Enabling TDE for EBS Release 12.2 with Oracle AI Database 26ai Using Fast Online Conversion

Platform Note: Oracle AI Database 26ai replaces Oracle Database 23ai. You can transition from Oracle Database 23ai to Oracle AI Database 26ai by simply applying the October 2025 Release Update (RU) — no full database upgrade is required.

Table of Contents

1. Introduction
2. Why Fast Online Conversion?
3. Prerequisites
4. TDE Online Datafile Encryption Restrictions
5. Step-by-Step Procedure: TDE Tablespace Online Encryption
6. Procedure for Decryption (Reversing TDE)
7. Validation, Verification & Best Practices

Section 1: Introduction

This blog post provides a complete, structured walkthrough for enabling Transparent Data Encryption (TDE) Tablespace Online Encryption on an Oracle E-Business Suite (EBS) Release 12.2 database running on Oracle AI Database 26ai.

The procedure described here is referred to as the Fast Online Conversion method. It allows you to convert existing clear-text application data into TDE-encrypted tablespaces without taking the Oracle E-Business Suite database offline.

Key characteristics of this approach:

Attribute	Description
Downtime	None — the EBS application remains available throughout
Application Impact	Transparent — no SQL or PL/SQL code changes required
Session Visibility	Authorized DB sessions continue to read data normally
Encryption Scope	Data-at-rest only (datafiles and their backups)
MAA Alignment	Recommended Oracle Maximum Availability Architecture (MAA) best practice

This method supersedes earlier TDE conversion approaches and represents Oracle's recommended path for converting existing EBS databases to encrypted tablespaces.

Section 2: Why Fast Online Conversion?

Fast Online Conversion is now the preferred path for TDE adoption on EBS 12.2 because it delivers:

• Zero application downtime — encryption runs while users continue transacting in EBS modules (Financials, SCM, HRMS, etc.).
• Simplified workflow — a single ALTER TABLESPACE ... ENCRYPTION ONLINE command replaces the older offline data-pump or move-tablespace patterns.
• Lower operational risk — no need to rewrite application code, regenerate forms, or rebuild indexes.
• Reversibility — encryption can be undone using a symmetric DECRYPT operation (see Section 6).
• Compliance enablement — meets data-at-rest encryption requirements typical of financial, healthcare, and public-sector regulatory frameworks.

Section 3: Prerequisites

Before beginning, ensure the following are in place:

1. Understand TDE concepts and operational impact. Review the Oracle Database Transparent Data Encryption Guide 26ai, including key management, wallet lifecycle, and backup/recovery implications.

2. Validate the COMPATIBLE parameter. It must be set to the appropriate database release value:

   SQL> SHOW PARAMETER COMPATIBLE;
   -- Expected: 23.0.0
   

3. Take a full database backup. A complete RMAN backup of the database — including controlfile and archive logs — is mandatory before any TDE operation.

4. Plan wallet and key management. Define a documented procedure for:

   • Wallet location and file-system permissions
   • Master encryption key rotation
   • Wallet password custody (vault / privileged-access management)
   • Backup of wallet artifacts alongside (but separately from) database backups

5. Verify file-system free space. TDE online encryption requires temporary headroom — see the note in Section 5, Step 7.

Section 4: TDE Online Datafile Encryption Restrictions

The following limitations apply when implementing tablespace encryption via Fast Online Conversion:

Restriction	Detail
TEMP tablespaces	Cannot be encrypted with this method. Drop and recreate temporary tablespaces as encrypted if required.
External Large Objects (BFILEs)	Cannot be encrypted using TDE tablespace encryption because BFILE data resides outside the database datafiles.

Plan for these exceptions during your encryption-coverage assessment.

Section 5: Step-by-Step Procedure: TDE Tablespace Online Encryption

This section walks through the full procedure for enabling TDE Tablespace Online Encryption on an Oracle E-Business Suite database hosted on Oracle AI Database 26ai.

Step 1: Source the Oracle E-Business Suite Database Oracle Home

Source the database environment file so that all subsequent commands run against the correct Oracle Home and SID.

Step 2: Configure the Wallet Location

(a) Create the wallet directory on the file system:

$ mkdir -p $ORACLE_BASE/admin/<db_unique_name>/wallet

(b) Set the WALLET_ROOT initialization parameter:

SQL> ALTER SYSTEM SET WALLET_ROOT='$ORACLE_BASE/admin/<db_unique_name>/wallet'
     SCOPE=SPFILE SID='*';

(c) Restart the database for the static parameter to take effect.

