Using Oracle Multitenant in Database Cloud Service

When you create an Oracle Database Cloud Service database deployment that uses Oracle Database 12c or later, an Oracle Multitenant environment is created.

The multitenant architecture enables an Oracle database to function as a multitenant container database (CDB) that includes zero, one, or many pluggable databases (PDBs). A PDB is a portable collection of schemas, schema objects, and non-schema objects that appears to an Oracle Net Services client as a non-CDB. All Oracle databases before Oracle Database 12c were non-CDBs.

Creating and Activating a Master Encryption Key for a PDB

To use Oracle Transparent Data Encryption (TDE) in a pluggable database (PDB), you must create and activate a master encryption key for the PDB.

In a multitenant environment, each PDB has its own master encryption key, which is stored in a single keystore used by all containers.

To determine whether you need to create and activate an encryption key for the PDB, perform the following steps:
  1. Invoke SQL*Plus and log in to the database as the SYS user with SYSDBA privileges.

  2. Set the container to the PDB:

    SQL> ALTER SESSION SET CONTAINER = pdb;
  3. Query V$ENCRYPTION_WALLET as follows:

    SQL> SELECT wrl_parameter, status, wallet_type FROM v$encryption_wallet;

    If the STATUS column contains a value of OPEN_NO_MASTER_KEY, you need to create and activate the master encryption key.

To create and activate the master encryption key in a PDB, perform the following steps:

  1. Set the container to the PDB:

    SQL> ALTER SESSION SET CONTAINER = pdb;
  2. Create and activate a master encryption key in the PDB by executing the following command:

    SQL> ADMINISTER KEY MANAGEMENT SET KEY USING TAG 'tag' FORCE KEYSTORE IDENTIFIED BY keystore-password WITH BACKUP USING 'backup_identifier';

    In the above command:

    • keystore-password is the keystore password. By default, the keystore password is set to the value of the administration password that is specified when the database deployment is created.

    • The optional USING TAG 'tag' clause can be used to associate a tag with the new master encryption key.

    • The WITH BACKUP clause, and the optional USING 'backup_identifier' clause, can be used to create a backup of the keystore before the new master encryption key is created.

    See also ADMINISTER KEY MANAGEMENT in Oracle Database SQL Language Reference for Release 18 or 12.2.

    Note:

    To enable key management operations while the keystore is in use, Oracle Database 12c Release 2, and later, includes the FORCE KEYSTORE option to the ADMINISTER KEY MANAGEMENT command. This option is also available for Oracle Database 12c Release 1 with the October 2017, or later, bundle patch.

    If your Oracle Database 12c Release 1 deployment does not have the October 2017, or later, bundle patch installed, you can perform the following alternative steps:

    • Close the keystore.

    • Open the password-based keystore.

    • Create and activate a master encryption key in the PDB by using ADMINISTER KEY MANAGEMENT without the FORCE KEYSTORE option.

    • Update the auto-login keystore by using ADMINISTER KEY MANAGEMENT with the CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE option.

  3. Query V$ENCRYPTION_WALLET again to verify that the STATUS column is set to OPEN:

    SQL> SELECT wrl_parameter, status, wallet_type FROM v$encryption_wallet;
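The following SQL*Plus script is an added example, not part of the Oracle documentation above: it walks through the check, the creation of the key and the verification for one PDB, and also spells out the commands behind the four alternative steps in the Note for a 12.1 deployment without the bundle patch. The PDB name salespdb, the tag and backup identifier, the keystore password placeholder and the wallet directory path are all assumed values.

```sql
-- Added example (not from the Oracle documentation page). Assumes a PDB named
-- salespdb; replace "CHANGE_ME_keystore_pw" with the real keystore password
-- (by default the administration password chosen at deployment time).
ALTER SESSION SET CONTAINER = salespdb;

-- Step 1: decide whether a key is needed. A STATUS of OPEN_NO_MASTER_KEY means
-- the shared keystore is open but this PDB has no activated master key yet.
SELECT wrl_parameter, status, wallet_type
  FROM v$encryption_wallet;

-- Step 2 (12.2 and later, or 12.1 with the October 2017 bundle patch):
-- create and activate the key in one statement while the auto-login keystore
-- is in use. WITH BACKUP saves the keystore before it is modified.
ADMINISTER KEY MANAGEMENT SET KEY
  USING TAG 'salespdb_initial_key'
  FORCE KEYSTORE
  IDENTIFIED BY "CHANGE_ME_keystore_pw"
  WITH BACKUP USING 'salespdb_before_first_key';

-- Step 2 alternative (12.1 without the bundle patch, so no FORCE KEYSTORE):
-- close the auto-login keystore, open the password-based keystore, set the
-- key, then regenerate the auto-login keystore from it. The directory is the
-- WRL_PARAMETER value from step 1; the path below is an assumed example.
-- ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE;
-- ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
--   IDENTIFIED BY "CHANGE_ME_keystore_pw";
-- ADMINISTER KEY MANAGEMENT SET KEY
--   USING TAG 'salespdb_initial_key'
--   IDENTIFIED BY "CHANGE_ME_keystore_pw"
--   WITH BACKUP USING 'salespdb_before_first_key';
-- ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE
--   FROM KEYSTORE '/u01/app/oracle/admin/ORCL/tde_wallet'
--   IDENTIFIED BY "CHANGE_ME_keystore_pw";

-- Step 3: verify. STATUS should now be OPEN, and the PDB should list an
-- activated key carrying the tag chosen above.
SELECT wrl_parameter, status, wallet_type
  FROM v$encryption_wallet;
SELECT key_id, tag, activation_time
  FROM v$encryption_keys
 WHERE activation_time IS NOT NULL;
```

The last query reads V$ENCRYPTION_KEYS, which is not mentioned on the page; it is the standard view that lists the keys and their tags and is a convenient second check that the key you just created is the one now active.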

Exporting and Importing a Master Encryption Key for a PDB

You must export and import the master encryption key for any encrypted PDBs you plug in to your database deployment.

If your source PDB is encrypted, you must export the master encryption key and then import it. In a multitenant environment, each PDB has its own master encryption key, which is stored in a single keystore used by all containers.

You can export and import all of the TDE master encryption keys that belong to the PDB by exporting and importing the TDE master encryption keys from within a PDB. Export and import of TDE master encryption keys support the PDB unplug and plug operations. During a PDB unplug and plug, all of the TDE master encryption keys that belong to a PDB, as well as the metadata, are involved.

See "Exporting and Importing TDE Master Encryption Keys for a PDB" in Oracle Database Advanced Security Guide for Release 18, 12.2 or 12.1.

See "ADMINISTER KEY MANAGEMENT" in Oracle Database SQL Language Reference for Release 18, 12.2 or 12.1.

To export the master encryption keys, perform the following steps:
  1. Invoke SQL*Plus and log in to the PDB.

  2. Export the master encryption key by executing the following command:

    SQL> ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS WITH SECRET "secret" TO 'filename' IDENTIFIED BY keystore-password;

To import the master encryption key, perform the following steps:

  1. Invoke SQL*Plus and log in to the PDB.

  2. Import the master encryption key by executing the following command:

    SQL> ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS WITH SECRET "secret" FROM 'filename' IDENTIFIED BY keystore-password;
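The following script is an added example, not part of the Oracle documentation above: it places the export and import commands from both procedures into a complete unplug-and-plug move of an encrypted PDB, with the V$ENCRYPTION_WALLET check from the earlier section used to confirm the outcome on the target. The PDB name salespdb, the transport secret, the keystore password placeholders and all file paths are assumed values.

```sql
-- Added example (not from the Oracle documentation page). Assumed names:
-- PDB salespdb, source/target keystore password placeholders, and paths
-- under /u01/app/oracle/admin/ORCL. Run each half on the deployment named.

-- === SOURCE deployment, inside the PDB ===
-- Export every master key the PDB owns. The export file is wrapped with the
-- transport secret, which is separate from the keystore password.
ALTER SESSION SET CONTAINER = salespdb;
ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS
  WITH SECRET "CHANGE_ME_transport_secret"
  TO '/u01/app/oracle/admin/ORCL/salespdb_keys.exp'
  IDENTIFIED BY "CHANGE_ME_source_keystore_pw";

-- Unplug from the root container (ordinary multitenant step).
ALTER SESSION SET CONTAINER = cdb$root;
ALTER PLUGGABLE DATABASE salespdb CLOSE IMMEDIATE;
ALTER PLUGGABLE DATABASE salespdb
  UNPLUG INTO '/u01/app/oracle/admin/ORCL/salespdb.xml';
-- Copy the datafiles, the XML manifest and salespdb_keys.exp to the target;
-- deliver the transport secret through a separate channel from the file.

-- === TARGET deployment, from the root container ===
CREATE PLUGGABLE DATABASE salespdb
  USING '/u01/app/oracle/admin/ORCL/salespdb.xml';
ALTER PLUGGABLE DATABASE salespdb OPEN;

-- Before the import, the plugged-in PDB has no key in this keystore, so the
-- check from the earlier section reports OPEN_NO_MASTER_KEY.
ALTER SESSION SET CONTAINER = salespdb;
SELECT wrl_parameter, status, wallet_type
  FROM v$encryption_wallet;

-- Import the keys into the target keystore. WITH BACKUP saves the keystore
-- first; FORCE KEYSTORE (12.2+, or 12.1 with the bundle patch) lets this run
-- while the auto-login keystore is in use.
ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS
  WITH SECRET "CHANGE_ME_transport_secret"
  FROM '/u01/app/oracle/admin/ORCL/salespdb_keys.exp'
  FORCE KEYSTORE
  IDENTIFIED BY "CHANGE_ME_target_keystore_pw"
  WITH BACKUP USING 'salespdb_before_key_import';

-- Verify: STATUS should now be OPEN and the imported keys should be listed.
SELECT wrl_parameter, status, wallet_type
  FROM v$encryption_wallet;
SELECT key_id, tag, activation_time
  FROM v$encryption_keys;
```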