Configuration
In this document we provide a breakdown of how you can manage your Master Encryption KEY (MEK) and specify what you need to setup so that your PKCS11 Provider can be used by Oracle to connect to your HSM Partition.
This document assumes that you have already setup your Database or know how to do this and will not go into details of how to create the Database. Instead, it will focus on the TDE implementation itself. Additionally, it assumes that you have already setup your PKCS#11 Provider and have created a Partition. If you have not done, this please go over the Prerequisites page before continuing.
This tutorial will cover only a basic setup of TDE on a single Oracle DB instance.
Before any of the below activities, you must take a backup of your Oracle database.
You can only create encrypted tablespaces; you cannot modify existing tablespaces to encrypt them. So, when you need existing data in encrypted tablespaces, the best solution is to first create encrypted tablespaces and then move the objects from the unencrypted tablespaces to them.
Master Encryption Key (MEK)
To start using TDE, you need to have a Master Encryption Key (MEK) which can be stored inside the Primus HSM or locally to the Database. The MEK is used to encrypt or decrypt column/tablespace using keys. The Primus HSM can be used in the following ways to protect the Master Encryption Key in addition to the security provided by the local wallet:
- A Master Encryption Key can be directly generated onto the HSM (see Create the Master Encryption Key on the HSM)
- An existing Master Encryption Key can be migrated onto the HSM (see Migrate the Master Encryption Key to the HSM)
Setup PKCS#11 for TDE
Copy the Primus HSM PKCS#11 library file /usr/local/primus/lib/libprimusP11.so to your Oracle specified directory structure.
# mkdir -p /opt/oracle/extapi/64/hsm/primus/2.3.4/
/opt/oracle/extapi/64/hsm/primus/2.3.4/libprimusP11.so //on Unix
# chmod -R 0755 /opt/oracle
%SYSTEMDRIVE%\oracle\extapi\64\hsm\primus\2.3.4\primusP11.dll //on Windows
Export the following environment variables for the oracle account or add them to the end of bashrc and source it.
export ORACLE_UNQNAME=TDB01
export ORACLE_BASE=/u01/app/oracle
export ORACLE_HOME=$ORACLE_BASE/product/19.0.0/dbhome_1
export ORA_INVENTORY=/u01/app/oraInventory
export ORACLE_SID=TDB01
export PDB_NAME=PDB1
export DATA_DIR=/u02/oradata
export TNS_ADMIN=$ORACLE_HOME/network/admin
export ORACLE_WALLET=$ORACLE_BASE/admin/$ORACLE_SID/wallet
export LD_LIBRARY_PATH=$ORACLE_HOME/lib:/lib:/usr/lib:/usr/local/primus/lib