4 Configuring Isolated Mode
Isolated mode enables you to create a keystore for each pluggable database (PDB).
- About Configuring Isolated Mode: In isolated mode, where a pluggable database (PDB) has its own keystore and keystore password, you manage the keystore and its TDE master encryption keys from the PDB only.
- Operations That Are Allowed in Isolated Mode: You can perform many `ADMINISTER KEY MANAGEMENT` operations in isolated mode.
- Operations That Are Not Allowed in an Isolated Mode PDB: There are several `ADMINISTER KEY MANAGEMENT` operations that you cannot perform in an isolated mode PDB.
- Configuring the Keystore Location and Type for Isolated Mode: For isolated mode, you can configure the keystore location and type by using only parameters or a combination of parameters and the `ALTER SYSTEM` statement.
- Configuring a TDE Wallet and TDE Master Encryption Key in Isolated Mode: In isolated mode, the TDE wallet is associated with a PDB.
- Configuring a Container Database with Isolated Mode PDBs for Oracle Key Vault: Isolated PDBs have their own virtual wallet, with their own password, in Oracle Key Vault.
4.1 About Configuring Isolated Mode
In isolated mode, where a pluggable database (PDB) has its own keystore and keystore password, you manage the keystore and its TDE master encryption keys from the PDB only.
Similar to united mode, you must first configure a PDB to use isolated mode by setting the `WALLET_ROOT` and `TDE_CONFIGURATION` parameters. After you set these parameters, you can create and manage the keystore from the PDB. In this way, you can have the following scenario:
- United mode PDBs inherit the TDE configuration from the root container. For example, the keystore that you create in the CDB root is used by the root's associated united mode PDBs.
- PDBs that are configured in isolated mode independently create and manage their own keystore. An isolated mode PDB can have its own keystore, independent of the keystore of the CDB root.
This scenario is useful when many PDBs must use one type of keystore but a few PDBs must use a different type. "Different types of keystores" here means either a TDE wallet or one of the external keystores that Oracle supports (for example, Oracle Key Vault or Cloud Key Management Service). You cannot mix different external keystore types in one CDB environment, because the Oracle server can load only one PKCS#11 vendor library. If necessary, you can configure these PDBs in isolated mode so that each PDB can use its own keystore.
Note: Oracle Cloud Infrastructure (OCI) cloud tooling does not support isolated PDBs. This applies to Oracle Base Database Service (BaseDB), ExaDB-D, ExaDB-D@Azure, ExaDB-C@C, and ADB-C@C, even when Oracle Key Vault provides key management for those database deployments.
4.2 Operations That Are Allowed in Isolated Mode
You can perform many `ADMINISTER KEY MANAGEMENT` operations in isolated mode.
These operations include creating, backing up, opening, and closing keystores; changing keystore passwords and merging keystores; creating, activating, tagging, moving, exporting, importing, and migrating encryption keys; and adding, updating, and deleting client secrets.
Table 4-1 describes the `ADMINISTER KEY MANAGEMENT` operations that you can perform in an isolated mode PDB.
Table 4-1 ADMINISTER KEY MANAGEMENT Isolated Mode Operations
Operation | Syntax | Notes
---|---|---
Creating a keystore | `ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY isolated_PDB_keystore_password;` | You can create password-protected, local auto-login, and auto-login keystores in an isolated mode PDB.
Creating an auto-login keystore | `ADMINISTER KEY MANAGEMENT CREATE [LOCAL] AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY isolated_PDB_keystore_password;` | The isolated PDB derives the location of both the password-protected and the (local) auto-login wallet from `WALLET_ROOT` (`WALLET_ROOT/pdb_guid/tde`), so no location is specified.
Opening a keystore | `ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN [FORCE KEYSTORE] IDENTIFIED BY [EXTERNAL STORE \| isolated_PDB_keystore_password];` | The
Changing a keystore password | `ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD IDENTIFIED BY old_isolated_PDB_keystore_password SET new_isolated_PDB_keystore_password WITH BACKUP [USING 'backup_identifier'];` | -
Backing up a TDE wallet | `ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE [USING 'backup_identifier'] IDENTIFIED BY [EXTERNAL STORE \| TDE_wallet_password] [TO 'TDE_wallet_backup_location'];` | -
Merging the contents of one keystore into an existing keystore | `ADMINISTER KEY MANAGEMENT MERGE KEYSTORE 'keystore1_location' [IDENTIFIED BY TDE_wallet1_password] INTO EXISTING KEYSTORE 'keystore2_location' IDENTIFIED BY TDE_wallet2_password WITH BACKUP [USING 'backup_identifier'];` | -
Merging the contents of two keystores to create a third keystore | `ADMINISTER KEY MANAGEMENT MERGE KEYSTORE 'keystore1_location' [IDENTIFIED BY TDE_wallet1_password] AND KEYSTORE 'keystore2_location' [IDENTIFIED BY TDE_wallet2_password] INTO NEW KEYSTORE 'keystore3_location' IDENTIFIED BY TDE_wallet3_password;` | -
Closing a keystore | `ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE [IDENTIFIED BY [EXTERNAL STORE \| keystore_password]];` | -
Closing the keystore of the CDB root when a PDB in isolated mode has its keystore open | `ADMINISTER KEY MANAGEMENT FORCE KEYSTORE CLOSE [IDENTIFIED BY [EXTERNAL STORE \| keystore_password]];` | The
Creating and activating a new TDE master encryption key (rekeying) | `ADMINISTER KEY MANAGEMENT SET [ENCRYPTION] KEY [USING TAG 'tag_name'] [FORCE KEYSTORE] IDENTIFIED BY [EXTERNAL STORE \| keystore_password] WITH BACKUP [USING 'backup_identifier'];` | -
Creating a user-defined TDE master encryption key for either now (`SET`) or later use (`CREATE`) | `ADMINISTER KEY MANAGEMENT SET \| CREATE [ENCRYPTION] KEY 'mkid:mk \| mk' [USING ALGORITHM 'algorithm'] [FORCE KEYSTORE] [USING TAG 'tag_name'] IDENTIFIED BY [EXTERNAL STORE \| TDE_wallet_password] WITH BACKUP [USING 'backup_identifier'] [CONTAINER = CURRENT];` | -
Activating an existing TDE master encryption key | `ADMINISTER KEY MANAGEMENT USE [ENCRYPTION] KEY 'key_id' [USING TAG 'tag'] IDENTIFIED BY [EXTERNAL STORE \| keystore_password] WITH BACKUP [USING 'backup_identifier'];` | -
Tagging a TDE master encryption key | `ADMINISTER KEY MANAGEMENT SET TAG 'tag' FOR 'key_id' IDENTIFIED BY [EXTERNAL STORE \| keystore_password] WITH BACKUP [USING 'backup_identifier'];` | -
Exporting a TDE master encryption key | `ADMINISTER KEY MANAGEMENT EXPORT [ENCRYPTION] KEYS WITH SECRET secret TO 'filename' IDENTIFIED BY TDE_wallet_password [WITH IDENTIFIER IN { 'key_id' [, 'key_id' ]... \| ( subquery ) }];` | -
Importing a TDE master encryption key | `ADMINISTER KEY MANAGEMENT IMPORT [ENCRYPTION] KEYS WITH SECRET secret FROM 'filename' IDENTIFIED BY TDE_wallet_password WITH BACKUP [USING 'backup_identifier'];` | -
Migrating an encrypted database from a TDE wallet to Oracle Key Vault | `ADMINISTER KEY MANAGEMENT SET [ENCRYPTION] KEY IDENTIFIED BY Oracle_Key_Vault_password [FORCE KEYSTORE] MIGRATE USING TDE_wallet_password;` | -
Reverse-migrating an encrypted database from an external keystore to a TDE wallet | `ADMINISTER KEY MANAGEMENT SET [ENCRYPTION] KEY IDENTIFIED BY TDE_wallet_password REVERSE MIGRATE USING Oracle_Key_Vault_password;` | -
Adding a client secret | `ADMINISTER KEY MANAGEMENT ADD SECRET 'secret' FOR CLIENT 'client_identifier' [USING TAG 'tag_name'] IDENTIFIED BY [EXTERNAL STORE \| keystore_password] WITH BACKUP [USING 'backup_identifier'];` | -
Updating a client secret | `ADMINISTER KEY MANAGEMENT UPDATE SECRET 'secret' FOR CLIENT 'client_identifier' [USING TAG 'tag_name'] IDENTIFIED BY [EXTERNAL STORE \| keystore_password] WITH BACKUP [USING 'backup_identifier'];` | -
Deleting a client secret | `ADMINISTER KEY MANAGEMENT DELETE SECRET FOR CLIENT 'client_identifier' IDENTIFIED BY [EXTERNAL STORE \| keystore_password] WITH BACKUP [USING 'backup_identifier'];` | -
Isolating a PDB | `ADMINISTER KEY MANAGEMENT ISOLATE KEYSTORE IDENTIFIED BY isolated_keystore_password FROM ROOT KEYSTORE [FORCE KEYSTORE] IDENTIFIED BY [EXTERNAL STORE \| united_keystore_password] WITH BACKUP [USING backup_id];` | This operation performs two actions. First, it changes the
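The `ISOLATE KEYSTORE` row above is the statement that converts a united mode PDB into an isolated one. The following added example (not from the original page) shows a complete round trip for a PDB assumed to be named `hrpdb`: isolate it from the root wallet, confirm in `V$ENCRYPTION_WALLET` and `V$ENCRYPTION_KEYS` that the active key is now held by the PDB, and then unite it again. The PDB name, the passwords, the backup identifiers, and the exact `UNITE KEYSTORE` syntax are supplied here, not taken from the page.

```sql
-- Added example: isolate a united mode PDB, verify, then unite it again.
-- Assumes WALLET_ROOT is set in the CDB root, the root wallet exists, and
-- hrpdb currently inherits the root's TDE configuration (united mode).
-- PDB name, passwords and backup identifiers are placeholders.

-- 1. Work from inside the PDB that is to be isolated.
ALTER SESSION SET CONTAINER = hrpdb;

-- 2. Move hrpdb's TDE master encryption keys out of the root wallet into a
--    new password-protected wallet under WALLET_ROOT/<hrpdb_guid>/tde and
--    set TDE_CONFIGURATION for the PDB in the same step. WITH BACKUP copies
--    the root wallet first because keys are being removed from it.
--    FORCE KEYSTORE lets the statement use the root password even if the
--    root wallet is auto-login or currently closed.
ADMINISTER KEY MANAGEMENT ISOLATE KEYSTORE
  IDENTIFIED BY "HrPdb-Wallet-Pw#1"
  FROM ROOT KEYSTORE FORCE KEYSTORE IDENTIFIED BY "Root-Wallet-Pw#1"
  WITH BACKUP USING 'before_isolate_hrpdb';

-- 3. Check: KEYSTORE_MODE should be ISOLATED, STATUS OPEN, and
--    WRL_PARAMETER should be WALLET_ROOT/<hrpdb_guid>/tde.
SELECT con_id, wrl_type, wrl_parameter, status, wallet_type, keystore_mode
  FROM v$encryption_wallet;

-- 4. Check: the active key now belongs to this container (CON_ID is the
--    PDB's container id, not 1), and its keystore is the PDB's own wallet.
SELECT key_id, tag, activation_time, con_id, keystore_type
  FROM v$encryption_keys
 WHERE activation_time IS NOT NULL
 ORDER BY activation_time DESC;

-- 5. Reverse: move the keys back into the root wallet. Client secrets, if
--    any, stay behind in the PDB wallet (see 4.4.2), so back up and then
--    remove that wallet afterwards.
ADMINISTER KEY MANAGEMENT UNITE KEYSTORE
  IDENTIFIED BY "HrPdb-Wallet-Pw#1"
  WITH ROOT KEYSTORE FORCE KEYSTORE IDENTIFIED BY "Root-Wallet-Pw#1"
  WITH BACKUP USING 'before_unite_hrpdb';
```

Both statements remove keys from one keystore and add them to another, which is why each is run `WITH BACKUP`: if the destination wallet is later lost, the backup taken before the move is the only remaining copy of the key that wraps the PDB's tablespace and column keys.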
4.3 Operations That Are Not Allowed in an Isolated Mode PDB
There are several `ADMINISTER KEY MANAGEMENT` operations that you cannot perform in an isolated mode PDB.
These operations include the following:
- Using the `CONTAINER = ALL` clause to create a new TDE master encryption key for later use in each pluggable database (PDB)
- Moving encryption keys from the keystore of the CDB root into a keystore of a PDB that is configured in isolated mode
4.4 Configuring the Keystore Location and Type for Isolated Mode
For isolated mode, you can configure the keystore location and type by using only parameters or a combination of parameters and the `ALTER SYSTEM` statement.
- About Configuring the Keystore Location and Type for Isolated Mode: Configuring the `WALLET_ROOT` and `TDE_CONFIGURATION` parameters for the CDB environment is similar to the procedure used for united mode.
- Configuring the Keystore Location and Keystore Type for an Isolated Mode PDB: You can configure isolated mode by setting `WALLET_ROOT` in the initialization parameter file in the CDB root and `TDE_CONFIGURATION` in the PDB you want to isolate.
- Example: Restoring an Older Version of a Control File: You can set `TDE_CONFIGURATION` if you have an older version of a control file that must be restored and only a few PDBs were configured in isolated mode.
- Example: Addressing the Problem of a Lost Control File: You can address the problem of a lost control file by using the `ALTER SYSTEM` statement.
- Example: Configuring Isolated Mode in an Oracle Real Application Clusters Environment: You can use `ALTER SYSTEM` to configure isolated mode in an Oracle Real Application Clusters (Oracle RAC) environment.
4.4.1 About Configuring the Keystore Location and Type for Isolated Mode
Configuring the `WALLET_ROOT` and `TDE_CONFIGURATION` parameters for the CDB environment is similar to the procedure used for united mode.
The difference is that rather than using the `RESET` clause of the `ALTER SYSTEM` statement, you use the `SET` clause. You can perform the configuration by adding the `WALLET_ROOT` and `TDE_CONFIGURATION` parameters to the initialization parameter file. To configure a PDB in isolated mode, you must set a value for the `TDE_CONFIGURATION` parameter of the PDB, which you can do either by using the `ALTER SYSTEM` statement or by issuing the `ADMINISTER KEY MANAGEMENT ISOLATE KEYSTORE` statement. This section focuses on the use of the `ALTER SYSTEM` statement.
Depending on whether your system uses a pfile or an spfile, you must set the `SCOPE` clause of the `ALTER SYSTEM` statement appropriately when setting the value of the `TDE_CONFIGURATION` parameter for the PDB. The value of the `TDE_CONFIGURATION` parameter is a list of attribute-value pairs, and it is the value of the `KEYSTORE_CONFIGURATION` attribute that specifies the type of the keystore, as follows:
- `FILE` specifies a TDE wallet.
- `OKV` specifies Oracle Key Vault.
- `FILE|OKV` specifies that a reverse migration from the `OKV` keystore type to the `FILE` keystore type has occurred.
- `FILE|HSM` specifies that a reverse migration from the `HSM` keystore type to the `FILE` keystore type has occurred.
- `OKV|FILE` specifies that a migration from the `FILE` keystore type to the `OKV` keystore type has occurred. This keystore type has two meanings: either you are migrating from `FILE` to `OKV`, or the configuration started out as `OKV` but is now using an auto-login `OKV` configuration, where the `OKV` password resides in a `cwallet.sso` file in the `WALLET_ROOT/pdb_guid/tde` directory.
After you have used `ALTER SYSTEM` to configure the `TDE_CONFIGURATION` value for the selected PDB, that PDB is in isolated mode. The steps in this procedure explain in detail how to configure an individual PDB to be in isolated mode, using its own keystore type.
4.4.2 Configuring the Keystore Location and Keystore Type for an Isolated Mode PDB
You can configure isolated mode by setting `WALLET_ROOT` in the initialization parameter file in the CDB root and `TDE_CONFIGURATION` in the PDB you want to isolate.
If the `KEYSTORE_CONFIGURATION` attribute was set to `FILE` (meaning that the PDB is configured to use a TDE wallet), then the keystore location configured for the PDB is `WALLET_ROOT/PDB-GUID/tde`. If a keystore exists at that location and contains a TDE master encryption key, then that key is available only to this PDB, not to any other PDB. If no keystore exists at that location, you can now proceed to create a TDE wallet and set a TDE master encryption key. If you later decide that you want the isolated mode PDB to become a united mode PDB again, use the `ADMINISTER KEY MANAGEMENT UNITE KEYSTORE` statement. When you run `ADMINISTER KEY MANAGEMENT UNITE KEYSTORE`, it moves the keys from the PDB's keystore to the keystore of the CDB root, but it leaves any client secrets behind. So if there were no client secrets in the first place, it leaves the PDB's keystore essentially empty. That keystore can then be backed up and removed. Always back up keystores before you remove them, even empty keystores.
4.4.3 Example: Restoring an Older Version of a Control File
You can set `TDE_CONFIGURATION` if you have an older version of a control file that must be restored and only a few PDBs were configured in isolated mode.
When the CDB root and the PDB are both in the mount state, you can change the PDB's keystore configuration only from the CDB root.
1. Log in to the CDB root as a user who was granted the `SYSDBA` administrative privilege.
2. For each PDB that you want to change, use the following syntax:
       ALTER SYSTEM SET TDE_CONFIGURATION="CONTAINER=pdb_name;KEYSTORE_CONFIGURATION=keystore_type" SCOPE=memory;
   For example, for the `hrpdb` and `salespdb` PDBs using `FILE` (for TDE wallets) as the keystore type:
       ALTER SYSTEM SET TDE_CONFIGURATION="CONTAINER=hrpdb;KEYSTORE_CONFIGURATION=FILE" SCOPE=memory;
       ALTER SYSTEM SET TDE_CONFIGURATION="CONTAINER=salespdb;KEYSTORE_CONFIGURATION=FILE" SCOPE=memory;
3. After you set the `TDE_CONFIGURATION` parameter for each PDB, log in to the CDB root and then set `TDE_CONFIGURATION` for the CDB root itself:
       ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE";
   At this stage, the CDB root is in the mounted state. The value of the `TDE_CONFIGURATION` parameter that was set using `ALTER SYSTEM` with the `CONTAINER` attribute is present only in the memory of the CDB root. To ensure that the configuration is properly applied to each PDB, you must close and then reopen the PDB. When an isolated mode PDB is opened, the configuration set by the `ALTER SYSTEM` statement that was issued in the CDB root is read from the control file and then is automatically applied to the PDB.
4. Connect to each PDB, then close and reopen it:
       ALTER PLUGGABLE DATABASE pdb_name CLOSE IMMEDIATE;
       ALTER PLUGGABLE DATABASE pdb_name OPEN;
4.4.4 Example: Addressing the Problem of a Lost Control File
You can address the problem of a lost control file by using the `ALTER SYSTEM` statement.
Running these statements with `SCOPE` set to `memory` stores the `CONTAINER` value in memory. When you open the isolated PDB, this configuration is automatically applied to the PDB.
If you are using an Oracle Data Guard environment, then to correct the control file, run these statements on both the primary and the standby databases.
1. Log in to the CDB root as a user who was granted the `SYSDBA` administrative privilege.
2. If you are unsure of the exact state of the system, then run `ALTER SYSTEM` with `RESET`. For example:
       ALTER SYSTEM RESET TDE_CONFIGURATION SCOPE=memory;
3. For each PDB that you want to change, use the following syntax:
       ALTER SYSTEM SET TDE_CONFIGURATION="CONTAINER=pdb_name;KEYSTORE_CONFIGURATION=FILE" SCOPE=memory;
   For example, for the `hrpdb` and `salespdb` PDBs with `FILE` (for TDE wallets) as the keystore type:
       ALTER SYSTEM SET TDE_CONFIGURATION="CONTAINER=hrpdb;KEYSTORE_CONFIGURATION=FILE" SCOPE=memory;
       ALTER SYSTEM SET TDE_CONFIGURATION="CONTAINER=salespdb;KEYSTORE_CONFIGURATION=FILE" SCOPE=memory;
4. After you set the `TDE_CONFIGURATION` parameter for each PDB, log in to the CDB root and then set `TDE_CONFIGURATION` for the CDB root itself:
       ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE";
   At this stage, the CDB root is in the mounted state. The value of the `TDE_CONFIGURATION` parameter that was set using `ALTER SYSTEM` with the `CONTAINER` attribute is present only in the memory of the CDB root. To ensure that the configuration is properly applied to each PDB, you must close and then reopen the PDB. When an isolated mode PDB is opened, the configuration set by the `ALTER SYSTEM` statement that was issued in the CDB root is read from the control file and then is automatically applied to the PDB.
5. Connect to each PDB, then close and reopen it:
       ALTER PLUGGABLE DATABASE pdb_name CLOSE IMMEDIATE;
       ALTER PLUGGABLE DATABASE pdb_name OPEN;
4.4.5 Example: Configuring Isolated Mode in an Oracle Real Application Clusters Environment
You can use `ALTER SYSTEM` to configure isolated mode in an Oracle Real Application Clusters (Oracle RAC) environment.
- To ensure that the effect of the `ALTER SYSTEM` statement is applied on each Oracle RAC node, specify the wildcard (`*`) in the `SID` clause of the `ALTER SYSTEM` statement, as follows. You can run this statement from either the CDB root or a PDB.
      ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=keystore_type" SID='*';
4.5 Configuring a TDE Wallet and TDE Master Encryption Key in Isolated Mode
In isolated mode, the TDE wallet is associated with a PDB.
- About Configuring a TDE Wallet in Isolated Mode: You can create all types of TDE wallets in isolated mode: password-protected, password-protected with the credential provided from an external store, auto-login, and local auto-login.
- Step 1: Create a TDE Wallet in a PDB Configured in Isolated Mode: A password-protected TDE wallet requires a password to protect the keystore keys and credentials.
- Step 2: Open the TDE Wallet in an Isolated Mode PDB: To open a TDE wallet in isolated mode, you must use the `ADMINISTER KEY MANAGEMENT` statement with the `SET KEYSTORE OPEN` clause.
- Step 3: Set the TDE Master Encryption Key in the TDE Wallet of the Isolated Mode PDB: To set the TDE master encryption key in a TDE wallet in an isolated mode PDB, use the `ADMINISTER KEY MANAGEMENT` statement with the `SET KEY` clause.
- Step 4: Encrypt Your Data in Isolated Mode: Now that you have completed the configuration, you can begin to encrypt data in the PDB.
4.5.1 About Configuring a TDE Wallet in Isolated Mode
You can create all types of TDE wallets in isolated mode: password-protected, password-protected with the credential provided from an external store, auto-login, and local auto-login.
To enable encryption in the PDB after it is configured in isolated mode with the `KEYSTORE_CONFIGURATION` attribute set to `FILE` (that is, to use a TDE wallet), you must create a TDE wallet, open the TDE wallet, and then set a TDE master encryption key in the TDE wallet. Afterward, you can begin to encrypt data for tables and tablespaces that will be accessible in the PDB.
In a multitenant environment, you can create a secure external store to hold the credentials of the TDE wallet. This feature enables you to hide the keystore password: it removes the need to store the wallet password in any script or tool that accesses the database without user intervention, such as an overnight batch script. When the `WALLET_ROOT` parameter is specified, the location of the external store for the CDB root is `WALLET_ROOT/tde_seps` and for the PDB it is `WALLET_ROOT/pdb_guid/tde_seps`. With `WALLET_ROOT` set there is no longer a single central external store, so when a keystore password is updated, the corresponding external store must be updated as well. When the `WALLET_ROOT` parameter is not specified, the location of the external store is the same for the CDB root and for every PDB, and it must be set by the `EXTERNAL_KEYSTORE_CREDENTIAL_LOCATION` initialization parameter. In that case there is a single central external store, so when you update the keystore password, only the central external store at `EXTERNAL_KEYSTORE_CREDENTIAL_LOCATION` must be updated.
In a multitenant environment, different PDBs can access this external store location when you run the `ADMINISTER KEY MANAGEMENT` statement using the `IDENTIFIED BY EXTERNAL STORE` clause. This way, you can centrally locate the password and then update it only once in the external store.
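One way to set up the per-PDB external store described above, as an added example rather than text from the original page. It assumes `WALLET_ROOT` is `/u01/app/oracle/admin/cdb1/wallet`, a PDB named `hrpdb` that already has a password-protected wallet, and placeholder passwords; `<hrpdb_guid>` stands for the GUID returned by the query. The client name `TDE_WALLET` is the one the `IDENTIFIED BY EXTERNAL STORE` lookup uses for a TDE wallet password.

```sql
-- Added example: hide the isolated PDB's wallet password in a secure
-- external store (tde_seps) so batch jobs can open the wallet without a
-- clear-text password in their scripts. Paths, GUID and passwords are
-- placeholders; WALLET_ROOT is assumed to be set.

ALTER SESSION SET CONTAINER = hrpdb;

-- The external store for this PDB must be WALLET_ROOT/<guid>/tde_seps.
-- Look up the GUID, then create that directory on the database host with
-- the same owner and mode (0700) as the neighbouring tde directory.
SELECT guid FROM v$pdbs WHERE name = 'HRPDB';

-- Store the wallet password as a client secret in a LOCAL auto-login
-- wallet at the tde_seps location.
ADMINISTER KEY MANAGEMENT ADD SECRET 'HrPdb-Wallet-Pw#1'
  FOR CLIENT 'TDE_WALLET'
  TO LOCAL AUTO_LOGIN KEYSTORE
     '/u01/app/oracle/admin/cdb1/wallet/<hrpdb_guid>/tde_seps';

-- From now on the password need not appear in scripts: the database reads
-- it from the external store.
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY EXTERNAL STORE;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN  IDENTIFIED BY EXTERNAL STORE;

-- Rotating the wallet password. Because WALLET_ROOT is set there is one
-- external store per PDB, so the stored secret must be updated in the same
-- change window or the next EXTERNAL STORE open fails.
ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD
  IDENTIFIED BY "HrPdb-Wallet-Pw#1" SET "HrPdb-Wallet-Pw#2"
  WITH BACKUP USING 'before_pw_change';
ADMINISTER KEY MANAGEMENT UPDATE SECRET 'HrPdb-Wallet-Pw#2'
  FOR CLIENT 'TDE_WALLET'
  TO LOCAL AUTO_LOGIN KEYSTORE
     '/u01/app/oracle/admin/cdb1/wallet/<hrpdb_guid>/tde_seps';
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY EXTERNAL STORE;
```

A local auto-login wallet is tied to the host on which it was created, so a copy of `tde_seps` taken to another machine cannot be used to recover the password; that is why `LOCAL` is preferred over a plain auto-login wallet here. The file permissions on `tde_seps` matter as much as those on `tde`: any OS account that can read its `cwallet.sso` on the original host can open the TDE wallet.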
4.5.2 Step 1: Create a TDE Wallet in a PDB Configured in Isolated Mode
A password-protected TDE wallet requires a password to protect the keystore keys and credentials.
After you create the wallet, the `ewallet.p12` file, which is the TDE wallet, appears in the TDE wallet location.
4.5.3 Step 2: Open the TDE Wallet in an Isolated Mode PDB
To open a TDE wallet in isolated mode, you must use the `ADMINISTER KEY MANAGEMENT` statement with the `SET KEYSTORE OPEN` clause.
4.5.4 Step 3: Set the TDE Master Encryption Key in the TDE Wallet of the Isolated Mode PDB
To set the TDE master encryption key in a TDE wallet in an isolated mode PDB, use the `ADMINISTER KEY MANAGEMENT` statement with the `SET KEY` clause.
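A complete run of the configuration in 4.4.2 followed by Steps 1 to 3 above, as an added example that is not part of the original page. It assumes a `WALLET_ROOT` of `/u01/app/oracle/admin/cdb1/wallet`, a PDB named `hrpdb`, a placeholder wallet password and key tag, and a CDB that uses an spfile (so `SCOPE=BOTH` persists the PDB setting).

```sql
-- Added example: configure hrpdb in isolated mode with a TDE wallet and set
-- its first TDE master encryption key. Path, PDB name, password and tag are
-- placeholders. The CDB must be restarted after WALLET_ROOT is set.

-- In the CDB root: WALLET_ROOT is a static parameter.
ALTER SYSTEM SET WALLET_ROOT = '/u01/app/oracle/admin/cdb1/wallet' SCOPE = SPFILE;
-- SHUTDOWN IMMEDIATE; STARTUP;   (restart so WALLET_ROOT takes effect)

-- The root keeps its own configuration; this statement isolates nothing.
ALTER SYSTEM SET TDE_CONFIGURATION = "KEYSTORE_CONFIGURATION=FILE" SCOPE = BOTH;

-- In the PDB to isolate: setting TDE_CONFIGURATION here, with SET rather
-- than RESET (4.4.1), is what puts the PDB in isolated mode.
ALTER SESSION SET CONTAINER = hrpdb;
ALTER SYSTEM SET TDE_CONFIGURATION = "KEYSTORE_CONFIGURATION=FILE" SCOPE = BOTH;

-- The wallet directory is WALLET_ROOT/<guid>/tde. If it does not already
-- exist, create it on the host owned by the Oracle software owner with
-- mode 0700 before CREATE KEYSTORE.
SELECT guid FROM v$pdbs WHERE name = 'HRPDB';

-- Step 1: create a password-protected wallet (ewallet.p12). No location is
-- given; the PDB derives it from WALLET_ROOT.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "HrPdb-Wallet-Pw#1";

-- Step 2: open it.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "HrPdb-Wallet-Pw#1";

-- Step 3: create and activate the first master key. WITH BACKUP copies
-- ewallet.p12 before it is modified.
ADMINISTER KEY MANAGEMENT SET KEY
  USING TAG 'hrpdb-initial'
  IDENTIFIED BY "HrPdb-Wallet-Pw#1"
  WITH BACKUP USING 'hrpdb_initial_key';

-- Checks: STATUS OPEN, KEYSTORE_MODE ISOLATED, WRL_PARAMETER under
-- WALLET_ROOT/<guid>/tde, and an activated key owned by this container.
SELECT wrl_parameter, status, wallet_type, keystore_mode
  FROM v$encryption_wallet;
SELECT key_id, tag, activation_time, con_id
  FROM v$encryption_keys
 WHERE activation_time IS NOT NULL
 ORDER BY activation_time DESC;

-- Step 4 is ordinary DDL in the PDB, for example an encrypted tablespace:
CREATE TABLESPACE hr_enc DATAFILE SIZE 100M ENCRYPTION USING 'AES256' ENCRYPT;
```

If `V$ENCRYPTION_WALLET` still reports `KEYSTORE_MODE = UNITED` after the `ALTER SYSTEM` in the PDB, the PDB is reading the root's configuration; re-check that the statement was issued while connected to the PDB and not to the root.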
4.6 Configuring a Container Database with Isolated Mode PDBs for Oracle Key Vault
Isolated PDBs have their own virtual wallet, with their own password, in Oracle Key Vault.
- About Configuring an External Keystore in Isolated Mode: You can configure an external keystore for a PDB when the PDB is configured in isolated mode.
- Step 1: Configure Isolated PDBs for Oracle Key Vault: You can configure isolated mode PDBs for Oracle Key Vault by setting the `TDE_CONFIGURATION` parameter.
- Step 2: Open the Isolated Mode PDB External Keystore: If the isolated PDB does not have an auto-open connection into the external keystore, then you must open it manually before you open the PDB.
- Step 3: Set the First TDE Master Encryption Key in the External Keystore: After you have opened the external keystore in an isolated mode PDB, you are ready to set the TDE master encryption key for the PDB.
- Step 4: Encrypt Your Data in Isolated Mode: Now that you have completed the keystore configuration and the PDB is configured in isolated mode, you can begin to encrypt data in the PDB.
4.6.1 About Configuring an External Keystore in Isolated Mode
You can configure an external keystore for a PDB when the PDB is configured in isolated mode.
To configure an external keystore for a PDB in isolated mode, you first must set the `WALLET_ROOT` parameter. This is necessary for two reasons: first, to support migrating to a TDE wallet in the future, and second, because the configuration file for Oracle Key Vault is retrieved from a location under `WALLET_ROOT`. Afterwards, you must set the `KEYSTORE_CONFIGURATION` attribute of the `TDE_CONFIGURATION` parameter to `OKV`, open the configured external keystore, and then set the TDE master encryption key for the PDB. After you complete these tasks, you can begin to encrypt data in your database.
How you specify the `IDENTIFIED BY` clause when you run the `ADMINISTER KEY MANAGEMENT` statement depends on the type of external keystore. Use the following syntax:
    IDENTIFIED BY EXTERNAL STORE|Oracle_Key_Vault_password
Enter the Oracle Key Vault password that was given during the Oracle Key Vault client installation. If no password was given at that time, then the password in the `ADMINISTER KEY MANAGEMENT` statement becomes `NULL`.
4.6.2 Step 1: Configure Isolated PDBs for Oracle Key Vault
You can configure isolated mode PDBs for Oracle Key Vault by setting the `TDE_CONFIGURATION` parameter.
4.6.3 Step 2: Open the Isolated Mode PDB External Keystore
If the isolated PDB does not have an auto-open connection into the external keystore, then you must open it manually before you open the PDB.
4.6.4 Step 3: Set the First TDE Master Encryption Key in the External Keystore
After you have opened the external keystore in an isolated mode PDB, you are ready to set the TDE master encryption key for the PDB.
- Setting the TDE Master Encryption Key in the Isolated Mode External Keystore: You should complete this procedure if you have not previously configured an external keystore for Transparent Data Encryption.
- Migration of a Previously Configured Encryption Key in Isolated Mode: You must migrate the previously configured master encryption key if you previously configured a TDE wallet.
4.6.4.1 Setting the TDE Master Encryption Key in the Isolated Mode External Keystore
You should complete this procedure if you have not previously configured an external keystore for Transparent Data Encryption.
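The Oracle Key Vault steps in 4.6.2 through 4.6.4, carried through as an added example that is not from the original page. It assumes a PDB named `hrpdb`, that `WALLET_ROOT` is set and the Oracle Key Vault endpoint software has been installed for this PDB so that its `okvclient.ora` is found under `WALLET_ROOT/<guid>/okv` (the exact subdirectory is an assumption; the page says only that the file is retrieved from under `WALLET_ROOT`), and placeholder passwords. Variant A is for a PDB that has never been encrypted; Variant B is for a PDB that already has a TDE wallet and must migrate. Run one variant, not both.

```sql
-- Added example: point an isolated PDB at Oracle Key Vault and set or
-- migrate its TDE master encryption key. Names and passwords are
-- placeholders; the endpoint password is the one chosen when the Oracle
-- Key Vault client was installed for this PDB.

ALTER SESSION SET CONTAINER = hrpdb;

-- ===== Variant A: the PDB has never been encrypted =====

-- Step 1: keystore type OKV. Setting TDE_CONFIGURATION in the PDB also
-- puts it in isolated mode if it was united.
ALTER SYSTEM SET TDE_CONFIGURATION = "KEYSTORE_CONFIGURATION=OKV" SCOPE = BOTH;

-- Step 2: open the external keystore with the endpoint password.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Okv-Endpoint-Pw#1";

-- Step 3: create the first master key directly in Key Vault. There is no
-- WITH BACKUP: the key material is in Key Vault, not in a local file.
ADMINISTER KEY MANAGEMENT SET KEY
  USING TAG 'hrpdb-okv-initial'
  IDENTIFIED BY "Okv-Endpoint-Pw#1";

-- ===== Variant B: the PDB already has a TDE wallet (migration) =====

-- Step 1: OKV|FILE marks a migration from FILE to OKV (see 4.4.1).
ALTER SYSTEM SET TDE_CONFIGURATION = "KEYSTORE_CONFIGURATION=OKV|FILE" SCOPE = BOTH;

-- Step 2: open the external keystore.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Okv-Endpoint-Pw#1";

-- Step 3: create a new master key in Key Vault and re-wrap every existing
-- tablespace and column key with it; the wallet password proves access
-- to the keys being migrated.
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "Okv-Endpoint-Pw#1"
  FORCE KEYSTORE
  MIGRATE USING "HrPdb-Wallet-Pw#1";

-- ===== Checks for either variant =====
-- Expect WRL_TYPE = OKV, STATUS = OPEN, KEYSTORE_MODE = ISOLATED. After a
-- migration the FILE wallet still appears as a second row; keep it backed
-- up until every datafile has been re-wrapped and verified.
SELECT con_id, wrl_type, wrl_parameter, status, wallet_type, keystore_mode
  FROM v$encryption_wallet;

-- The active key should report the external keystore as its origin.
SELECT key_id, tag, activation_time, keystore_type
  FROM v$encryption_keys
 WHERE activation_time IS NOT NULL
 ORDER BY activation_time DESC;
```

Because an isolated PDB has its own virtual wallet in Oracle Key Vault, each PDB's endpoint password is distinct from the root's; a compromise of one PDB's endpoint credentials does not yield the keys of the root or of other PDBs, which is the main security argument for isolated mode with an external keystore.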