AWS Database Blog
Things to consider when choosing between Oracle TDE and AWS KMS for encryption of data at rest for Amazon RDS for Oracle
In the context of database security, encryption is a critical aspect to make sure that sensitive enterprise data remains protected from unauthorized access. Encryption protects data both in transit between the database and the client or applications as well as at rest in the physical storage media and backups. Implementing encryption for data in transit and at rest is a key requirement for many compliance programs.
Amazon Relational Database Service (Amazon RDS) for Oracle provides two options for encrypting data in transit: Oracle Native Network Encryption (NNE) and SSL/TLS. For encrypting data at rest, Amazon RDS for Oracle offers two choices: AWS Key Management Service (AWS KMS) and Oracle Transparent Data Encryption (Oracle TDE). Although both AWS KMS and Oracle TDE provide encryption at rest capabilities, there are various factors to consider when choosing between them, such as licensing, edition dependency, encryption granularity, and feature restrictions. In this post, we provide guidance on choosing between the AWS KMS and Oracle TDE options for encrypting data at rest in RDS for Oracle, focusing on these key aspects.
Overview of AWS KMS
AWS KMS is a managed service that helps you more easily create and control the encryption keys used for cryptographic operations. Amazon RDS automatically integrates with AWS KMS for encryption of the underlying Amazon Elastic Block Store (Amazon EBS) volumes and key management.
Amazon RDS uses envelope encryption when integrating with AWS KMS. For more details on envelope encryption, refer to AWS KMS cryptography essentials.
You can use two types of AWS KMS keys to encrypt your RDS DB instances:
- Customer managed keys – If you want full control over an AWS KMS key, you must create a customer managed key.
- AWS managed keys – These are AWS KMS keys in your account that are created, managed, and used on your behalf by an AWS service integrated with AWS KMS.
When an RDS instance is enabled for AWS KMS encryption, its underlying storage, automated backups, read replicas, and snapshots are automatically encrypted using the same AWS KMS key. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently, with minimal impact on performance and without modifications needed to the database layer or application.
For more details, refer to Encrypting Amazon RDS resources in the Amazon RDS User Guide.
Overview of Oracle TDE
Oracle TDE is a security feature that encrypts data stored in Oracle databases, providing protection against unauthorized access even if the storage media or database files are stolen. It works by encrypting data before it’s written to storage and decrypting it when it’s read, all transparently to the database users and applications.
Oracle TDE is an Enterprise Edition feature that is separately licensed under the Advanced Security Option. Oracle TDE allows encryption of sensitive data at the column level or the tablespace level using a two-tiered key-based architecture. A master key stored outside the database is used to encrypt the second-tier tablespace or column encryption keys, which are stored in the Oracle dictionary. Unauthorized users, such as intruders attempting security attacks, can’t read the data from storage and backup media unless they have the Oracle TDE master encryption key to decrypt it.
For Oracle TDE implementation on RDS for Oracle, Amazon RDS automatically manages the wallet, including password rotation and rekeying the master key. Customers only have to encrypt their desired columns or tablespaces by choosing the appropriate encryption algorithm. Oracle TDE can be enabled for an RDS instance during creation or later by attaching an option group containing the Oracle TDE option to the instance.
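The following SQL shows the customer-side part of that procedure on an RDS for Oracle instance whose option group already includes the TDE option: checking that the RDS-managed wallet is open, encrypting a tablespace and a column with a chosen algorithm, and verifying the result from the data dictionary. This is an added example, not code from the AWS post; the object names (app_secure, customer, customer_pk, card_number) are assumed for illustration.

```sql
-- Added example (not from the AWS post). Assumes the instance is already
-- associated with an option group containing the TDE option, and that the
-- objects below (app_secure, customer, customer_pk, card_number) exist or
-- are being created for illustration.

-- 1. Confirm the wallet RDS manages for you is open before encrypting data.
--    Expect STATUS = OPEN; no ADMINISTER KEY MANAGEMENT step is needed
--    because Amazon RDS owns the wallet and master key lifecycle.
SELECT wrl_type, status, wallet_type
FROM   v$encryption_wallet;

-- 2. Tablespace-level encryption: every segment stored here is encrypted
--    on disk with AES-256 using a tablespace key wrapped by the master key.
CREATE TABLESPACE app_secure
  DATAFILE SIZE 100M AUTOEXTEND ON
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- Relocate an existing table and rebuild its index inside the encrypted
-- tablespace so that the data (and the index) are rewritten encrypted.
ALTER TABLE customer MOVE TABLESPACE app_secure;
ALTER INDEX customer_pk REBUILD TABLESPACE app_secure;

-- 3. Column-level encryption for a single sensitive attribute when only a
--    small subset of the data needs protection. NO SALT keeps the column
--    usable in an index; keep the default (salted) form for unindexed columns.
ALTER TABLE customer
  MODIFY (card_number ENCRYPT USING 'AES256' NO SALT);

-- 4. Verify what is actually encrypted and with which algorithm.
SELECT owner, table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns;

SELECT t.name AS tablespace_name, e.encryptionalg, e.encryptedts
FROM   v$encrypted_tablespaces e
JOIN   v$tablespace t ON t.ts# = e.ts#;
```

The two verification queries are the check worth keeping in a runbook: TDE protects only the columns and tablespaces that appear in these views, so an application table created later in an unencrypted tablespace, or a sensitive column that was never altered, is stored in clear text even though the TDE option is enabled on the instance.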
For more details on Oracle TDE, refer to Using Transparent Data Encryption in the Oracle Security Guide and Oracle Transparent Data Encryption in the Amazon RDS User Guide.
Comparison of using AWS KMS or Oracle TDE for encryption at rest
The following table provides a comprehensive comparison of the key features and capabilities of AWS KMS and Oracle TDE for encrypting data at rest in Amazon RDS for Oracle:
| Feature | AWS KMS | Oracle TDE |
| --- | --- | --- |
| Encryption scope and granularity | Entire RDS instance (storage, backups, snapshots, read replicas). | Specific columns or tablespaces. |
| Key management | Stored and managed in AWS KMS. IAM policies allow control of access to the keys. | Stored in an Oracle wallet on the RDS instance and fully managed by RDS. |
| Bring your own keys | Yes. | Not supported. |
| Key rotation | Customer has control. | Managed by RDS. |
| Performance impact | Minimal performance impact*. | Minimal performance impact*. |
| Application changes | No changes required. | No changes required in the code. However, encryption must be enabled manually at the table-column or tablespace level. |
| Application access to encrypted data | Transparent. The database is unaware of storage-level encryption. | Transparent. For authenticated users with the required access to the data, it appears as unencrypted. |
| Pricing | AWS Key Management Service Pricing. | Separately licensed feature (Advanced Security Option) on top of Oracle Enterprise Edition. |
| Supported editions | All versions and editions. | Enterprise Edition only. Not available for Standard Edition 2 (SE2). |
| How to enable | Choose to encrypt the instance using AWS KMS while creating the RDS for Oracle instance. | Enabled through an option group. |
| How to disable | You can’t disable the AWS KMS encryption setting of an RDS for Oracle instance. But you can create an unencrypted copy of the snapshot and then restore that snapshot to provision a new unencrypted instance. You can also move the data logically using tools like Oracle Data Pump to another unencrypted instance to disable encryption. | The Oracle TDE option is permanent and persistent. After you associate your DB instance with an option group that has the Oracle TDE option enabled, you can’t disable the Oracle TDE option in the currently associated option group. However, you can copy data to another RDS for Oracle instance that isn’t associated with an option group that has the Oracle TDE option, using logical utilities like Oracle Data Pump or AWS DMS. |
| Encryption algorithms | Each volume is encrypted using AES-256-XTS. | Wide choice of algorithms including AES 128, AES 256, and 3DES168. |
*The performance impact of both AWS KMS and Oracle TDE is typically minimal but can vary depending on the specific workload and data access patterns. It’s highly recommended to assess the performance impact of the workload before you enable encryption using either of these technologies for a performance-sensitive workload.
Key limitations on using Oracle TDE in Amazon RDS for Oracle
When choosing an encryption option for your Amazon RDS for Oracle instance, it’s important to understand the following limitations of implementing Oracle TDE in the RDS for Oracle instance:
- Oracle TDE is only supported for the Enterprise Edition – The Oracle TDE option in Amazon RDS for Oracle is only available for the Enterprise Edition of the database.
- Disabling Oracle TDE isn’t allowed – After you associate your DB instance with an option group that has the Oracle TDE option enabled, you can’t disable the Oracle TDE option in the currently associated option group. However, you can copy data to another RDS for Oracle instance that isn’t associated with an option group having the Oracle TDE option using logical utilities such as Oracle Data Pump or AWS Database Migration Service (AWS DMS).
- Changing option groups with Oracle TDE is restricted – You can’t associate your DB instance with a different option group that doesn’t include the Oracle TDE option.
- Sharing Oracle TDE–encrypted snapshots isn’t supported – You can’t share a DB snapshot that uses the Oracle TDE option. For more information, refer to Sharing a DB snapshot for Amazon RDS in the Amazon RDS User Guide.
- Oracle TDE support in AWS DMS is limited – When using AWS DMS to replicate from Amazon RDS for Oracle, Oracle TDE is only supported with encrypted tablespaces and using Oracle LogMiner. When using Binary Reader, AWS DMS supports Oracle TDE only for self-managed Oracle database sources, because Amazon RDS for Oracle doesn’t support wallet password retrieval for Oracle TDE encryption keys.
- XTTS migration strategy doesn’t support Oracle TDE – The XTTS migration strategy doesn’t support Oracle TDE–enabled databases as the source or target.
- RMAN backup restoration outside RDS isn’t possible – You can’t restore backups of RDS for Oracle instances taken using the rdsadmin.rdsadmin_rman_util API to a platform outside RDS, because the encrypted data would remain inaccessible without access to the Oracle TDE wallet held in Amazon RDS for Oracle.
- Transparent encryption mode isn’t supported for Data Pump imports – Amazon RDS for Oracle doesn’t support the transparent encryption mode (ENCRYPTION_MODE=TRANSPARENT) when importing data using Oracle Data Pump.
Restrictions of Amazon RDS instances encrypted using AWS KMS
When using RDS instances encrypted with AWS KMS, there are a few important restrictions to be aware of:
- Encryption can’t be enabled or disabled on existing instances – You can’t enable or disable encryption on an existing RDS for Oracle instance. Encryption must be enabled when creating the instance. However, you can work around this by creating a snapshot of the instance, copying the snapshot with the desired encryption setting, and then restoring the copied snapshot to a new instance with the encryption setting you want.
- Cross-Region snapshot copying requires specifying the AWS KMS key – To copy an encrypted snapshot from one AWS Region to another, you must specify the AWS KMS key in the destination Region. This is because AWS KMS keys are specific to the Region (except Multi-Region keys) in which they are created.
For more details on the limitations of Amazon RDS encrypted DB instances, refer to Limitations of Amazon RDS encrypted DB instances.
By understanding these restrictions in advance, you can plan your Amazon RDS deployments accordingly and make sure your data remains securely encrypted using AWS KMS.
Choosing between AWS KMS and Oracle TDE for Amazon RDS for Oracle
With the details in the comparison table and the known restrictions of Oracle TDE and AWS KMS, you should be able to choose the optimal encryption mechanism for your specific use case. In general, use AWS KMS in the following scenarios:
- Full database encryption – You need to encrypt the full or majority of the data in the database with minimal performance overhead.
- Centralized key management – You want centralized key management across AWS services.
- Bring your own key – You want to use your own keys for encryption of the data.
- Compliance requirements – Your compliance requirements mandate encrypting the entire database and automated snapshots.
- Oracle Standard Edition 2 – You need to encrypt an RDS for Oracle Standard Edition 2 instance.
- No Oracle TDE licenses – You don’t have Advanced Security Option licenses to cover Oracle TDE implementation.
- XTTS migration – You intend to migrate the database to RDS for Oracle using XTTS.
- Cross-account or cross-Region sharing – You need to share snapshots of an instance between accounts or Regions for use cases such as refreshing lower environments from production.
On the other hand, Oracle TDE might be a better choice in the following scenarios:
- Selective encryption – You need fine-grained encryption for specific database columns or tablespaces or when only a small subset of the entire database needs to be encrypted.
- Specific encryption algorithms – You have regulatory requirements that mandate column-level encryption or encryption using specific algorithms that aren’t supported by AWS KMS.
- Existing Oracle TDE licenses – You already have licenses to cover the usage of Oracle TDE, and you’re not restricted by the limitations of Oracle TDE explained earlier.
Conclusion
Although both AWS KMS and Oracle TDE provide robust encryption mechanisms for Amazon RDS for Oracle, they come with different features, capabilities, and restrictions. This post has covered a comprehensive comparison of both options so you can make an educated decision on when to choose one over the other for encrypting data at rest in Amazon RDS for Oracle.
In summary, use AWS KMS when you need to encrypt the full or majority of the database, require centralized key management, have compliance requirements for full database encryption, or are using Oracle Standard Edition 2. On the other hand, choose Oracle TDE when you need fine-grained, column-level encryption, have specific algorithm requirements, or already have the necessary licenses.
By understanding the tradeoffs between these two encryption solutions, you can select the one that best fits your unique requirements and keeps your sensitive data securely protected in Amazon RDS for Oracle.
If you have comments or questions, leave them in the comments section. We’re here to help you make the most informed decision for your database encryption needs.