Step 3: Set the TDE Configuration

Specify the keystore type using the TDE_CONFIGURATION dynamic initialization parameter:

SQL> ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE=BOTH;

Restart the database again to ensure the keystore configuration is fully applied.

Step 4: Verify the Wallet Location and Status

$ sqlplus / as sysdba

SQL> SELECT * FROM V$ENCRYPTION_WALLET;

You should see the wallet location pointing to $ORACLE_BASE/admin/<db_unique_name>/wallet/tde.

Step 5: Set the Master Encryption Key

(a) Source the container database environment and connect:

$ sqlplus / as sysdba

(b) Create the keystore, open it, and set the CDB master key:

SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE 'keystore_location'
     IDENTIFIED BY software_keystore_password;

SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
     IDENTIFIED BY software_keystore_password;

SQL> ADMINISTER KEY MANAGEMENT SET KEY
     IDENTIFIED BY software_keystore_password WITH BACKUP;

(c) Switch to the EBS PDB and set the PDB master key:

SQL> ALTER SESSION SET CONTAINER="<PDB_NAME>";

SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
     IDENTIFIED BY software_keystore_password;

SQL> ADMINISTER KEY MANAGEMENT SET KEY
     IDENTIFIED BY software_keystore_password WITH BACKUP;

Step 6: (Optional) Create an Auto-Login or Local Auto-Login Software Keystore

An auto-login keystore allows the database to open the wallet automatically at startup without requiring the password.

SQL> ADMINISTER KEY MANAGEMENT CREATE [LOCAL] AUTO_LOGIN KEYSTORE
     FROM KEYSTORE 'keystore_location'
     IDENTIFIED BY software_keystore_password;

Note: The keystore location is $ORACLE_BASE/admin/<db_unique_name>/wallet/tde.

Restart the database to confirm the wallet opens correctly:

SQL> SHUTDOWN NORMAL;
SQL> EXIT;

$ sqlplus "/ as sysdba"

For Auto-Login:

SQL> STARTUP;

For Password-Based:

SQL> STARTUP MOUNT;
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
     IDENTIFIED BY software_keystore_password;
SQL> ALTER DATABASE OPEN;

Verify the wallet again:

SQL> SELECT * FROM V$ENCRYPTION_WALLET;

Step 7: Perform Encryption Conversions

7.1 Identify Tablespaces That Cannot Be Encrypted

Before encrypting, list all temporary and undo tablespaces in both the CDB and PDB — these will be skipped:

SQL> SELECT tablespace_name FROM dba_tablespaces
     WHERE contents='TEMPORARY' AND status='ONLINE';

SQL> SELECT tablespace_name FROM dba_tablespaces
     WHERE contents='UNDO' AND status='ONLINE';

7.2 Encrypt Existing Online Tablespaces (Other Than TEMP)

Source the container database environment and connect:

$ sqlplus "/ as sysdba"

The following commands can be performed at the CDB or PDB level, depending on your operational requirement.

Connect to the EBS PDB:

SQL> ALTER SESSION SET CONTAINER="<PDB_NAME>";

Choose one of the following encryption methods per tablespace:

Option A — Tablespace-level encryption (in place):

SQL> ALTER TABLESPACE USERS ENCRYPTION ONLINE USING 'AES256' ENCRYPT;

Option B — Datafile-level encryption (with renamed encrypted datafiles):

SQL> ALTER TABLESPACE users ENCRYPTION ONLINE USING 'AES256' ENCRYPT
     FILE_NAME_CONVERT = ('users1.dbf', 'users1_enc.dbf',
                          'users2.dbf', 'users2_enc.dbf');

Repeat for every tablespace targeted for encryption.

Important — File System Space: Ensure sufficient free space on the file system. If a datafile is 5 GB, you need approximately 6 GB of additional free space for the online encryption operation to complete successfully.

If any datafile is missed during the run, you can resume by re-running the ALTER TABLESPACE ... ENCRYPTION ONLINE command for the affected tablespace — the operation is restartable.

Step 8: Verify Encryption Status

$ sqlplus / as sysdba

SQL> ALTER SESSION SET CONTAINER="<PDB_NAME>";
SQL> SELECT tablespace_name, encrypted FROM dba_tablespaces;

Tablespaces that have been successfully encrypted will show YES in the ENCRYPTED column.

