Oracle Startup (Initialization) Parameters
Versions All

Security Advisory
When an Oracle Database is started and opened there is a three step process. STARTUP NOMOUNT reads the spfile (or iniSID.ora) file. ALTER DATABASE MOUNT reads the control file(s) identified during the first step. ALTER DATABASE OPEN, opens the data files in read-write or read-only mode.

The startup parameters, in addition to providing a pointer to the control files and defining memory and other settings has a number of parameters that can have a profound impact on database security. This page is a collection point for information about as many of them as we can identify.
Recommended Security Rules

 NEVER
  • Alter a startup parameter without going through a formal and documented change process following testing in a pre-production environment.
  • Alter a startup parameter without using the COMMENT= syntax and documenting, within the database, the date, reason, and reference for the change.
  • Write the DDL to alter a parameter without also writing the DDL necessary for rolling that change back.

 WITH GREAT CARE AFTER READING THE DOCS and FULLY APPRECIATING THE RISKS
  • Change parameters first in development, than in a test environment, and finally in production
 CAUTIONS
  • Limit parameter changes to no more than one or two senior DBAs so that they are treated with the care they deserve.
Data Dictionary Objects
GV$PARAMETER X$KSPPCV X$KSPPI
V$PARAMETER    
 
Security Related Parameters
ADG_ACCOUNT_INFO_TRACKING

Default: LOCAL
Controls login attempts of users on an Active Data Guard Standby by extending control of user account security information.
Range of values: {LOCAL | GLOBAL}

How values impact security:

LOCAL

Enforces default behavior by maintaining a local copy of user account information in the Data Guard physical standby's memory. Login failures are only tracked locally on a per database basis, and login is denied when the failure maximum (set in the user's PROFILE) is reached.

GLOBAL
Increases security by maintaining a single global copy of user account information across all Data Guard databases, both primary and standby. Login failures across all databases in the Data Guard configuration count towards the maximum count and logins anywhere will be denied if the count is reached. This setting improves security against login attacks across a production database and all Active Data Guard standby databases.

When running Active Data Guard we are not aware of any reason not to set this parameter to GLOBAL.
col value format a7
col isdef format a5
col sysmod format a6
col ismod format a5
col INSTMOD format a7
col update_comment format a20

SELECT value, isdefault ISDEF, isses_modifiable SESMOD, issys_modifiable SYSMOD, ispdb_modifiable PDBMOD, isinstance_modifiable INSTMOD, ismodified ISMOD, isadjusted ISADJ, isdeprecated, update_comment
FROM gv$parameter
WHERE name = 'adg_account_info_tracking';

VALUE  ISDEF SESMO SYSMOD PDBMO INSTMOD ISMOD ISADJ ISDEP UPDATE_COMMENT
------ ----- ----- ------ ----- ------- ----- ----- ----- -------------------------
LOCAL  TRUE  FALSE FALSE  TRUE  FALSE   FALSE FALSE FALSE

ALTER SYSTEM SET adg_account_info_tracking = 'GLOBAL'
COMMENT='Set by DAM on 18-Aug-2019 to GLOBAL per ticket 67342'
CONTAINER=ALL
SID='*'
scope=SPFILE;

SHUTDOWN IMMEDIATE;
STARTUP NOMOUNT;
ALTER DATABASE MOUNT;
ALTER DATABASE OPEN;
CELL_OFFLOAD_DECRYPTION

Default: TRUE
Enable SQL processing offload of encrypted data to cells
Range of values: {TRUE | FALSE}
cell_offload_decryption=TRUE
DBFIPS_140

Default: FALSE
Enables TDE and DBMS_CRYPTO PL/SQL package program units to run in a mode compliant to the Federal Information Processing Standard.
Range of Values: {FALSE | TRUE}
DBFIPS_140=TRUE
DB_BLOCK_CHECKING

Default MEDIUM
Controls whether Oracle performs block checking for data blocks. When this parameter is set to TRUE, Oracle performs block checking for all data blocks. When it is set to false, Oracle does not perform block checking for blocks in the user tablespaces. However, block checking for the SYSTEM tablespace is always turned on.
Syntax: DB_BLOCK_CHECKING = {FALSE | OFF | LOW | MEDIUM | TRUE | FULL}
db_block_checking=FULL
DB_BLOCK_CHECKSUM

