2 Quick-start Setup Guide for Wallet-Based Transparent Data Encryption

  1. Create the directories that will hold the TDE wallet (a PKCS#12 container that is encrypted with a key that is derived from the TDE wallet password).

    The ORACLE_SID in this example is finance. The last two commands change the ownership of the directory tree to oracle:oinstall and reduce the file permissions to the minimum (read, write and execute for the owner only), so that only the database software owner can reach the wallet files:
    mkdir -pv /etc/ORACLE/KEYSTORES/finance
    chown -Rv oracle:oinstall /etc/ORACLE
    chmod -Rv 700 /etc/ORACLE
  2. Set the static system parameter WALLET_ROOT to the directory that you just created (here $ORACLE_SID resolves to finance, i.e. /etc/ORACLE/KEYSTORES/finance; because the parameter is static it can only be set with scope = spfile and takes effect after the restart in the next step):
    SYS> alter system set WALLET_ROOT = '/etc/ORACLE/KEYSTORES/$ORACLE_SID' scope = spfile;
  3. Restart the database to activate this parameter.
  4. The next parameter defines AES256 as the default tablespace encryption algorithm. It needs to be executed before the create keystore command, otherwise the default encryption algorithm remains AES128. The leading underscore marks this as an undocumented parameter in 19c (from 21c on the documented parameter TABLESPACE_ENCRYPTION_DEFAULT_ALGORITHM takes its place); if you prefer not to rely on the default, the algorithm can also be named explicitly in each ALTER TABLESPACE ... ENCRYPTION ... USING 'AES256' ENCRYPT statement in step 9.
    SYS> alter system set "_TABLESPACE_ENCRYPTION_DEFAULT_ALGORITHM" = 'AES256' scope = both;
  5. The last parameter configures the database to use a TDE wallet for file-based TDE setup:
    SYS> alter system set TDE_CONFIGURATION = "KEYSTORE_CONFIGURATION=FILE" scope = both;
  6. Create a new password-protected TDE wallet and a local auto-open TDE wallet derived from it; the auto-open wallet lets the database open the keystore on restart without a DBA entering the password. Because the auto-open wallet (cwallet.sso) opens without a password, the file permissions from step 1 are what protects the master keys on disk; LOCAL additionally ties it to this host, so a copy of cwallet.sso does not open on another machine. The password-protected wallet (ewallet.p12) remains the one you back up and the one needed for key administration:

    (N.B.: This command also creates the <WALLET_ROOT>/tde directory)

    SYSKM> administer key management CREATE KEYSTORE identified by <wallet-pwd>;
    SYSKM> administer key management CREATE LOCAL AUTO_LOGIN KEYSTORE from keystore identified by <wallet-pwd>;
  7. In the root container database, set the first TDE master key:
    SYSKM> administer key management SET KEY force keystore identified by EXTERNAL STORE with backup container = current;
    Note that identified by EXTERNAL STORE only works if the TDE wallet password has already been stored in the external keystore password store under <WALLET_ROOT>/tde_seps (the secret for client TDE_WALLET); without that store, use identified by <wallet-pwd> instead. The same holds for the SET KEY commands in step 8. The with backup clause writes a copy of the password-protected wallet before the key is added; keep that backup, and the wallet itself, out of any backup set that also contains the encrypted data files.
  8. Configure the PDB either as a united PDB (it shares the root container's wallet) or as an isolated PDB (it has its own wallet and wallet password):
    • United PDB
      In the PDB, set the first TDE master key:
      SYSKM:FINPDB19C> administer key management SET KEY force keystore identified by EXTERNAL STORE with backup;
    • Isolated PDB
      1. Create an individual keystore for the PDB, with its own keystore password:
        SYSKM:FINPDB19C> administer key management CREATE KEYSTORE identified by <PDB-wallet-pwd>;
        This command does three things:
        1. It sets TDE_CONFIGURATION to KEYSTORE_CONFIGURATION=FILE for the isolated PDB
        2. It creates the <PDB_GUID>/tde directory under <WALLET_ROOT>
        3. It creates an individual wallet for the PDB, with its own TDE wallet password (which can be kept from the DBA of the root container)
      2. Create a (local) auto-open wallet for the isolated PDB:
        SYSKM:FINPDB19C> administer key management CREATE LOCAL AUTO_LOGIN KEYSTORE from keystore identified by <PDB-wallet-pwd>;
      Before moving on to step 9, confirm that the isolated PDB has an activated TDE master key (STATUS = OPEN and KEYSTORE_MODE = ISOLATED in V$ENCRYPTION_WALLET, and a row for the PDB in V$ENCRYPTION_KEYS); a PDB that never had a master key still needs the SET KEY command from the united branch, now identified by <PDB-wallet-pwd>.
  9. Encrypt the tablespaces in the PDB. The online conversion rewrites every data file of the tablespace into an encrypted copy while the tablespace stays in use, so it needs free space for the temporary copies and is best run outside peak hours; the algorithm is the default from step 4 unless it is named explicitly (encryption ONLINE using 'AES256' encrypt):
    SYS:FINPDB19C> alter tablespace USERS encryption ONLINE encrypt;
    SYS:FINPDB19C> alter tablespace SYSTEM encryption ONLINE encrypt;
    SYS:FINPDB19C> alter tablespace SYSAUX encryption ONLINE encrypt;
  10. Confirm. A STATUS other than NORMAL (for example ENCRYPTING) means an online conversion is still running; note that the inner join shows only tablespaces that are already encrypted, so a tablespace that was skipped is simply absent from the list:
    SYS> select c.name as PDB_NAME, t.name as TBS_NAME, e.ENCRYPTIONALG as ALG, e.STATUS
           from v$tablespace t, v$encrypted_tablespaces e, v$containers c
          where e.ts# = t.ts# and e.con_id = t.con_id and e.con_id = c.con_id
          order by e.con_id, t.name;
    PDB_NAME        TBS_NAME             ALG     STATUS
    --------------- -------------------- ------- -------
    FINPDB19C       SYSAUX               AES256  NORMAL
    FINPDB19C       SYSTEM               AES256  NORMAL
    FINPDB19C       USERS                AES256  NORMAL
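The confirmation query in step 10 only joins tablespaces that already appear in V$ENCRYPTED_TABLESPACES, so it cannot reveal what was missed, and it says nothing about the wallet or the keys. The script below is an added worked example, not part of the original guide and not Oracle's own tooling; it extends the check to wallet state, master keys, unencrypted tablespaces and the default algorithm. It assumes the names used in the guide (WALLET_ROOT /etc/ORACLE/KEYSTORES/finance, PDB FINPDB19C) and a SYS connection to the root container, so that the V$ views cover every container and the X$ fixed table is readable.

```sql
-- Post-setup verification for the wallet-based TDE configuration above.
-- Added example (not from the original guide); assumes the guide's names
-- (WALLET_ROOT /etc/ORACLE/KEYSTORES/finance, PDB FINPDB19C) and that it
-- is run as SYS in CDB$ROOT so that every container is visible.

-- 1. Wallet state per container. Expected after steps 6 to 8: STATUS = OPEN,
--    WALLET_TYPE = LOCAL_AUTOLOGIN (the auto-open wallet is the one in use),
--    KEYSTORE_MODE = NONE in the root, UNITED or ISOLATED in the PDB, and
--    FULLY_BACKED_UP = YES once the password-protected wallet was backed up.
select w.con_id,
       c.name          as container,
       w.wrl_parameter as wallet_location,
       w.status,
       w.wallet_type,
       w.keystore_mode,
       w.fully_backed_up
  from v$encryption_wallet w
  join v$containers c on c.con_id = w.con_id
 where w.wrl_type = 'FILE'
 order by w.con_id;

-- 2. Master keys per container. Every container holding encrypted data needs
--    an activated key; BACKED_UP = NO means the wallet holding this key has
--    not been backed up since the key was created.
select k.con_id,
       c.name as container,
       k.key_id,
       k.activation_time,
       k.keystore_type,
       k.backed_up
  from v$encryption_keys k
  join v$containers c on c.con_id = k.con_id
 order by k.con_id, k.activation_time;

-- 3. Every tablespace of every user PDB, unencrypted ones included. The LEFT
--    JOIN is the point: an inner join with V$ENCRYPTED_TABLESPACES silently
--    drops a forgotten tablespace, so a clean result can still hide cleartext
--    data. A STATUS of ENCRYPTING means an online conversion is still running.
select c.name                         as pdb_name,
       t.name                         as tbs_name,
       nvl(e.encryptionalg, 'NONE')   as alg,
       nvl(e.status, 'NOT ENCRYPTED') as status
  from v$tablespace t
  join v$containers c on c.con_id = t.con_id
  left join v$encrypted_tablespaces e on e.ts# = t.ts# and e.con_id = t.con_id
 where c.con_id > 2      -- user PDBs only; skip CDB$ROOT (1) and PDB$SEED (2)
 order by c.con_id, t.name;

-- 4. Default tablespace encryption algorithm (step 4). In 19c the parameter is
--    hidden and therefore absent from V$PARAMETER; read it from the X$ fixed
--    tables instead (SYS only). Expected value: AES256.
select i.ksppinm  as parameter,
       v.ksppstvl as value
  from x$ksppi  i
  join x$ksppcv v on v.indx = i.indx
 where i.ksppinm = '_tablespace_encryption_default_algorithm';
```

Run the script once after step 10 and again after every wallet operation (key rotation, wallet backup, new PDB): any row in query 3 with ALG = NONE, any wallet in query 1 that is not OPEN and LOCAL_AUTOLOGIN, and any key in query 2 with BACKED_UP = NO is a finding to act on before the system is handed over.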