PERMITTED :- allows SECUREFILE LOBs to be created provided ASSM tablespace is used. This is the default value.
sqlplus / as sysdbaNEVER :- disallow SECUREFILE LOBs from being created. If securefile option is used then table create command still succeed but secure file is not used. Error is thorwn only if any of the securefile options are specified in the create statement.
SQL> show parameter db_secure
NAME TYPE VALUE
-------------- ----------- ---------
db_securefile string PERMITTED
SQL> create table seclob (a number, b blob) lob(b) store as securefile;
create table seclob (a number, b blob) lob(b) store as securefile
*
ERROR at line 1:
ORA-43853: SECUREFILE lobs cannot be used in non-ASSM tablespace "SYSTEM"
SQL> conn asanga/*****ALWAYS :- creates securefiles even if basicfile is specified.
Connected.
SQL> alter session set db_securefile='NEVER';
Session altered.
SQL> create table seclob (a number, b blob) lob(b) store as securefile;
Table created.
SQL> select table_name,column_name,securefile from user_lobs;
TABLE COLUMN SEC
------ ------ ---
SECLOB B NO
SQL> drop table seclob;
Table dropped.
SQL> create table seclob (a number, b blob) lob(b) store as securefile(compress);
create table seclob (a number, b blob) lob(b) store as securefile(compress)
*
ERROR at line 1:
ORA-43854: use of a BASICFILE LOB where a SECUREFILE LOB was expected
SQL> alter session set db_securefile='ALWAYS';On the securefile and large object guide it is stated "ALWAYS attempts to create all LOBs as SECUREFILE LOBs but creates any LOBs not in ASSM tablespaces as BASICFILE LOBs, unless SECUREFILE is explicitly specified. Any BASICFILE LOB storage options specified will be ignored, and the SECUREFILE defaults are used for all storage options not specified."
SQL> create table seclob (a number, b blob) lob(b) store as basicfile;
Table created.
SQL> select table_name,column_name,securefile from user_lobs;
TABLE COLUMN SEC
------ ------ ---
SECLOB B YES
SQL> create tablespace mssm datafile '+DATA(datafile)' segment space management manual;This was tested on 11.1.0.7.4 database and it seem when MSSM tablespace is specified rather than creating basicfile it throws an error.
Tablespace created.
SQL> alter session set db_securefile='ALWAYS';
Session altered.
SQL> create table seclob (a number, b blob) lob(b) store as securefile (tablespace mssm);
create table seclob (a number, b blob) lob(b) store as securefile (tablespace mssm)
*
ERROR at line 1:
ORA-43853: SECUREFILE lobs cannot be used in non-ASSM tablespace "MSSM"
Securefile and large object guide states "If FORCE is specified, all LOBs created in the system will be created as SECUREFILE LOBs. If the LOB is being created in an MSSM tablespace, an error will be thrown. Any BASICFILE LOB storage options specified will be ignored, and the SECUREFILE defaults are used for all storage options not specified.". This behavior is same as "ALWAYS"
SQL> alter session set db_securefile='FORCE';Last option is ignore which will ignore securefile keyword and any securefile options specified in the create statement. This is true for all options except encrypt, where instead of being ignored an error is thrown if the wallet is not open.
Session altered.
SQL> create table seclob (a number, b blob) lob(b) store as basicfile;
Table created.
SQL> select table_name,column_name,securefile from user_lobs;
TABLE_ COLUMN SEC
------ ------ ---
SECLOB B YES
SQL> drop table seclob;
SQL> create table seclob (a number, b blob) lob(b) store as securefile (tablespace mssm);
create table seclob (a number, b blob) lob(b) store as securefile (tablespace mssm)
*
ERROR at line 1:
ORA-43853: SECUREFILE lobs cannot be used in non-ASSM tablespace "MSSM"
SQL> alter session set db_securefile='IGNORE';As soon as the encrypt option is specified following error is thrown. Encrypt option could be specified in two places but not at the same time
Session altered.
SQL> create table seclob (a number, b blob) lob(b) store as securefile;
Table created.
SQL> select table_name,column_name,securefile from user_lobs;
TABLE_ COLUMN SEC
------ ------ ---
SECLOB B NO
SQL> drop table seclob;
SQL> create table seclob (a number, b blob) lob(b) store as securefile(compress deduplicate);
Table created.
SQL> select table_name,column_name,securefile,compression,deduplication from user_lobs;
TABLE_ COLUMN SEC COMPRE DEDUPLICATION
------ ------ --- ------ -------------
SECLOB B NO NONE NONE
SQL> create table seclob (a number, b blob) lob(b) store as securefile(encrypt using 'AES128');If a wallet is created and if it is open then this create statement will succeed and encrypt option will be ignored.
create table seclob (a number, b blob) lob(b) store as securefile(encrypt using 'AES128')
*
ERROR at line 1:
ORA-28365: wallet is not open
SQL> create table seclob (a number, b blob encrypt using 'AES128') lob(b) store as securefile;
create table seclob (a number, b blob encrypt using 'AES128') lob(b) store as securefile
*
ERROR at line 1:
ORA-28365: wallet is not open
SQL> create table seclob (a number, b blob) lob(b) store as securefile(compress encrypt identified by asanga);
create table seclob (a number, b blob) lob(b) store as securefile(compress encrypt identified by asanga)
*
ERROR at line 1:
ORA-28365: wallet is not open
Create the default wallet directory if does not exists. If this directory doesn't exists "ORA-28368: cannot auto-create wallet" will be thrown
mkdir -p $ORACLE_BASE/admin/$ORACLE_SID/walletCreate the securefile with all options
sqlplus / as sysdba
SQL> alter system set encryption key identified by "asanga321";
System altered.
create table seclob (a number, b blob) lob(b) store as securefile(compress encrypt using 'AES128' deduplicate);Closing the wallet and trying to create the table will fail as before
Table created.
SQL> select table_name,column_name,securefile,compression,deduplication,encrypt from user_lobs;
TABLE_ COLUM SEC COMPRE DEDUPLICATION ENCR
------ ----- --- ------ --------------- ----
SECLOB B NO NONE NONE NONE
alter system set encryption wallet close;
SQL>drop table seclob;
SQL> create table seclob (a number, b blob) lob(b) store as securefile(compress encrypt using 'AES128' deduplicate);
create table seclob (a number, b blob) lob(b) store as securefile(compress encrypt using 'AES128' deduplicate)
*
ERROR at line 1:
ORA-28365: wallet is not open
SQL> alter system set encryption wallet open identified by "asanga321";
SQL> create table seclob (a number, b blob) lob(b) store as securefile(compress encrypt using 'AES128' deduplicate);
Table created.