Default: TYPICAL
Determines whether DBWn and the direct loader will calculate a checksum (a number calculated from all the bytes stored in the block) and store it in the cache header of every data block when writing it to disk. Checksums are verified when a block is read-only if this parameter is TRUE and the last write of the block stored a checksum. In addition, Oracle gives every log block a checksum before writing it to the current log.
Syntax: DB_BLOCK_CHECKSUM = {OFF | FALSE | TYPICAL | TRUE | FULL}
db_block_checksum=TRUE
DB_LOST_WRITE_PROTECT

Default: NONE
Enables or disables lost write detection. A data block lost write occurs when an I/O subsystem acknowledges the completion of the block write, while in fact the write did not occur in the persistent storage.

When the parameter is set to TYPICAL on the primary database, the instance logs buffer cache reads for read-write tablespaces in the redo log, which is necessary for detection of lost writes.

When the parameter is set to FULL on the primary database, the instance logs reads for read-only tablespaces as well as read-write tablespaces.

When the parameter is set to TYPICAL or FULL on the standby database or on the primary database during media recovery, the instance performs lost write detection.

When the parameter is set to NONE on either the primary database or the standby database, no lost write detection functionality is enabled.
Range of values: {NONE | TYPICAL | FULL}
db_lost_write_protect=FULL
DB_SECUREFILE

Default: PREFERRED
Specifies whether to treat LOB files as SecureFiles. Requires the tablespace is created with SEGMENT SPACE MANAGEMENT = AUTO
Range of values: {NEVER | PERMITTED | PREFERRED | ALWAYS | IGNORE}
db_securefile=ALWAYS
DB_ULTRA_SAFE

Default: OFF
Sets the default values for other parameters that control protection levels.
Range of values: {OFF | DATA_ONLY | DATA_AND_INDEX}

How values impact security:

OFF
If DB_BLOCK_CHECKING, DB_CHECKSUM, or DB_LOST_WRITE_PROTECT are set, no changes are made.

DATA_ONLY
  DB_BLOCK_CHECKING is set to MEDIUM
  DB_BLOCK_CHECKSUM is set to TYPICAL
  DB_LOST_WRITE_PROTECT is set to FULL

DATA_AND_INDEX
  DB_BLOCK_CHECKING is set to FULL
  DB_BLOCK_CHECKSUM is set to TYPICAL
  DB_LOST_WRITE_PROTECT is set to FULL
db_ultra_safe=OFF
ENCRYPT_NEW_TABLESPACES

Default: CLOUD_ONLY
Specifies whether to encrypt newly created user tablespaces
Range of values: ENCRYPT_NEW_TABLESPACES = {CLOUD_ONLY | ALWAYS | DDL}
encrypt_new_tablespaces=DDL
EXTERNAL_KEYSTORE_CREDENTIAL_LOCATION

Default: <no_value>
Specifies the location of the secure external keystore
external_keystore_credential_location=/u01/app/oracle/admin/ORCL/db_wallet/
LOB_SIGNATURE_ENABLE

Default: FALSE
New 19c parameter

You can secure your LOBs by enabling the LOB locator signature feature. A LOB locator is a pointer to the location of a large object (LOB) value. If the LOB_SIGNATURE_ENABLED initialization parameter is set to true, then when you create a LOB, Oracle Database automatically assigns a signature to the LOB locator. When Oracle Database receives a request from a client, it uses the signature to determine if any tampering with the LOB locator has occurred. When this parameter is set to true, you also have the option of further securing your LOBs by encrypting your LOB locator signature keys.

