Oracle TDE, hybrid DR, and how to avoid the problem that stops hybrid deployments

Written by Tim Marshall | Jan 15, 2026 10:17:16 AM

Oracle has traditionally focused on security, and its Transparent Data Encryption (TDE) is widely recognised as a good thing.
 
Encrypt data at rest, protect backups, meet security requirements: what’s not to like?
In Oracle Cloud Infrastructure (OCI), that decision is effectively already made. The OCI Base Database Service includes TDE and requires encrypted tablespaces across both Standard Edition (Oracle SE) and Enterprise Edition (Oracle EE). If you're new to TDE, you can learn more about it in our other blog.
 
The challenge appears when teams try to extend that encrypted environment into a hybrid disaster recovery design where one site does not support TDE. This commonly occurs when an on-premises environment is running Standard Edition, or when TDE has not been licensed in an Enterprise Edition environment.
 
Oracle has addressed this challenge within Data Guard for EE users. However, for teams running Oracle SE, the architectural limitation still exists. Solving it in those environments requires a different approach, and that’s where Dbvisit has focused its efforts.
 
In this article, I’ll cover:
  • Why TDE introduces unexpected limitations in hybrid DR.
  • Where most designs quietly fail, usually during switchover or failover.
  • Why this affects SE users the most.
  • And how this problem can be solved in practice using Dbvisit Standby MultiPlatform (StandbyMP). 

Why Oracle DBAs like TDE

Let’s start at the beginning.
 
TDE encrypts data at rest, including datafiles, backups, and (when tablespaces are encrypted) the associated redo logs. There is no effect on applications or users. The database transparently decrypts data when it is accessed.
 
From a security and compliance perspective, it makes sense, and Oracle has leaned into this strongly in OCI:
 
  • TDE is ON in OCI Base Database Service; it's not a design choice.
  • This applies to both Oracle SE and Oracle EE.
For cloud-first or cloud-mandated architectures, this is the right direction. For hybrid DR, however, it introduces a complication that’s easy to miss.
 

Where hybrid DR starts to break

A very common architecture looks like this:
 
  • Primary: On-premises Oracle SE, not encrypted.
  • Standby: OCI Base Database Service, TDE enabled by default.
This non-TDE to TDE replication is straightforward and does not require any special steps, as the source environment is unencrypted.
 
  • Initial replication works.
  • Archive logs ship.
  • Standby stays in sync.
At this point, most teams think they’re done. The problem only appears after a switchover or failover.
 

The moment OCI hybrid DR fails (and why)

After switchover:
  • The OCI database becomes primary.
  • The unencrypted database becomes the standby.
  • Redo generated in OCI is now encrypted.
  • That encrypted redo is shipped back to the unencrypted on-prem standby.
And this is where things stop.
The on-prem SE database cannot apply encrypted redo: it does not have access to the Advanced Security Option needed to use TDE, so it has no way to decrypt what it receives.
 
At that point:
  • The standby falls behind.
  • Your “hybrid DR” design no longer behaves like DR.
This isn’t a misconfiguration. It’s not a missed step. It’s an architectural reality of how encryption and redo interact.
 

Oracle has acknowledged this, but with a specific scope

Oracle has publicly recognised this challenge and released a fix for it in 19.16. In Enterprise environments, Oracle now addresses encrypted redo handling inside Data Guard, including hybrid scenarios.
 
That’s an important acknowledgement because it shows this challenge is real, it’s not an edge case, and it affects real customer environments.
 
However, it doesn’t cover all environments because the solution:
  • Lives inside Data Guard.
  • Applies to Enterprise Edition.
  • Assumes Data Guard is available and appropriate.
For teams running SE or for environments where Data Guard isn’t an option, the underlying hybrid DR limitation still exists.
 
  • The OCI Base Database Service, Standard Edition tier, delivers excellent performance, is reasonably priced, and has a license-included option.
  • But it cannot be used for hybrid DR of on-premises environments due to TDE on the OCI service.
The table below outlines the TDE options available for different editions, both in OCI and on-premises.
Source: Oracle Documentation

So, how do you actually solve OCI hybrid DR challenges for Standard Edition users?

Solving this problem requires rethinking how replication is handled, not just toggling encryption settings.
 
This is where Dbvisit StandbyMP’s Hybrid OCI support, released in 12.2, comes in!
Instead of relying on the database to handle encrypted redo compatibility, StandbyMP manages replication in a way that:
 
  • Allows non-TDE primaries to replicate to TDE-enabled standbys.
  • Supports switchover and failover without breaking replication.
  • Works with Oracle Standard Edition.
  • Enables true hybrid DR between on-prem and OCI Base Database Service.
 

What this means for Oracle architects and DBAs

If you’re designing OCI Base Database Service hybrid DR:
 
  • Assume encryption will be involved.
  • Don’t assume initial sync equals long-term viability.
  • Test switchover paths early, not after go-live.
Most importantly, recognise that:
 
Hybrid DR with TDE is absolutely achievable, but only if the replication technology accounts for encryption differences across editions and environments. For Standard Edition users, that means choosing tools that are built for this reality, not retrofitted around it.
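
One way to act on "test switchover paths early", as an added example that is not code from Oracle or Dbvisit: run these queries on both sites, then repeat step 4 after a test switchover. They use only standard V$ views; treating `v$log_history` on the standby as the record of applied logs is an assumption that suits a log-shipping standby.

```sql
-- Added example (not Oracle's or Dbvisit's code). Run on BOTH sites.
-- Only V$ views are used, so it also runs on a MOUNTED standby.

-- 1. Edition and release of this site.
SELECT banner FROM v$version;

-- 2. Keystore state. Any status other than OPEN means this site
--    cannot currently decrypt TDE-protected data or redo.
SELECT wrl_type, status, wallet_type
FROM   v$encryption_wallet;

-- 3. Tablespaces that are encrypted on this site. A row marked YES
--    means redo for that tablespace is encrypted when this site is primary.
SELECT ts.con_id,
       ts.name                   AS tablespace_name,
       NVL(et.encryptedts, 'NO') AS encrypted,
       et.encryptionalg
FROM   v$tablespace ts
       LEFT JOIN v$encrypted_tablespaces et
              ON et.ts# = ts.ts# AND et.con_id = ts.con_id
ORDER  BY ts.con_id, ts.name;

-- 4a. After a TEST switchover, on the new PRIMARY: last archived sequence.
SELECT thread#, MAX(sequence#) AS last_archived
FROM   v$archived_log
WHERE  resetlogs_change# = (SELECT resetlogs_change# FROM v$database)
GROUP  BY thread#;

-- 4b. On the new STANDBY: last sequence that recovery has applied
--     (assumption: v$log_history reflects applied logs on this standby).
SELECT thread#, MAX(sequence#) AS last_applied
FROM   v$log_history
WHERE  resetlogs_change# = (SELECT resetlogs_change# FROM v$database)
GROUP  BY thread#;
```

If one site lists encrypted tablespaces and the other reports a keystore status other than OPEN, a switchover that makes the first site primary leads to the condition described above. A gap between 4a and 4b that keeps widening after the switchover confirms that the standby has stopped applying redo.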
 

Final thoughts

TDE is not the problem.
 
Hybrid DR is not the problem.
 
The problem is assuming they naturally coexist without considering redo behaviour.
Once you design for that, the solution becomes very clear.