In our Oracle TDE blog series, we’ve covered:
- What Oracle Transparent Data Encryption (TDE) is, and how it works at a technical and architectural level.
- The challenges TDE introduces in hybrid disaster recovery environments, including practical solutions for Oracle Standard Edition deployments.
In this post, we’ll focus on a topic that often causes confusion even for experienced teams: Oracle TDE licensing.
An important note before we begin
This article is intended as general guidance only and should not be taken as formal licensing advice. Oracle licensing can be nuanced and context‑specific. You should always assess your own environment and, where necessary, engage a qualified Oracle licensing expert before making licensing or architectural decisions.
Now, with that said, let's dive into this!
Why Oracle TDE licensing is confusing
If Oracle TDE licensing feels complex, that's because it is. The complexity comes from differences in licensing across:
- Database editions.
- Deployment models (on‑premises vs cloud).
- Cloud providers.
The goal of this page is to simplify those differences and provide a clear picture of when TDE is included, when it is optional (charged), and when it is unavailable.
Before going any further, there are two key questions to answer:
1. What Oracle database edition are you using (or planning to use)?
2. What infrastructure will you run it in?
Everything else follows from that.
Is Oracle TDE free?
The honest answer is: sometimes, but usually not. In most traditional deployments, TDE is a paid option or an edition‑specific capability. However, there are important exceptions, particularly in Oracle Cloud Infrastructure (OCI), where TDE is enabled by default as part of managed database services, but not in infrastructure-as-a-service offerings. Understanding where those exceptions apply is critical.
TDE Licensing for On‑premises and non‑Oracle cloud deployments
Oracle Database Free (formerly XE)
- Oracle Database 26ai Free includes TDE for on‑premises installations at no cost
- Prior to Oracle 21c, TDE was not available in XE / Free editions
This makes Oracle Database Free an exception rather than the norm. Oracle’s thought here was likely to get developers utilising TDE in the Free edition and therefore increasing the uptake of the option in production databases.
Oracle Standard Edition
- TDE is not included.
- There is no paid option available to add TDE.
This is a hard limitation. If you are running Standard Edition outside OCI managed services, TDE is simply unavailable.
Oracle Enterprise Edition
- TDE is not included by default.
- It is licensed as part of the Advanced Security Option.
Advanced Security is licensed separately from the core Enterprise Edition database. If this option is not licensed, TDE cannot be used.
Oracle Engineered Systems (on‑premises Exadata)
- TDE is not included by default.
- It requires the Advanced Security Option, unless deployed under a specific cloud‑based consumption model.
Oracle Cloud Infrastructure (OCI), where everything changes…
OCI changes the licensing conversation significantly, particularly when using managed database services.
There are two broad ways to run Oracle databases in OCI:
- Compute‑based deployments (IaaS), where you install and manage the database yourself.
- Managed database services (PaaS / DBaaS) where Oracle manages significant portions of the database lifecycle.
Depending on which of these solutions you utilise, TDE licensing changes. So let's look at the various options.
OCI Compute (IaaS)
- Same licensing rules as on‑premises.
- You must bring your own license (BYOL).
- TDE availability depends on the edition and licensed options.
In other words, nothing changes from a licensing perspective from the previous section.
OCI Base Database Service (PaaS)
- TDE is enabled by default and cannot be disabled.
- Applies to both Standard Edition and Enterprise Edition offerings.
- TDE is included as part of the service.
This is one of the most significant differences between OCI and traditional deployments. Even Oracle Standard Edition databases running in Base Database Service are encrypted using TDE by default. This is the only service I’m aware of that includes TDE in the Standard Edition.
OCI Autonomous Database
- TDE is included by default.
- Oracle fully manages encryption, key management, and rotation.
From a licensing perspective, TDE is simply part of the Autonomous service.
OCI Exadata Database Service
- TDE is enabled by default.
- Licensing treatment depends on whether the service is license‑included or BYOL.
- In practice, encryption is treated as a standard platform capability.
Other cloud providers
AWS
- EC2 (IaaS): Same rules as on‑premises; licensing depends on Edition and Options.
- Amazon RDS for Oracle:
  - Oracle Standard Edition does not include TDE.
  - Oracle Enterprise Edition (BYOL) can use TDE only if the Advanced Security Option is licensed.
AWS does not provide a managed service equivalent to OCI’s Base Database Service, where TDE is included for Standard Edition.
Oracle Database services on other clouds
Oracle Database@Azure
- Exadata infrastructure is co-located in Azure datacentres.
- TDE is enabled by default.
- Database operations, including TDE key rotation, are managed by OCI.
Oracle Database@Google Cloud
- Similar architecture to Oracle Database@Azure.
- TDE is enabled by default.
- Master encryption keys can be managed by OCI or integrated with Google Cloud customer‑managed encryption keys (CMEK).
What does Oracle TDE actually include?
While licensing determines whether you can use TDE, it’s equally important to understand what capabilities are actually included and how those capabilities differ across Editions and Services. Below is a short introduction, but a complete overview can be found in our blog here.
At a high level, Oracle TDE provides encryption of data at rest using a combination of database-level encryption keys and externally stored master keys. However, the scope of encryption and management model vary depending on the version and deployment model.
Core TDE capabilities that are common across versions
Where TDE is available, the following core capabilities are provided:
- Encryption of database data files at rest.
- Encryption of RMAN backups containing encrypted data.
- Encryption of redo data associated with encrypted tablespaces.
- Transparent encryption and decryption are handled by the database engine.
- Separation of data and encryption keys using wallets or external key stores.
Tablespace encryption vs column-level encryption
Tablespace encryption (default)
- Encrypts all objects stored in the tablespace.
- Includes data files and associated redo.
- Simplifies security design by avoiding column-level decisions.
- Recommended approach in most modern Oracle environments.
Tablespace encryption is available wherever TDE is supported. Note that it is the only option available in several deployment models, including Oracle Standard Edition and the OCI Base Database Service.
Column-level encryption
- Encrypts specific columns within tables.
- Allows granular protection of sensitive attributes.
Column-level encryption is only available in Oracle Enterprise Edition with the Advanced Security Option and is not supported in Standard Edition or OCI Base Database Service.
Multitenant considerations
In multitenant databases, TDE supports two key management modes:
- United mode: A single keystore and master key shared across the CDB and all PDBs.
- Isolated mode: Separate keystores and master keys for individual PDBs.
Isolated mode provides stronger tenant isolation but is not supported when using OCI KMS. As a result, OCI-managed services typically operate in united mode.
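To see which of these capabilities a given database is actually using (tablespace encryption, column-level encryption, and the keystore mode), a DBA can query the data dictionary. The queries below are an added example, not part of the original post; they assume Oracle Database 12.2 or later and SELECT access to the listed views.

```sql
-- Added example: inventory of TDE usage in the current database.
-- Assumes Oracle 12.2+ and a user with access to DBA_* and V$ views.

-- 1. Tablespace encryption: which tablespaces are encrypted at all.
SELECT tablespace_name, encrypted
FROM   dba_tablespaces
ORDER  BY tablespace_name;

-- 1b. Algorithm and state for each encrypted tablespace.
SELECT t.name AS tablespace_name,
       e.encryptionalg,
       e.status
FROM   v$encrypted_tablespaces e
JOIN   v$tablespace t
       ON t.ts# = e.ts# AND t.con_id = e.con_id
ORDER  BY t.name;

-- 2. Column-level encryption: any rows here mean column encryption is in use,
--    which the article ties to Enterprise Edition with Advanced Security.
SELECT owner, table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns
ORDER  BY owner, table_name, column_name;

-- 3. Keystore state and mode per container.
--    KEYSTORE_MODE reports NONE, UNITED or ISOLATED.
SELECT con_id, wrl_type, status, wallet_type, keystore_mode
FROM   v$encryption_wallet
ORDER  BY con_id;

-- 4. Recorded feature usage. The view is sampled periodically, so recent
--    changes may not appear yet. Feature names differ between releases,
--    hence the broad LIKE filter.
SELECT name, version, detected_usages, currently_used, last_usage_date
FROM   dba_feature_usage_statistics
WHERE  name LIKE '%Encrypt%'
ORDER  BY name, version;
```

Run from the CDB root, query 3 lists every container; inside a PDB it shows only that PDB's keystore.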
Summary of the main differences across editions and services
The table below summarises the most important functional differences:
- Oracle Standard Edition (on-prem / non-OCI):
- Oracle Enterprise Edition (on-prem / BYOL):
  - TDE available via Advanced Security Option.
  - Supports tablespace and column-level encryption.
  - Supports wallets and external key management.
- OCI Base Database Service:
  - TDE is enabled by default and cannot be disabled.
  - Tablespace encryption only! (Even at the Enterprise Edition levels of BDS).
  - Key management is handled by Oracle or OCI KMS.
- OCI Autonomous Database:
What TDE does not include
It’s also important to be clear about what TDE does not provide:
- It does not replace network encryption (e.g. TLS).
- It does not control user access to data.
- It does not provide auditing or activity monitoring.
- It does not automatically solve key management across hybrid environments.
TDE is a foundational control for data-at-rest protection, but it must be combined with other security and operational controls to form a complete security architecture.
Why TDE licensing differences matter for hybrid DR
Licensing differences become particularly important in hybrid disaster recovery architectures.
A common challenge arises when a primary database runs in an OCI PaaS like the Base Database Service, where TDE is mandatory and included, while the secondary site runs on‑premises or in another cloud, where TDE may be unavailable (Standard Edition) or require additional licensing (Enterprise Edition).
These mismatches can complicate hybrid DR designs, key management, and replication strategies. We explore these challenges and practical ways to address them, especially for Oracle Standard Edition environments, in a separate blog focused specifically on TDE in hybrid DR architectures.
Common misconceptions about Oracle TDE licensing
- “TDE is free everywhere in OCI” - This is true for managed services, but not for compute‑based deployments.
- “Standard Edition includes TDE” - No, only in specific OCI managed services.
- “Cloud removes licensing complexity” - No, it often shifts it instead.
- “Encryption choice is purely technical” - No, licensing and DR design are tightly coupled.
Conclusion
Oracle TDE is a powerful security feature, but its licensing model varies significantly depending on where and how your databases are deployed.
Understanding these differences, particularly across editions, cloud services, and hybrid architectures, is critical to avoiding unexpected constraints later. Treating TDE as both a security control and a licensing decision leads to better‑designed, more resilient Oracle environments.