
Create the MEK on the Oracle Server

In this document we will first create a Software Wallet, which we will then migrate to the HSM.

Info: This document assumes you have already completed the Configuration steps and meet all Prerequisites.

  1. Start with a clean TDB01 (ORACLE_SID) setup.

Note: It is recommended to always start with a clean setup, as the DB instance stores internal status information about TDE.

  2. Log in as the oracle user and create a wallet directory:
mkdir -p $ORACLE_BASE/admin/$ORACLE_SID/wallet

Edit the sqlnet.ora file and add the following entry at the end of the file, with DIRECTORY pointing at the wallet directory you created (do not use single or double quotes around the location).

vi $ORACLE_HOME/network/admin/sqlnet.ora

WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = $ORACLE_WALLET)
)
)
  3. Connect to the database, set the TDE_CONFIGURATION parameter to FILE, and start/restart the DB so the change takes effect.
sqlplus sys/oracle as sysdba
ALTER SYSTEM SET tde_configuration='KEYSTORE_CONFIGURATION=FILE' SCOPE=BOTH;
startup;
  4. Create a new keystore protected by a password (in this example the password is simply password):
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/home/oracle/wallet' IDENTIFIED BY password;
  5. Display the software wallet properties:
SELECT wrl_type, status, wallet_type FROM v$encryption_wallet;
| WRL_TYPE | STATUS | WALLET_TYPE |
| -------- | ------ | ----------- |
| FILE | CLOSED | FILE |
  6. Open the keystore:
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY password;

Display the software wallet properties again:

SELECT wrl_type, status, wallet_type FROM v$encryption_wallet;
| WRL_TYPE | STATUS | WALLET_TYPE |
| -------- | ------------------ | ----------- |
| FILE | OPEN_NO_MASTER_KEY | FILE |
  7. Create the MEK in the keystore; the WITH BACKUP clause first takes a backup of the keystore (identified as backup) in preparation for migrating to your HSM.
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY password WITH BACKUP USING 'backup';

You can now view the wallet status again and confirm that the software keystore is open and has a master key set.

SELECT wrl_type, status, wallet_type FROM v$encryption_wallet;
| WRL_TYPE | STATUS | WALLET_TYPE |
| -------- | ------ | ----------- |
| FILE | OPEN | FILE |

At this point you are ready to migrate your MEK to your HSM partition.
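The steps above, collected into a small POSIX shell script as an added example (this is not code from the original page or from the HSM vendor). The function names, the sqlnet.ora and output-file arguments, and the generated script names are this example's own assumptions; the SQL statements are the ones shown on this page. The script keeps the keystore password out of the command line and restricts permissions on the wallet directory and on the generated script that embeds the password.

```shell
#!/bin/sh
# Added example (not from the original page): helper functions for the
# software-wallet steps. All file names and arguments are assumptions.

# Step 2a: create the wallet directory with owner-only permissions so the
# password-protected keystore file is not readable by other OS users.
make_wallet_dir() {
    dir="$1"
    mkdir -p "$dir" || return 1
    chmod 700 "$dir"
}

# Step 2b: append the WALLET_LOCATION entry to sqlnet.ora exactly once.
# The directory is written unquoted, as the page requires, so a path
# containing quote characters is rejected instead of silently corrupting it.
add_wallet_location() {
    sqlnet="$1"
    dir="$2"
    case "$dir" in
        *"'"*|*'"'*) echo "wallet path must not contain quotes" >&2; return 1 ;;
    esac
    if grep -q '^WALLET_LOCATION' "$sqlnet" 2>/dev/null; then
        echo "WALLET_LOCATION already present in $sqlnet" >&2
        return 0
    fi
    cat >> "$sqlnet" <<EOF
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = $dir)
    )
  )
EOF
}

# Step 3: SQL*Plus script that points TDE at a FILE keystore. The page's
# start/restart of the instance is left to the operator after this runs.
gen_tde_config_sql() {
    out="$1"
    cat > "$out" <<EOF
ALTER SYSTEM SET tde_configuration='KEYSTORE_CONFIGURATION=FILE' SCOPE=BOTH;
EXIT;
EOF
}

# Steps 4-7: create, open and key the software keystore, showing the wallet
# status after each change. The password is passed in from the caller (e.g.
# read from a prompt), and the script is made owner-readable only because it
# embeds that password.
gen_tde_keystore_sql() {
    out="$1"
    dir="$2"
    pw="$3"
    cat > "$out" <<EOF
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '$dir' IDENTIFIED BY "$pw";
SELECT wrl_type, status, wallet_type FROM v\$encryption_wallet;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "$pw";
SELECT wrl_type, status, wallet_type FROM v\$encryption_wallet;
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "$pw" WITH BACKUP USING 'backup';
SELECT wrl_type, status, wallet_type FROM v\$encryption_wallet;
EXIT;
EOF
    chmod 600 "$out"
}

# Check one v\$encryption_wallet row (WRL_TYPE STATUS WALLET_TYPE, as printed
# by SQL*Plus) for the status expected at a given step: CLOSED after step 4,
# OPEN_NO_MASTER_KEY after step 6, OPEN after step 7.
wallet_status_is() {
    row="$1"
    expected="$2"
    echo "$row" | awk -v want="$expected" \
        '$1=="FILE" && $2==want && $3=="FILE" {found=1} END {exit !found}'
}
```

Typical use: source the file, then `make_wallet_dir "$ORACLE_BASE/admin/$ORACLE_SID/wallet"`, `add_wallet_location "$ORACLE_HOME/network/admin/sqlnet.ora" "$ORACLE_BASE/admin/$ORACLE_SID/wallet"`, `gen_tde_config_sql tde_config.sql` and run it with `sqlplus / as sysdba @tde_config.sql`, restart the instance, then `gen_tde_keystore_sql tde_keystore.sql "$walletdir" "$pw"` and run that script the same way. Pipe each `v$encryption_wallet` row through `wallet_status_is` to verify the expected transition before moving on to the HSM migration.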