default_table_encryption has two scopes global and session scope. The global value of this variable is used to instruct encryption background thread - as encryption background threads work globally on all tablespaces in the server. The possible values for defaul_table_encryption are: OFF, ON, ONLINE_TO_KEYRING, ONLINE_FROM_KEYRING_TO_UNENCRYPTED. The options ONLINE_TO_KEYRING and ONLINE_FROM_KEYRING_TO_UNENCRYPTED should be only allowed for global scope and disallowed for session scope. When global d_t_e is set to:

• ONLINE_TO_KEYRING - It should not be possible to set session d_t_e to ON or CREATE DATABASE with DEFAULT ENCRYPTION=ON. Setting session variable to ON, while having global value set to ONLINE_TO_KEYRING - would mean that tables are created by default with Master Key encryption, but encryption threads would immediately started to re-encrypt those tables to keyring.

• OFF : can be overwritten by session scope (current behavior)

• ON : can be overwritten by session scope (current behavior)