Important note
This article is intended as general guidance only and should not be taken as formal licensing advice. Oracle licensing can be nuanced and context‑specific. You should always assess your own environment and, where necessary, engage a qualified Oracle licensing expert before making licensing or architectural decisions.
Is Oracle TDE free?
Oracle Transparent Data Encryption (TDE) is not free in most environments.
- Oracle Standard Edition → TDE is not available
- Oracle Enterprise Edition → Requires Advanced Security Option (paid)
- OCI managed services → TDE is included and enabled by default
TDE availability depends on database edition and deployment model.
Oracle TDE licensing explained
Oracle TDE licensing depends on two key factors:
- Database edition
- Deployment model
Oracle TDE availability by edition and platform:
| Environment |
TDE Availability |
| Oracle Standard Edition (on-prem / AWS / Azure) |
Not available |
| Oracle Enterprise Edition |
Paid, Available with Advanced Security Option |
| OCI Base Database Service |
Included and mandatory |
| OCI Autonomous Database |
Included and fully managed |
| OCI Compute (IaaS) |
Same as on-prem (BYOL rules) |
Why Oracle TDE licensing is confusing
Oracle TDE licensing feels complex; that's because there it is, and it’s due to differences in licensing across:
- Database edition (Standard vs Enterprise)
- Deployment model (on-prem vs cloud)
- Cloud provider (OCI vs AWS vs Azure)
My goal is to simplify those differences and provide a clear image of when TDE is included, when it is optional (charged), and when it is unavailable.
Before going any further, there are two key questions to answer:
1. What Oracle database edition are you using (or planning to use).
2. What infrastructure will you run it in?
Everything else follows from that.
TDE Licensing for On‑premises and non‑Oracle cloud deployments
Oracle Database Free (formerly XE)
- Oracle Database 26ai Free includes TDE for on‑premises installations at no cost
- Prior to Oracle 21c, TDE was not available in XE / Free editions
Oracle Database Free an exception rather than the norm. Oracle thought it was likely to get developers utilising TDE in the Free edition and therefore increasing the uptake of the option in production databases.
Does Oracle Standard Edition support TDE?
No. Oracle Standard Edition does not support TDE in:
- On-premises environments
- AWS or other cloud providers
There is no paid option to enable it.
The only exception:OCI Base Database Service, where TDE is enabled by default. Outside OCI managed services, TDE is simply unavailable in Standard Edition.
Oracle Enterprise Edition and TDE
In Oracle Enterprise Edition:
- TDE is not included by default
- It requires the Advanced Security Option
- This option is licensed separately
Without this option: TDE cannot be used.
Oracle Engineered Systems (on‑premises Exadata)
- TDE is not included by default.
- It requires the Advanced Security Option, unless deployed under a specific cloud‑based consumption model.
Why Oracle Cloud (OCI) changes everything
Oracle Cloud Infrastructure (OCI) significantly changes TDE licensing.
There are two broad ways to run Oracle databases in OCI:
- Compute‑based deployments (IaaS), where you install and manage the database yourself.
- Managed database services (PaaS / DBaaS) where Oracle manages significant portions of the database lifecycle.
Depending on which of these solutions you utilise, TDE licensing changes
OCI Compute (IaaS)
- Same licensing rules as on‑premises.
- You must bring your own license (BYOL).
- TDE availability depends on the edition and licensed options.
Nothing changes from a licensing perspective from the previous section.
OCI Base Database Service (PaaS)
- TDE is enabled by default and cannot be disabled.
- Applies to both Standard Edition and Enterprise Edition offerings.
- TDE is included as part of the service.
This is one of the most significant differences between OCI and traditional deployments. Even Oracle Standard Edition databases running in Base Database Service are encrypted using TDE by default. This is the only service I’m aware of that includes TDE in the Standard Edition.
OCI Autonomous Database
- TDE is included by default.
- Oracle fully manages encryption, key management, and rotation.
From a licensing perspective, TDE is simply part of the Autonomous service.
OCI Exadata Database Service
-
TDE is enabled by default.
-
Licensing treatment depends on whether the service is license‑included or BYOL.
-
In practice, encryption is treated as a standard platform capability.
TDE on AWS and other cloud providers
AWS
- EC2 (IaaS): Same rules as on‑premises, licensing depends on Edition and Options.
- Amazon RDS for Oracle:
- Oracle Standard Edition does not include TDE.
- Oracle Enterprise Edition (BYOL) can use TDE only if the Advanced Security Option is licensed.
AWS does not provide a managed service equivalent to OCI’s Base Database Service, where TDE is included for Standard Edition.
Oracle Database on Azure/Google Cloud
Oracle Database@Azure
- Exadata infrastructure is co-located in Azure datacentres.
- TDE is enabled by default.
- Database operations, including TDE key rotation, are managed by OCI.
