Oracle internals, debugging and undocumented features
Inside Encrypted tablespace 11g Part2
February 3, 2009Posted by on
I have been vey busy these days but today finally I got some time ..
Well few weeks ago I did a post on encrypted tablespace in 11g and one of the questions posted by Martin Beger ( Sorry I did not have a chance to replay earlier ) was that data are unencrypted in buffer cache.
I did some reading and research ( still working on my case as time permits ) and found that actually that’s a true statement.
So how it works?
1) When you do select data are moved from storage ( encrypted data ) to buffer cache.
2) Data are DECRYPTED before loading buffer cache
3) Data are in CLEAR TEXT UNENCRYPTED inside buffer cache
Since most of operations ( index scans , table access ) are performed on clear text data which are in buffer cache there is no differences in peformances between encrypted tablespace ( unencrypted in buffer cache ) and unencrypted data.That’s the trick why encrypted tablespaces has better performances over regular TDE on table ( Have to test regular TDE on table – next workshop ).
Eventually we have to record data back to storage.
DB writer process during checkpoint will encrypted data before writing to disk ( I have proved this in my previous blog).
Now there is interesting point.According to Oracle DIRECT PATH operations perform encryption inline.When log writer process write log buffer data to redo logs they are ENCRYPTED.If I am not mistaken in my case from previous post data were UNENCRYPTED inside redo log files but I did not use DIRECT PATH. That would be next test.