Range of values: {FALSE | TRUE}
max_idle_time=30
MAX_IDLE_TIME

Default: 0
Specifies the maximum number of minutes that a session can be idle after which the session is automatically terminated
Range of values: {0 to the maximum integer. The value of 0 indicates that there is no limit}
max_idle_time=30
ONE_STEP_PLUGIN_FOR_PDB_WITH_TDE

Default: FALSE
If a PDB has Transparent Data Encryption-encrypted (TDEencrypted) tables or tablespaces, you can enable ONE_STEP_PLUGIN_FOR_PDB_WITH_TDE on the target CDB to simplify the move of TDE keys in a single step PDB move operation
Range of values: {FALSE | TRUE}
one_step_plugin_for_pdb_with_tde=TRUE
OPTIMIZER_SECURE_VIEW_MERGING

Default: TRUE
Enables the optimizer to use view merging to improve query performance without performing the checks that would otherwise be performed to ensure that view merging does not violate any security intentions of a view's creator.
Range of values: {TRUE | FALSE}
optimizer_secure_view_merging=TRUE
OS_ROLES

Default: FALSE
Determines whether Oracle or the operating system identifies and manages the roles of each username.
os_rules=FALSE
REMOTE_LOGIN_PASSWORDFILE

Default: EXCLUSIVE
Specifies whether Oracle checks for a password file.
Range of values: {SHARED | EXCLUSIVE | NONE}
remote_login_passwordfile='EXCLUSIVE'
REMOTE_OS_ROLES

Default:FALSE
Specifies whether operating system roles are allowed for remote clients. The default value, false, causes Oracle to identify and manage roles for remote clients.
remote_os_rules=FALSE
SEC_CASE_SENSITIVE_LOGON

Default: TRUE
Case sensitive password enabled for logon
Range of values {TRUE or FALSE}
sec_case_sensitive_logon=TRUE
SEC_MAX_FAILED_LOGIN_ATTEMPTS

Default: 10
Specifies the number of authentication attempts that can be made by a client on a connection to the server process. After the specified number of failure attempts, the connection will be automatically dropped by the server process.
sec_max_failed_login_attempts=3
SEC_PROTOCOL_ERROR_FURTHER_ACTION

Default: CONTINUE
Specifies the further execution of a server process when receiving bad packets from a possibly malicious client.
Range of values: {CONTINUE | DELAY, <integer> | DROP, <integer>}
ALTER SYSTEM SET sec_protocol_error_further_action=DELAY,3 SID='*' SCOPE=SPFILE;
SEC_PROTOCOL_ERROR_TRACE_ACTION

Default: TRACE
Specifies the action that the database should take when bad packets are received from a possibly malicious client
Range of values: {NONE | TRACE | LOG | ALERT}
sec_protocol_eror_trace_action=ALERT
SEC_RETURN_SERVER_RELEASE_BANNER

Default: FALSE
Specifies whether or not the server returns complete database software information to clients.
sec_return_server_release_banner=FALSE
SQL92_SECURITY

Default: TRUE
The SQL standard specifies that security administrators should be able to require that users have SELECT privilege on a table when executing an UPDATE or DELETE statement that references table column values in a WHERE or SET clause. SQL92_SECURITY specifies whether users must have been granted the SELECT object privilege in order to execute such UPDATE or DELETE statements.
Range of values: {FALSE | TRUE}
sql92_security=TRUE
SSL_WALLET

No Default
Undocumented
TBD
TDE_CONFIGURATION

Default: None
Specified on a per-PDB basis for Transparent Data Encryption (TDE). Before Oracle Database 18c, each PDB stored their separate encryption keys in the CDB’s keystore (united mode). Starting with Oracle Database 18c, a PDB can optionally store its encryption keys in a separate keystore (isolation mode), thus allowing protection by a separate keystore password. The WALLET_ROOT initialization parameter must be set for TDE_CONFIGURATION to take effect.
Range of values: {FILE | OKV | HSM | FILE|OKV | FILE|HSM | OKV|FILE | HSM|FILE}
tde_configuration=OKV
WALLET_ROOT

Default: No Value
Specifies the path to the root of a directory tree containing a subdirectory for each pluggable database (PDB), under which a directory structure similar to the Oracle ASM wallet storage directory structure is used to store the various wallets associated with the PDB.
Range of values: wallet-root-directory-path
wallet_root=wallet-root/tde_seps/cwallet.sso
 
Security Related Undocumented "Underscore" Parameters
It is critically important, before you read any entries in this section, that you understand that you are not authorized to alter the value of any underscore parameter without first opening a Service Request (SR) at https://my.oracle.support and getting Oracle's agreement with the proposed change.

