8 Using Transparent Data Encryption with Other Oracle Features
You can use Oracle Data Encryption with other Oracle features, such as Oracle Data Guard or Oracle Real Application Clusters.
- How Transparent Data Encryption Works with Export and Import Operations
Oracle Data Pump can export and import tables that contain encrypted columns, as well as encrypt entire dump sets. - How Transparent Data Encryption Works with Oracle Data Guard
An Oracle Data Guard primary database and secondary secondary database can share both a TDE wallet and an external keystore. - How Transparent Data Encryption Works with Oracle Real Application Clusters
Oracle Real Application Clusters (Oracle RAC) nodes can share both a TDE wallets and an external keystore. - How Transparent Data Encryption Works with SecureFiles
SecureFiles, which stores LOBS, has three features: compression, deduplication, and encryption. - How Transparent Data Encryption Works with Oracle Call Interface
Transparent Data Encryption does not have any effect on the operation of Oracle Call Interface (OCI). - How Transparent Data Encryption Works with Editions
Transparent Data Encryption does not have any effect on the Editions feature of Oracle Database. - Configuring Transparent Data Encryption to Work in a Multidatabase Environment
Each Oracle database on the same server (such as databases sharing the same Oracle binary but using different data files) must access its own TDE keystore.
Parent topic: Using Transparent Data Encryption
8.1 How Transparent Data Encryption Works with Export and Import Operations
Oracle Data Pump can export and import tables that contain encrypted columns, as well as encrypt entire dump sets.
- About Exporting and Importing Encrypted Data
You can use Oracle Data Pump to export and import tables that have encrypted columns. - Exporting and Importing Tables with Encrypted Columns
You can export and import tables with encrypted columns using theENCRYPTION=ENCRYPTED_COLUMNS_ONLY
setting. - Using Oracle Data Pump to Encrypt Entire Dump Sets
Oracle Data Pump can encrypt entire dump sets, not just Transparent Data Encryption columns. - Using Oracle Data Pump with Encrypted Data Dictionary Data
Oracle Data Pump operations provide protections for encrypted passwords and other encrypted data.
8.1.1 About Exporting and Importing Encrypted Data
You can use Oracle Data Pump to export and import tables that have encrypted columns.
For both software and external keystores, the following points are important when you must export tables containing encrypted columns:
-
Sensitive data should remain unintelligible during transport.
-
Authorized users should be able to decrypt the data after it is imported at the destination.
When you use Oracle Data Pump to export and import tables containing encrypted columns, it uses the ENCRYPTION
parameter to enable encryption of data in dump file sets. The ENCRYPTION
parameter allows the following values:
-
ENCRYPTED_COLUMNS_ONLY
: Writes encrypted columns to the dump file set in encrypted format -
DATA_ONLY
: Writes all of the data to the dump file set in encrypted format -
METADATA_ONLY
: Writes all of the metadata to the dump file set in encrypted format -
ALL
: Writes all of the data and metadata to the dump file set in encrypted format -
NONE
: Does not use encryption for dump file sets
8.1.2 Exporting and Importing Tables with Encrypted Columns
You can export and import tables with encrypted columns using the ENCRYPTION=ENCRYPTED_COLUMNS_ONLY
setting.
-
Ensure that the keystore is open before you attempt to export tables containing encrypted columns.
In a multitenant environment, if you are exporting data in a pluggable database (PDB), then ensure that the wallet is open in the PDB. If you are exporting into the root, then ensure that the wallet is open in the root.
