This article was written by Skant Gupta and Joel Perez in Oracle OTN.

Security is one of the main issues that customers think at the time of moving or having the databases, applications and more into the Cloud. Security has many layers, areas, sections and more. When we work with databases “On-Prem”, security in many tasks and configurations is optional but when we work in Cloud, many of them are mandatory.

In this article our focused will be based on Oracle Advanced Security TDE and PDB working in DBCS (Database Cloud Service).

Oracle Advanced Security TDE provides the ability to encrypt sensitive application data on storage media completely transparent to the application itself. TDE addresses encryption requirements associated with public and private privacy and security mandates such as PCI and California SB1386. Oracle Advanced Security TDE column encryption was introduced in Oracle Database 10g Release 2, enabling encryption of application table columns, containing credit card or social security numbers. Oracle Advanced Security TDE tablespace encryption was introduced with Oracle Database 11gR1, being the main focus of our article.

Oracle Multitenant Architecture is one of the key points for having a great scalability for moving and upgrades databases into the Cloud. Moving, creating PDB databases in “On-prem” does not have too much complexity if we are not working with security features but if we are.. we have to take into account additional things.

When you create your CDB database using DBCS is mandatory to have at least a PDB in the minimal configuration, that PDB has already a TDE Master Key created to fulfill conditions related to secure our data but when we create a new PDB into that CDB the TDE Master Key is not created by default, however we can create it without no problem. Later when you will create the first user-defined tablespace is when you will receive an error if the TDE Master Key is not already created for that new PDB.

The first time We were creating a new PDB and a new tablespace within it We got this problem, this article shows how to solve it and the procedure to administer TDE Master Keys working with PDB.

Before continuing reading the article we want to invite you to be part of our network.

If you want to be updated with all our articles send us the Invitation or Follow us:

Joel Perez’s LinkedIn:

Skant Gupta’s LinkedIn:

or Join our LinkedIn group: Oracle Cloud DBaaS :

Full Index of Oracle Cloud Articles: Sir.CloudDBaaSjoelperez

Now, we can continue with the article.

This article shows how to move the PDB in different DBCS Multitenant environment wit exporting TDE master key.


     1. Create the Database Cloud Service database.

2. Create New PDB in Multitenant environment.

3. Create new master key and create demo table

4. Unplug the PDB whilst exporting the TDE master key

5. Move the data unplugged PDB to different DBCS

6. Plug-in the unplugged PDB and show TDE master key

Create the new Cloud Database Service

a) Login to your Oracle cloud services account, go to the “Oracle Database Cloud Service” page and create a new service.

  • For Service Name, select PDB-Security.
  • From the Service Level list, select Oracle Database Cloud Service.
  • From the Metering Frequency list, select whatever frequency is appropriate for your environment.
  • From the Software Release list, select Oracle Database 12c Release2.
  • From the Software Edition list, select Enterprise Edition.
  • From the Database Type list, select Single Instance.

Then click Next to continue.

If you want to read rest to the article, go across this link :Move PDB with exporting the TDE master Key in Oracle 12.2

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.