Set the Software TDE Master Encryption Key
Once the keystore is open, you can set a TDE master encryption key for it. The TDE master encryption key is stored in the keystore. This key protects the TDE table keys and tablespace encryption keys. By default, the TDE master encryption key is a key that Transparent Data Encryption (TDE) generates.
In a multitenant environment, you can create and manage the TDE master encryption key from either the root or the PDB.
Ensure that the database OPEN_MODE is set as READ WRITE. To find the status for a non-multitenant environment, query the OPEN_MODE column of the V$DATABASE dynamic view. If you are using a multitenant environment, then query the V$PDBS view. (If you cannot access these views, then connect as SYSDBA and try the query again. To connect as SYSKM for this type of query, you must create a password file for it. See Oracle Database Administrator's Guide for more information.)
Perform the following steps to set the encryption key:
- Log in as SYSDBA, or as a user who has the ADMINISTER KEY MANAGEMENT or SYSKM privilege.
- Use the following commands to connect and set the encryption key:
CONN sys/password@serviceid AS SYSDBA
ADMINISTER KEY MANAGEMENT SET KEY [USING TAG 'tag'] IDENTIFIED BY password [WITH BACKUP [USING 'backup_identifier']] [CONTAINER = ALL | CURRENT];
tag
is the associated attributes and information that you define. Enclose this setting in single quotation marks (' ').

password
is the mandatory keystore password that you created when you created the keystore in Create the Software Keystore.

WITH BACKUP
creates a backup of the keystore. You must use this option for password-based keystores. Optionally, you can use the USING clause to add a brief description of the backup. Enclose this description in single quotation marks (' '). This identifier is appended to the named keystore file (for example, ewallet_time_stamp_emp_key_backup.p12, with emp_key_backup being the backup identifier). Follow the file naming conventions that your operating system uses.

CONTAINER
is for use in a multitenant environment. Enter ALL to set the key in all of the PDBs in this CDB, or CURRENT for the current PDB.

For example,
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY password WITH BACKUP USING 'emp_key_backup';
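The following is an added, end-to-end session that strings the steps above together with the checks a practitioner would run before and after setting the key. It is an example written for this page, not text from the Oracle documentation; the service name, the keystore password, the tag and the backup identifier are placeholders, and the V$ENCRYPTION_WALLET and V$ENCRYPTION_KEYS views used for verification are standard Oracle views that the page itself does not mention.

```sql
-- Added example (not from the original page). Placeholders:
--   orclpdb_service    service name of the database or PDB
--   keystore_password  the password chosen when the software keystore was created
--   hr_master_key_2024 / pre_hr_key_backup   an illustrative tag and backup identifier

-- 1. Connect with a privilege that permits ADMINISTER KEY MANAGEMENT.
CONN sys/sys_password@orclpdb_service AS SYSDBA

-- 2. The database (or PDB) must be open READ WRITE before the key can be set.
SELECT name, open_mode FROM v$database;        -- non-multitenant: expect READ WRITE
SELECT con_id, name, open_mode FROM v$pdbs;    -- multitenant: check the target PDB

-- 3. Confirm the keystore state. STATUS is OPEN_NO_MASTER_KEY for a keystore that
--    is open but has no TDE master encryption key yet, and OPEN once a key exists.
SELECT wrl_type, wrl_parameter, status, wallet_type FROM v$encryption_wallet;

--    Open the keystore first if it is still CLOSED.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY keystore_password;

-- 4. Set the TDE master encryption key. WITH BACKUP is mandatory for a
--    password-based keystore; the USING identifier is appended to the backup file name.
ADMINISTER KEY MANAGEMENT SET KEY
  USING TAG 'hr_master_key_2024'
  IDENTIFIED BY keystore_password
  WITH BACKUP USING 'pre_hr_key_backup';

--    Multitenant variant, run from the root, to set a key in the root and all PDBs:
--    ADMINISTER KEY MANAGEMENT SET KEY USING TAG 'hr_master_key_2024'
--      IDENTIFIED BY keystore_password WITH BACKUP USING 'pre_hr_key_backup'
--      CONTAINER = ALL;

-- 5. Verify: the keystore STATUS should now be OPEN and the new key should be
--    listed with the tag supplied above.
SELECT status FROM v$encryption_wallet;
SELECT key_id, tag, creation_time, keystore_type
  FROM v$encryption_keys
 ORDER BY creation_time DESC;
```

Keep the backup file that step 4 produces somewhere other than the keystore directory: if the keystore is lost after the key is set, encrypted tablespaces and columns cannot be read, so the backup is the recovery path rather than an optional extra.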