To find if the keystore is open, query the
STATUS
column of theV$ENCRYPTION_WALLET
view. If you must open the keystore, then run the following SQL statement:ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY software_keystore_password [CONTAINER = ALL | CURRENT];
The
software_keystore_password
setting is the password for the keystore. The keystore must be open because the encrypted columns must be decrypted using the TDE table keys, which requires access to the TDE master encryption key. The columns are reencrypted using a password, before they are exported. -
Run the
EXPDP
command, using theENCRYPTION_PASSWORD
parameter to specify a password that is used to encrypt column data in the export dump file set.The following example exports the
employee_data
table. TheENCRYPTION_PWD_PROMPT = YES
setting enables you to prompt for the password interactively, which is a recommended security practice.expdp hr TABLES=employee_data DIRECTORY=dpump_dir DUMPFILE=dpcd2be1.dmp ENCRYPTION=ENCRYPTED_COLUMNS_ONLY ENCRYPTION_PWD_PROMPT = YES Password: password_for_hr
-
To import the exported data into the target database, ensure that you specify the same password that you used for the export operation, as set by the
ENCRYPTION_PASSWORD
parameter.The password is used to decrypt the data. Data is reencrypted with the new TDE table keys generated in the target database. The target database must have the keystore open to access the TDE master encryption key. The following example imports the
employee_data
table:impdp hr TABLES=employee_data DIRECTORY=dpump_dir DUMPFILE=dpcd2be1.dmp ENCRYPTION_PWD_PROMPT = YES Password: password_for_hr
8.1.3 Using Oracle Data Pump to Encrypt Entire Dump Sets
Oracle Data Pump can encrypt entire dump sets, not just Transparent Data Encryption columns.
While importing, you can use either the password or the keystore TDE master encryption key to decrypt the data. If the password is not supplied, then the TDE master encryption key in the keystore is used to decrypt the data. The keystore must be present and open at the target database. The open keystore is also required to reencrypt column encryption data at the target database.
You can use the ENCRYPTION_MODE=TRANSPARENT
setting to transparently encrypt the dump file set with the TDE master encryption key stored in the keystore. A password is not required in this case. The keystore must be present and open at the target database, and it must contain the TDE master encryption key from the source database for a successful decryption of column encryption metadata during an import operation.
The open keystore is also required to reencrypt column encryption metadata at the target database. If a keystore already exists on the target database, then you can export the current TDE master encryption key from the keystore of the source database and import it into the keystore of the target database.
-
Use the
ENCRYPTION_MODE
parameter to specify the encryption mode.ENCRYPTION_MODE=DUAL
encrypts the dump set using the TDE master encryption key stored in the keystore and the password provided.
For example, to use dual encryption mode to export encrypted data:
expdp hr DIRECTORY=dpump_dir1 DUMPFILE=hr_enc.dmp ENCRYPTION=all ENCRYPTION_PASSWORD=encryption_password ENCRYPTION_PWD_PROMPT=yes ENCRYPTION_ALGORITHM=AES256 ENCRYPTION_MODE=dual Password: password_for_hr Encryption Password: password_for_encryption
8.1.4 Using Oracle Data Pump with Encrypted Data Dictionary Data
Oracle Data Pump operations provide protections for encrypted passwords and other encrypted data.
When you enable the encryption of fixed-user database passwords in a source database, then an Oracle Data Pump export operation dump stores a known invalid password for the database link password. This password is in place instead of the encrypted password that the export operation extracts from the database. An ORA-39395: Warning: object <database link name> requires password reset after import
warning message is displayed as a result. If you import data into an Oracle Database 18c or later database, then this same warning appears when the database link object with its invalid password is created in the target database. When this happens, you must reset the database link password, as follows:
ALTER DATABASE LINK database_link_name CONNECT TO schema_name IDENTIFIED BY password;
To find information about the database link, you can query the V$DBLINK
dynamic view.
When the encryption of fixed-user database passwords has been disabled in a source database, then there are no changes to Data Pump. The obfuscated database link passwords are exported and imported as in previous releases.
In this case, Oracle recommends the following:
-
Set the
ENCRYPTION_PASSWORD
parameter on theexpdp
command so that you can further protect the obfuscated database link passwords. -
Set the
ENCRYPTION_PWD_PROMPT
parameter toYES
so that the password can be entered interactively from a prompt, instead of being echoed on the screen.
Both the ENCRYPTION_PASSWORD
and the ENCRYPTION_PWD_PROMPT
parameters are available in import operations. ENCRYPTION_PWD_PROMPT
is only available with the expdp
and impdp
command-line clients, whereas ENCRYPTION_PASSWORD
is available in both the command-line clients and the DBMS_DATAPUMP
PL/SQL package.
During an import operation, whether the keystore is open or closed affects the behavior of whether or not an encryption password must be provided. If the keystore was open during the export operation and you provided an encryption password, then you do not need to provide the password during the import operation. If the keystore is closed during the export operation, then you must provide the password during the import operation.
