Convert non-encrypted tablespaces to encrypted

If your tablespaces are not encrypted, you can encrypt them online or offline. 

Encrypting your tablespace online requires space of twice the storage size of the tablespace.

If you are using Oracle Managed Files (OMF), you can perform this conversion without specifying file_name_convert parameter. Starting from Oracle 19c , file_name_convert is redundant.

To encrypt your tablespace:

1. Identify the files to be encrypted.

alter session set container=ORA19C_PDB01;

col tablespace_name for a50

col file_name for a70

select ts.tablespace_name, df.file_name from dba_tablespaces ts, dba_data_files df where ts.tablespace_name = df.tablespace_name ;

2. Check the encryption status.

select t.name,e.ENCRYPTIONALG,e.ENCRYPTEDTS,e.STATUS from V$ENCRYPTED_TABLESPACES e, v$tablespace t where t.ts#=e.ts#(+);

LOGMINER_TBS                    /u02/oradata/ORA19C/ora19c_pdb01/logminer_tbs.dbf

LOGMINER_TBS                    /u02/oradata/ORA19C/ora19c_pdb01/LOGMINER_TBS01.DBF

LOGMINER_LOB_TBS                /u02/oradata/ORA19C/logminer_lob_tbs.dbf

ALTER TABLESPACE users ENCRYPTION ONLINE USING 'aes256' ENCRYPT FILE_NAME_CONVERT = ('users01.dbf', 'users01_enc.dbf');

alter tablespace PERF_DATA encryption online using 'aes256' encrypt file_name_convert = ('perf_data_01.dbf','perf_data_01_enc.dbf','perf_data_02.dbf','perf_data_02_enc.dbf','perf_data_03.dbf','perf_data_03_enc.dbf','perf_data_04.dbf','perf_data_04_enc.dbf','perf_data_05.dbf','perf_data_05_enc.dbf');

ALTER TABLESPACE PERF_DATA ENCRYPTION ONLINE FINISH encrypt FILE_NAME_CONVERT = ('perf_data_01.dbf','perf_data_01_enc.dbf','perf_data_02.dbf','perf_data_02_enc.dbf','perf_data_03.dbf','perf_data_03_enc.dbf','perf_data_04.dbf','perf_data_04_enc.dbf','perf_data_05.dbf','perf_data_05_enc.dbf');

For Oracle Database 19c which no longer requires file_name_convert clause, enter the following:

ALTER TABLESPACE PERF_LOBS ENCRYPTION ONLINE USING 'aes256' ENCRYPT;

Notes

• It is a good practice to look in the alert log file to trace these operations.

• If for some reason the tablespace is not on normal mode (SELECT NAME, ENCRYPTIONALG ENCRYPTEDTS, STATUS FROM V$ENCRYPTED_TABLESPACES, V$TABLESPACE WHERE V$ENCRYPTED_TABLESPACES.TS# = V$TABLESPACE.TS#;) do this: 

ALTER TABLESPACE USERS ENCRYPTION ONLINE FINISH encrypt FILE_NAME_CONVERT = ('users01.dbf', 'users01_enc.dbf');

• The KEYSTORE_MODE column of the V$ENCRYPTION_WALLET dynamic view shows whether the united mode or isolated mode has been configured. If you want to change the database default encryption algorithm from AES128, then after you apply Oracle patch 30398099, you can set a dynamic initialization parameter by executing the following statement:

ALTER SYSTEM SET "_TABLESPACE_ENCRYPTION_DEFAULT_ALGORITHM" = 'AES256' SCOPE = BOTH SID = '*';

• For a new encrypted tablespace, do the following:

create tablespace TBLS3 datafile '/u01/app/oracle/admin/ora19c/tbls3.dbf' size 100M autoextend on maxsize unlimited encryption using 'aes256' encrypt;

You can also set the parameter encrypt_new_tablespaces to convert newly created tablespaces without manually specifying the encrypt clause.

show parameter encrypt

altersystem set encrypt_new_tablespaces='ALWAYS';