Encryption at Rest

Options

ttAdmin has these options for encryption at rest of checkpoint and transaction log files:

Option Description

-connStr connection_string

An ODBC connection string that specifies a database location, driver, and optionally other connection attribute settings.

DSN

An ODBC data source name of the database to be administered.

-rekey [-encrAlg algorithm]

On an encrypted database, rotates the master and data encryption keys used to encrypt the checkpoint and transaction log files. Re-encrypts the database files using the new randomly-generated keys.

On an unencrypted database, creates master and data encryption keys to encrypt the checkpoint and transaction log files. Encrypts the database files using the new randomly-generated keys.

The -encrAlg option defines the AES encryption algorithm for the encryption keys. This option is required if:

  • You want the database files encrypted with an encryption algorithm different from the one in use.

  • You want to encrypt an unencrypted database.

Valid values for the -encrAlg option are:

  • AES128
  • AES192
  • AES256

See Re-Keying an Encrypted Database in Oracle TimesTen In-Memory Database Security Guide.

Examples

The database1 encrypted database needs its master and data encryption keys rotated. Use the following ttAdmin command to rotate the encryption keys for database1 and re-encrypt the checkpoint and transaction log files.

% ttAdmin -rekey database1

You can also use the -encrAlg option to change the encryption algorithm used for the database.

% ttAdmin -rekey -encrAlg AES256 database1

Notes

To rotate the encryption keys, the database must be loaded into memory.

To encrypt an existing database for the first time, it is not necessary to define the DbEncrypted and DbKeyWallet data store attributes for the database in the odbc.ini file. Run the ttAdmin utility with the -rekey and -encrAlg options to encrypt the database.

Encryption attempts for an unencrypted database fail if the replication agent is running. See Replicating an Encrypted Database in Oracle TimesTen In-Memory Database Security Guide.
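
A pre-flight check that applies the option rules and notes above before building the ttAdmin -rekey command line, as an added example that is not part of the Oracle documentation. The function name rekey_cmd, its yes/no state arguments, the return codes and the DSN character check are assumptions of this sketch; the caller supplies the database state.

```shell
#!/bin/sh
# Added example (not Oracle code). Usage:
#   rekey_cmd DSN ENCRYPTED LOADED REPAGENT_RUNNING [ALGORITHM]
# The three state arguments are "yes" or "no" and come from the caller.
# Prints the ttAdmin command on stdout; on refusal prints a reason on stderr.
rekey_cmd() {
    dsn=$1 encrypted=$2 loaded=$3 repagent=$4 alg=${5:-}

    for flag in "$encrypted" "$loaded" "$repagent"; do
        case $flag in
            yes|no) ;;
            *) echo "rekey: state arguments must be yes or no" >&2; return 2 ;;
        esac
    done

    # Assumption of this sketch: keep the DSN from being read as an option.
    case $dsn in
        ''|-*|*[!A-Za-z0-9_.-]*) echo "rekey: invalid DSN" >&2; return 2 ;;
    esac

    # Only the three values the page lists are accepted.
    case $alg in
        ''|AES128|AES192|AES256) ;;
        *) echo "rekey: -encrAlg must be AES128, AES192 or AES256" >&2; return 2 ;;
    esac

    if [ "$encrypted" = no ]; then
        # First-time encryption: the algorithm is mandatory and the
        # replication agent must not be running.
        [ -n "$alg" ] || { echo "rekey: -encrAlg is required to encrypt an unencrypted database" >&2; return 3; }
        [ "$repagent" = no ] || { echo "rekey: encryption fails while the replication agent is running" >&2; return 4; }
    else
        # Key rotation: the database must be loaded into memory.
        [ "$loaded" = yes ] || { echo "rekey: load the database into memory before rotating keys" >&2; return 5; }
    fi

    if [ -n "$alg" ]; then
        printf 'ttAdmin -rekey -encrAlg %s %s\n' "$alg" "$dsn"
    else
        printf 'ttAdmin -rekey %s\n' "$dsn"
    fi
}
```

The function only prints the command so that it can be reviewed or logged before it is run.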