Related Topics
8.2 How Transparent Data Encryption Works with Oracle Data Guard
An Oracle Data Guard primary database and secondary secondary database can share both a TDE wallet and an external keystore.
- About Using Transparent Data Encryption with Oracle Data Guard
For both TDE wallets and external keystores, Oracle Data Guard supports Transparent Data Encryption (TDE). - Encryption of Tablespaces in an Oracle Data Guard Environment
You can control tablespace encryption in the primary and standby databases in an Oracle Data Guard environment. - Configuring TDE and Oracle Key Vault in an Oracle Data Guard Environment
You can configure Oracle Data Guard in a multitenant environment so that it can work with TDE wallets and Oracle Key Vault. - Configuring Wallet-Based Transparent Data Encryption in Oracle Data Guard
You can configure wallet-based Transparent Data Encryption (TDE) in an Oracle Data Guard environment. - Migrating a TDE Wallet in an Oracle Data Guard Environment to Oracle Key Vault
After you have configured TDE wallet-based Transparent Data Encryption (TDE) in an Oracle Data Guard environment, you can migrate primary and standby databases to Oracle Key Vault, without downtime. - Enabling a PDB to Have an Isolated Keystore in an Oracle Data Guard Environment
In an Oracle Data Guard environment, to enable a PDB to have an isolated keystore on the standby, you must manually perform the configuration.
8.2.1 About Using Transparent Data Encryption with Oracle Data Guard
For both TDE wallets and external keystores, Oracle Data Guard supports Transparent Data Encryption (TDE).
If the primary database uses TDE, then each standby database in a Data Guard configuration must have a copy of the encryption keystore from the primary database. If you reset the TDE master encryption key in the primary database, then you must copy the keystore from the primary database that contains the TDE master encryption key to each standby database.
Note the following:
-
Re-key operations with wallet-based TDE will cause the Managed Recovery Process (MRP) on the standby databases to fail because the new TDE master encryption key is not yet available. In order to circumvent this problem, you can configure TDE wallet encryption in an Oracle Data Guard environment.
-
Encrypted data in log files remains encrypted when data is transferred to the standby database. Encrypted data also stays encrypted during transit.
8.2.2 Encryption of Tablespaces in an Oracle Data Guard Environment
You can control tablespace encryption in the primary and standby databases in an Oracle Data Guard environment.
- About the Encryption of Tablespace in an Oracle Data Guard Environment
In an Oracle Data Guard environment, you can control the automatic encryption of tablespaces in both the primary and standby databases, for on-premises and Oracle Cloud Infrastructure (OCI) environments. - Configuring the Encryption of Tablespaces in an Oracle Data Guard Environment
To configure the hybrid encryption of tablespaces, you must set theTABLESPACE_ENCRYPTION
initialization parameter.
8.2.2.1 About the Encryption of Tablespace in an Oracle Data Guard Environment
In an Oracle Data Guard environment, you can control the automatic encryption of tablespaces in both the primary and standby databases, for on-premises and Oracle Cloud Infrastructure (OCI) environments.
To control the encryption of new tablespaces, you set the TABLESPACE_ENCRYPTION
initialization parameter.
Oracle recommends that you encrypt primary databases. However, because encryption requirements may vary depending on the site, you can use the TABLESPACE_ENCRYPTION
parameter to configure a mixed encryption environment for on-premises and in-Cloud environments.
Note the following about using the TABLESPACE_ENCRYPTION
parameter:
- Redo decryption takes place at the redo transport level.
- For Oracle Database 19.16 and later, if you do not have an Advanced Security Option (ASO) license, which includes Transparent Data Encryption, then you can configure an un-encrypted on-premises primary database to have an encrypted standby database in Oracle Cloud Infrastructure (OCI). Even after a role transition (planned or unplanned), the new on-premises standby database remains un-encrypted, while the primary database in OCI is encrypted. See the Oracle Database Product Management YouTube video Hybrid Oracle Data Guard without Transparent Data Encryption (TDE) License.
For releases earlier than 19.16, "split-TDE" deployments are complicated to implement, require constant manual intervention on primary and standby databases, and require an ASO license for the un-encrypted on-premises database.
