEMO       T_IDX                          INDEX
 
So got a tablespace TS_CLEAR with encryption enabled.
 
To remove the encryption, all we have to do is decrypt it.
 
demo@ORA12C> alter tablespace ts_clear
  2  encryption online
  3  decrypt
  4  file_name_convert = ( 'TS_CLEAR_ENC_01.dbf','TS_CLEAR_01.dbf'
  5     ,'TS_CLEAR_ENC_02.dbf','TS_CLEAR_02.dbf' );
 
Tablespace altered.
 
demo@ORA12C> select file_name
  2  from dba_data_files
  3  where tablespace_name ='TS_CLEAR' ;
 
FILE_NAME
----------------------------------------------------------
D:\APP\VNAMEIT\VIRTUAL\ORADATA\ORA12C\TS_CLEAR_01.DBF
D:\APP\VNAMEIT\VIRTUAL\ORADATA\ORA12C\TS_CLEAR_02.DBF
 
 
Post that no encryption is available at the tablespace level.
 
 
demo@ORA12C> select tablespace_name,encrypted
  2  from dba_tablespaces
  3  where encrypted ='YES';
 
no rows selected
 
 
Once decrypted, we can close the Key store safely and access the tables without any errors.
 
 
demo@ORA12C> conn syskm/Password-1@ora12c as SYSKM
Connected.
syskm@ORA12C> administer key management set keystore close identified by foobar;
 
keystore altered.
 
syskm@ORA12C> conn demo/demo@ora12c
Connected.
demo@ORA12C> select count(*) from t;
 
  COUNT(*)
----------
        47
 
demo@ORA12C>
 
 
So accessing the tables with wallet being closed, confirms that encryption is no more in place.
 
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)