Creating or Re-Creating Protected Database TDE Master Keys

This step creates or re-creates the TDE master keys that are used from that point forward to encrypt the data encryption keys (DEKs) used on protected databases.

Security policies specify the frequency or circumstances for the creation of new TDE master keys for protected databases. This operation is called "re-key", and is performed as user rasys in PL/SQL on the Recovery Appliance.

The following re-key options are available.

  • Re-key all protected databases.

    SQL> exec dbms_ra.key_rekey;

  • Re-key a specific protected database.

    SQL> exec dbms_ra.key_rekey (db_unique_name=>'< DB UNIQUE NAME >');

  • Re-key all protected databases for a specific protection policy.

    SQL> exec dbms_ra.key_rekey (protection_policy_name=>'< PROTECTION POLICY >');

Re-keying creates new TDE master keys that are used from that point in time forward. Re-keying does not affect the availability of older master keys in the keystore.
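
The following SQL*Plus script is an added example, not part of the original documentation and not Oracle's own code. It applies the per-policy re-key shown above to several protection policies in one run, continues past a failure, and exits with a non-zero status if any policy could not be re-keyed. It assumes that it is run as rasys; the policy names are constructed placeholders.

```sql
-- Added example. Run as rasys in SQL*Plus on the Recovery Appliance.
-- EXAMPLE_POLICY_A / EXAMPLE_POLICY_B are constructed placeholder names.
WHENEVER SQLERROR EXIT FAILURE
SET SERVEROUTPUT ON

DECLARE
  -- Protection policies whose databases are due for new TDE master keys.
  l_policies sys.odcivarchar2list :=
      sys.odcivarchar2list('EXAMPLE_POLICY_A', 'EXAMPLE_POLICY_B');
  l_failed   VARCHAR2(1000);   -- names of policies that could not be re-keyed
  l_stamp    VARCHAR2(30);
BEGIN
  FOR i IN 1 .. l_policies.COUNT LOOP
    l_stamp := TO_CHAR(SYSTIMESTAMP, 'YYYY-MM-DD"T"HH24:MI:SS');
    BEGIN
      dbms_ra.key_rekey(protection_policy_name => l_policies(i));
      dbms_output.put_line(l_stamp || ' re-key OK     policy=' ||
                           l_policies(i));
    EXCEPTION
      WHEN OTHERS THEN
        -- Keep going so one failing policy does not block the rest,
        -- but record the policy name and the Oracle error for the audit trail.
        l_failed := SUBSTR(l_failed || ' ' || l_policies(i), 1, 1000);
        dbms_output.put_line(l_stamp || ' re-key FAILED policy=' ||
                             l_policies(i) || ' ' || SQLERRM);
    END;
  END LOOP;

  IF l_failed IS NOT NULL THEN
    -- Surface the failure to the calling job: SQL*Plus exits non-zero,
    -- and the error text itself names the policies that still use old keys.
    raise_application_error(-20001,
      'TDE master key re-key failed for:' || l_failed);
  END IF;
END;
/
```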