B Tablespace Encryption for Oracle Key Vault

B.1 Tablespace Encryption for Oracle Key Vault Upgraded from 12.2.0.3.0 or Before

This topic describes how to encrypt the tablespaces of an Oracle Key Vault installation that was upgraded from release 12.2.0.3.0 or earlier.

Fresh installations of Oracle Key Vault 12.2.0.4.0 and later encrypt the tablespaces using AES256.

If your Oracle Key Vault installation was upgraded from a fresh installation of a version prior to 12.2.0.4.0, the Oracle Key Vault tablespace continues to use AES128 encryption and the auditing tablespace remains unencrypted.

Use the following steps to encrypt the tablespaces of such an installation (one upgraded from a fresh installation of a version prior to 12.2.0.4.0) using AES256.

Note:

In a multi-master cluster deployment, run the following steps on every node. In a primary-standby deployment, run the steps on the primary node only; the standby is converted automatically.
  1. Perform a full backup of Oracle Key Vault to a remote destination. Ensure that the backup is successful.
  2. Log in to the Oracle Key Vault server through SSH as the support user, then switch to the root user with su.
    ssh support@okv_server_IP_address
    su - root
    
  3. Switch to the oracle user.
    su - oracle
  4. Use SQL*Plus to connect to the database as SYSDBA.
    sqlplus / as SYSDBA
  5. Run the following query to verify that tablespace KEYVAULT_SPACE is encrypted using AES128 and that tablespace KEYVAULT_AUDIT_TBS is not encrypted. Because v$encrypted_tablespaces lists only encrypted tablespaces, KEYVAULT_AUDIT_TBS does not appear in the output of this inner join.
    SQL> select a.name, b.encryptionalg, b.status
         from v$tablespace a, v$encrypted_tablespaces b
         where a.ts# = b.ts#;
    
    NAME                           ENCRYPT STATUS
    ------------------------------ ------- ----------
    AVSPACE                        AES256  NORMAL
    KEYVAULT_SPACE                 AES128  NORMAL
    
  6. Ensure that the auxiliary space (tablespace SYSAUX) is at least the same size as the largest data file of the tablespace being converted.

    This size requirement exists because Oracle Database performs the conversion one data file at a time. For example, if the largest data file of the tablespace is 32 GB, then ensure that you have 32 GB of auxiliary space.

    To find the space each data file uses, run the following query.
    SQL> select a.name, a.bytes, a.blocks, a.block_size, a.create_bytes, b.name
         from v$datafile a, v$tablespace b
         where a.TS# = b.TS#;
    
    NAME
    --------------------------------------------------------------------------------
         BYTES     BLOCKS BLOCK_SIZE CREATE_BYTES NAME
    ---------- ---------- ---------- ------------ ------------------------------
    /var/lib/oracle/oradata/dbfwdb/system01.dbf
    1614807040     197120       8192            0 SYSTEM
    
    /var/lib/oracle/oradata/dbfwdb/keyvault_tbs
      33554432       4096       8192     33554432 KEYVAULT_SPACE
    
    /var/lib/oracle/oradata/dbfwdb/sysaux01.dbf
    2715811840     331520       8192            0 SYSAUX
    
    /var/lib/oracle/oradata/dbfwdb/undotbs01.dbf
    2202009600     268800       8192            0 UNDOTBS1
    
    /var/lib/oracle/oradata/DBFWDB/datafile/o1_mf_avspace_ln88t6vp_.dbf
     209715200      25600       8192    104857600 AVSPACE
    
    /var/lib/oracle/oradata/dbfwdb/users01.dbf
       5242880        640       8192            0 USERS
    
    /var/lib/oracle/oradata/dbfwdb/keyvault_audit_tbs
      33554432       4096       8192     33554432 KEYVAULT_AUDIT_TBS
    

    Ensure that the size of tablespace SYSAUX is larger than the size of tablespaces KEYVAULT_SPACE and KEYVAULT_AUDIT_TBS.
  7. Re-key tablespace KEYVAULT_SPACE online using AES256.
    SQL> ALTER TABLESPACE KEYVAULT_SPACE ENCRYPTION ONLINE USING 'AES256' REKEY;
    Tablespace altered.
    
  8. Encrypt tablespace KEYVAULT_AUDIT_TBS online using AES256.
    SQL> ALTER TABLESPACE KEYVAULT_AUDIT_TBS ENCRYPTION ONLINE USING 'AES256' ENCRYPT;
    Tablespace altered.
    
  9. Verify that the Oracle Key Vault tablespaces are now encrypted using AES256.
    SQL> select a.name, b.encryptionalg, b.status
         from v$tablespace a, v$encrypted_tablespaces b
         where a.ts# = b.ts#;
    NAME                           ENCRYPT STATUS
    ------------------------------ ------- ----------
    AVSPACE                        AES256  NORMAL
    KEYVAULT_SPACE                 AES256  NORMAL
    KEYVAULT_AUDIT_TBS             AES256  NORMAL
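The two checks below are an added example and are not part of the Oracle documentation above. The first lists both Key Vault tablespaces with an outer join so that an unencrypted tablespace shows up as NONE instead of being silently omitted (as it is by the inner join in steps 5 and 9); the second evaluates the step 6 size precondition, assuming the total size of the SYSAUX data files is the measure of auxiliary space.

```sql
-- Added example: pre- and post-checks for the tablespace conversion above,
-- run from the same SQL*Plus session connected as SYSDBA.

-- 1. Encryption state of both Key Vault tablespaces. v$encrypted_tablespaces
--    only has rows for encrypted tablespaces, so an outer join is needed to
--    surface an unencrypted one; any row not reporting AES256 needs action.
SELECT t.name,
       NVL(e.encryptionalg, 'NONE')   AS encryptionalg,
       NVL(e.status, 'NOT ENCRYPTED') AS status,
       CASE WHEN e.encryptionalg = 'AES256' THEN 'OK'
            ELSE 'NEEDS ACTION' END   AS check_result
  FROM v$tablespace t
  LEFT OUTER JOIN v$encrypted_tablespaces e ON e.ts# = t.ts#
 WHERE t.name IN ('KEYVAULT_SPACE', 'KEYVAULT_AUDIT_TBS')
 ORDER BY t.name;

-- 2. Step 6 precondition: SYSAUX (sum of its data files, an assumption of this
--    example) must be at least as large as the largest data file belonging to
--    either Key Vault tablespace, because conversion works one file at a time.
WITH sysaux AS (
  SELECT SUM(d.bytes) AS sysaux_bytes
    FROM v$datafile d
    JOIN v$tablespace t ON t.ts# = d.ts#
   WHERE t.name = 'SYSAUX'
), largest AS (
  SELECT MAX(d.bytes) AS largest_bytes
    FROM v$datafile d
    JOIN v$tablespace t ON t.ts# = d.ts#
   WHERE t.name IN ('KEYVAULT_SPACE', 'KEYVAULT_AUDIT_TBS')
)
SELECT s.sysaux_bytes,
       l.largest_bytes,
       CASE WHEN s.sysaux_bytes >= l.largest_bytes THEN 'OK'
            ELSE 'SYSAUX TOO SMALL' END AS sysaux_check
  FROM sysaux s, largest l;
```

Run the first query before step 7 (expect KEYVAULT_SPACE as AES128 and KEYVAULT_AUDIT_TBS as NONE) and again after step 8, when both rows should report AES256 with status NORMAL.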