Hello,
Oracle SE2 as a product doesn't have the partitioning option available to it.
If you used Oracle Enterprise Edition with the Partitioning option licensed, then the following is useful to know: RDS does encryption at rest using Oracle TDE (Transparent Data Encryption), and Oracle TDE uses a two-tier encryption method with a single master key that encrypts multiple data keys, the data keys in turn encrypting the actual data. A customer can't control the data keys but can control (for example, rotate) the master key.
The answer to your question then would depend on your view on the meaning of "let each client use their encryption key". Technically, if you partition the data per tablespace, then each tablespace will be using a separate data key, but ultimately a single master key. You'll need to see if that conforms to the requirement...
Regards
@AWS-ADolganov: Is it possible with AWS KMS?
KMS couldn't help here because the limitation lies in the Oracle TDE.
Thank you for your reply @ADolganov. If I understood correctly, there will be only one master key irrespective of the number of partitions (for each client), and there is no way to have a separate master key for each partition so that each client can have control over the encryption of their data.
I hope I have explained the requirement (and not created any confusion).
Thanks, Abhi
Yes, this is a limitation of Oracle TDE, and it's unrelated to AWS RDS really. It would be the same on premises too if TDE was used.
One theoretical solution for you would involve encrypting data before it's sent to the database but it's a whole other can of worms and might require extensive application rework.
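The application-side approach mentioned above, as an added Go example that is not from this thread, AWS or Oracle: two-tier envelope encryption done in the application before the value reaches the database, so each client holds its own master key, which is what TDE's single master key cannot give you. Assumptions: master keys are raw 32-byte values for the demo (in a real deployment the wrap/unwrap calls would go to a key store the client controls), and the row stores the wrapped data key next to the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Record is one tenant's database row: the data key wrapped under that
// client's own master key, plus the column value sealed under the data key.
type Record struct{ TenantID string; WrappedDEK, Ciphertext []byte }
// seal/open: AES-256-GCM, layout nonce||ct||tag, tenantID bound as associated
// data so a record cannot be silently re-attributed to another tenant.
func seal(key, plaintext []byte, tenantID string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, []byte(tenantID)), nil
}

func open(key, sealed []byte, tenantID string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	n := gcm.NonceSize()
	if len(sealed) < n { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, sealed[:n], sealed[n:], []byte(tenantID))
}

// Encrypt: fresh data key per value, wrapped under this tenant's master key
// (demo assumption: a raw 32-byte key; in production one held by the client).
func Encrypt(masterKey []byte, tenantID string, plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return Record{}, err }
	ct, err := seal(dek, plaintext, tenantID)
	if err != nil { return Record{}, err }
	wrapped, err := seal(masterKey, dek, tenantID)
	if err != nil { return Record{}, err }
	return Record{TenantID: tenantID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt succeeds only with the master key of the record's own tenant.
func Decrypt(masterKey []byte, r Record) ([]byte, error) {
	dek, err := open(masterKey, r.WrappedDEK, r.TenantID)
	if err != nil { return nil, err }
	return open(dek, r.Ciphertext, r.TenantID)
}
```

Rotating one client's master key then means re-wrapping only that client's data keys, without touching other tenants' rows or the database's own TDE keys.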