We will be testing, as noted below, some of the default values because we do not find the defaults to be the best choice from the standpoint of security. If, and when, we recommend making a change do NOT do as we advise without first opening an SR and obtaining permission from Oracle Support.
_assert_encrypted_tablespace_blocks

Default: TRUE
The default value, TRUE, asserts that encrypted tablespace blocks must be encrypted.

Range of values: {FALSE | TRUE}

Do not alter the default value.
col name format a40
col value format a20
col description format a60

SELECT x.ksppinm NAME, y.ksppstvl VALUE, x.ksppdesc DESCRIPTION
FROM x$ksppi x, x$ksppcv y
WHERE x.inst_id = userenv('Instance')
AND y.inst_id = userenv('Instance')
AND x.indx = y.indx
AND x.ksppinm = '_assert_encrypted_tablespace_blocks';
_backup_encrypt_opt_mode

Default: 4294967294
Specifies the encryption block optimization mode. The various options are not documented so do not alter this default value.

A list of valid values is not known.
col name format a40
col value format a20
col description format a60

SELECT x.ksppinm NAME, y.ksppstvl VALUE, x.ksppdesc DESCRIPTION
FROM x$ksppi x, x$ksppcv y
WHERE x.inst_id = userenv('Instance')
AND y.inst_id = userenv('Instance')
AND x.indx = y.indx
AND x.ksppinm = '_backup_+encrypt_opt_mode';
_db_cache_silicon_secured_memory

Default: TRUE
Enables silicon secured memory.

Range of values: {FALSE | TRUE}

Not using silicon secured memory is a security violation. The default value of this parameter should never be altered.
col name format a40
col value format a20
col description format a60

SELECT x.ksppinm NAME, y.ksppstvl VALUE, x.ksppdesc DESCRIPTION
FROM x$ksppi x, x$ksppcv y
WHERE x.inst_id = userenv('Instance')
AND y.inst_id = userenv('Instance')
AND x.indx = y.indx
AND x.ksppinm = '_db_cache_Silicon_secured_memory';
_db_disable_temp_encryption

Default: FALSE
Disable Temp Encryption for Spills.

Range of values: {FALSE | TRUE}

Not encrypting TEMP is a security violation. The default value of this parameter should never be altered.
col name format a40
col value format a20
col description format a60

SELECT x.ksppinm NAME, y.ksppstvl VALUE, x.ksppdesc DESCRIPTION
FROM x$ksppi x, x$ksppcv y
WHERE x.inst_id = userenv('Instance')
AND y.inst_id = userenv('Instance')
AND x.indx = y.indx
AND x.ksppinm = '_db_disable_temp_encryption';
_db_flash_cache_encryption

Default: FALSE
Set to TRUE to enable flash cache encryption.

Range of values: {FALSE | TRUE}

We have not yet had time to test this on an Exadata but other than the setting causing a very substantial performance issue we do not understand why anyone would want their data in the flash cache to not be encrypted. We will check this out at the very first opportunity and update this entry as soon as we can.
col name format a40
col value format a20
col description format a60

SELECT x.ksppinm NAME, y.ksppstvl VALUE, x.ksppdesc DESCRIPTION
FROM x$ksppi x, x$ksppcv y
WHERE x.inst_id = userenv('Instance')
AND y.inst_id = userenv('Instance')
AND x.indx = y.indx
AND x.ksppinm = '_db_flash_cache_encryption';
_db_xmem_cache_encryption

Default: TRUE
When set to TRUE enables XMEM cache encryption.

Range of values: {FALSE | TRUE}

Not encrypting the XMEM cache is a security violation so do not alter the default value.
col name format a40
col value format a20
col description format a60

SELECT x.ksppinm NAME, y.ksppstvl VALUE, x.ksppdesc DESCRIPTION
FROM x$ksppi x, x$ksppcv y
WHERE x.inst_id = userenv('Instance')
AND y.inst_id = userenv('Instance')
AND x.indx = y.indx
AND x.ksppinm = '_db_xmem_cache_encryption';
_enable_secure_sub_role

Default: FALSE
Disallow enabling of secure sub roles.

