Encrypted database creation

The ENCRYPT keyword, which is an option of the CREATE DATABASE command, is used to encrypt a database, and to set encryption options.

Creating an encrypted database

By default, when the CREATE DATABASE command is run with no options beyond the ENCRYPT keyword, a new master key is generated and inserted into the keystore as part of database creation. The database is encrypted with the AES algorithm using a 256-bit key.

See Creating an encrypted database for detailed steps on using the ENCRYPT option when creating a new database.

Encrypting an existing database

To encrypt an existing unencrypted database, it is necessary to unload and reload the database so that all of the data is encrypted. The most effective way to do this is to restore a full backup of the database using the ENCRYPT option on the RESTORE DATABASE command. As with database creation, if no further options are provided, the ENCRYPT option causes a new master key to be generated and inserted into the keystore, and the database is encrypted with the AES algorithm using a 256-bit key.

For more information on the restore approach, refer to Encrypting an existing database.
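The two paths described above, new database and restore-based conversion, as an added Db2 command line processor script (example commands, not taken from the original page). Database names, the backup directory and the master key label are placeholders; the verification step assumes the SYSPROC.ADMIN_GET_ENCRYPTION_INFO table function is available in the Db2 level in use.

```sql
-- 1. New database with the defaults: a fresh master key is generated and
--    stored in the keystore, and the data is encrypted with AES-256.
CREATE DATABASE SALESDB ENCRYPT;

-- The same request with the options written out. MASTER KEY LABEL reuses
-- a key that already exists in the keystore instead of generating a new
-- one (DB2_SALESDB_KEY_001 is a placeholder label).
CREATE DATABASE SALESDB2 ENCRYPT
    CIPHER AES KEY LENGTH 256
    MASTER KEY LABEL DB2_SALESDB_KEY_001;

-- 2. Existing unencrypted database: take a full backup, then restore it
--    with ENCRYPT so that every page is rewritten under the new key.
--    Restoring over the same name replaces the unencrypted copy; the
--    restore prompts before doing so unless WITHOUT PROMPTING is given.
BACKUP DATABASE LEGACYDB TO /db2/backups;
RESTORE DATABASE LEGACYDB FROM /db2/backups ENCRYPT;

-- 3. Verify what was actually applied: algorithm, key length and which
--    master key label the database is bound to. Keep the keystore backed
--    up together with the database; a backup image cannot be restored
--    without the master key that encrypts it.
CONNECT TO LEGACYDB;
SELECT OBJECT_NAME, OBJECT_TYPE, ALGORITHM, KEY_LENGTH, MASTER_KEY_LABEL
    FROM TABLE(SYSPROC.ADMIN_GET_ENCRYPTION_INFO()) AS T;
CONNECT RESET;
```

Expect ALGORITHM to report AES and KEY_LENGTH 256 for both databases; a MASTER_KEY_LABEL you did not choose is the auto-generated key from the default path.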

It is also possible to use HADR to minimize the outage time by having an unencrypted copy of the database available on the standby while the primary is being encrypted. Refer to Configuring native encryption in an HADR environment for more information.