Create MEK directly on HSM
The best way to protect your Oracle Database is to create the encryption key directly on your PrimusHSM/CloudHSM partition. This way you ensure that the key will not be compromised or leaked.
This document assumes you have already completed the Configuration steps and meet all Prerequisites.
Configure HSM as Keystore
Set the TDE_CONFIGURATION
parameter and the default encryption algorithm.
ALTER SYSTEM SET tde_configuration = 'KEYSTORE_CONFIGURATION=HSM' SCOPE = BOTH;
ALTER SYSTEM SET "_tablespace_encryption_default_algorithm" = 'AES256' SCOPE = BOTH;
Create EXTERNAL STORE for HSM Password (Optional)
Optionally, you can add the HSM Password to the External Store, so that it can be fetched from there, rather than writing in plaintext every time.
Below instructions assume that this step is done. However, if you chose not to, you can substitute EXTERNAL STORE
with the actual password itself.
Determine admin directory and get the corresponding directory path as a SQLPlus* variable for later use:
COLUMN wallet_root NEW_VALUE wallet_root NOPRINT
SELECT value AS wallet_root FROM v$parameter WHERE name = 'wallet_root';
Create an EXTERNAL STORE for the HSM password
ADMINISTER KEY MANAGEMENT ADD SECRET '<HSMPassword>'
FOR CLIENT 'HSM_PASSWORD'
TO LOCAL AUTO_LOGIN KEYSTORE '&wallet_root/tde_seps';
Open HSM Keystore
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY EXTERNAL STORE;
If you follow the alert_oracdb.log
, you will see output similar to, which shows that the PrimusHSM PKCS#11 library is loaded:
...
2025-05-07T06:17:05.186008+00:00
Attempting TDE operation in PDB=0: ADMINISTER KEY MANAGEMENT ADD SECRET *
FOR CLIENT 'HSM_PASSWORD'
TO LOCAL AUTO_LOGIN KEYSTORE '/u00/app/oracle/admin/TDEHSM01/wallet/tde_seps'
2025-05-07T06:17:18.470975+00:00
Attempting TDE operation in PDB=0: ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY EXTERNAL STORE
Third-party HSM used with Oracle DB
Manufacturer ID: Securosys SA and Library description: PKCS11 Library
2025-05-07T06:17:35.893738+00:00
...
Check Current Wallet Status
Check the status of the HSM keystore by running:
SET LINESIZE 160 PAGESIZE 200
COL wrl_type FOR A10
COL wrl_parameter FOR A50
COL status FOR A20
COL wallet_type FOR A20
COL wallet_order FOR A20
SELECT wrl_type, wrl_parameter, status, wallet_type,wallet_order FROM v$encryption_wallet;
You will now see that the Wallet Status is set to HSM, is open and does not have a MEK.
WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_ORDER
---------- -------------- ------------------ ---------------- --------------------
HSM OPEN_NO_MASTER_KEY HSM SINGLE
Create Initial Master Encryption Key
We are now ready to create a new MEK on the PrimusHSM. We will also specify a backup:
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY EXTERNAL STORE WITH BACKUP USING 'initial_hsm_key';
We check the status once again:
SET LINESIZE 160 PAGESIZE 200
COL wrl_type FOR A10
COL wrl_parameter FOR A50
COL status FOR A20
COL wallet_type FOR A20
COL wallet_order FOR A20
SELECT wrl_type, wrl_parameter, status, wallet_type,wallet_order FROM v$encryption_wallet;
And see that the the Wallet Type is HSM, is OPEN and has a MEK (implied):
WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_ORDER
---------- -------------- ------------------ ---------------- --------------------
HSM OPEN HSM SINGLE
Restart and Reopen Keystore
Restart the database to make sure the HSM keystore is now working as expected. As we do not have autologin configured the HSM based keystore has to be opened manually. You can additionally setup Autologin.
SHUTDOWN IMMEDIATE;
STARTUP MOUNT;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY EXTERNAL STORE;
ALTER DATABASE OPEN;
Final Verification
Check the current status of the software keystore:
SET LINESIZE 160 PAGESIZE 200
COL wrl_type FOR A10
COL wrl_parameter FOR A50
COL status FOR A20
COL wallet_type FOR A20
COL wallet_order FOR A20
SELECT wrl_type, wrl_parameter, status, wallet_type,wallet_order FROM v$encryption_wallet;
At this point, your database is now ready to encrypt your tablespaces and columns, using a MEK stored in your PrimusHSM.