Rekey on HSM
This page describes how to issue a new master encryption key (MEK) directly on the HSM and use it to encrypt the tablespace.
Issue New MEK
Perform the following prerequisites before issuing the new key to ensure a smooth transition.
If auto-login is not enabled (see Setup Auto-login on HSM), manually open the HSM keystore using the password from SEPS:
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY EXTERNAL STORE;
Check the current encryption key so that the migration can be identified later on:
SET LINESIZE 160 PAGESIZE 200
ALTER SESSION SET nls_timestamp_tz_format="DD.MM.YYYY HH24:MI:SS";
COL key_id FOR A52
COL tag FOR A10
COL creation_time FOR A19
COL activation_time FOR A19
COL creator FOR A10
COL user FOR A10
COL key_use FOR A7
COL creator_dbname FOR A10
COL backed_up FOR A8
SELECT key_id, tag, creation_time, activation_time, creator, user, key_use, backed_up, creator_dbname FROM v$encryption_keys;
Create New MEK
Use the following command to generate a new master key directly in the HSM:
ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE IDENTIFIED BY EXTERNAL STORE WITH BACKUP USING 'new_mek_wallet';
Afterwards, you can confirm that the new key is in use by checking the encryption key:
SET LINESIZE 160 PAGESIZE 200
ALTER SESSION SET nls_timestamp_tz_format="DD.MM.YYYY HH24:MI:SS";
COL key_id FOR A52
COL tag FOR A10
COL creation_time FOR A19
COL activation_time FOR A19
COL creator FOR A10
COL user FOR A10
COL key_use FOR A7
COL creator_dbname FOR A10
COL backed_up FOR A8
SELECT key_id, tag, creation_time, activation_time, creator, user, key_use, backed_up, creator_dbname FROM v$encryption_keys;
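The following SQL*Plus script is an added example, not part of the original page: it records the active key before the rekey and, after the ADMINISTER KEY MANAGEMENT SET KEY command has been run, fails loudly if no new HSM-resident key was activated. It assumes SYSKM or SYSDBA privileges, that it is run in the container being rekeyed, and that the key with the newest ACTIVATION_TIME in v$encryption_keys is the MEK currently in use.

```sql
-- Added example (not from the original page). Assumption: the newest
-- ACTIVATION_TIME in v$encryption_keys identifies the MEK in use.
SET SERVEROUTPUT ON
VARIABLE before_key VARCHAR2(78)
VARIABLE after_key  VARCHAR2(78)

-- Pre-check: the keystore about to be rekeyed is an open HSM keystore.
SELECT wrl_type, wallet_type, wallet_order, status
  FROM v$encryption_wallet;

-- Snapshot the active key before the rekey.
BEGIN
  SELECT key_id INTO :before_key
    FROM (SELECT key_id FROM v$encryption_keys ORDER BY activation_time DESC)
   WHERE ROWNUM = 1;
END;
/

-- Run the ADMINISTER KEY MANAGEMENT SET KEY ... command from above here.

-- Post-check: a different key is active and it was generated in the HSM.
DECLARE
  v_type VARCHAR2(30);
BEGIN
  SELECT key_id, keystore_type INTO :after_key, v_type
    FROM (SELECT key_id, keystore_type FROM v$encryption_keys
           ORDER BY activation_time DESC)
   WHERE ROWNUM = 1;
  IF :after_key = :before_key THEN
    RAISE_APPLICATION_ERROR(-20001,
      'Rekey did not activate a new MEK (' || :after_key || ')');
  ELSIF v_type <> 'HARDWARE KEYSTORE' THEN
    RAISE_APPLICATION_ERROR(-20002,
      'New MEK is not HSM-resident: ' || v_type);
  END IF;
  DBMS_OUTPUT.PUT_LINE('MEK rotated: ' || :before_key || ' -> ' || :after_key);
END;
/
```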
Once the keystore is on an HSM, Oracle cannot back it up natively. The following command:
ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE USING 'new_mek' FORCE KEYSTORE IDENTIFIED BY EXTERNAL STORE;
will fail with:
ORA-00600: internal error code, arguments: [invalid keystore location], [4], ...
This is because Oracle does not preserve the history of the MEK when the keystore is on an HSM; it is a limitation imposed by Oracle.
The easiest course of action here is to perform backups at the HSM level instead.
Because of the way Oracle databases work, the history of the encryption key cannot be preserved within the keystore itself when an HSM is used as the keystore.
With a software wallet it is possible to decrypt tablespaces encrypted by old keys, but when running on an HSM this is not possible. One workaround is to migrate the MEK to a software wallet and then migrate it back to the HSM.