1 Quick-start Setup Guide for Wallet Based Transparent Data Encryption

  1. Create the directories that will hold the TDE wallet (a PKCS#12 container, encrypted with a key that is derived from the TDE wallet password). The ORACLE_SID in this example is finance:

    mkdir -pv /etc/ORACLE/KEYSTORES/finance/tde_seps
    chown -Rv oracle:oinstall /etc/ORACLE
    chmod -Rv 700 /etc/ORACLE

    The last two commands change the ownership of the directories to oracle:oinstall and reduce the file privileges to the minimum. These permissions matter: the local auto-open wallets created later in this procedure open the keystore without a password for any process that can read them, so the OS owner and mode on this tree are what protect the TDE master keys.
  2. Set static system parameter WALLET_ROOT to the directory that you just created:
    SYS> alter system set WALLET_ROOT = '/etc/ORACLE/KEYSTORES/$ORACLE_SID' scope = spfile;
  3. Set the static TABLESPACE_ENCRYPTION parameter to AUTO_ENABLE, so that all new tablespaces are encrypted even if the encryption keywords are not part of the CREATE TABLESPACE command:
    SYS> alter system set TABLESPACE_ENCRYPTION = AUTO_ENABLE scope = spfile;
  4. Restart the database to activate those two static parameters.
  5. Configure the database to use a file-based TDE wallet (this parameter is dynamic, so no further restart is needed):
    SYS> alter system set TDE_CONFIGURATION = "KEYSTORE_CONFIGURATION=FILE" scope = both;
  6. Create a new password-protected TDE wallet and a local auto-open wallet from it. The local auto-open wallet (cwallet.sso) enables automatic database restarts without DBA intervention to open the password-protected TDE wallet (ewallet.p12). A local auto-open wallet is bound to the host and opens without a password, so it is only as safe as the file permissions on <WALLET_ROOT>:

    Note:

    Do not lose your wallet password. You should record the password, protecting it according to your organization's standards for sensitive IT secrets.

    (The first command also creates the <WALLET_ROOT>/tde directory.)

    SYSKM> administer key management CREATE KEYSTORE identified by <wallet-pwd>;
    SYSKM> administer key management CREATE LOCAL AUTO_LOGIN KEYSTORE from keystore identified by <wallet-pwd>;
  7. Add the TDE wallet password as a secret into another (local) auto-open wallet in <WALLET_ROOT>/tde_seps. This allows you to hide the TDE wallet password from the SQL*Plus command line and replace it with EXTERNAL STORE:
    SYSKM> administer key management ADD SECRET '<wallet-pwd>' for client 'TDE_WALLET' to LOCAL auto_login keystore '/etc/ORACLE/KEYSTORES/finance/tde_seps';
  8. In the root container database, set the first TDE master key. CONTAINER = CURRENT limits the key creation to the root; WITH BACKUP writes a timestamped copy of the password-protected wallet to the same directory before the key is added:
    SYSKM> administer key management SET KEY force keystore identified by EXTERNAL STORE with backup container = current;
  9. Encrypt the tablespaces in the root CDB (the conversion runs online; existing data is rewritten encrypted while the tablespace stays available):
    SYS:CDB$ROOT> alter tablespace USERS encryption ONLINE encrypt;
    SYS:CDB$ROOT> alter tablespace SYSTEM encryption ONLINE encrypt;
    SYS:CDB$ROOT> alter tablespace SYSAUX encryption ONLINE encrypt;
  10. Give the PDB either a united keystore (the PDB's master key is stored in the root's wallet) or an isolated keystore (the PDB gets its own wallet and wallet password):
    • United Keystore: In the PDB, set the first TDE master key:
      SYSKM:FINPDB23AI> administer key management SET KEY force keystore identified by EXTERNAL STORE with backup;
    • Isolated Keystore:
      1. From the PDB, create an isolated keystore with its own keystore password:
        SYSKM:FINPDB23AI> administer key management CREATE KEYSTORE identified by <PDB-wallet-pwd>;
        The previous command does three things:
        1. It sets TDE_CONFIGURATION to FILE for the isolated PDB
        2. It creates the <PDB_GUID>/tde directories under <WALLET_ROOT>
        3. It creates an individual wallet for the PDB, with its own TDE wallet password (that is potentially unknown to the DBA of the root container)
      2. Create a (local) auto-open wallet for the isolated PDB:
        SYSKM:FINPDB23AI> administer key management CREATE LOCAL AUTO_LOGIN KEYSTORE from keystore identified by <PDB-wallet-pwd>;
      3. Create the directory <WALLET_ROOT>/<PDB_GUID>/tde_seps by executing the output of the following command. The host command runs as the OS user that started SQL*Plus, which must be oracle so that the new directory gets the right owner:
        SYS:FINPDB23AI> select ' host mkdir -pvm700 '''||v.value||'/'||guid||'/tde_seps'';' from v$pdbs, v$parameter v where v.name = 'wallet_root';
      4. Add the TDE wallet password as a secret into the wallet in <WALLET_ROOT>/<PDB_GUID>/tde_seps by executing the output of the following command as SYSKM. This allows you to hide the TDE wallet password of the isolated PDB from the SQL*Plus command line and replace it with EXTERNAL STORE:
        SYS:FINPDB23AI> select ' administer key management ADD SECRET ''<PDB-wallet-pwd>'' for client ''TDE_WALLET'' to LOCAL auto_login keystore '''||v.value||'/'||guid||'/tde_seps/'';' from v$pdbs, v$parameter v where v.name = 'wallet_root';
  11. Encrypt the tablespaces in the PDB:
    SYS:FINPDB23AI> alter tablespace USERS encryption ONLINE encrypt;
    SYS:FINPDB23AI> alter tablespace SYSTEM encryption ONLINE encrypt;
    SYS:FINPDB23AI> alter tablespace SYSAUX encryption ONLINE encrypt;
  12. Confirm. First check that the wallet is OPEN in every container (STATUS in V$ENCRYPTION_WALLET), then list the encryption state of every tablespace. The join on CON_ID is required: V$ENCRYPTED_TABLESPACES is keyed by (CON_ID, TS#), and joining on TS# alone would let an encrypted PDB tablespace make the root tablespace with the same TS# appear encrypted:
    SYS> select distinct c.name as PDB_NAME, t.name as TBS_NAME,
                nvl(e.encryptionalg, '----') as ENC_ALG,
                nvl(e.ciphermode, '---') as "MODE",
                nvl(e.status, '----') as ENC_STATUS
         from v$tablespace t
              join v$containers c on c.con_id = t.con_id
              left join v$encrypted_tablespaces e on e.con_id = t.con_id and e.ts# = t.ts#
         where c.con_id != 2
         order by 1, 3 desc, 2;
    PDB_NAME        TBS_NAME             ENC_ALG   MODE  ENC_STATUS
    --------------- -------------------- --------- ----- -------
    CDB$ROOT        SYSAUX               AES256    XTS   NORMAL
    CDB$ROOT        SYSTEM               AES256    XTS   NORMAL
    CDB$ROOT        USERS                AES256    XTS   NORMAL
    CDB$ROOT        TEMP                 ----      ---   ----
    CDB$ROOT        UNDOTBS1             ----      ---   ----
    FINPDB23AI      SYSAUX               AES256    XTS   NORMAL
    FINPDB23AI      SYSTEM               AES256    XTS   NORMAL
    FINPDB23AI      USERS                AES256    XTS   NORMAL
    FINPDB23AI      TEMP                 ----      ---   ----
    FINPDB23AI      UNDOTBS1             ----      ---   ----
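A post-setup check for the file side of this procedure, added here as an example and not part of Oracle's documentation: a POSIX shell audit of the WALLET_ROOT tree. Everything in the setup that survives a restart without a DBA typing a password is a file (cwallet.sso in tde and tde_seps, and the same pair under each isolated PDB's <PDB_GUID> subtree), so the ownership and mode set in step 1 are the controls worth re-checking. The function names, the expected-owner argument and the usage path are assumptions for the example; the directory layout is the guide's.

```shell
# Added example, not from the Oracle documentation: audit a WALLET_ROOT tree
# after the quick-start. The local auto-login wallet (cwallet.sso) opens the
# keystore without a password for any process that can read it, so the two
# controls that matter are (1) every entry is owned by the expected OS user
# and (2) no entry grants any permission to group or others (700 dirs, 600
# files). The audit also reports expected wallet files that are absent, so a
# forgotten tde_seps secret wallet shows up before the next restart.
# Function names and the OWNER argument are hypothetical; the directory layout
# (<WALLET_ROOT>/tde, <WALLET_ROOT>/tde_seps, <WALLET_ROOT>/<PDB_GUID>/...)
# is the one used in the guide.

# perm_violations ROOT: print every entry under ROOT with any group/other bit set.
perm_violations() {
    find "$1" -print | while IFS= read -r entry; do
        # characters 5-10 of the ls -l mode string are the group and other bits
        bits=$(ls -ld "$entry" | cut -c5-10)
        [ "$bits" = "------" ] || echo "perm: $entry has group/other bits ($bits)"
    done
}

# owner_violations ROOT OWNER: print every entry not owned by OWNER (POSIX find;
# OWNER may be a user name or a numeric uid).
owner_violations() {
    find "$1" ! -user "$2" -print | sed "s|^|owner: not owned by $2: |"
}

# wallet_dirs ROOT: the root itself plus any isolated-PDB subdirectory, which
# Oracle names with the 32-hex-character PDB GUID.
wallet_dirs() {
    echo "$1"
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        n=$(basename "$d")
        if expr "$n" : '[0-9A-F]\{32\}$' >/dev/null; then
            echo "$1/$n"
        fi
    done
}

# missing_wallet_files ROOT: report expected wallet files that do not exist.
missing_wallet_files() {
    wallet_dirs "$1" | while IFS= read -r dir; do
        for f in tde/ewallet.p12 tde/cwallet.sso tde_seps/cwallet.sso; do
            [ -f "$dir/$f" ] || echo "missing: $dir/$f"
        done
    done
}

# audit_wallet_root ROOT OWNER: print findings and return 1 if there are any,
# otherwise print one ok line and return 0.
audit_wallet_root() {
    findings=$( { perm_violations "$1"; owner_violations "$1" "$2"; missing_wallet_files "$1"; } )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "ok: $1 owned by $2, no group/other access, wallet files present"
}

# Usage on the guide's layout (run as root or as oracle):
#   audit_wallet_root /etc/ORACLE/KEYSTORES/finance oracle
```

Run it after step 10.4 and again after the first unattended restart; a non-zero exit with a "missing:" line for tde_seps/cwallet.sso means the next restart will stop at a closed keystore and wait for the wallet password.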