Create the MEK directly on the HSM
The safest way to protect your Oracle Database with TDE is to create the master encryption key (MEK) directly on your PrimusHSM/CloudHSM partition. Generated this way, the key never exists outside the HSM, so it cannot be extracted or leaked from the database host.
This document assumes you have already completed the Configuration steps and meet all Prerequisites.
Before any tables or schemas are created in the database, configure TDE to use the HSM.
Edit the sqlnet.ora file located at $ORACLE_HOME/network/admin/sqlnet.ora and add the following lines to the end of the file:
ENCRYPTION_WALLET_LOCATION =
  (SOURCE =
    (METHOD = HSM)
    (METHOD_DATA =
      (PKCS11_LIBRARY = /usr/local/primus/lib/libprimusP11.so)
    )
  )
Here, PKCS11_LIBRARY points to the Primus PKCS#11 provider library file.
Run the following command to set the TDE_CONFIGURATION parameter to HSM:
ALTER SYSTEM SET TDE_CONFIGURATION = 'KEYSTORE_CONFIGURATION=HSM' SCOPE = BOTH;
You can now open the keystore on the HSM, using the PKCS11_PASSWORD you use to connect to your HSM:
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "PKCS11_PASSWORD";
To verify that the connection succeeded, run:
SELECT wrl_type, status, wallet_type FROM v$encryption_wallet;
| WRL_TYPE | STATUS | WALLET_TYPE |
| -------- | ------------------ | ----------- |
| HSM | OPEN_NO_MASTER_KEY | HSM |
This shows that the keystore on the HSM is open, but it does not yet contain a master encryption key.
The keystore must be open before the MEK can be created. To create the MEK on the HSM, run:
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY USING TAG 'initial' IDENTIFIED BY "PKCS11_PASSWORD";
After this, verify that the keystore and key are working by running the query again:
SELECT wrl_type, status, wallet_type FROM v$encryption_wallet;
| WRL_TYPE | STATUS | WALLET_TYPE |
| -------- | ------ | ----------- |
| HSM | OPEN | HSM |
You can now encrypt the contents of your database. Some sample commands are provided at the end of this page to test and verify that the encryption works.
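As an added pre-flight check that is not part of the original page or of the Securosys/Oracle tooling, the following Python script parses a sqlnet.ora file and confirms that ENCRYPTION_WALLET_LOCATION routes TDE to the PKCS#11 library rather than to a software wallet (METHOD = FILE), which would leave the MEK on the database host. The function names are my own, the embedded sample configuration is constructed, and the parser covers both the `KEY = (…)` and the value-list forms of the sqlnet.ora syntax.

```python
import os
import re

TOKEN = re.compile(r"[()=,]|[^\s()=,]+")  # one token per paren, '=', ',' or bare word/path

def parse_ora(text):
    """Parse Oracle's 'NAME = (KEY = value (SUB = value))' syntax into nested dicts."""
    tokens = TOKEN.findall(re.sub(r"#.*", "", text))  # drop '#' comments first
    pos = 0

    def parse_value():
        nonlocal pos
        if tokens[pos] != "(":  # scalar value
            pos += 1
            return tokens[pos - 1]
        if tokens[pos + 2:pos + 3] != ["="]:  # plain list such as (TNSNAMES, EZCONNECT)
            end = tokens.index(")", pos)
            items, pos = [t for t in tokens[pos + 1:end] if t != ","], end + 1
            return items
        node = {}
        while pos < len(tokens) and tokens[pos] == "(":  # sequence of (KEY = value)
            key = tokens[pos + 1].upper()
            pos += 3  # '(', key, '='
            node[key] = parse_value()
            pos += 1  # ')'
        return node
    result = {}
    while pos < len(tokens):
        key = tokens[pos].upper()
        pos += 2  # key, '='
        result[key] = parse_value()
    return result

def check_hsm_keystore(text, check_library=True):  # -> (ok, reason)
    loc = parse_ora(text).get("ENCRYPTION_WALLET_LOCATION")
    source = loc.get("SOURCE") if isinstance(loc, dict) else None
    if not isinstance(source, dict) or "METHOD" not in source:
        return False, "no ENCRYPTION_WALLET_LOCATION/SOURCE/METHOD: TDE keystore not configured"
    if source["METHOD"].upper() != "HSM":
        return False, f"METHOD = {source['METHOD']}: master key would live in a software wallet"
    data = source.get("METHOD_DATA")
    lib = data.get("PKCS11_LIBRARY") if isinstance(data, dict) else None
    if not lib:
        return False, "METHOD = HSM but METHOD_DATA names no PKCS11_LIBRARY"
    if check_library and not os.path.isfile(lib):
        return False, f"PKCS11_LIBRARY {lib} is not present on this host"
    return True, f"TDE master key managed by the HSM via {lib}"

HSM_SQLNET = """# constructed sample mirroring the sqlnet.ora snippet in the text above
ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = HSM) (METHOD_DATA = (PKCS11_LIBRARY = /usr/local/primus/lib/libprimusP11.so)))"""
```

Run it against the real file with `check_hsm_keystore(open(os.path.expandvars("$ORACLE_HOME/network/admin/sqlnet.ora")).read())` on the database host; with `check_library=True` it also confirms the provider library is actually installed where sqlnet.ora says it is.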