Online Tablespace Encryption in Oracle Data Guard 26ai | Complete Guide for Oracle DBAs
Encrypt tablespaces on Primary and Standby databases without downtime. A complete guide with all commands, architecture walkthrough, and expert DBA tips.
Overview & The Problem We're Solving
Encrypting an existing tablespace once meant creating a new encrypted tablespace and moving the data into it, or converting the datafiles offline, which is a painful requirement for 24x7 production systems with Data Guard standbys. Since Oracle Database 12.2, and unchanged in Oracle 26ai, online tablespace conversion lets a DBA encrypt, re-key or decrypt a tablespace with ALTER TABLESPACE ... ENCRYPTION ONLINE while it stays open for reads and writes. In a Data Guard configuration the conversion is logged as redo, so the Primary and its Standby databases end up encrypted with the same key without separate intervention on the Standby, provided the Standby's keystore is open and holds the same master key.
❌ Without online conversion (before 12.2)
- Data had to be moved into a new encrypted tablespace, or datafiles converted offline
- Application downtime, or at least tablespace unavailability, during the conversion
- Manual coordination between Primary and Standby (convert the Standby first, then switch over)
- No way to rotate a tablespace key in place
✅ With online tablespace encryption (12.2 through 26ai)
- Tablespace stays ONLINE throughout; blocks are rewritten into an encrypted copy of each datafile
- No application downtime, only extra I/O, redo and temporary disk space
- The conversion is shipped as redo and applied by every Standby automatically
- Active Data Guard keeps serving reads from the encrypted Standby (with its keystore open)
- Online re-keying with ENCRYPTION ONLINE ... REKEY
Architecture: How OTE Works in Data Guard
Online tablespace encryption rides on the normal Data Guard redo pipeline. On the Primary, the conversion rewrites each datafile of the tablespace into an encrypted copy, block by block, and the rewritten blocks are journaled as redo. Redo transport ships them to every Standby, where redo apply (MRP0) writes the encrypted blocks into the Standby's own datafiles, so both sides end up encrypted and consistent without the Standby ever reading the Primary's files. Apply can only process those blocks if the Standby's keystore is open with the same TDE master encryption key; otherwise redo apply stops with ORA-28365 (keystore not open) or ORA-28374 (master key not found in the keystore) until the keystore is fixed.
Key Components
| Component | Role in OTE | Notes |
|---|---|---|
| TDE (Transparent Data Encryption) | Encrypts data blocks on write, decrypts on read, using a per-tablespace key wrapped by the TDE master encryption key (MEK) | Required on both Primary and Standby |
| Oracle Key Vault (OKV) | Centralized keystore; Primary and Standby are separate OKV endpoints sharing one virtual wallet, so a new MEK is visible to the Standby as soon as it is created | Recommended for production |
| Software Keystore | Local wallet under WALLET_ROOT/tde; must be copied to every Standby after each MEK change | Default, file-based |
| MRP0 (Managed Recovery Process) | Applies the conversion redo on the Standby | Needs the keystore open with the same MEK |
| ALTER TABLESPACE ... ENCRYPTION ONLINE | DDL that starts an online ENCRYPT, REKEY or DECRYPT | The only interface for online conversion; there is no PL/SQL package for it |
| V$ENCRYPTED_TABLESPACES | Per-tablespace algorithm, key version, STATUS (NORMAL / ENCRYPTING / DECRYPTING / REKEYING) and block counters | Join with V$TABLESPACE for the name |
Prerequisites & Setup
Before running an online conversion, validate the environment on every database in the configuration. If the keystore is not open with the same master key on a Standby, the conversion still succeeds on the Primary, but redo apply on that Standby stops as soon as it reaches the conversion redo; there is no fallback to an offline conversion.
Step 1: Verify Oracle Version & TDE Enablement
```sql
-- Confirm the version (online conversion needs 12.2 or later; this guide targets 26ai)
SELECT banner_full FROM v$version;

-- Check the TDE-related parameters
SELECT name, value
FROM   v$parameter
WHERE  name IN ('encrypt_new_tablespaces', 'wallet_root',
                'tde_configuration', 'tablespace_encryption_default_algorithm');

-- Verify Data Guard role and protection mode (run on every database in the configuration)
SELECT name, db_unique_name, protection_mode, open_mode, database_role
FROM   v$database;
```
Step 2: Configure the Keystore (Software Wallet)
```sql
-- Set WALLET_ROOT (static parameter: needs a restart; use a literal path that exists on this host)
ALTER SYSTEM SET wallet_root = '/etc/oracle/wallets/<db_unique_name>' SCOPE=SPFILE;
-- restart the instance here

-- Select a software keystore; it lives under WALLET_ROOT/tde.
-- PDBs default to united mode, i.e. they share the CDB keystore.
ALTER SYSTEM SET tde_configuration = 'KEYSTORE_CONFIGURATION=FILE' SCOPE=BOTH;

-- Create the password-protected keystore (the location is derived from WALLET_ROOT)
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "<WalletPassword>";

-- Open it in the CDB root and all PDBs
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<WalletPassword>" CONTAINER=ALL;

-- Create and activate the TDE master encryption key (MEK); WITH BACKUP copies the keystore first
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "<WalletPassword>" WITH BACKUP CONTAINER=ALL;
```
Step 3: Configure Oracle Key Vault (Recommended for Production)
```sql
-- Use OKV with a local FILE cache of the key (OKV|FILE). Register the Primary and every
-- Standby as OKV endpoints that share the same virtual wallet before switching over.
ALTER SYSTEM SET tde_configuration = 'KEYSTORE_CONFIGURATION=OKV|FILE' SCOPE=BOTH;

-- Open the OKV keystore with the endpoint password; once a secure external password
-- store is configured under WALLET_ROOT/tde_seps, IDENTIFIED BY EXTERNAL STORE replaces it
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<OKVEndpointPassword>" CONTAINER=ALL;

-- Confirm which MEK is active and which database created and activated it;
-- run on the Primary and on each Standby and compare KEY_ID
SELECT key_id, keystore_type, creator_dbname, activating_dbname,
       creation_time, activation_time
FROM   v$encryption_keys
ORDER  BY activation_time DESC;
```
Step 4: Open Keystore on Standby
```sql
-- Software keystore: copy ewallet.p12 (and cwallet.sso, unless it is a LOCAL auto-login
-- keystore, which is bound to the Primary host) from the Primary's WALLET_ROOT/tde into
-- the Standby's WALLET_ROOT/tde first, then open it on the Standby:
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<WalletPassword>" CONTAINER=ALL;

-- Verify keystore status on the Standby (STATUS must be OPEN, not OPEN_NO_MASTER_KEY)
SELECT wrl_type, wrl_parameter, status, wallet_type, keystore_mode, con_id
FROM   v$encryption_wallet;

-- Confirm the Standby holds the same MEK as the Primary: KEY_ID must match on both sides
SELECT key_id, activation_time
FROM   v$encryption_keys
ORDER  BY activation_time DESC;

-- On the Primary: confirm redo transport to every Standby is healthy before converting anything
SELECT dest_id, db_unique_name, status, type, error
FROM   v$archive_dest_status
WHERE  status <> 'INACTIVE';
```
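The wallet copy in Step 4 is the step people get wrong in a Data Guard configuration, and it has to be repeated after every MEK rotation. The script below is an added example, not code from the original page or from Oracle: it copies a software keystore from the Primary's WALLET_ROOT to a Standby's WALLET_ROOT and proves the copy is intact before you open it there. It assumes the standard WALLET_ROOT/tde layout with ewallet.p12 and an optional cwallet.sso, and that the Standby wallet directory is reachable as a local path (an NFS mount, or a staging directory you then push with scp -p). The COPY_SSO switch and the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example: sync a TDE software keystore from Primary to Standby and verify it.
# Not from the original page or from Oracle. Assumes WALLET_ROOT/tde layout.
set -eu

# wallet_fingerprint <wallet_root>
# Prints "<crc> <size>" of the password keystore without the file name, so the
# output can be compared between hosts (run it on Primary and Standby).
wallet_fingerprint() {
  cksum "$1/tde/ewallet.p12" | awk '{print $1, $2}'
}

# sync_tde_wallet <primary_wallet_root> <standby_wallet_root>
# Copies ewallet.p12 (and cwallet.sso only when COPY_SSO=1, because a LOCAL
# auto-login keystore is bound to the Primary host and must not be copied),
# restricts permissions to the owner, and verifies every copy byte for byte.
# Returns 1 if the source keystore is missing, 2 if a copy fails verification.
sync_tde_wallet() {
  local src="$1/tde" dst="$2/tde" f
  if [ ! -f "$src/ewallet.p12" ]; then
    echo "no password keystore at $src/ewallet.p12" >&2
    return 1
  fi
  mkdir -p "$dst"
  chmod 700 "$dst"
  for f in ewallet.p12 cwallet.sso; do
    [ -f "$src/$f" ] || continue
    if [ "$f" = cwallet.sso ] && [ "${COPY_SSO:-0}" != 1 ]; then
      echo "skipping $f (set COPY_SSO=1 only for a non-LOCAL auto-login keystore)" >&2
      continue
    fi
    cp -p "$src/$f" "$dst/$f"
    chmod 600 "$dst/$f"
    if ! cmp -s "$src/$f" "$dst/$f"; then
      echo "verification failed for $f" >&2
      return 2
    fi
  done
  echo "keystore synced, fingerprint: $(wallet_fingerprint "$2")"
  return 0
}

# Usage: ./sync_tde_wallet.sh /etc/oracle/wallets/PRIMARY /mnt/standby/wallets/STANDBY
if [ "$#" -eq 2 ]; then
  sync_tde_wallet "$1" "$2"
fi
```

After the copy, open the keystore on the Standby and compare wallet_fingerprint output on both hosts; a mismatch means the Standby will stop applying redo with ORA-28374 as soon as the Primary uses the new key. The ewallet.p12 file is only as safe as its permissions, so the script forces 0600 on the copy rather than trusting whatever mode the transfer preserved.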
Performing Online Tablespace Encryption
With the keystore open on the Primary and every Standby, you can encrypt a tablespace without taking it offline. Check free space first: online conversion writes an encrypted copy of each datafile and then swaps it in, so the tablespace's location needs free space at least equal to its largest datafile (the FILE_NAME_CONVERT clause of the statement places the copies elsewhere). TEMP cannot be converted online; drop it and recreate it encrypted instead.
When you run ALTER TABLESPACE ... ENCRYPTION ONLINE ... ENCRYPT, the rewritten blocks are logged as redo. Redo apply (MRP0) on the Standby writes them into the Standby's own datafiles, so the Standby's copy of the tablespace ends up encrypted with the same key without anyone re-reading the Primary's datafiles or running the DDL on the Standby.
Method 1: Encrypt with ALTER TABLESPACE (the DDL)
```sql
-- Online tablespace encryption: the tablespace stays open for reads and writes.
-- Name the algorithm explicitly; otherwise the default comes from
-- TABLESPACE_ENCRYPTION_DEFAULT_ALGORITHM. The optional FILE_NAME_CONVERT clause
-- places the temporary encrypted copies on another filesystem.
ALTER TABLESPACE users ENCRYPTION ONLINE USING 'AES256' ENCRYPT;

-- AES128 only if an existing policy pins it
ALTER TABLESPACE apps_data ENCRYPTION ONLINE USING 'AES128' ENCRYPT;

-- SYSAUX and UNDO can be converted online as well; issue one statement per tablespace
ALTER TABLESPACE sysaux   ENCRYPTION ONLINE USING 'AES256' ENCRYPT;
ALTER TABLESPACE undotbs1 ENCRYPTION ONLINE USING 'AES256' ENCRYPT;
```
Method 2: Offline Conversion (when online is not an option)
There is no PL/SQL API for tablespace encryption: DBMS_SPACE_ADMIN has no encryption procedures, and ALTER TABLESPACE is the only interface. The alternative to ONLINE is OFFLINE conversion, which encrypts the datafiles in place and needs no extra disk space, but requires the tablespace to be offline (for SYSTEM, SYSAUX and UNDO, the whole database in MOUNT state). In a Data Guard configuration its classic use is to convert the Standby while the Primary keeps running, then switch over and convert the former Primary.
```sql
-- Offline conversion: the tablespace is unavailable while it runs
ALTER TABLESPACE users OFFLINE NORMAL;
ALTER TABLESPACE users ENCRYPTION OFFLINE USING 'AES256' ENCRYPT;
ALTER TABLESPACE users ONLINE;
```
Monitor Encryption Progress in Real-Time
```sql
-- Progress of an online conversion. V$ENCRYPTED_TABLESPACES has no percentage
-- column; STATUS shows the phase and BLOCKS_ENCRYPTED / BLOCKS_DECRYPTED count
-- the blocks processed so far. Join V$TABLESPACE for the name.
SELECT ts.name AS tablespace_name,
       et.status,            -- NORMAL, ENCRYPTING, DECRYPTING or REKEYING
       et.encryptedts,       -- YES once the tablespace is encrypted
       et.encryptionalg,
       et.key_version,
       et.blocks_encrypted,
       et.blocks_decrypted,
       et.con_id
FROM   v$encrypted_tablespaces et
JOIN   v$tablespace ts ON ts.ts# = et.ts# AND ts.con_id = et.con_id
ORDER  BY ts.name;

-- The conversion runs in the session that issued the DDL; find it and its wait event
SELECT sid, serial#, username, sql_id, event, state, seconds_in_wait
FROM   v$session
WHERE  sql_id IN (SELECT sql_id FROM v$sql
                  WHERE UPPER(sql_text) LIKE 'ALTER TABLESPACE%ENCRYPTION ONLINE%');

-- Datafile-level view: every datafile of the tablespace should report the same algorithm
SELECT df.file#, df.name, ts.name AS tablespace_name, et.encryptionalg, et.encryptedts
FROM   v$datafile df
JOIN   v$tablespace ts            ON ts.ts# = df.ts# AND ts.con_id = df.con_id
JOIN   v$encrypted_tablespaces et ON et.ts# = df.ts# AND et.con_id = df.con_id
ORDER  BY ts.name, df.file#;
```
The conversion is finished when STATUS returns to NORMAL and ENCRYPTEDTS = 'YES' (DBA_TABLESPACES.ENCRYPTED also reads YES). The Standby should show the same within its apply lag; if it still reports ENCRYPTING long after the Primary is NORMAL, check redo apply.
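Since the view exposes block counters rather than a percentage, a progress figure has to be derived. The query below is an added example, not code from the original page or from Oracle: it divides the counter for the running phase by the tablespace's total blocks from V$DATAFILE. It assumes BLOCKS_ENCRYPTED and BLOCKS_DECRYPTED count blocks processed by the current operation, so treat the result as an estimate.

```sql
-- Added example (not from the original page): estimate online conversion progress.
-- Assumption: BLOCKS_ENCRYPTED / BLOCKS_DECRYPTED count blocks processed so far by
-- the running operation, so the ratio is an estimate, not an exact figure.
SELECT ts.name                                  AS tablespace_name,
       et.status,
       et.encryptionalg,
       CASE et.status
         WHEN 'DECRYPTING' THEN et.blocks_decrypted
         ELSE et.blocks_encrypted
       END                                      AS blocks_done,
       df.total_blocks,
       ROUND(100 * CASE et.status
                     WHEN 'DECRYPTING' THEN et.blocks_decrypted
                     ELSE et.blocks_encrypted
                   END / NULLIF(df.total_blocks, 0), 1) AS pct_done_estimate
FROM   v$encrypted_tablespaces et
JOIN   v$tablespace ts
       ON ts.ts# = et.ts# AND ts.con_id = et.con_id
JOIN  (SELECT ts#, con_id, SUM(blocks) AS total_blocks
       FROM   v$datafile
       GROUP  BY ts#, con_id) df
       ON df.ts# = et.ts# AND df.con_id = et.con_id
WHERE  et.status <> 'NORMAL'          -- only tablespaces with a conversion in flight
ORDER  BY ts.name;
```

Run it from the CDB root so every container is covered; a tablespace that stays at the same blocks_done across two runs is stalled, and the session query above tells you what it is waiting on.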
Online Re-Keying
There are two different keys to rotate. ALTER TABLESPACE ... ENCRYPTION ONLINE ... REKEY rotates the tablespace's own encryption key: every block is rewritten, and the rewrite is shipped to the Standby as redo, just like an encryption. ADMINISTER KEY MANAGEMENT SET KEY rotates the TDE master encryption key (MEK) that wraps the tablespace keys; this changes the keystore, not the redo stream. With a software keystore the updated wallet must therefore be copied to every Standby as soon as the MEK is rotated, otherwise redo apply on the Standby stops with ORA-28374 (typed master key not found in wallet) the moment it needs the new key. With OKV the new MEK is in the shared virtual wallet immediately. Scheduled rotation of both keys is what PCI DSS and similar policies expect, and both operations are online.
```sql
-- Rotate the tablespace key online (rewrites every block; shipped to the Standby as redo)
ALTER TABLESPACE users ENCRYPTION ONLINE USING 'AES256' REKEY;

-- Rotate the TDE master encryption key for the CDB root and all PDBs.
-- FORCE KEYSTORE lets this run even if only the auto-login keystore is open;
-- WITH BACKUP USING names the keystore backup taken first.
ADMINISTER KEY MANAGEMENT SET KEY
  FORCE KEYSTORE IDENTIFIED BY "<WalletPassword>"
  WITH BACKUP USING 'pre_rekey_backup'
  CONTAINER=ALL;
-- Software keystore only: now copy WALLET_ROOT/tde/ewallet.p12 (and cwallet.sso) to every Standby

-- Monitor a tablespace re-key: STATUS = REKEYING while it runs, KEY_VERSION moves on when it finishes
SELECT ts.name AS tablespace_name, et.status, et.encryptionalg, et.key_version, et.masterkeyid
FROM   v$encrypted_tablespaces et
JOIN   v$tablespace ts ON ts.ts# = et.ts# AND ts.con_id = et.con_id
WHERE  et.status <> 'NORMAL' OR ts.name = 'USERS'
ORDER  BY ts.name;
```
Verifying Standby Encryption Status
After starting a conversion on the Primary, verify that the Standby has applied the conversion redo and that both sides agree on state, algorithm and master key.
```sql
-- On the STANDBY: conversion state per tablespace (should match the Primary once apply catches up)
SELECT ts.name AS tablespace_name, et.status, et.encryptedts, et.encryptionalg,
       et.key_version, et.masterkeyid
FROM   v$encrypted_tablespaces et
JOIN   v$tablespace ts ON ts.ts# = et.ts# AND ts.con_id = et.con_id
ORDER  BY ts.name;

-- On BOTH sides: the active MEK must have the same KEY_ID
SELECT key_id, activation_time, creator_dbname, activating_dbname
FROM   v$encryption_keys
ORDER  BY activation_time DESC
FETCH FIRST 1 ROW ONLY;

-- On the STANDBY: redo apply and transport processes (MRP0 should be APPLYING_LOG)
SELECT process, status, sequence#, delay_mins, block#, blocks
FROM   v$managed_standby
WHERE  process IN ('MRP0', 'RFS');

-- On the STANDBY: recent keystore-related alert log entries
-- (ORA-28365 or ORA-28374 here means the keystore is closed or lacks the current MEK)
SELECT originating_timestamp, message_text
FROM   v$diag_alert_ext
WHERE  message_text LIKE '%ORA-28365%' OR message_text LIKE '%ORA-28374%'
   OR  message_text LIKE '%keystore%'  OR message_text LIKE '%wallet%'
ORDER  BY originating_timestamp DESC
FETCH FIRST 20 ROWS ONLY;
```
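Comparing the two sides by eye works for one tablespace; for a whole CDB it is better to let the database do the diff. The query below is an added example, not code from the original page or from Oracle. It runs on the Primary and assumes a database link named STBY pointing at the Active Data Guard standby (which must be open read-only for the link to work); the link name and the sync_state labels are this example's own.

```sql
-- Added example (not from the original page): list every tablespace whose encryption
-- state on the Standby differs from the Primary. Assumes a database link STBY to the
-- read-only Standby; the label texts are this example's own.
WITH prim AS (
  SELECT ts.name, et.con_id, et.status, et.encryptedts, et.encryptionalg,
         RAWTOHEX(et.masterkeyid) AS mek
  FROM   v$encrypted_tablespaces et
  JOIN   v$tablespace ts ON ts.ts# = et.ts# AND ts.con_id = et.con_id
), stby AS (
  SELECT ts.name, et.con_id, et.status, et.encryptedts, et.encryptionalg,
         RAWTOHEX(et.masterkeyid) AS mek
  FROM   v$encrypted_tablespaces@stby et
  JOIN   v$tablespace@stby ts ON ts.ts# = et.ts# AND ts.con_id = et.con_id
)
SELECT COALESCE(p.name, s.name)     AS tablespace_name,
       COALESCE(p.con_id, s.con_id) AS con_id,
       p.status       AS primary_status,    s.status       AS standby_status,
       p.encryptedts  AS primary_encrypted, s.encryptedts  AS standby_encrypted,
       p.mek          AS primary_mek,       s.mek          AS standby_mek,
       CASE
         WHEN s.name IS NULL                                   THEN 'MISSING ON STANDBY'
         WHEN p.name IS NULL                                   THEN 'MISSING ON PRIMARY'
         WHEN NVL(p.mek, '-') <> NVL(s.mek, '-')               THEN 'MEK MISMATCH: copy keystore to standby'
         WHEN p.status = 'NORMAL' AND s.status <> 'NORMAL'     THEN 'PENDING: standby still applying'
         WHEN p.encryptedts <> s.encryptedts
           OR p.encryptionalg <> s.encryptionalg               THEN 'DIVERGED: check redo gaps'
         ELSE 'IN SYNC'
       END AS sync_state
FROM   prim p
FULL OUTER JOIN stby s ON s.name = p.name AND s.con_id = p.con_id
WHERE  p.name IS NULL OR s.name IS NULL
   OR  p.status <> s.status
   OR  p.encryptedts <> s.encryptedts
   OR  p.encryptionalg <> s.encryptionalg
   OR  NVL(p.mek, '-') <> NVL(s.mek, '-')
ORDER  BY 1, 2;
```

An empty result means the two sides agree. PENDING rows are normal while apply lag is non-zero; a MEK MISMATCH row after a key rotation means the keystore copy to the Standby was skipped and redo apply is about to fail with ORA-28374, so fix it before the Standby needs the key.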
Online Decryption (Reverting Encryption)
If needed, online decryption removes encryption from a tablespace without downtime. Remember that the blocks on disk become plaintext again on the Primary and, via redo, on every Standby; RMAN backups taken while the tablespace was encrypted remain encrypted and still need the keystore.
```sql
-- Online decryption: the tablespace stays available
ALTER TABLESPACE users ENCRYPTION ONLINE DECRYPT;

-- Verify: STATUS returns to NORMAL and the tablespace shows ENCRYPTEDTS = 'NO'
-- (or disappears from V$ENCRYPTED_TABLESPACES); DBA_TABLESPACES.ENCRYPTED reads NO
SELECT ts.name, et.status, et.encryptedts, et.blocks_decrypted
FROM   v$encrypted_tablespaces et
JOIN   v$tablespace ts ON ts.ts# = et.ts# AND ts.con_id = et.con_id
WHERE  ts.name = 'USERS';

SELECT tablespace_name, encrypted FROM dba_tablespaces WHERE tablespace_name = 'USERS';
```
Troubleshooting Common Issues
| Error / Symptom | Likely Cause | Resolution |
|---|---|---|
| ORA-28365: wallet is not open | Keystore not open on the Primary (the DDL fails) or on the Standby (redo apply stops) | Run ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN on the affected database; configure an auto-login keystore so it survives restarts |
| ORA-28374: typed master key not found in wallet (Standby alert log, apply stopped) | MEK was rotated on the Primary and the software keystore was not copied to the Standby | Copy ewallet.p12 (and cwallet.sso) from the Primary's WALLET_ROOT/tde, reopen the keystore, restart redo apply |
| Conversion fails with a space error | Online conversion writes an encrypted copy of each datafile and needs free space equal to the largest one | Free space or use FILE_NAME_CONVERT to place the copies elsewhere; if no extra space is possible, use offline conversion |
| Encryption runs but is very slow | I/O bound: every block is read, encrypted and written, and the rewrite is also shipped as redo to every Standby | Check the issuing session's wait events in v$session / v$session_wait; schedule in a low-activity window; watch transport lag |
| Standby STATUS still ENCRYPTING after the Primary is NORMAL | Redo apply lag or stopped apply | Check apply lag in v$dataguard_stats and MRP0 in v$managed_standby; look for ORA-28365 / ORA-28374 in the Standby alert log |
| Standby ENCRYPTEDTS or MASTERKEYID differs from the Primary | Redo gap or keystore mismatch | Compare KEY_ID in v$encryption_keys on both sides; check v$archive_gap |
```sql
-- Data Guard transport and apply lag (run on the Standby)
SELECT name, value, unit, time_computed
FROM   v$dataguard_stats
WHERE  name IN ('transport lag', 'apply lag');

-- Wait events of sessions running a conversion, and what (if anything) blocks them
SELECT w.sid AS waiter, w.event, w.seconds_in_wait, b.sid AS blocker, b.sql_id AS blocker_sql
FROM   v$session w
LEFT JOIN v$session b ON b.sid = w.blocking_session
WHERE  w.sql_id IN (SELECT sql_id FROM v$sql
                    WHERE UPPER(sql_text) LIKE 'ALTER TABLESPACE%ENCRYPTION%');

-- Archive gaps on the Standby
SELECT thread#, low_sequence#, high_sequence# FROM v$archive_gap;
```
Best Practices & DBA Tips
Always Use AES256
Use AES256 for every new conversion unless an existing policy pins AES128, and set TABLESPACE_ENCRYPTION_DEFAULT_ALGORITHM to 'AES256' so that newly created tablespaces get it without anyone naming it. AES-256 is the FIPS 197 algorithm; FIPS 140 validation is a property of the cryptographic module, not of the algorithm. Do not use 3DES168 for new deployments: NIST has deprecated triple DES.
Encrypt During Low-Activity Windows
Even though the conversion is "online", it reads, encrypts and rewrites every block of the tablespace, and each rewritten block is also logged as redo and shipped to every Standby. Schedule it in a low-activity window to limit I/O contention and transport lag, and monitor BLOCKS_ENCRYPTED in v$encrypted_tablespaces together with 'transport lag' and 'apply lag' in v$dataguard_stats.
Back Up Before Encrypting
Take an RMAN backup of the tablespace before starting, so you have a clean pre-encryption baseline. Back up the keystore as well, and treat that backup as the more important one: every backup taken after encryption is unreadable without the MEK. ADMINISTER KEY MANAGEMENT ... WITH BACKUP writes a copy next to the live keystore, so also take a copy to a location separate from the database host and from the RMAN backups themselves.
Use Oracle Key Vault for Production
A software keystore has to be copied to every Standby by hand after the initial SET KEY and after each MEK rotation, and a missed copy stops redo apply. OKV removes that step: Primary and Standby are endpoints of one virtual wallet, key access is audited centrally, and HSM integration is available. Use it for production Data Guard configurations.
Enable Auto-Login Wallet for CDB
To prevent startup failures after a restart, create an auto-login keystore (ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "<WalletPassword>"; the location is taken from WALLET_ROOT). The keystore then opens automatically and MRP0 keeps applying redo without DBA intervention. Two caveats: an auto-login keystore is protected only by filesystem permissions on cwallet.sso, so lock down WALLET_ROOT; and a LOCAL AUTO_LOGIN keystore is bound to the host that created it, so create it on each Standby from the copied ewallet.p12 rather than copying cwallet.sso from the Primary.
Quick Reference: All Commands
```sql
-- ============================================================
-- ONLINE TABLESPACE ENCRYPTION IN DATA GUARD: QUICK REFERENCE
-- ============================================================
-- 1. SETUP: wallet root (restart required) + software keystore
ALTER SYSTEM SET wallet_root = '/oracle/wallets/<db_unique_name>' SCOPE=SPFILE;
ALTER SYSTEM SET tde_configuration = 'KEYSTORE_CONFIGURATION=FILE' SCOPE=BOTH;

-- 2. KEYSTORE: create, open, activate the MEK (on the Primary)
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "<WalletPassword>";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<WalletPassword>" CONTAINER=ALL;
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "<WalletPassword>" WITH BACKUP CONTAINER=ALL;
-- then copy WALLET_ROOT/tde/ewallet.p12 to every Standby and run SET KEYSTORE OPEN there

-- 3. ENCRYPT: online, tablespace stays available
ALTER TABLESPACE <ts_name> ENCRYPTION ONLINE USING 'AES256' ENCRYPT;

-- 4. MONITOR: STATUS leaves NORMAL while a conversion runs
SELECT ts.name, et.status, et.encryptedts, et.blocks_encrypted, et.blocks_decrypted
FROM   v$encrypted_tablespaces et
JOIN   v$tablespace ts ON ts.ts# = et.ts# AND ts.con_id = et.con_id;

-- 5. REKEY: tablespace key (online, via redo) and MEK (keystore; re-copy to Standbys if file-based)
ALTER TABLESPACE <ts_name> ENCRYPTION ONLINE USING 'AES256' REKEY;
ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE IDENTIFIED BY "<WalletPassword>" WITH BACKUP CONTAINER=ALL;

-- 6. DECRYPT: online
ALTER TABLESPACE <ts_name> ENCRYPTION ONLINE DECRYPT;

-- 7. VERIFY on the Standby: same STATUS / ENCRYPTEDTS as the Primary, same KEY_ID
SELECT key_id, activation_time FROM v$encryption_keys ORDER BY activation_time DESC;

-- 8. AUTO-LOGIN keystore (opens without a password after a restart; protect the file)
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "<WalletPassword>";
```