Encrypt the Data in the Source Database

Transparent Data Encryption (TDE) transparently encrypts data at rest in an Oracle Database. It stops unauthorized attempts from the operating system to access database data stored in files, without impacting how applications access the data using SQL. TDE is fully integrated with Oracle Database and can encrypt entire database backups (RMAN), Data Pump exports, entire application tablespaces, or specific sensitive columns. Encrypted data remains encrypted in the database, whether it is in tablespace storage files, temporary tablespaces, undo tablespaces, or other files such as redo logs.

For disaster recovery, the password in your on-premises and Oracle Cloud Infrastructure instances must be the same. If they are not, use the sqlplus command to update the password.

Determine if TDE is Enabled on the Source Database

When Transparent Data Encryption (TDE) isn't enabled on your source database, data is not encrypted when you migrate the database to Oracle Cloud Infrastructure (OCI) or during disaster recovery. You'll need to manually encrypt the unencrypted data. Once in OCI, any new data is automatically encrypted.

1. Determine if the tablespace is encrypted.

   SQL> select tablespace_name, encrypted from dba_tablespaces;

   When the tablespace is not encrypted, the output will look similar to the following:

   TABLESPACE_NAME 	       		ENC
   ------------------------------ ---
   SYSTEM                          NO
   SYSAUX                          NO
   UNDOTBS1                        NO
   TEMP                            NO
   USERS			      NO

2. Find the associated database data files (.dbf ) on the filesystem.

   SQL> select TABLESPACE_NAME, FILE_NAME from dba_data_files;

   The output will look similar to the following:

   TABLESPACE_NAME
   ------------------------------
   FILE_NAME
   
   SYSTEM
   /opt/oracle/oradata/ORCLCDB/system01.dbf
   
   SYSAUX
   /opt/oracle/oradata/ORCLCDB/sysaux01.dbf
   
   UNDOTBS1
   /opt/oracle/oradata/ORCLCDB/undotbs01.dbf
   
   USERS
   /opt/oracle/oradata/ORCLCDB/users01.dbf

Enable TDE Encryption on the Source Database

Transparent Data Encryption (TDE) enables you to encrypt sensitive data that's stored in tables and tablespaces. Encrypted data is transparently decrypted for a database user or application that has access to data.

1. Go to the $ORACLE_BASE directory in your source database.

   bash-4.2$ pwd
   /opt/oracle/admin/ORCLCDB

2. Create a directory called wallet.

   $ mkdir wallet

3. Create the wallet, along with a secure password that uses a mix of alphanumeric characters.
   This step creates and opens the wallet. After the database is opened, the wallet remains open until either the wallet is explicitly closed or the database is shut down, at which time the wallet automatically closes.

   SQL> alter system set encryption key identified by "wallet_password";

4. Reopen a closed wallet after the database is restarted.

   SQL> alter system set wallet open identified by "wallet_password";

5. Encrypt the tablespace.
   The following code uses AES-128 encryption.

   alter tablespace system encryption online using 'aes128' encrypt file_name_convert=('/opt/oracle/oradata/ORCLCDB/system01.dbf','/opt/oracle/oradata/ORCLCDB/system01_enc.dbf');
   
   alter tablespace sysaux encryption online using 'aes128' encrypt file_name_convert=('/opt/oracle/oradata/ORCLCDB/sysaux01.dbf','/opt/oracle/oradata/ORCLCDB/sysaux01_enc.dbf');
   
   alter tablespace undotbs1 encryption online using 'aes128' encrypt file_name_convert=('/opt/oracle/oradata/ORCLCDB/undotbs01.dbf','/opt/oracle/oradata/ORCLCDB/undotbs01_enc.dbf');
   
   alter tablespace users encryption online using 'aes128' encrypt file_name_convert=('/opt/oracle/oradata/ORCLCDB/users01.dbf','/opt/oracle/oradata/ORCLCDB/users01_enc.dbf');
   

6. Verify that the tablespace is encrypted.

   SQL> select tablespace_name, encrypted from dba_tablespaces;

