Simplified TDE configuration in Oracle Database 23ai Free

Oracle recently released Database 23ai, taking over from Database 19c as the current Long Term Support Release. As part of the release the Database Free RPM, VM, and container image were updated to 23.4.0.24.05. Time to update the lab VM! I’m a great fan of Vagrant boxes and that’s exactly what I based my installation on.

I used my own Oracle Linux 9 base box, downloaded the Oracle Database Free RPM and installed it alongside the preinstall RPM. As you may know, the next step is to review the configuration file /etc/sysconfig/oracle-free-23ai.conf.

I was pleasantly surprised to see an option I must have failed to notice until now:

#This is a configuration file to setup the Oracle Database.
#It is used when running '/etc/init.d/oracle-free-23ai configure'.

# LISTENER PORT used Database listener, Leave empty for automatic port assignment
LISTENER_PORT=1521

# Character set of the database
CHARSET=AL32UTF8

# Database file directory
# If not specified, database files are stored under Oracle base/oradata
DBFILE_DEST=

# DB Domain name
DB_DOMAIN=

# Configure TDE
CONFIGURE_TDE=false

# Encrypt Tablespaces list, Leave empty for user tablespace alone or provide ALL for encrypting all tablespaces
# For specific tablespaces use SYSTEM:true,SYSAUX:false
ENCRYPT_TABLESPACES=

# SKIP Validations, memory, space
SKIP_VALIDATIONS=false

Have a look at line 18: CONFIGURE_TDE – how nice :) I immediately flipped that switch to true, and ran sudo /etc/init.d/oracle-free-23ai configure. And fair enough, the outcome matched my expectation:

Specify a password to be used for database accounts. Oracle recommends that the password entered 
should be at least 8 characters in length, contain at least 1 uppercase character, 1 lower case character
and 1 digit [0-9]. Note that the same password will be used for SYS, SYSTEM and PDBADMIN accounts:
Confirm the password:
Configuring Oracle Listener.
Listener configuration succeeded.
Configuring Oracle Database FREE.
Enter SYS user password: 
*******
Enter SYSTEM user password: 
*********
Enter PDBADMIN User Password: 
******
Enter password for the TDE wallet: 
*******
Prepare for db operation
7% complete
Copying database files
8% complete
29% complete
Creating and starting Oracle instance
30% complete
33% complete
36% complete
39% complete
43% complete
Completing Database Creation
47% complete
49% complete
50% complete
Creating Pluggable Databases
54% complete
71% complete
Executing Post Configuration Actions
93% complete
Running Custom Scripts
100% complete
Database creation complete. For details check the logfiles at:
 /opt/oracle/cfgtoollogs/dbca/FREE.
Database Information:
Global Database Name:FREE
System Identifier(SID):FREE
Look at the log file "/opt/oracle/cfgtoollogs/dbca/FREE/FREE.log" for further details.

Connect to Oracle Database using one of the connect strings:
     Pluggable database: oracle23aifree/FREEPDB1
     Multitenant container database: oracle23aifree

The database was indeed created with Transparent Data Encryption enabled:

SQLcl: Release 23.4 Production on Mon May 13 10:28:51 2024

Copyright (c) 1982, 2024, Oracle.  All rights reserved.

Connected to:
Oracle Database 23ai Free Release 23.0.0.0.0 - Develop, Learn, and Run for Free
Version 23.4.0.24.05

SQL> select wrl_parameter, status, wallet_type, keystore_mode, con_id from v$encryption_wallet;

WRL_PARAMETER                              STATUS    WALLET_TYPE    KEYSTORE_MODE       CON_ID 
__________________________________________ _________ ______________ ________________ _________ 
/opt/oracle/admin/FREE/wallet_root/tde/    OPEN      AUTOLOGIN      NONE                     1 
                                           OPEN      AUTOLOGIN      UNITED                   2 
                                           OPEN      AUTOLOGIN      UNITED                   3

If you wondered if the relevant tablespaces are encrypted, this might answer your question:

SQL> SELECT
  2      c.name          AS pdb_name,
  3      t.name          AS tbs_name,
  4      e.encryptionalg AS alg,
  5      e.status
  6  FROM
  7      v$tablespace            t,
  8      v$encrypted_tablespaces e,
  9      v$containers            c
 10  WHERE
 11      e.ts# = t.ts#
 12      AND e.con_id = t.con_id
 13      AND e.con_id = c.con_id
 14  ORDER BY
 15      e.con_id,
 16      t.name
 17* /

PDB_NAME    TBS_NAME    ALG       STATUS    
___________ ___________ _________ _________ 
CDB$ROOT    USERS       AES256    NORMAL    
FREEPDB1    SYSAUX      AES256    NORMAL    
FREEPDB1    SYSTEM      AES256    NORMAL    
FREEPDB1    USERS       AES256    NORMAL

Summary

Enabling TDE for Oracle Database Free 23.4.0.24.05 couldn’t be easier. Simply change a configuration parameter and create the database. This option saves me a lot of time and is greatly appreciated.