Using Oracle Multitenant in Database Classic Cloud Service
When you create an Oracle Database Classic Cloud Service database deployment that uses Oracle Database 12c or later, an Oracle Multitenant environment is created.
The multitenant architecture enables an Oracle database to function as a multitenant container database (CDB) that includes zero, one, or many pluggable databases (PDBs). A PDB is a portable collection of schemas, schema objects, and non-schema objects that appears to an Oracle Net Services client as a non-CDB. All Oracle databases before Oracle Database 12c were non-CDBs.
Creating and Activating a Master Encryption Key for a PDB
To use Oracle Transparent Data Encryption (TDE) in a pluggable database (PDB), you must create and activate a master encryption key for the PDB.
In a multitenant environment, each PDB has its own master encryption key, which is stored in a single keystore used by all containers.
- Invoke SQL*Plus and log in to the database as the SYS user with SYSDBA privileges.
- Set the container to the PDB:
  SQL> ALTER SESSION SET CONTAINER = pdb;
- Query V$ENCRYPTION_WALLET as follows:
  SQL> SELECT wrl_parameter, status, wallet_type FROM v$encryption_wallet;
  If the STATUS column contains a value of OPEN_NO_MASTER_KEY, you need to create and activate the master encryption key.
To create and activate the master encryption key in a PDB, perform the following steps:
- Set the container to the PDB:
  SQL> ALTER SESSION SET CONTAINER = pdb;
- Create and activate a master encryption key in the PDB by executing the following command:
  SQL> ADMINISTER KEY MANAGEMENT SET KEY USING TAG 'tag' FORCE KEYSTORE IDENTIFIED BY keystore-password WITH BACKUP USING 'backup_identifier';
  In the above command:
  - keystore-password is the keystore password. By default, the keystore password is set to the value of the administration password that is specified when the database deployment is created.
  - The optional USING TAG 'tag' clause can be used to associate a tag with the new master encryption key.
  - The WITH BACKUP clause, and the optional USING 'backup_identifier' clause, can be used to create a backup of the keystore before the new master encryption key is created.
  See also ADMINISTER KEY MANAGEMENT in Oracle Database SQL Language Reference for Release 18 or 12.2.
  Note: To enable key management operations while the keystore is in use, Oracle Database 12c Release 2, and later, includes the FORCE KEYSTORE option to the ADMINISTER KEY MANAGEMENT command. This option is also available for Oracle Database 12c Release 1 with the October 2017, or later, bundle patch. If your Oracle Database 12c Release 1 deployment does not have the October 2017, or later, bundle patch installed, you can perform the following alternative steps:
  - Close the keystore.
  - Open the password-based keystore.
  - Create and activate a master encryption key in the PDB by using ADMINISTER KEY MANAGEMENT without the FORCE KEYSTORE option.
  - Update the auto-login keystore by using ADMINISTER KEY MANAGEMENT with the CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE option.
- Query V$ENCRYPTION_WALLET again to verify that the STATUS column is set to OPEN:
  SQL> SELECT wrl_parameter, status, wallet_type FROM v$encryption_wallet;
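The check, create, and verify steps above, plus the Release 12.1 alternative without FORCE KEYSTORE, as a single SQL*Plus script. This is an added example and is not part of the Oracle documentation: the PDB name PDB1, the tag and backup identifier values, and the angle-bracket placeholders for the keystore password and wallet directory are assumptions to be replaced with your deployment's values.

```sql
-- Added example (not from the Oracle documentation page): one SQL*Plus session that
-- checks whether a PDB needs a TDE master encryption key, creates and activates one,
-- and verifies the result. Values in angle brackets are placeholders; PDB1, the tag
-- and the backup identifier are constructed for illustration.
-- Run as SYS with SYSDBA privileges, e.g.:  sqlplus / as sysdba

-- 1. Switch to the PDB.
ALTER SESSION SET CONTAINER = PDB1;

-- 2. Check the keystore state as seen from this container. A STATUS of
--    OPEN_NO_MASTER_KEY means the shared keystore is open but this PDB has no
--    activated master key yet; anything already OPEN needs no further action.
SELECT wrl_parameter, status, wallet_type
  FROM v$encryption_wallet;

-- 3a. Oracle Database 12.2 and later (or 12.1 with the October 2017 or later bundle
--     patch): FORCE KEYSTORE performs the operation while the auto-login keystore is
--     in use, and WITH BACKUP copies the keystore before the new key is added.
ADMINISTER KEY MANAGEMENT SET KEY
  USING TAG 'pdb1_initial_key'
  FORCE KEYSTORE
  IDENTIFIED BY "<keystore-password>"
  WITH BACKUP USING 'before_pdb1_key';

-- 3b. Alternative for 12.1 without that bundle patch (run INSTEAD of 3a): close the
--     auto-login keystore, open the password-based keystore, set the key without
--     FORCE KEYSTORE, then regenerate the auto-login keystore from the password-based
--     one. <wallet-dir> is the directory reported in WRL_PARAMETER in step 2.
-- ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE;
-- ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<keystore-password>";
-- ADMINISTER KEY MANAGEMENT SET KEY
--   USING TAG 'pdb1_initial_key'
--   IDENTIFIED BY "<keystore-password>"
--   WITH BACKUP USING 'before_pdb1_key';
-- ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE
--   FROM KEYSTORE '<wallet-dir>'
--   IDENTIFIED BY "<keystore-password>";

-- 4. Verify: STATUS should now be OPEN for this PDB, and the tagged key should be
--    listed with an activation time.
SELECT wrl_parameter, status, wallet_type
  FROM v$encryption_wallet;

SELECT key_id, tag, activation_time
  FROM v$encryption_keys
 WHERE tag = 'pdb1_initial_key';
```

Keep the backup identifier and tag meaningful (for example, a change ticket number) so that the keystore backup written by WITH BACKUP can be matched to the operation that created it; the final query on V$ENCRYPTION_KEYS is the evidence that the key was activated in this container rather than merely created.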
Exporting and Importing a Master Encryption Key for a PDB
You must export and import the master encryption key for any encrypted PDBs you plug in to your database deployment.
If your source PDB is encrypted, you must export the master encryption key and then import it. In a multitenant environment, each PDB has its own master encryption key, which is stored in a single keystore used by all containers.
You can export and import all of the TDE master encryption keys that belong to the PDB by exporting and importing the TDE master encryption keys from within a PDB. Export and import of TDE master encryption keys support the PDB unplug and plug operations. During a PDB unplug and plug, all of the TDE master encryption keys that belong to a PDB, as well as the metadata, are involved.
See "Exporting and Importing TDE Master Encryption Keys for a PDB" in Oracle Database Advanced Security Guide for Release 18, 12.2 or 12.1.
See "ADMINISTER KEY MANAGEMENT" in Oracle Database SQL Language Reference for Release 18, 12.2 or 12.1.
- Invoke SQL*Plus and log in to the PDB.
- Export the master encryption key by executing the following command:
  SQL> ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS WITH SECRET "secret" TO 'filename' IDENTIFIED BY keystore-password;
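The export step above, paired with the matching import on the destination deployment around a PDB unplug and plug, as one added example. It is not part of the Oracle documentation: the PDB name PDB1 and the export file path are constructed, the angle-bracket placeholders stand for the transport secret and the keystore passwords, and the import syntax is taken from the ADMINISTER KEY MANAGEMENT reference the page cites rather than from this page.

```sql
-- Added example (not from the Oracle documentation page): moving a PDB's TDE master
-- encryption keys from a source deployment to a target deployment as part of an
-- unplug/plug. PDB1 and the file path are constructed; values in angle brackets
-- are placeholders.

-- === On the SOURCE database, before unplugging the PDB ===
ALTER SESSION SET CONTAINER = PDB1;

-- Export every master key that belongs to this PDB, together with its metadata, into
-- a file that is itself encrypted under the transport secret ("secret" in the page's
-- syntax). The transport secret is independent of the keystore password; it is what
-- protects the export file while it is copied between hosts.
ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS
  WITH SECRET "<transport-secret>"
  TO '/u01/app/oracle/admin/pdb1_keys.exp'
  IDENTIFIED BY "<source-keystore-password>";

-- === On the TARGET database, after plugging the PDB in ===
-- The export file must be copied to the target host out of band first, and the
-- target keystore must be open before the import.
ALTER SESSION SET CONTAINER = PDB1;

-- Import with the same transport secret. WITH BACKUP saves the target keystore
-- before the imported keys are added to it.
ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS
  WITH SECRET "<transport-secret>"
  FROM '/u01/app/oracle/admin/pdb1_keys.exp'
  IDENTIFIED BY "<target-keystore-password>"
  WITH BACKUP USING 'before_pdb1_import';

-- Verify that the plugged-in PDB now sees an open keystore and its own keys.
SELECT wrl_parameter, status, wallet_type
  FROM v$encryption_wallet;

SELECT key_id, tag, creation_time
  FROM v$encryption_keys;
```

Treat the export file as key material: it is only as protected as the transport secret, so deliver the file and the secret over different channels and remove the file from both hosts once the import has been verified.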
To import the master encryption key perform the following steps: