Create MEK on Software Wallet
In this document we first create a software wallet (a file-based keystore) for TDE on the Oracle Database; the resulting keystore can later be migrated to a PrimusHSM.
This document assumes you have already completed the Configuration steps and meet all Prerequisites.
Configure Keystore Parameters
Set the TDE_CONFIGURATION parameter to a file keystore and set the default tablespace encryption algorithm (WALLET_ROOT is assumed to be set already, see Prerequisites):
ALTER SYSTEM SET tde_configuration = 'KEYSTORE_CONFIGURATION=FILE' SCOPE = BOTH;
ALTER SYSTEM SET "_tablespace_encryption_default_algorithm" = 'AES256' SCOPE = BOTH;
Create Software Keystore
Get the WALLET_ROOT into a SQL*Plus substitution variable for later use:
COLUMN wallet_root NEW_VALUE wallet_root NOPRINT
SELECT value AS wallet_root FROM v$parameter WHERE name = 'wallet_root';
Create Keystore
Create the software keystore in the wallet root directory:
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '&wallet_root/tde' IDENTIFIED BY "<KeystorePassword>";
Store Password in SEPS
Create a secure external password store (SEPS) for the wallet password. This allows the following ADMINISTER KEY MANAGEMENT commands to be run with IDENTIFIED BY EXTERNAL STORE instead of the keystore password. Note that the SEPS is itself a local auto-login keystore: anyone who can read the files in '&wallet_root/tde_seps' can recover the keystore password, so the directory must be restricted to the database OS user.
ADMINISTER KEY MANAGEMENT ADD SECRET '<KeystorePassword>' FOR CLIENT 'TDE_WALLET' TO LOCAL AUTO_LOGIN KEYSTORE '&wallet_root/tde_seps';
Open Keystore
Manually open the keystore, using either the keystore password or the EXTERNAL STORE:
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY EXTERNAL STORE;
Enable Auto-login
Enable local auto-login for the software keystore:
ADMINISTER KEY MANAGEMENT CREATE LOCAL AUTO_LOGIN KEYSTORE FROM KEYSTORE '&wallet_root/tde' IDENTIFIED BY "<KeystorePassword>";
Although a local auto-login keystore has now been created, v$encryption_wallet still shows WALLET_TYPE PASSWORD; the wallet type is only displayed correctly after the database has been restarted. Two caveats: a LOCAL auto-login keystore is bound to the host it was created on, so for RAC or a shared wallet location use AUTO_LOGIN without LOCAL; and because the auto-login wallet (cwallet.sso) opens the keystore without a password, it must be protected by OS permissions and kept out of the same backup sets as the encrypted data files.
Create Master Encryption Key
Create the master encryption key, authenticating via the EXTERNAL STORE. Since the auto-login keystore is the one currently open, FORCE KEYSTORE is required so that the password-protected keystore is temporarily opened for this operation. WITH BACKUP writes a backup copy of the keystore (ewallet_<timestamp>_initial_mek_backup.p12) into the wallet directory before the new key is added.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY USING TAG 'initial' FORCE KEYSTORE IDENTIFIED BY EXTERNAL STORE WITH BACKUP USING 'initial_mek_backup';
Restart Database
Restart the database to make sure the software keystore is now correctly used / displayed:
SHUTDOWN IMMEDIATE;
STARTUP;
Check TDE Configuration and Key
Check the current status of the software keystore:
SET LINESIZE 160 PAGESIZE 200
COL wrl_type FOR A10
COL wrl_parameter FOR A50
COL status FOR A20
COL wallet_type FOR A20
COL wallet_order FOR A20
SELECT wrl_type, wrl_parameter, status, wallet_type,wallet_order FROM v$encryption_wallet;
At this point, TDE is ready to encrypt tablespaces and columns.
Example of encrypting the tablespaces USERS and AUDIT_DATA online (the tablespace AUDIT_DATA is assumed to exist; an ONLINE conversion needs free space for a temporary copy of the tablespace's data files):
ALTER TABLESPACE users ENCRYPTION ONLINE USING 'AES256' ENCRYPT;
ALTER TABLESPACE audit_data ENCRYPTION ONLINE USING 'AES256' ENCRYPT;
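As an added verification script (not part of the original procedure), the following SQL*Plus block checks the keystore state, the master key metadata and the encrypted tablespaces in one pass. It assumes WALLET_ROOT is set, the key was tagged 'initial' and the tablespaces USERS and AUDIT_DATA were converted as above; the HOST command assumes a Unix host. In a multitenant database, run it from the container whose keystore you want to inspect.

```sql
-- Added verification script; not from the original procedure.
-- Assumes WALLET_ROOT is set and the keystore/MEK were created as described above.
SET LINESIZE 200 PAGESIZE 200
COLUMN wallet_root NEW_VALUE wallet_root NOPRINT
SELECT value AS wallet_root FROM v$parameter WHERE name = 'wallet_root';

-- 1. Keystore state of the FILE keystore (status and wallet type).
COL wrl_type FOR A10
COL wrl_parameter FOR A50
COL status FOR A20
COL wallet_type FOR A20
COL wallet_order FOR A12
SELECT wrl_type, wrl_parameter, status, wallet_type, wallet_order
  FROM v$encryption_wallet;

-- 2. Master key metadata: which keys exist, their tag, use and whether they
--    were backed up (WITH BACKUP in the SET ENCRYPTION KEY step).
COL key_id FOR A52
COL tag FOR A12
COL key_use FOR A10
COL keystore_type FOR A18
COL backed_up FOR A9
COL activated FOR A19
SELECT key_id, tag, key_use, keystore_type, backed_up,
       TO_CHAR(activation_time, 'YYYY-MM-DD HH24:MI:SS') AS activated
  FROM v$encryption_keys
 ORDER BY activation_time;

-- 3. Encrypted tablespaces with their algorithm and conversion status
--    (STATUS is NORMAL once an ONLINE conversion has finished).
COL tablespace_name FOR A20
COL encryptionalg FOR A12
COL encryptedts FOR A11
COL status FOR A12
SELECT t.name AS tablespace_name, e.encryptionalg, e.encryptedts, e.status
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#
 ORDER BY t.name;

-- 4. Tablespaces that are still unencrypted, so nothing intended for
--    encryption is overlooked (SYSTEM, SYSAUX, UNDO and TEMP usually appear here).
SELECT t.name AS tablespace_name
  FROM v$tablespace t
  LEFT JOIN v$encrypted_tablespaces e ON e.ts# = t.ts#
 WHERE e.ts# IS NULL
 ORDER BY t.name;

-- 5. OS-level check: wallet files (ewallet.p12, cwallet.sso and the SEPS wallet)
--    must be owned by the database OS user and not group- or world-readable,
--    because the auto-login wallets open the keystore without a password.
HOST ls -l &wallet_root/tde &wallet_root/tde_seps
```

After the restart, query 1 should report the FILE keystore as OPEN with WALLET_TYPE LOCAL_AUTOLOGIN, query 2 should list the key tagged 'initial' with BACKED_UP = YES, and query 3 should show USERS and AUDIT_DATA with AES256; a row still in ENCRYPTING means the online conversion has not completed yet.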
The database is now ready - TDE is active and tablespaces are encrypted by the new software MEK.