Section 6: Procedure for Decryption (Reversing TDE)

Online Tablespace Encryption is a fully reversible operation. The following steps show how to decrypt a previously encrypted database.

Step 1: Source the Oracle E-Business Suite Container Database Oracle Home

Step 2: Decrypt the Datafiles

$ sqlplus "/ as sysdba"

Connect to the EBS PDB:

SQL> ALTER SESSION SET CONTAINER="<PDB_NAME>";

Run the decrypt command — note the FILE_NAME_CONVERT arguments are simply reversed from the encryption step:

SQL> ALTER TABLESPACE users ENCRYPTION ONLINE DECRYPT
     FILE_NAME_CONVERT = ('users1_enc.dbf', 'users1.dbf',
                          'users2_enc.dbf', 'users2.dbf');

Repeat for each tablespace that needs to be decrypted. If a datafile is missed, re-run the ALTER TABLESPACE ... ENCRYPTION ONLINE DECRYPT command for the affected tablespace — the operation is restartable.

Step 3: Verify Decryption

Re-run the encryption-status query from Step 8 above. The ENCRYPTED column should now show NO for the decrypted tablespaces.

Step 4: Close the Wallet

Step 5: Bounce the Container or Pluggable Database

Shut down the CDB or PDB:

$ export ORACLE_PDB_SID="<PDB_NAME>"
$ sqlplus / as sysdba

SQL> SHUTDOWN;

Start the CDB or PDB:

$ export ORACLE_PDB_SID="<PDB_NAME>"
$ sqlplus / as sysdba

SQL> STARTUP;

 

Section 7: Validation, Verification & Best Practices

After completing encryption (or decryption), incorporate the following checks into your operational runbook:

7.1 Post-Encryption Validation Checklist

Check	SQL / Action	Expected Result
Wallet open status	SELECT * FROM V$ENCRYPTION_WALLET;	STATUS=OPEN
Encrypted tablespaces inventory	SELECT tablespace_name, encrypted FROM dba_tablespaces;	All targeted tablespaces show YES
Master key set in CDB and PDB	SELECT * FROM V$ENCRYPTION_KEYS;	One active key per container
EBS application sanity	Run AD utilities, log in to EBS, run a Concurrent Request	All flows succeed without TDE-related errors
RMAN backup	BACKUP DATABASE PLUS ARCHIVELOG;	Successful backup including encrypted datafiles

7.2 Operational Best Practices

• Back up the wallet immediately after creating or rotating the master key — store the backup in a secure location separate from the database backups.
• Document the wallet password in your enterprise password vault. Loss of the master key password renders encrypted data unrecoverable.
• Rotate master keys periodically in line with your organization's key-management policy (ADMINISTER KEY MANAGEMENT SET KEY ... WITH BACKUP).
• Test decryption in a non-production environment before relying on the reversibility of online encryption in production.
• Monitor file-system space during encryption — large datafiles can require significant temporary headroom.
• Coordinate with EBS patching cycles — apply TDE conversion during a stable application baseline, not in the middle of a major patch cycle.

Conclusion:

Enabling Transparent Data Encryption on Oracle E-Business Suite Release 12.2 with Oracle AI Database 26ai has never been more accessible. The Fast Online Conversion method removes the traditional barriers of downtime, code changes, and complex migration workflows — replacing them with a straightforward set of ALTER TABLESPACE ... ENCRYPTION ONLINE commands that run transparently against a live EBS system.

By following the procedure outlined in this article, you achieve:

• Data-at-rest protection across all targeted EBS tablespaces, covering datafiles and their RMAN backups.
• Zero disruption to business operations — users in Financials, SCM, HRMS, and other EBS modules continue transacting without interruption during the encryption run.
• Regulatory compliance alignment — encryption at the storage layer satisfies data-at-rest requirements mandated by financial, healthcare, and public-sector frameworks.
• Operational confidence — the process is fully reversible, restartable on interruption, and validated through a clear set of SQL queries and post-encryption checks.

The transition from Oracle Database 23ai to Oracle AI Database 26ai via the October 2025 Release Update means that existing 23ai environments can inherit all the TDE improvements of 26ai without a full upgrade cycle — making this an ideal time to standardize on the Fast Online Conversion approach across your EBS landscape.

As with any security-critical procedure, the long-term health of your TDE implementation depends equally on operational discipline: consistent wallet backups, master key rotation, password custody, and regular validation against your RMAN strategy. Treat these not as one-time tasks but as permanent components of your database operations runbook.