- If the
ENCRYPT_NEW_TABLESPACES
setting that you choose conflicts with theTABLESPACE_ENCRYPTION
setting, thenTABLESPACE_ENCRYPTION
takes precedence. - You must set
TABLESPACE_ENCRYPTION
in the CDB root, not in any PDBs. - The default
TABLESPACE_ENCRYPTION
setting for OCI databases isAUTO_ENABLE
. The setting is mandatory, and any changes to it are ignored. - The default
TABLESPACE_ENCRYPTION
setting for on-premises databases isMANUAL_ENABLE
.
In an Oracle Data Guard environment that uses on-premises databases and Oracle Database in the Cloud (ODBC) or Oracle Exadata Cloud (ExaCS), you can configure tablespace encryption in either of the following scenarios:
- Encrypt the tablespace in the Cloud standby database but not in the on-premises primary database: When an unencrypted on-premises primary database creates an unencrypted tablespace, adds a data file, or updates a table, then the redo is not encrypted. However, when the encrypted Cloud standby database applies the redo, it ensures that the tablespace or data file is created, or that the block is updated, and are all encrypted in the Cloud. After the switchover operation, if the encrypted Cloud primary database adds an implicitly encrypted tablespace or data file, or updates a table, then the tablespace is encrypted. The unencrypted on-premises standby database must decrypt the redo, create an unencrypted tablespace or data file, and then ensure that the block is not encrypted on-premises.
- Encrypt the tablespace in the Cloud primary database but not in the on-premises standby database: When an encrypted Cloud primary database creates an implicitly encrypted tablespace, adds a data file, or updates a table, then the redo is also encrypted. The unencrypted on-premises standby database must decrypt the redo and ensure that the tablespace and data file are created, or the updated files are all unencrypted. After the switchover operation, if the unencrypted on-premises primary database adds an unencrypted tablespace or data file, or updates a table, then the redo is not encrypted. The encrypted Cloud standby database adds an encrypted tablespace or data file, and then ensures that the block is encrypted in the Cloud.
For example, if you want to use TABLESPACE_ENCRYPTION
in a configuration that followed the best practice of having both on-premises and OCI databases encrypted, then you would set TABLESPACE_ENCRYPTION
to AUTO_ENABLE
for both the on-premises and OCI databases. Alternatively, if the on-premises database is not encrypted in a hybrid disaster recovery configuration with ODBC or Oracle ExaCS, for example, you could set TABLESPACE_ENCRYPTION
to DECRYPT_ONLY
. The OCI database is set to AUTO_ENABLE
by default.
See also the video Hybrid Oracle Data Guard without Transparent Data Encryption (TDE) License.
8.2.2.2 Configuring the Encryption of Tablespaces in an Oracle Data Guard Environment
To configure the hybrid encryption of tablespaces, you must set the TABLESPACE_ENCRYPTION
initialization parameter.
When both databases are on-premises, you can have primary and standby settings in pairings of the MANUAL_ENABLE
and DECRYPT_ONLY
settings. For example, you could set MANUAL_ENABLE
on the standby database and DECRYPT_ONLY
on the primary database. In a DECRYPT_ONLY
(primary) and MANUAL_ENABLE
(standby) pairing, you must manually encrypt the database on the standby by using TDE offline conversion.
Note the following with regard to rekey operations:
- Modifying the
TABLESPACE_ENCRYPTION
parameter does not affect master key rotation operations.When a tablespace key rotation is performed on the primary database, then the standby database will attempt to rotate the key for the tablespace as well. However, if the standby tablespace is unencrypted and does not have a key, then it will generate an error because there is no key to regenerate. If the standby tablespace is unencrypted but it has inherited a key from primary because of the
DECRYPT_ONLY
setting, then the key will be rotated. In either case, it does not affect the unencrypted tablespace. - Both the master encryption key and the tablespace key rotation can only be performed on the primary database.
8.2.3 Configuring TDE and Oracle Key Vault in an Oracle Data Guard Environment
You can configure Oracle Data Guard in a multitenant environment so that it can work with TDE wallets and Oracle Key Vault.
8.2.4 Configuring Wallet-Based Transparent Data Encryption in Oracle Data Guard
You can configure wallet-based Transparent Data Encryption (TDE) in an Oracle Data Guard environment.
