Can I encrypt data stored in Exadata?
In Oracle Database 11g Release 2, the table keys (for TDE column encryption) or tablespace keys (for TDE tablespace encryption) are sent to the Exadata storage cells, so that content can be first decrypted and then, pre-selection and column filtering takes place. Content is encrypted on the compute nodes. Decryption usually takes place in the compute nodes, but when queries are pushed to the storage nodes, decryption takes place there, to enable “Smart Scan” In Exadata X2-2 and X2-8, the storage cells are equipped with Intel® XEON® L5640 CPUs with AES-NI hardware crypto acceleration to provide ‘near-zero’ impact decryption for TDE tablespace encryption. In Exadata V1 (Oracle Database 11gR1), “Smart Scan” cannot be performed in the cells, because the content is encrypted and the encryption keys reside in database memory.
Transparent Data Encryption is a great way to protect sensitive data in large-scale Exadata scenarios. With Exadata, substantial crypto performance gains are possible. Unique factors in Exadata that maximize the crypto performance include: • Optimized Oracle hardware and software within the Exadata stack • Distributed crypto processing across discrete storage and compute nodes • Native features of Exadata such as Smart Scan and Hybrid Columnar Compression (EHCC) • The availability of hardware-based crypto acceleration For example, the hardware-based crypto acceleration in Exadata alone can improve performance by up to 10x (relative to without hardware acceleration). Below is a table that summarizes the performance characteristics of Exadata X2 systems across compute and storage. The table highlights where hardware-based crypto accleration may be enabled. The speedup comparisons are based on encryption/decryption throughput measured with and without hardware acceleration enabled Exadata
