
Create MEK on Software Wallet

In this document we first create a software wallet to set up our Oracle Database with TDE, which we can then migrate to a PrimusHSM.

info

This document assumes you have already completed the Configuration steps and meet all Prerequisites.

Configure Keystore Parameters

Set the TDE_CONFIGURATION parameter and the default encryption algorithm.

ALTER SYSTEM SET tde_configuration = 'KEYSTORE_CONFIGURATION=FILE' SCOPE = BOTH;
ALTER SYSTEM SET "_tablespace_encryption_default_algorithm" = 'AES256' SCOPE = BOTH;

Create Software Keystore

Get the WALLET_ROOT into an SQL*Plus variable for later use:

COLUMN wallet_root NEW_VALUE wallet_root NOPRINT
SELECT value AS wallet_root FROM v$parameter WHERE name = 'wallet_root';

Create Keystore

Create the software keystore in the wallet root directory:

ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '&wallet_root/tde' IDENTIFIED BY "<KeystorePassword>";

Store Password in SEPS

Create a secure external password store (SEPS) for the wallet password. This allows ADMINISTER KEY MANAGEMENT to be executed without typing the password, using EXTERNAL STORE instead, in the steps that follow.

ADMINISTER KEY MANAGEMENT ADD SECRET '<KeystorePassword>' FOR CLIENT 'TDE_WALLET' TO LOCAL AUTO_LOGIN KEYSTORE '&wallet_root/tde_seps';

Open Keystore

Manually open the keystore. Use either the KeystorePassword or the EXTERNAL STORE:

ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY EXTERNAL STORE;

Enable Auto-login

Enable local auto-login for the software keystore:

ADMINISTER KEY MANAGEMENT CREATE LOCAL AUTO_LOGIN KEYSTORE FROM KEYSTORE '&wallet_root/tde' IDENTIFIED BY "<KeystorePassword>";

info

Although a local auto-login keystore has been created, the wallet_type column of v$encryption_wallet still shows PASSWORD. The wallet type is only displayed correctly after restarting the database.

Create Master Encryption Key

Create a master encryption key using the EXTERNAL STORE. As the keystore is configured with AUTO_LOGIN, we also have to specify FORCE KEYSTORE.

ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY USING TAG 'initial' FORCE KEYSTORE IDENTIFIED BY EXTERNAL STORE WITH BACKUP USING 'initial_mek_backup';

Restart Database

Restart the database to make sure the software keystore is now used and displayed correctly:

SHUTDOWN IMMEDIATE;
STARTUP;

Check TDE Configuration and Key

Check the current status of the software keystore:

SET LINESIZE 160 PAGESIZE 200
COL wrl_type FOR A10
COL wrl_parameter FOR A50
COL status FOR A20
COL wallet_type FOR A20
COL wallet_order FOR A20
SELECT wrl_type, wrl_parameter, status, wallet_type, wallet_order FROM v$encryption_wallet;

At this point, TDE is ready to encrypt tablespaces and columns.

Example of encrypting the tablespaces USERS and AUDIT_DATA:

ALTER TABLESPACE users ENCRYPTION ONLINE USING 'AES256' ENCRYPT;
ALTER TABLESPACE audit_data ENCRYPTION ONLINE USING 'AES256' ENCRYPT;

Check the current status of the software keystore:

SET LINESIZE 160 PAGESIZE 200
COL wrl_type FOR A10
COL wrl_parameter FOR A50
COL status FOR A20
COL wallet_type FOR A20
COL wallet_order FOR A20
SELECT wrl_type, wrl_parameter, status, wallet_type, wallet_order FROM v$encryption_wallet;

The database is now ready: TDE is active and the tablespaces are encrypted under the new software MEK.
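The v$encryption_wallet query above only shows that the keystore is open. The following verification script is an added example, not part of the original page: it checks that the MEK tagged 'initial' is active and backed up, and that the tablespaces USERS and AUDIT_DATA (the names used above) are actually encrypted. It assumes the same tag and tablespace names as this document and runs in SQL*Plus with SYSKM or SYSDBA privileges.

```sql
-- Added verification script (example, not from the original page).
-- Assumes the MEK tag 'initial' and the tablespaces USERS / AUDIT_DATA used above.
SET LINESIZE 160 PAGESIZE 200
COL tag             FOR A12
COL key_id          FOR A55
COL keystore_type   FOR A20
COL backed_up       FOR A10
COL tablespace_name FOR A20
COL encrypted       FOR A10
COL encryptionalg   FOR A12
COL status          FOR A12

-- 1. Master encryption keys known to the database.
--    Expect one row with TAG = 'initial', KEYSTORE_TYPE = 'SOFTWARE KEYSTORE'
--    and BACKED_UP = 'YES' (the WITH BACKUP clause above created the backup).
SELECT tag, key_id, keystore_type, backed_up, activation_time
  FROM v$encryption_keys
 ORDER BY activation_time;

-- 2. Per-tablespace encryption state.
--    USERS and AUDIT_DATA should show ENCRYPTED = 'YES', ENCRYPTIONALG = 'AES256'
--    and STATUS = 'NORMAL' once the online conversion has finished.
SELECT t.tablespace_name,
       t.encrypted,
       e.encryptionalg,
       e.status
  FROM dba_tablespaces t
  JOIN v$tablespace v
    ON v.name = t.tablespace_name
  LEFT JOIN v$encrypted_tablespaces e
    ON e.ts# = v.ts#
 ORDER BY t.tablespace_name;

-- 3. Explicit check: this query must return no rows. Any row names a
--    tablespace from the list that is still stored in clear text.
SELECT tablespace_name
  FROM dba_tablespaces
 WHERE tablespace_name IN ('USERS', 'AUDIT_DATA')
   AND encrypted = 'NO';
```

The third query is the one worth scripting into a post-change check: an empty result is the pass condition, and any returned tablespace name is a finding. While ALTER TABLESPACE ... ENCRYPTION ONLINE is still running, v$encrypted_tablespaces reports STATUS = 'ENCRYPTING' for that tablespace, so wait until it shows NORMAL before treating the encryption as complete.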

What's Next?