C.1 Error: ORA-28374: Typed Master Key Not Found

Missing or incorrect keys can cause the database to raise error ORA-28374: typed master key not found in wallet. Because master keys are required to access an encrypted tablespace or redo logs, any missing master key can impact database availability.

Complete the following steps to resolve this error.

  1. Identify the missing key:
    • In non-RAC databases run the following command:
      select MASTERKEYID as REQUIRED_KEYS
        from v$encrypted_tablespaces
      MINUS
      select HEXTORAW(substr(utl_encode.base64_decode(utl_raw.cast_to_raw(enckeys.key_id)), 3, 32)) as AVAILABLE_KEYS
        from v$encryption_keys enckeys;
    • In RAC databases run the following command:
      select inst_id, MASTERKEYID as REQUIRED_KEYS
        from gv$encrypted_tablespaces
      MINUS
      select inst_id, HEXTORAW(substr(utl_encode.base64_decode(utl_raw.cast_to_raw(enckeys.key_id)), 3, 32)) as AVAILABLE_KEYS
        from gv$encryption_keys enckeys;
    The output will look similar to:
    REQUIRED_KEYS
    --------------------------------
    4859998402964F35BFF830640BE7E384 

    This shows the key ID of the missing key. If no rows are returned, the database has all required keys.

  2. Identify the wallet path where the TDE keys are stored.
    select WRL_TYPE, WRL_PARAMETER from v$encryption_wallet;
    The output will look similar to:
    WRL_TYPE  WRL_PARAMETER
    --------------------------------------------------
    FILE.     /scratch/user/master23ai/tde/
  3. Run the orapki utility against all current and backed-up wallets to check for the missing key.
    orapki wallet display -wallet <wallet-file>

    The <wallet-file> will be the result of the command from the previous step.

    You should run this command for both the .sso and .p12 files.

    For example, /scratch/user/master23ai/tde/ewallet.p12, /scratch/user/master23ai/tde/cwallet.sso, and /scratch/user/master23aibkp/ewallet_2025032607100793.p12 (the backup file) should all be checked.

    The output will look similar to:
    orapki wallet display -wallet /scratch/user/master23aibkp/ewallet_2025032607100793.p12
    Oracle PKI Tool Release 23.0.0.0.0 - Production
    Version 23.0.0.0.0
    Copyright (c) 2004, 2025, Oracle and/or its affiliates. All rights reserved.
    
    Enter wallet password:
    Requested Certificates:
    Subject:        CN=oracle
    User Certificates:
    Oracle Secret Store entries:
    ORACLE.SECURITY.DB.ENCRYPTION.AUhZmYQClk81v/gwZAvn44QAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    ORACLE.SECURITY.ID.ENCRYPTION.
    ORACLE.SECURITY.KB.ENCRYPTION.
    ORACLE.SECURITY.KM.ENCRYPTION.AUhZmYQClk81v/gwZAvn44QAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    Trusted Certificates:
    
  4. Convert the missing key from step 1 to base 64 form.
    select
    utl_raw.cast_to_varchar2(utl_encode.base64_encode('01'||substr('<key from step 1>',1,4)))||
    utl_raw.cast_to_varchar2(utl_encode.base64_encode(substr('<key from step 1>',5,length('<key from step 1>')))) masterkeyid_base64
    FROM dual;
    The output will be similar to:
    MASTERKEYID_BASE64
    --------------------------------------------------------------------------------
    AUhZmYQClk81v/gwZAvn44Q=
  5. Compare the output from step 4 to that from the Oracle Secret Store entries: section of the output of step 3 to identify which file is missing the key.

    In this example, the missing key is in one of the ewallet_2025032607100793.p12 backup files.

  6. Take a backup of the current ewallet.p12 and cwallet.sso before modifying them.
  7. Merge the missing key into the current keystore.
    ADMINISTER KEY MANAGEMENT MERGE KEYSTORE '<keystore_location1>' [IDENTIFIED BY
            <keystore1_password>] INTO EXISTING KEYSTORE '<keystore_location2>' IDENTIFIED BY
            <keystore2_password> WITH BACKUP [USING '<backup_identifier>'];
  8. Run the orapki utility to check that the merge was successful.
    orapki wallet display -wallet <wallet-file>
    If your wallet is stored in an ASM file system, you cannot use the orapki or mkstore utilities directly. Instead, create a temporary wallet in a non-ASM location and then use orapki to display the wallet contents.
    1. Create a keystore locally:
      ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '<non_ASM_keystore_location>' IDENTIFIED BY <new_keystore_password>;
    2. Use the ADMINISTER KEY MANAGEMENT MERGE KEYSTORE command to copy the wallets from the ASM path into the local keystore, and then verify the wallets using orapki or mkstore:
      ADMINISTER KEY MANAGEMENT MERGE KEYSTORE '<keystore1_location>' [IDENTIFIED BY <software_keystore1_password>] INTO NEW KEYSTORE '<non_ASM_keystore_location>' IDENTIFIED BY <new_keystore_password> WITH BACKUP [USING '<backup_identifier>'];
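
The comparison in steps 3 to 5 can also be scripted against saved orapki output when several wallets and backups have to be checked. The following Python sketch is an added example, not part of the original procedure; the function names are hypothetical, and it assumes (from the sample output in step 3) that a Secret Store entry name begins with the step 4 value once the trailing = padding is dropped.

```python
import base64

# Secret Store lines from the sample orapki output in step 3 (copied from the page).
SAMPLE_ORAPKI_OUTPUT = """\
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.AUhZmYQClk81v/gwZAvn44QAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.ID.ENCRYPTION.
ORACLE.SECURITY.KB.ENCRYPTION.
ORACLE.SECURITY.KM.ENCRYPTION.AUhZmYQClk81v/gwZAvn44QAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Trusted Certificates:
"""

def masterkeyid_base64(key_hex):
    """Step 4 in Python: base64(0x01 + first 2 bytes) || base64(remaining bytes)."""
    raw = bytes.fromhex(key_hex.strip())
    if len(raw) != 16:
        raise ValueError("MASTERKEYID must be 32 hex digits")
    head = base64.b64encode(b"\x01" + raw[:2]).decode()
    tail = base64.b64encode(raw[2:]).decode()
    return head + tail

def wallet_entries_for_key(orapki_output, key_hex):
    """Step 5: return the Secret Store entries that carry the given key ID."""
    # Assumption from the sample output: the entry name holds a longer base64
    # string that begins with the step 4 value, so '=' padding is dropped first.
    needle = masterkeyid_base64(key_hex).rstrip("=")
    hits = []
    for line in orapki_output.splitlines():
        name, sep, key_id = line.strip().partition(".ENCRYPTION.")
        if sep and name.startswith("ORACLE.SECURITY.") and key_id.startswith(needle):
            hits.append(line.strip())
    return hits

if __name__ == "__main__":
    missing = "4859998402964F35BFF830640BE7E384"  # REQUIRED_KEYS value from step 1
    print(masterkeyid_base64(missing))
    for entry in wallet_entries_for_key(SAMPLE_ORAPKI_OUTPUT, missing):
        print("found:", entry)
```

Run it once per wallet file, feeding it the saved orapki output for that file; an empty result means that wallet does not hold the key.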