Range of values: {FALSE | TRUE}

We are not convinced that this is the best choice for a secure environment and will be testing this parameter in the near future and reporting back our results on this page.
col name format a40
col value format a20
col description format a60

SELECT x.ksppinm NAME, y.ksppstvl VALUE, x.ksppdesc DESCRIPTION
FROM x$ksppi x, x$ksppcv y
WHERE x.inst_id = userenv('Instance')
AND y.inst_id = userenv('Instance')
AND x.indx = y.indx
AND x.ksppinm = '_enable_secure_sub_role';
_grant_secure_role

Default: FALSE
Disallows granting of a Secure Role to another Secure Role or Non-Secure Role.

Range of values: {FALSE | TRUE}

Granting Secure roles to Non-Secure Roles is a security violation so do not alter the default value.
col name format a40
col value format a20
col description format a60

SELECT x.ksppinm NAME, y.ksppstvl VALUE, x.ksppdesc DESCRIPTION
FROM x$ksppi x, x$ksppcv y
WHERE x.inst_id = userenv('Instance')
AND y.inst_id = userenv('Instance')
AND x.indx = y.indx
AND x.ksppinm LIKE '_grant_secure_role';
_log_silicon_secured_memory

Default: TRUE
Enables silicon secured memory (log).

Range of values: {FALSE | TRUE}

Disabling silicon secured memory is a security violation so do not alter the default value.
col name format a40
col value format a20
col description format a60

SELECT x.ksppinm NAME, y.ksppstvl VALUE, x.ksppdesc DESCRIPTION
FROM x$ksppi x, x$ksppcv y
WHERE x.inst_id = userenv('Instance')
AND y.inst_id = userenv('Instance')
AND x.indx = y.indx
AND x.ksppinm = '_log_silicon_secured_memory';
_default_encrypt_alg

Default: 0
Use the default encryption algorithm.

Range of values: unknown

We have insufficient information as to the valid values and their meaning to make any recommendation so do not alter the value of this parameter.
col name format a40
col value format a20
col description format a60

SELECT x.ksppinm NAME, y.ksppstvl VALUE, x.ksppdesc DESCRIPTION
FROM x$ksppi x, x$ksppcv y
WHERE x.inst_id = userenv('Instance')
AND y.inst_id = userenv('Instance')
AND x.indx = y.indx
AND x.ksppinm = '_default_encrypt_alg';
_disable_data_block_check_after_decrypt

Default: FALSE
If TRUE, disable data block check after decryption.

Range of values: {FALSE | TRUE}

Disabling data block checking after decryption might provide a performance enhancement but it would be one that potentially compromises data integrity. Do not alter the value of this parameter.
col name format a40
col value format a20
col description format a60

SELECT x.ksppinm NAME, y.ksppstvl VALUE, x.ksppdesc DESCRIPTION
FROM x$ksppi x, x$ksppcv y
WHERE x.inst_id = userenv('Instance')
AND y.inst_id = userenv('Instance')
AND x.indx = y.indx
AND x.ksppinm = '_disable_data_block_check_after_decrypt';
_kcfis_disable_platform_decryption

Default: FALSE
Don't use platform-specific decryption on the storage cell.

Range of values: {FALSE | TRUE}

Oracle really needs to try to not make default values a double-negative which is the enemy of clarity. If set to TRUE this parameter it is instructing the database to not use platform-specific decryption which might only make sense if the platform has an unpatchable bug. We recommend not altering the value of this parameter.
col name format a40
col value format a20
col description format a60

SELECT x.ksppinm NAME, y.ksppstvl VALUE, x.ksppdesc DESCRIPTION
FROM x$ksppi x, x$ksppcv y
WHERE x.inst_id = userenv('Instance')
AND y.inst_id = userenv('Instance')
AND x.indx = y.indx
AND x.ksppinm = '_kcfis_disable_platform_decryption';
_kdlxp_lobencrypt

Default: FALSE
When set to TRUE enables LOB encryption only on SecureFiles.

Range of values: {FALSE | TRUE}

We cannot imagine why anyone would want to disable LOB encryption anywhere at any time so this parameter's default value should not be altered.
col name format a40
col value format a20
col description format a60

SELECT x.ksppinm NAME, y.ksppstvl VALUE, x.ksppdesc DESCRIPTION
FROM x$ksppi x, x$ksppcv y
WHERE x.inst_id = userenv('Instance')
AND y.inst_id = userenv('Instance')
AND x.indx = y.indx
AND x.ksppinm = '_kdlxp_lobencrypt'
ORDER BY 1;
_override_datafile_encrypt_check

Default: FALSE
If TRUE, override datafile tablespace encryption cross check.