8.2.5 Migrating a TDE Wallet in an Oracle Data Guard Environment to Oracle Key Vault
After you have configured TDE wallet-based Transparent Data Encryption (TDE) in an Oracle Data Guard environment, you can migrate primary and standby databases to Oracle Key Vault, without downtime.
8.2.6 Enabling a PDB to Have an Isolated Keystore in an Oracle Data Guard Environment
In an Oracle Data Guard environment, to enable a PDB to have an isolated keystore on the standby, you must manually perform the configuration.
ADMINISTER KEY MANAGEMENT
command that is run on the primary does not affect the standby. First, you isolate the PDB in the primary database. The ADMINISTER KEY MANAGEMENT ISOLATE KEYSTORE
command performs the necessary isolation tasks, such as changing the PDB's TDE_CONFIGURATION
parameter to FILE
and moving the key from the united mode wallet to the newly created isolated mode wallet. Next, you must perform these same tasks manually on the standby to complete the isolation mode process.
8.3 How Transparent Data Encryption Works with Oracle Real Application Clusters
Oracle Real Application Clusters (Oracle RAC) nodes can share both a TDE wallets and an external keystore.
- About Using Transparent Data Encryption with Oracle Real Application Clusters
Oracle requires a shared TDE wallet for Oracle Real Application Clusters (Oracle RAC), or a shared common virtual wallet in Oracle Key Vault among cluster instances. - Configuring TDE in Oracle Real Application Clusters for Oracle Key Vault
You can configure TDE in Oracle Real Application Clusters (Oracle RAC) on Oracle Exadata Cloud at Customer (ExaCC) and other servers for centralized key management provided by Oracle Key Vault.
8.3.1 About Using Transparent Data Encryption with Oracle Real Application Clusters
Oracle requires a shared TDE wallet for Oracle Real Application Clusters (Oracle RAC), or a shared common virtual wallet in Oracle Key Vault among cluster instances.
A TDE configuration with Oracle Key Vault uses a network connection from each instance of the database to the external key manager. In Oracle Key Vault, you must create one endpoint for each instance of the Oracle RAC-enabled database, and one virtual wallet for each Oracle RAC-enabled database. Then, make that virtual wallet the default wallet of all endpoints that belong to that database. In an Oracle RAC-enabled Data Guard configuration, all instances (primary and all standby databases) share that one virtual wallet. With this configuration, set key and re-key operations are completely transparent because all participating instances are automatically synchronized. This eliminates the need to manually copy the TDE wallet to each of the other nodes in the cluster.
Oracle does not support the use of individual TDE wallets for each Oracle RAC node. Instead, use shared wallets for TDE in the Oracle RAC environment. This enables all of the instances to access the same shared TDE wallet. If your site uses Oracle Automatic Storage Management Cluster File System (Oracle ACFS), then this is the preferred location for a shared wallet. Directly sharing the wallet in Oracle Automatic Storage Management (Oracle ASM) (for example, +DATA/$ORACLE_UNQNAME/WALLETS
) is an alternative if Oracle ACFS is not available.
Keystore operations (such as opening or closing the keystore, or rekeying the TDE master encryption key) can be issued on any one Oracle RAC instance. Internally, the Oracle database takes care of synchronizing the keystore context on each Oracle RAC node, so that the effect of the keystore operation is visible to all of the other Oracle RAC instances in the cluster. Similarly, when a TDE master encryption key rekey operation takes place, the new key becomes available to each of the Oracle RAC instances. You can perform other keystore operations, such as exporting TDE master encryption keys, rotating the keystore password, merging keystores, or backing up keystores, from a single instance only.
When using a shared file system, ensure that the WALLET_ROOT
static system parameter for all of the Oracle RAC instances point to the same shared TDE wallet location, as follows:
ALTER SYSTEM SET WALLET_ROOT = '+DATA/$ORACLE_UNQNAME' SCOPE = SPFILE SID ='*'; ALTER SYSTEM SET TDE_CONFIGURATION = "KEYSTORE_CONFIGURATION=FILE" SCOPE = BOTH SID = '*';
Note:
- If you have the
ENCRYPTION_WALLET_LOCATION
parameter set, then be aware this parameter is deprecated. Oracle recommends that you use theWALLET_ROOT
static initialization parameter andTDE_CONFIGURATION
dynamic initialization parameter instead. - Storing TDE master encryption keys in individual wallets per Oracle Real Application Clusters (Oracle RAC) instance is not supported. As an alternative, use Oracle Key Vault for centralized key management across your on-premises or Cloud-based database deployments, or Oracle Automatic Storage Management (Oracle ASM), or Oracle ASM Cluster File System (Oracle ACFS) to provide local shared wallets.