Oracle Database@Google Cloud
-
Similar architecture to Oracle Database@Azure.
-
TDE is enabled by default.
-
Master encryption keys can be managed by OCI or integrated with Google Cloud customer‑managed encryption keys (CMEK).
What does Oracle TDE actually include?
While licensing determines whether you can use TDE, it’s equally important to understand what capabilities are actually included and how those capabilities differ across Editions and Services.
A complete overview can be read in this article: What is Oracle TDE?
At a high level, Oracle TDE provides encryption of data at rest using a combination of database-level encryption keys and externally stored master keys. However, the scope of encryption and management model vary depending on the version and deployment model.
Core TDE capabilities that are common across versions
Where TDE is available, the following core capabilities are provided:
- Encryption of database data files at rest.
- Encryption of RMAN backups containing encrypted data.
- Encryption of redo data associated with encrypted tablespaces.
- Transparent encryption and decryption are handled by the database engine.
- Separation of data and encryption keys using wallets or external key stores.
Tablespace encryption vs column-level encryption
Tablespace encryption (default)
- Encrypts all objects stored in the tablespace.
- Includes data files and associated redo.
- Simplifies security design by avoiding column-level decisions.
- Recommended approach in most modern Oracle environments.
Tablespace encryption is available wherever TDE is supported
<IMPORTANT> Note that it is the only option available in several deployment models, including Oracle Standard Edition and the OCI Base Database Service.
Column-level encryption
- Encrypts specific columns within tables.
- Allows granular protection of sensitive attributes.
Column-level encryption is only available in Oracle Enterprise Edition with the Advanced Security Option and is not supported in Standard Edition or OCI Base Database Service.
Multitenant considerations
In multitenant databases, TDE supports two key management modes:
- United mode: A single keystore and master key shared across the CDB and all PDBs.
- Isolated mode: Separate keystores and master keys for individual PDBs.
Isolated mode provides stronger tenant isolation but is not supported when using OCI KMS. As a result, OCI-managed services typically operate in unified mode.
Summary of the main differences across editions and services
The table below summarises the most important functional differences:
-
Oracle Standard Edition (on-prem / non-OCI):
-
Oracle Enterprise Edition (on-prem / BYOL):
- TDE available via Advanced Security Option.
- Supports tablespace and column-level encryption.
- Supports wallets and external key management.
-
OCI Base Database Service:
- TDE is enabled by default and cannot be disabled.
- Tablespace encryption only (Even at the Enterprise Edition levels of BDS).
- Key management is handled by Oracle or OCI KMS.
-
OCI Autonomous Database:
What TDE does not include
Oracle TDE does not provide:
- Network encryption (TLS required separately)
- User access control
- Auditing or monitoring
- Cross-environment key management
TDE is a foundational control for data-at-rest protection, but it must be combined with other security and operational controls to form a complete security architecture.
Why TDE licensing matters for hybrid disaster recovery
TDE licensing is not just a cost issue—it directly impacts architecture.
In hybrid disaster recovery:
- OCI databases are encrypted by default
- On-prem Standard Edition cannot use TDE
This mismatch can cause replication failure after switchover.
Oracle TDE licensing summary
- TDE is not free in most environments
- Standard Edition does not support TDE
- Enterprise Edition requires Advanced Security Option
- OCI includes TDE by default
- Licensing differences can break hybrid DR architectures
Conclusion
Oracle TDE is a powerful security feature, but its licensing model varies significantly depending on where and how your databases are deployed.
Understanding these differences, particularly across editions, cloud services, and hybrid architectures, is critical to avoiding unexpected constraints later.
Treating TDE as both a security control and a licensing decision leads to better‑designed, more resilient Oracle environments.
READ other articles in this series:
Blog #1 - Oracle TDE and Hybrid Disaster Recovery: Why It Breaks & How to Fix It
Blog #2 - What is Oracle TDE?
Blog #4 - Best practice TDE wallet creation & management
FAQ
1. Is Oracle TDE free?
Oracle TDE is not free in most environments. It is unavailable in Standard Edition, requires the Advanced Security Option in Enterprise Edition, and is included by default only in Oracle Cloud Infrastructure (OCI) managed services.
2. Does Oracle Standard Edition support TDE?
No, Oracle Standard Edition does not support TDE in on-premises or most cloud environments. The only exception is OCI Base Database Service, where TDE is enabled by default.
3. Does Oracle Enterprise Edition include TDE?
No, Oracle Enterprise Edition does not include TDE by default. It requires the Advanced Security Option, which must be licensed separately.
4. Is TDE included in Oracle Cloud (OCI)?
Yes, TDE is included and enabled by default in OCI managed database services such as Base Database Service and Autonomous Database.
5. Why does TDE licensing matter for disaster recovery?
TDE licensing matters because mismatched encryption capabilities between environments can prevent redo logs from being applied, causing hybrid disaster recovery failures after switchover.