11i: Transparent Data Encryption Certified with Oracle Applications

Oracle has certified Oracle 10g (10.2.0.2) Transparent Data Encryption (TDE) with Oracle Applications 11i -- TDE is part of the Oracle Advanced Security Option (ASO), which is a database option and is an additional cost.

TDE allows you to selectively encrypt a column as it is stored on disk.  All database users with permissions on the table and column see the unencrypted value, but the data is encrypted in the data files, redo logs, archive logs, and backups.  The encryption key is stored in the Oracle Wallet on the file system, which must not be included in any backups.  If a backup tape, data file, or storage media is stolen or lost, the data cannot be accessed without the encryption key stored in the Oracle Wallet.

Oracle Metalink Note ID 403294.1 has instructions for the requirements, limitations, and configuration of TDE with 11i.  Oracle RDBMS 10.2.0.2 is required, so TDE can only be used with 11.5.9 and up.  Patch 5693160 provides a nice FND SQL script that analyzes whether an Oracle Applications column may be encrypted.

TDE impacts performance in two ways: (1) there is overhead associated with the encryption and decryption, and (2) the encrypted column cannot be indexed, so some SQL statements may result in a full table scan after the change.  Organizations most likely will want to use TDE for national identifiers (e.g., social security numbers, driver license numbers), credit card numbers, and bank account numbers.  A number of these columns are indexed, so application performance needs to be thoroughly tested prior to implementing TDE in a production environment.
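As an added example (not from the post, from Oracle's note, or from the FND script), these are the SQL*Plus steps that carry out the flow described above on a constructed demo table: wallet location, master key, a pre-check for indexes on the candidate column, the encryption itself, and verification. The wallet directory, the password and the table are assumptions; an EBS column would be vetted with the Patch 5693160 script and Note 403294.1 instead.

```sql
-- sqlnet.ora on the database server (directory is an assumption for this example):
--   ENCRYPTION_WALLET_LOCATION =
--     (SOURCE = (METHOD = FILE)
--               (METHOD_DATA = (DIRECTORY = /u01/app/oracle/admin/PROD/wallet)))
-- This directory holds the master key: keep it out of the backups that hold
-- the data files, redo, archive logs and RMAN sets.

-- 1. Create the wallet and the master encryption key (run once as SYSDBA).
--    The password is a placeholder; pick a real one and vault it.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet_password_placeholder";

-- After each instance restart the wallet must be opened before encrypted
-- columns can be read or written (a closed wallet raises an error, not plaintext).
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet_password_placeholder";

-- 2. Constructed demo table standing in for an application table that holds a
--    national identifier (not an EBS table).
CREATE TABLE demo_person (
  person_id   NUMBER PRIMARY KEY,
  full_name   VARCHAR2(100),
  national_id VARCHAR2(20)
);

-- 3. Pre-check: is the candidate column indexed? Any row returned means the
--    column cannot be encrypted as-is and the SQL that relied on the index
--    needs performance testing, as the post explains. Expect no rows here.
SELECT index_name, column_position
  FROM user_ind_columns
 WHERE table_name = 'DEMO_PERSON' AND column_name = 'NATIONAL_ID';

-- 4. Encrypt the column in place. Existing rows are rewritten encrypted in the
--    data file; sessions with SELECT privilege still see plaintext.
ALTER TABLE demo_person MODIFY (national_id ENCRYPT USING 'AES256');

-- 5. Verify which columns are encrypted and with which algorithm.
SELECT table_name, column_name, encryption_alg, salt
  FROM user_encrypted_columns
 WHERE table_name = 'DEMO_PERSON';

-- 6. Transparency check with a constructed value: the application sees the
--    original string, only the on-disk representation changed.
INSERT INTO demo_person VALUES (1, 'Test Person', '000-00-0000');
SELECT national_id FROM demo_person WHERE person_id = 1;
```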

Reference:

Oracle Metalink ID 403294.1 "Using Transparent Data Encryption (TDE) with the eBusiness Suite (EBS)"