8.3.2 Configuring TDE in Oracle Real Application Clusters for Oracle Key Vault
You can configure TDE in Oracle Real Application Clusters (Oracle RAC) on Oracle Exadata Cloud at Customer (ExaCC) and other servers for centralized key management provided by Oracle Key Vault.
Related Topics
8.4 How Transparent Data Encryption Works with SecureFiles
SecureFiles, which stores LOBS, has three features: compression, deduplication, and encryption.
- About Transparent Data Encryption and SecureFiles
SecureFiles encryption uses TDE to provide the encryption facility for LOBs. - Example: Creating a SecureFiles LOB with a Specific Encryption Algorithm
TheCREATE TABLE
statement can create a SecureFiles LOB with encryption specified. - Example: Creating a SecureFiles LOB with a Column Password Specified
TheCREATE TABLE
statement can create a SecureFiles LOB with a column password.
8.4.1 About Transparent Data Encryption and SecureFiles
SecureFiles encryption uses TDE to provide the encryption facility for LOBs.
When you create or alter tables, you can specify the SecureFiles encryption or LOB columns that must use the SecureFiles storage. You can enable the encryption for a LOB column by either using the current Transparent Data Encryption (TDE) syntax or by using the ENCRYPT
clause as part of the LOB parameters for the LOB column. The DECRYPT
option in the current syntax or the LOB parameters turn off encryption.
Parent topic: How Transparent Data Encryption Works with SecureFiles
8.4.2 Example: Creating a SecureFiles LOB with a Specific Encryption Algorithm
The CREATE TABLE
statement can create a SecureFiles LOB with encryption specified.
Example 8-1 shows how to create a SecureFiles LOB in a CREATE TABLE
statement.
Example 8-1 Creating a SecureFiles LOB with a Specific Encryption Algorithm
CREATE TABLE table1 ( a BLOB ENCRYPT USING 'AES256') LOB(a) STORE AS SECUREFILE ( CACHE );
Parent topic: How Transparent Data Encryption Works with SecureFiles
8.4.3 Example: Creating a SecureFiles LOB with a Column Password Specified
The CREATE TABLE
statement can create a SecureFiles LOB with a column password.
Example 8-2 shows an example of creating a SecureFiles LOB that uses password protections for the encrypted column.
All of the LOBS in the LOB column are encrypted with the same encryption specification.
Example 8-2 Creating a SecureFiles LOB with a Column Password Specified
CREATE TABLE table1 (a VARCHAR2(20), b BLOB)
LOB(b) STORE AS SECUREFILE (
CACHE
ENCRYPT USING 'AES192' IDENTIFIED BY password
);
Parent topic: How Transparent Data Encryption Works with SecureFiles
8.5 How Transparent Data Encryption Works with Oracle Call Interface
Transparent Data Encryption does not have any effect on the operation of Oracle Call Interface (OCI).
For most practical purposes, TDE is transparent to OCI except for the row shipping feature. You cannot use the OCI row shipping feature with TDE because the key to make the row usable is not available at the receipt-point.
8.6 How Transparent Data Encryption Works with Editions
Transparent Data Encryption does not have any effect on the Editions feature of Oracle Database.
For most practical purposes, TDE is transparent to Editions. Tables are always noneditioned objects. TDE Column Encryption encrypts columns of the table. Editions are not affected by TDE tablespace encryption.
- How ALTER SYSTEM and orapki Map to ADMINISTER KEY MANAGEMENT
Many of the clauses from theALTER SYSTEM
statement correspond to theADMINISTER KEY MANAGEMENT
statement.
8.6.1 How ALTER SYSTEM and orapki Map to ADMINISTER KEY MANAGEMENT
Many of the clauses from the ALTER SYSTEM
statement correspond to the ADMINISTER KEY MANAGEMENT
statement.
Table 8-1 compares the Transparent Data Encryption usage of the ALTER SYSTEM
statement and the orapki
utility from previous releases with the ADMINISTER KEY MANAGEMENT
statement.
