
Migrate the Master Encryption Key to the HSM

This page is intended for clients who want to migrate their Oracle TDE master encryption key (MEK) to a Securosys PrimusHSM or CloudHSM.

Info: This document assumes you have already completed the Configuration steps and meet all Prerequisites.

1. Start with a clean DB instance (re-using any previous samples will likely not work unless you clean all internal DB wallet structures).

2. Edit the sqlnet.ora file and, at the end of the file, add the following entry (do not put single or double quotes around the library location):

   ```sh
   vi $ORACLE_HOME/network/admin/sqlnet.ora
   ```

   ```
   ENCRYPTION_WALLET_LOCATION =
     (SOURCE =
       (METHOD = HSM)
       (METHOD_DATA =
         (PKCS11_LIBRARY = /usr/local/primus/lib/libprimusP11.so)
       )
     )
   ```

3. Restart the DB:

   ```sh
   sqlplus sys/oracle as sysdba
   ```

   ```sql
   STARTUP FORCE;
   ```

4. Migrate the software wallet to the Primus HSM. Replace PKCS11_PASSWORD with the password you use to connect to your HSM; the MIGRATE USING clause takes the password of the existing software wallet:

   ```sql
   ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "PKCS11_PASSWORD" MIGRATE USING password WITH BACKUP USING 'backup';
   ```

5. With the MEK now on the HSM, query an encrypted column to confirm it is returned in clear text (FOO and BAR stand for your own table and column):

   ```sql
   SELECT BAR FROM FOO;
   ```

6. Close the key store:

   ```sql
   ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "PKCS11_PASSWORD";
   ```
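The following shell check is an added example, not part of the Securosys or Oracle documentation. It validates the sqlnet.ora entry from step 2 before the restart in step 3, catching the three mistakes that leave the database on the software wallet: no HSM entry, a METHOD other than HSM, or a quoted or non-existent PKCS11 library path. The function name check_hsm_wallet_entry is an assumption; it takes the path of the sqlnet.ora to inspect.

```shell
#!/bin/sh
# Added example (not from the Securosys/Oracle docs): sanity-check the
# ENCRYPTION_WALLET_LOCATION entry of a sqlnet.ora before STARTUP FORCE.
# Usage: check_hsm_wallet_entry /path/to/sqlnet.ora   (exit status 0 = OK)
check_hsm_wallet_entry() {
  ora="$1"
  [ -r "$ora" ] || { echo "cannot read $ora" >&2; return 1; }

  # Drop comments and all whitespace so the multi-line entry becomes one
  # token: ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM)(METHOD_DATA=(PKCS11_LIBRARY=/x.so)))
  flat=$(sed 's/#.*//' "$ora" | tr -d ' \t\r\n')

  case "$flat" in
    *ENCRYPTION_WALLET_LOCATION=*) ;;
    *) echo "no ENCRYPTION_WALLET_LOCATION entry in $ora" >&2; return 1 ;;
  esac
  entry=${flat#*ENCRYPTION_WALLET_LOCATION=}

  # The entry must select the HSM method, otherwise the software wallet stays in use.
  case "$entry" in
    "(SOURCE=(METHOD=HSM)"*) ;;
    *) echo "METHOD is not HSM in $ora" >&2; return 1 ;;
  esac

  # Everything between PKCS11_LIBRARY= and the next ')' is the library path.
  lib=$(printf '%s' "$entry" | sed -n 's/.*PKCS11_LIBRARY=\([^)]*\)).*/\1/p')
  [ -n "$lib" ] || { echo "PKCS11_LIBRARY is missing in $ora" >&2; return 1; }

  # Step 2 forbids quoting the location; reject a path that starts with a quote.
  case "$lib" in
    \"*|\'*) echo "PKCS11_LIBRARY path must not be quoted: $lib" >&2; return 1 ;;
  esac

  [ -f "$lib" ] || { echo "PKCS11 library not found: $lib" >&2; return 1; }
  echo "OK: HSM wallet entry uses $lib"
  return 0
}
```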