Oracle Transparent Data Encryption (TDE) is widely used to secure data at rest—but its licensing is one of the most misunderstood aspects of Oracle Database.
The confusion comes from one fact:
TDE licensing changes depending on edition, environment, and cloud provider.
In this guide, I break down:
- Whether Oracle TDE is free
- How licensing differs across editions
- What changes in Oracle Cloud (OCI)
- Why licensing decisions directly impact hybrid disaster recovery
This is Blog #3 in a deep dive into Oracle TDE:
Blog #1 - Oracle TDE and Hybrid Disaster Recovery: Why It Breaks & How to Fix It
Blog #2 - What is Oracle TDE?
Blog #4 - Best practice TDE wallet creation & management
Is Oracle TDE free?
Oracle Transparent Data Encryption (TDE) is not free in most environments.
- Oracle Standard Edition → TDE is not available
- Oracle Enterprise Edition → Requires Advanced Security Option (paid)
- OCI managed services → TDE is included and enabled by default
TDE availability depends on database edition and deployment model.
Oracle TDE licensing explained
Oracle TDE licensing depends on two key factors:
- Database edition
- Deployment model
Oracle TDE availability by edition and platform:
| Environment | TDE Availability |
|---|---|
| Oracle Standard Edition (on-prem / AWS / Azure) | Not available |
| Oracle Enterprise Edition | Paid; available with Advanced Security Option |
| OCI Base Database Service | Included and mandatory |
| OCI Autonomous Database | Included and fully managed |
| OCI Compute (IaaS) | Same as on-prem (BYOL rules) |
Why Oracle TDE licensing is confusing
Oracle TDE licensing feels complex because it is, and that is due to differences in licensing across:
- Database edition (Standard vs Enterprise)
- Deployment model (on-prem vs cloud)
- Cloud provider (OCI vs AWS vs Azure)
My goal is to simplify those differences and provide a clear picture of when TDE is included, when it is optional (charged), and when it is unavailable.
Before going any further, there are two key questions to answer:
1. What Oracle database edition are you using (or planning to use)?
2. What infrastructure will you run it in?
Everything else follows from that.
TDE Licensing for On‑premises and non‑Oracle cloud deployments
Oracle Database Free (formerly XE)
- Oracle Database 26ai Free includes TDE for on‑premises installations at no cost
- Prior to Oracle 21c, TDE was not available in XE / Free editions
Oracle Database Free is an exception rather than the norm. Oracle thought this was likely to get developers utilising TDE in the Free edition, and therefore to increase the uptake of the option in production databases.
Does Oracle Standard Edition support TDE?
No. Oracle Standard Edition does not support TDE in:
- On-premises environments
- AWS or other cloud providers
There is no paid option to enable it.
The only exception: OCI Base Database Service, where TDE is enabled by default. Outside OCI managed services, TDE is simply unavailable in Standard Edition.
Oracle Enterprise Edition and TDE
In Oracle Enterprise Edition:
- TDE is not included by default
- It requires the Advanced Security Option
- This option is licensed separately
Without this option, TDE cannot be used.
Oracle Engineered Systems (on‑premises Exadata)
- TDE is not included by default.
- It requires the Advanced Security Option, unless deployed under a specific cloud‑based consumption model.
Why Oracle Cloud (OCI) changes everything
Oracle Cloud Infrastructure (OCI) significantly changes TDE licensing. OCI deployments fall into two groups:
- Compute‑based deployments (IaaS), where you install and manage the database yourself.
- Managed database services (PaaS / DBaaS) where Oracle manages significant portions of the database lifecycle.
OCI Compute (IaaS)
- Same licensing rules as on‑premises.
- You must bring your own license (BYOL).
- TDE availability depends on the edition and licensed options.
OCI Base Database Service (PaaS)
- TDE is enabled by default and cannot be disabled.
- Applies to both Standard Edition and Enterprise Edition offerings.
- TDE is included as part of the service.
OCI Autonomous Database
- TDE is included by default.
- Oracle fully manages encryption, key management, and rotation.
OCI Exadata Database Service
- TDE is enabled by default.
- Licensing treatment depends on whether the service is license‑included or BYOL.
- In practice, encryption is treated as a standard platform capability.
TDE on AWS and other cloud providers
- EC2 (IaaS): Same rules as on‑premises; licensing depends on Edition and Options.
- Amazon RDS for Oracle:
  - Oracle Standard Edition does not include TDE.
  - Oracle Enterprise Edition (BYOL) can use TDE only if the Advanced Security Option is licensed.
Oracle Database on Azure/Google Cloud
Oracle Database@Azure:
- Exadata infrastructure is co-located in Azure datacentres.
- TDE is enabled by default.
- Database operations, including TDE key rotation, are managed by OCI.
Oracle Database@Google Cloud:
- Similar architecture to Oracle Database@Azure.
- TDE is enabled by default.
- Master encryption keys can be managed by OCI or integrated with Google Cloud customer‑managed encryption keys (CMEK).
What does Oracle TDE actually include?
While licensing determines whether you can use TDE, it’s equally important to understand what capabilities are actually included and how those capabilities differ across Editions and Services.
A complete overview can be read in this article: What is Oracle TDE?
At a high level, Oracle TDE provides encryption of data at rest using a combination of database-level encryption keys and externally stored master keys. However, the scope of encryption and management model vary depending on the version and deployment model.
Core TDE capabilities that are common across versions
- Encryption of database data files at rest.
- Encryption of RMAN backups containing encrypted data.
- Encryption of redo data associated with encrypted tablespaces.
- Transparent encryption and decryption are handled by the database engine.
- Separation of data and encryption keys using wallets or external key stores.
Tablespace encryption vs column-level encryption
Tablespace encryption:
- Encrypts all objects stored in the tablespace.
- Includes data files and associated redo.
- Simplifies security design by avoiding column-level decisions.
- Recommended approach in most modern Oracle environments.
Column-level encryption:
- Encrypts specific columns within tables.
- Allows granular protection of sensitive attributes.
Multitenant considerations
- United mode: A single keystore and master key shared across the CDB and all PDBs.
- Isolated mode: Separate keystores and master keys for individual PDBs.
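To see which of these capabilities a given database is actually using (for example, when checking an Enterprise Edition estate against its Advanced Security Option licences), the standard data dictionary views can be queried. This is an added example, not part of the original article; it assumes a user with SELECT access to the DBA_ and V$ views, and in a multitenant database it reports on the current container only.

```sql
-- Added example: inventory TDE usage in one database.
-- In a multitenant database, run it in each PDB or use the CDB_
-- equivalents of the DBA_ views from the root container.

-- 1. Edition: the banner shows Standard Edition vs Enterprise Edition.
SELECT banner
FROM   v$version;

-- 2. Keystore (wallet) state per container.
--    KEYSTORE_MODE reports UNITED or ISOLATED; the column exists only in
--    releases that support isolated mode (18c and later), so remove it
--    from the select list on older releases.
SELECT con_id, wrl_type, status, wallet_type, keystore_mode
FROM   v$encryption_wallet
ORDER  BY con_id;

-- 3. Tablespace encryption: ENCRYPTED is YES for TDE-encrypted tablespaces.
SELECT tablespace_name, encrypted
FROM   dba_tablespaces
ORDER  BY tablespace_name;

-- 4. Column-level encryption: every column declared with ENCRYPT.
SELECT owner, table_name, column_name, encryption_alg
FROM   dba_encrypted_columns
ORDER  BY owner, table_name, column_name;

-- 5. Recorded feature usage: encryption-related features the database
--    has detected in use, and when they were last seen.
SELECT name, version, detected_usages, currently_used, last_usage_date
FROM   dba_feature_usage_statistics
WHERE  UPPER(name) LIKE '%ENCRYPT%'
ORDER  BY name, version;
```

Rows from queries 3 or 4 on an Enterprise Edition database outside OCI managed services mean TDE is in use there, which is the case where the Advanced Security Option applies.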
Summary of the main differences across editions and services
- Oracle Standard Edition (on-prem / non-OCI):
  - TDE not available.
- Oracle Enterprise Edition (on-prem / BYOL):
  - TDE available via Advanced Security Option.
  - Supports tablespace and column-level encryption.
  - Supports wallets and external key management.
- OCI Base Database Service:
  - TDE is enabled by default and cannot be disabled.
  - Tablespace encryption only (even at the Enterprise Edition levels of BDS).
  - Key management is handled by Oracle or OCI KMS.
- OCI Autonomous Database:
  - TDE is fully managed and always enabled.
  - No customer control over encryption scope or key rotation.
What TDE does not include
Oracle TDE does not provide:
- Network encryption (TLS required separately)
- User access control
- Auditing or monitoring
- Cross-environment key management
TDE is a foundational control for data-at-rest protection, but it must be combined with other security and operational controls to form a complete security architecture.
Why TDE licensing matters for hybrid disaster recovery
TDE licensing is not just a cost issue—it directly impacts architecture.
In hybrid disaster recovery:
- OCI databases are encrypted by default
- On-prem Standard Edition cannot use TDE
This mismatch can cause replication failure after switchover.
For a deeper review: READ Oracle TDE and Hybrid Disaster Recovery: Why It Breaks & How to Fix It
Oracle TDE licensing summary
- TDE is not free in most environments
- Standard Edition does not support TDE
- Enterprise Edition requires Advanced Security Option
- OCI includes TDE by default
- Licensing differences can break hybrid DR architectures
Conclusion
READ other articles in this series:
Blog #1 - Oracle TDE and Hybrid Disaster Recovery: Why It Breaks & How to Fix It
Blog #2 - What is Oracle TDE?
Blog #4 - Best practice TDE wallet creation & management
FAQ
1. Is Oracle TDE free?
Oracle TDE is not free in most environments. It is unavailable in Standard Edition, requires the Advanced Security Option in Enterprise Edition, and is included by default only in Oracle Cloud Infrastructure (OCI) managed services.
2. Does Oracle Standard Edition support TDE?
No, Oracle Standard Edition does not support TDE in on-premises or most cloud environments. The only exception is OCI Base Database Service, where TDE is enabled by default.
3. Does Oracle Enterprise Edition include TDE?
No, Oracle Enterprise Edition does not include TDE by default. It requires the Advanced Security Option, which must be licensed separately.
4. Is TDE included in Oracle Cloud (OCI)?
Yes, TDE is included and enabled by default in OCI managed database services such as Base Database Service and Autonomous Database.
5. Why does TDE licensing matter for disaster recovery?
TDE licensing matters because mismatched encryption capabilities between environments can prevent redo logs from being applied, causing hybrid disaster recovery failures after switchover.
Oracle ACE Pro; Head of Customer Services at Dbvisit Software