Steps to Configure TDE (Transparent
Data Encryption) on Oracle Single/Multi-tenant database
·
Create a wallet/keystore location.
mkdir
-p <path>/xxwallet
Directory
name and location can be any
·
update sqlnet.ora to have the wallet path
cat $ORACLE_HOME/network/admin/sqlnet.ora
NAMES.DIRECTORY_PATH=
(TNSNAMES, EZCONNECT)
ENCRYPTION_WALLET_LOCATION
=
(SOURCE =(METHOD = FILE)(METHOD_DATA =
(DIRECTORY = <path>/xxwallet)))
Replace the with actual
path
·
Create keystore:
ADMINISTER KEY
MANAGEMENT CREATE KEYSTORE '<path>/xxwallet/'
IDENTIFIED BY <new wallet password>;
This will create wallet
file called “ewallet.p12” under the specified location
·
Open the Wallet/Keystore and activate
ADMINISTER KEY
MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY <wallet
password>;
In case Multi-tenant database
use below command
ADMINISTER KEY
MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY <wallet
password> CONTAINER=ALL;
ADMINISTER KEY
MANAGEMENT SET KEY IDENTIFIED BY <wallet password>
WITH BACKUP;
In case Multi-tenant database
use below command
ADMINISTER KEY
MANAGEMENT SET KEY IDENTIFIED BY <wallet password>
WITH BACKUP CONTAINER=ALL;
At this stage if you query
below table the “WALLET_TYPE” column will show as value “password”
If you are not setting
Autologin, every time database restarts you must open the Wallet/KeyStore exclusively
using the above command. To avoid Autologin should be enabled
SQL> SELECT * FROM
v$encryption_wallet
·
ENABLE AUTOLOGIN:
ADMINISTER KEY
MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '<path>/xxwallet/'
IDENTIFIED BY <new wallet password>;
·
Pluggable database (PDB) encryption verification
Verify the wallet
status in PDB using below
SQL> select
WRL_TYPE,STATUS,WALLET_TYPE,WALLET_ORDER,FULLY_BACKED_UP,CON_ID,WRL_PARAMETER
from v$ENCRYPTION_WALLET;
SQL> select
CON_ID,KEY_ID,KEYSTORE_TYPE,CREATOR_DBNAME,CREATOR_PDBNAME from
v$encryption_keys;
No comments:
Post a Comment