Table 8-1 How ALTER SYSTEM and orapki Map to ADMINISTER KEY MANAGEMENT
Behavior | ALTER SYSTEM or orapki | ADMINISTER KEY MANAGEMENT |
---|---|---|
Creating a keystore |
For TDE wallets: ALTER SYSTEM SET ENCRYPTION KEY ["certificate_ID"] IDENTIFIED BY keystore_password; For external keystores, the keystore is available after you configure the external keystore. |
For TDE wallets: ADMINISTER KEY MANAGEMENT CREATE KEYSTORE
IDENTIFIED BY TDE_wallet_password For external keystores, the keystore is available after you configure the external keystore. |
Creating an auto-login keystore |
orapki wallet create -wallet wallet_location -auto_login [-pwd password] |
For TDE wallets: ADMINISTER KEY MANAGEMENT CREATE [LOCAL]
AUTO_LOGIN KEYSTORE FROM KEYSTORE
IDENTIFIED BY TDE_wallet_password; This type of keystore applies to TDE wallets only. |
Opening a keystore |
ALTER SYSTEM SET [ENCRYPTION]
WALLET OPEN IDENTIFIED BY
keystore_password; |
ADMINISTER KEY MANAGEMENT SET KEYSTORE
OPEN [FORCE KEYSTORE]
IDENTIFIED BY keystore_password | EXTERNAL STORE
[CONTAINER = ALL | CURRENT]; |
Closing a keystore |
ALTER SYSTEM SET [ENCRYPTION]
WALLET CLOSE IDENTIFIED BY
keystore_password; |
For both software and external keystores: ADMINISTER KEY MANAGEMENT SET KEYSTORE
CLOSE [IDENTIFIED BY keystore_password]
[CONTAINER = ALL | CURRENT]; |
Migrating from an external keystore to a TDE wallet |
|
ADMINISTER KEY MANAGEMENT SET [ENCRYPTION] KEY IDENTIFIED BY keystore_password REVERSE MIGRATE USING "external_key_manager_password" WITH BACKUP [USING 'backup_identifier']; |
Migrating from a TDE wallet to Oracle Key Vault or Oracle Cloud Interface (OCI) Key Management Service (KMS) |
ALTER SYSTEM SET [ENCRYPTION] KEY IDENTIFIED BY "Oracle_Key_Vault_password" MIGRATE USING wallet_password; |
ADMINISTER KEY MANAGEMENT SET [ENCRYPTION] KEY IDENTIFIED BY "Oracle_Key_Vault_password" MIGRATE USING wallet_password; |
Changing a keystore password |
orapki wallet change_pwd -wallet wallet_location [-oldpwd password ] [-newpwd password] |
For password-based TDE wallets: ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD IDENTIFIED BY TDE_wallet_old_password SET TDE_wallet_new_password [WITH BACKUP [USING 'backup_identifier']]; For external keystores, you close the keystore, change it in the external key manager interface, and then reopen the keystore. |
Backing up a password-based TDE wallet |
No |
ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE [USING 'backup_identifier'] IDENTIFIED BY TDE_wallet_password [TO 'TDE_wallet_location']; |
Merging two TDE wallets into a third new keystore |
No |
ADMINISTER KEY MANAGEMENT MERGE KEYSTORE 'TDE_wallet1_location' [IDENTIFIED BY TDE_wallet1_password] AND KEYSTORE 'TDE_wallet2_location' [IDENTIFIED BY TDE_wallet2_password] INTO NEW KEYSTORE 'TDE_wallet3_location' IDENTIFIED BY TDE_wallet3_password; |
Merging one TDE wallet into another existing keystore |
No |
ADMINISTER KEY MANAGEMENT MERGE KEYSTORE 'TDE_wallet1_location' [IDENTIFIED BY TDE_wallet1_password] INTO EXISTNG KEYSTORE 'TDE_wallet2_location' IDENTIFIED BY TDE_wallet2_password [WITH BACKUP [USING 'backup_identifier']]; |
Setting or rekeying the master encryption key |
ALTER SYSTEM SET [ENCRYPTION] KEY
IDENTIFIED BY keystore_password; Note: The |
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY [USING TAG 'tag'] IDENTIFIED BY keystore_password WITH BACKUP [USING 'backup_identifier'] [CONTAINER = ALL | CURRENT]; After you rekey the encryption key, the |
Creating a master encryption key for later user |
No |
