Enable Oracle TDE for Production Databases with no Downtime

Oracle now offers offline, in-place conversion of data files to TDE. If you have a Data Guard standby in place for your production database, you can encrypt the production database with TDE with minimum downtime. This feature is only available for Oracle Database versions 11.2.0.4 and 12.1.0.2, and you need to apply patch 23315889 to enable it. Once installed, the patch enables offline, in-place TDE conversion of data files at a Data Guard standby with a DDL command, instead of having to reload the data, which can be time consuming, tedious, and in some cases complex.

This feature is very important if you have a huge production database requiring 24/7 availability, where both unplanned outages and planned downtime are a significant concern. It is also important to note that if you are planning to move your production database to a public cloud, you might be required to encrypt it.

You can easily encrypt a production database that has a standby, with no downtime, using the following 10 steps:

  1. Make sure primary and standby databases are in sync.
  2. Create the encryption wallet, and set the master key.
  3. Copy the wallet files to all nodes in the configuration (Oracle RAC primary nodes and all standby nodes).
  4. Place the standby in a mounted state with recovery stopped.
  5. On the standby: Encrypt data files in-place and in parallel.
  6. On the standby: Restart redo apply and catch up.
  7. Execute a Data Guard switchover making the encrypted standby the new primary and the unencrypted primary the new standby.
  8. On the NEW standby: Place the new standby database in a mounted state with recovery stopped.
  9. On the NEW standby: Encrypt data files in-place and in parallel.
  10. On the NEW standby: Restart redo apply and catch up.
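
The standby-side half of the procedure (steps 1 to 6) as SQL*Plus commands. This is an added example, not part of the original post. It assumes 12.1.0.2 keystore syntax with patch 23315889 applied, and every value in `<...>` (wallet directory, password, data file paths) is a placeholder.

```sql
-- Added example. Values in <...> are placeholders, not real paths or secrets.

-- Step 1 (standby): confirm transport and apply lag before starting.
SELECT name, value
  FROM v$dataguard_stats
 WHERE name IN ('transport lag', 'apply lag');

-- Step 2 (primary): create the keystore (wallet), open it, set the master key.
-- <wallet_dir> must match ENCRYPTION_WALLET_LOCATION in sqlnet.ora.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '<wallet_dir>'
  IDENTIFIED BY "<keystore_password>";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "<keystore_password>";
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "<keystore_password>" WITH BACKUP;

-- Step 3 (OS level, outside SQL*Plus): copy the wallet files to the same
-- location on every RAC node and standby host over an encrypted channel,
-- and keep the directory readable only by the Oracle software owner.

-- Step 4 (standby): stop redo apply and leave the database mounted.
ALTER DATABASE RECOVER MANAGED STANDBY DATABASE CANCEL;
-- Only if the standby was open read-only:
SHUTDOWN IMMEDIATE
STARTUP MOUNT

-- The copied keystore has to be open on the standby before encrypting.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "<keystore_password>";
SELECT wrl_parameter, status FROM v$encryption_wallet;  -- continue only if OPEN

-- Step 5 (standby): one DDL statement per data file. For parallelism, run
-- different files from separate SQL*Plus sessions at the same time.
ALTER DATABASE DATAFILE '<datafile_path_1>' ENCRYPT;
ALTER DATABASE DATAFILE '<datafile_path_2>' ENCRYPT;

-- List the tablespaces the instance now reports as encrypted.
SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;

-- Step 6 (standby): restart redo apply and watch the lag drain.
ALTER DATABASE RECOVER MANAGED STANDBY DATABASE DISCONNECT FROM SESSION;
SELECT name, value FROM v$dataguard_stats WHERE name = 'apply lag';

-- Step 7 is the switchover; steps 8 to 10 repeat steps 4 to 6 on the
-- new standby (the former primary).
```

Take a backup of the wallet directory before the switchover: once data files are encrypted, losing the master key makes them unrecoverable.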