Configuration
In this document we describe how to manage your Master Encryption Key
(MEK) and what you need to set up so that Oracle can use the Primus PKCS#11 provider to connect to your HSM partition.
This document assumes that you have already set up your database, or know how to do so, and does not go into the details of creating one.
Instead, it focuses on the TDE implementation itself. It also assumes that you have already set up the PKCS#11 provider and created a partition. If you have not done this, please go over the Prerequisites page before continuing.
This tutorial will cover only a basic setup of TDE on a single Oracle DB instance.
Master Encryption Key (MEK)
To start using TDE, you need a Master Encryption Key (MEK), which can be stored inside the Primus HSM or locally with the database. The MEK never encrypts table data directly: it encrypts (wraps) the per-table and per-tablespace data encryption keys, so whoever controls the MEK controls access to all TDE-encrypted data. The Primus HSM can be used in the following ways to protect the MEK, in addition to the protection provided by the local wallet:
- An HSM Master Encryption Key can be directly generated onto the HSM (see Create the Master Encryption Key on the HSM)
- A Software Wallet Master Encryption Key can be migrated onto the HSM (see Migrate the Master Encryption Key to the HSM)
- Auto-login for your database, with the HSM partition password stored in a software keystore (see Autologin for HSM).
Overview
- Uses WALLET_ROOT to define the keystore location
- The keystore is stored in the filesystem under the admin directory of the ORACLE_SID, e.g. $ORACLE_BASE/admin/$ORACLE_SID/wallet/tde/
- Supports auto-login and a credential store (SEPS, the secure external password store)
Configure Wallet Root Parameters
Determine the admin directory and capture its path in a SQL*Plus substitution
variable for later use. AUDIT_FILE_DEST normally points at $ORACLE_BASE/admin/$ORACLE_SID/adump, so stripping its last path component yields the admin directory:
sqlplus / as sysdba
COLUMN admin_path NEW_VALUE admin_path NOPRINT
SELECT SUBSTR(value, 1, INSTR(value, '/', -1, 1) - 1) AS admin_path FROM v$parameter WHERE name = 'audit_file_dest';
Create the wallet folders under the admin directory from the same SQL*Plus
session (the host command runs them as the OS user that started sqlplus, which should be the Oracle software owner; these directories will hold the keystore, so they must not be readable by other users):
host mkdir -p &admin_path/wallet
host mkdir -p &admin_path/wallet/backup
host mkdir -p &admin_path/wallet/tde
host mkdir -p &admin_path/wallet/tde_seps
Configure the initialization parameters for TDE by setting WALLET_ROOT and EXTERNAL_KEYSTORE_CREDENTIAL_LOCATION:
ALTER SYSTEM SET wallet_root = '&admin_path/wallet' SCOPE = SPFILE;
ALTER SYSTEM SET external_keystore_credential_location = '&admin_path/wallet/tde_seps' SCOPE = SPFILE;
Restart the DB to apply latest parameter changes:
SHUTDOWN IMMEDIATE;
STARTUP;
Ensure that the Primus PKCS#11 library is present and readable by the Oracle OS user. Oracle loads the library from /opt/oracle/extapi/{32,64}/hsm/<vendor>/<version>/ and expects exactly one shared library under that vendor directory, so remove leftovers from older provider versions:
# here we assume the provider version is 2.3.4, but this can differ
ls -l /opt/oracle/extapi/64/hsm/primus/2.3.4/libprimusP11.so
If the file is not owned by the Oracle OS user, fix the ownership as root
or another sufficiently privileged user:
chown oracle:oinstall /opt/oracle/extapi/64/hsm/primus/2.3.4/libprimusP11.so
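The following script automates that check. It is example code added here, not part of the original page or of the Primus provider, and it assumes the 64-bit path /opt/oracle/extapi/64/hsm/primus, the library name libprimusP11.so and the oracle:oinstall OS account; all three can be overridden or may differ on your system. It verifies the layout Oracle expects (one version directory containing one shared library), that the file is readable by the user running the script, and who owns it.

```shell
#!/bin/sh
# Added layout/ownership check for the Primus PKCS#11 library (example code,
# not from the original page or the Primus provider). Oracle loads the
# PKCS#11 library from /opt/oracle/extapi/{32,64}/hsm/<vendor>/<version>/ and
# expects exactly one shared library there, so a second version directory
# left behind by a provider upgrade is a common reason the HSM keystore
# cannot be opened.
# Assumptions: 64-bit Oracle, vendor directory "primus", library file
# "libprimusP11.so", Oracle OS user/group "oracle:oinstall".

# check_pkcs11_lib [BASE_DIR] [LIB_NAME]
# Prints the single library path on success; returns 1 with a reason on stderr.
check_pkcs11_lib() {
  base="${1:-/opt/oracle/extapi/64/hsm/primus}"
  lib="${2:-libprimusP11.so}"
  [ -d "$base" ] || { echo "missing directory: $base" >&2; return 1; }

  # Exactly one <version>/ directory is allowed under the vendor directory.
  vers=0
  dir=""
  for d in "$base"/*/; do
    [ -d "$d" ] || continue
    vers=$((vers + 1))
    dir="${d%/}"
  done
  [ "$vers" -eq 1 ] || { echo "expected 1 version directory under $base, found $vers" >&2; return 1; }

  # Exactly one shared library inside it, and it must be the Primus one.
  libs=0
  for f in "$dir"/*.so*; do
    [ -e "$f" ] || continue
    libs=$((libs + 1))
  done
  [ "$libs" -eq 1 ] || { echo "expected 1 shared library in $dir, found $libs" >&2; return 1; }
  [ -f "$dir/$lib" ] || { echo "missing file: $dir/$lib" >&2; return 1; }
  [ -r "$dir/$lib" ] || { echo "not readable by $(id -un): $dir/$lib" >&2; return 1; }
  echo "$dir/$lib"
}

# owned_by FILE USER GROUP: succeeds when `ls -ld` reports USER and GROUP for FILE.
owned_by() {
  set -- "$1" "$2" "$3" $(ls -ld "$1" 2>/dev/null)
  [ "$6" = "$2" ] && [ "$7" = "$3" ]
}

# Run as the oracle user (so the readability test is meaningful) or as root
# before fixing ownership with chown. Pass BASE_DIR explicitly to run the
# check; with no arguments the script only defines the functions.
if [ $# -gt 0 ]; then
  if lib=$(check_pkcs11_lib "$@"); then
    ls -l "$lib"
    owned_by "$lib" oracle oinstall || echo "WARNING: $lib is not owned by oracle:oinstall" >&2
  else
    echo "PKCS#11 library check FAILED" >&2
  fi
fi
```

Run it as `sh check_primus_lib.sh /opt/oracle/extapi/64/hsm/primus` from the oracle account; a non-zero count of version directories or libraries is the usual finding after an in-place provider upgrade, and the fix is to move the old version directory out of the extapi tree rather than to change permissions.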