ADMINISTER KEY MANAGEMENT CREATE KEY [USING TAG 'tag'] IDENTIFIED BY keystore_password [WITH BACKUP [USING 'backup_identifier']] [CONTAINER = (ALL|CURRENT)]; |
Activating a master encryption key |
No |
ADMINISTER KEY MANAGEMENT USE KEY 'key_identifier' [USING TAG 'tag'] IDENTIFIED BY keystore_password [WITH BACKUP [USING 'backup_identifier']]; |
Creating custom tags for master encryption keys |
No |
ADMINISTER KEY MANAGEMENT SET TAG 'tag' FOR 'master_key_identifier' IDENTIFIED BY keystore_password [WITH BACKUP [USING 'backup_identifier']]; |
Exporting a master encryption key |
No |
ADMINISTER KEY MANAGEMENT EXPORT [ENCRYPTION] KEYS WITH SECRET "export_secret" TO 'file_path' IDENTIFIED BY keystoe_password [WITH IDENTIFIER IN 'key_id1', 'key_id2', 'key_idn' | (SQL_query)] |
Importing a master encryption key |
No |
ADMINISTER KEY MANAGEMENT IMPORT [ENCRYPTION] KEYS WITH SECRET "import_secret" | FROM 'file_name' IDENTIFIED BY keystore_password [WITH BACKUP [USING 'backup_identifier']]; |
Storing Oracle Database secrets in a keystore |
No |
For TDE wallets: ADMINISTER KEY MANAGEMENT ADD SECRET|UPDATE SECRET|DELETE SECRET "secret" FOR CLIENT 'client_identifier' [USING TAG'tag'] IDENTIFIED BY keystore_password [WITH BACKUP [USING 'backup_identifier']; For external keystores: ADMINISTER KEY MANAGEMENT ADD SECRET|UPDATE SECRET|DELETE SECRET "secret" FOR CLIENT 'client_identifier' [USING TAG 'tag'] IDENTIFIED BY "external_key_manager_password"; |
Parent topic: How Transparent Data Encryption Works with Editions
8.7 Configuring Transparent Data Encryption to Work in a Multidatabase Environment
Each Oracle database on the same server (such as databases sharing the same Oracle binary but using different data files) must access its own TDE keystore.
Keystores are not designed to be shared among databases. By design, there must be one keystore per database. You cannot use the same keystore for more than one database.
-
To configure the use of keystores in a multidatabase environment, use one of the following options:
-
Option 1: Specify the keystore location by individually setting the
WALLET_ROOT
static initialization parameter and theTDE_CONFIGURATION
dynamic initialization parameter (itsKEYSTORE_CONFIGURATION
attribute set toFILE
) for each CDB (or standalone database). You must set theKEYSTORE_CONFIGURATION
attribute toFILE
in order for theWALLET_ROOT
parameter to work.For example:
WALLET_ROOT = $ORACLE_BASE/admin/db_unique_name TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE"
-
Option 2: If
WALLET_ROOT
andTDE_CONFIGURATION
are not set, and if the databases share the same Oracle home, then ensure that theWALLET_LOCATION
andENCRYPTION_WALLET_LOCATION
parameters insqlnet.ora
are not set. By default,sqlnet.ora
is located in the$ORACLE_BASE/network/admin
directory (if$ORACLE_BASE
is set) or in the$ORACLE_HOME/network/admin
directory.This enables Oracle Database to use the keystore that is located in either the
$ORACLE_BASE/admin/db_unique_name/wallet
(assuming$ORACLE_BASE
is set) or the$ORACLE_HOME/admin/db_unique_name/wallet
directory. -
Option 3: If options 1 and 2 are not feasible, then use separate
sqlnet.ora
files, one for each database. Ensure that you correctly set theTNS_ADMIN
environment variable to point to the correct database configuration. However, be aware that theENCRYPTION_WALLET_LOCATION
parameter insqlnet.ora
is deprecated, starting with release 19c, in favor of theWALLET_ROOT
andTDE_CONFIGURATION
initialization parameters.
-
Caution:
Using a keystore from another database can cause partial or complete data loss.