Range of values: {FALSE | TRUE}

Overriding the cross check is a security violation. Do not alter the value of this parameter.
col name format a40
col value format a20
col description format a60

SELECT x.ksppinm NAME, y.ksppstvl VALUE, x.ksppdesc DESCRIPTION
FROM x$ksppi x, x$ksppcv y
WHERE x.inst_id = userenv('Instance')
AND y.inst_id = userenv('Instance')
AND x.indx = y.indx
AND x.ksppinm = '_override_datafile_encrypt_check'
ORDER BY 1;
_stats_encryption_enabled

Default: FALSE
Enable statistics encryption on sensitive data.

Range of values: {FALSE | TRUE}

The default set by Oracle doesn't make any sense to us unless the encryption creates an unexpectedly large performance hit. This will be tested in the near future and we will post our recommendation here once we have verified the impact, if any.
col name format a40
col value format a20
col description format a60

SELECT x.ksppinm NAME, y.ksppstvl VALUE, x.ksppdesc DESCRIPTION
FROM x$ksppi x, x$ksppcv y
WHERE x.inst_id = userenv('Instance')
AND y.inst_id = userenv('Instance')
AND x.indx = y.indx
AND x.ksppinm = '_stats_encryption_enabled'
ORDER BY 1;
_tablespace_encryption_default_algorithm

Default: AES128
Default tablespace encryption block cipher mode.

Range of values: not known

At first sight our thought is that AES256 would be more secure. We plan to test a variety of algorithms and see if we can provide guidance that lead to an improved security level without having a negative impact on performance.
col name format a40
col value format a20
col description format a60

SELECT x.ksppinm NAME, y.ksppstvl VALUE, x.ksppdesc DESCRIPTION
FROM x$ksppi x, x$ksppcv y
WHERE x.inst_id = userenv('Instance')
AND y.inst_id = userenv('Instance')
AND x.indx = y.indx
AND x.ksppinm = '_tablespace_encryption_default_algorithm'
ORDER BY 1;
_use_hybrid_encryption_mode

Default: FALSE
Enable platform optimized encryption in hybrid mode.

Range of values: {FALSE | TRUE}

There is no documentation on what "hybrid mode" is so we recommend not altering this parameter.
col name format a40
col value format a20
col description format a60

SELECT x.ksppinm NAME, y.ksppstvl VALUE, x.ksppdesc DESCRIPTION
FROM x$ksppi x, x$ksppcv y
WHERE x.inst_id = userenv('Instance')
AND y.inst_id = userenv('Instance')
AND x.indx = y.indx
AND x.ksppinm = '_use_hybrid_encryption_mode'
ORDER BY 1;
_use_platform_encryption_lib

Default: TRUE
Enable platform optimized encryption implementation.

Range of values: {FALSE | TRUE}

Overriding this setting is a security violation. Do not alter the value of this parameter.
col name format a40
col value format a20
col description format a60

SELECT x.ksppinm NAME, y.ksppstvl VALUE, x.ksppdesc DESCRIPTION
FROM x$ksppi x, x$ksppcv y
WHERE x.inst_id = userenv('Instance')
AND y.inst_id = userenv('Instance')
AND x.indx = y.indx
AND x.ksppinm = '_use_platform_encryption_lib'
ORDER BY 1;
_verify_encrypted_tablespace_keys

Default: TRUE
If TRUE, verify encryption key signature for data files.

Range of values: {FALSE | TRUE}

Not verifying the encryption key is a security violation. Do not alter the value of this parameter.
col name format a40
col value format a20
col description format a60

SELECT x.ksppinm NAME, y.ksppstvl VALUE, x.ksppdesc DESCRIPTION
FROM x$ksppi x, x$ksppcv y
WHERE x.inst_id = userenv('Instance')
AND y.inst_id = userenv('Instance')
AND x.indx = y.indx
AND x.ksppinm = '_verify_encrypted_tablespace_keys'
ORDER BY 1;

Related Topics
ALTER SYSTEM