   The output will look similar to the following:

   TABLESPACE_NAME 	       ENC
   ------------------------------ ---
   SYSTEM			    YES
   SYSAUX			    YES
   UNDOTBS1                       YES
   TEMP			      NO
   USERS			     YES

7. Verify that the associated database data files (.dbf ) on the filesystem are encrypted.

   SQL> select TABLESPACE_NAME, FILE_NAME from dba_data_files;

   The output will look similar to the following:

   TABLESPACE_NAME
   ------------------------------
   FILE_NAME
   
   SYSTEM
   /opt/oracle/oradata/ORCLCDB/system01_enc.dbf
   
   SYSAUX
   /opt/oracle/oradata/ORCLCDB/sysaux01_enc.dbf
   
   UNDOTBS1
   /opt/oracle/oradata/ORCLCDB/undotbs01_enc.dbf
   
   USERS
   /opt/oracle/oradata/ORCLCDB/users01_enc.dbf

Create a Wallet on the Source Database

Create a wallet, along with a secure password.

1. Run the following commands on Node 1 of the primary, on-premises database to create the wallet:

   SQL>
           ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/admin/db1/wallet/' IDENTIFIED BY
           "wallet-password";

   ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE
           '/u01/app/oracle/admin/db1/wallet/' IDENTIFIED BY "wallet-password";

   SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE
           OPEN IDENTIFIED BY "wallet-password";

   SQL> ADMINISTER KEY MANAGEMENT SET
           KEY USING TAG 'master_key' IDENTIFIED BY "wallet-password” WITH BACKUP USING
           'masterbackup';

   SQL> SELECT KEY_ID,creation_time,activation_time,tag FROM V$ENCRYPTION_KEYS;

2. Display the encryption wallet parameters.

   SQL> select * from v$encryption_wallet;

   The output should be similar to the following:

   WRL_TYPE
   --------------------
   WRL_PARAMETER
   --------------------------------------------------------------------------------
   STATUS       WALLET_TYPE    WALLET_OR KEYSTORE 
   FULLY_BAC
   ------------------------------ -------------------- --------- --------  ---------
       CON_ID
   ----------
   FILE
   /u01/app/oracle/admin/db1/wallet/
   OPEN       AUTOLOGIN    SINGLE    NONE     NO

3. Check the wallet location.

   [oracle@exa11db01 wallet]$ ls -lrttotal

   The output should be similar to the following:

   total 20
   -rw------- 1 oracle dba 2987 Feb  2 15:37 ewallet_2021020223374667_masterbackup.p12
   -rw------- 1 oracle dba 5419 Feb  2 15:37 ewallet.p12
   -rw------- 1 oracle dba 5464 Feb  2 15:37 cwallet.sso

4. Copy the wallet files to the second node of the on-premises instance.

   [oracle@exa11db01 wallet]$ scp *.* exa11db02:/u01/app/oracle/admin/db1/wallet/

   The output should be similar to the following:

   cwallet.sso                                        100% 5464     8.7MB/s   00:00    
   ewallet_2021020223374667_masterbackup.p12          100% 2987    12.1MB/s   00:00    
   ewallet.p12                                         100% 5419    18.2MB/s   00:00 

5. On Node 1, get the database status.

   [oracle@exa11db01 db1]$ srvctl status database -d db1

   The output should be similar to the following:

   Instance db11 is running on node exa11db01
   Instance db12 is running on node exa11db02

6. On Node 1, stop and start the database to complete the wallet setup.

   [oracle@exa11db01 db1]$ srvctl stop database -d db1
   [oracle@exa11db01db1]$ srvctl start database -d db1

7. Create the encrypted tablespace.
   The following code sets up an encrypted tablespace with aes128 encryption:

   alter tablespace system encryption online using 'aes128' encrypt;
   alter tablespace sysaux encryption online using 'aes128' encrypt;
   alter tablespace undotbs1 encryption online using 'aes128' encrypt;
   alter tablespace undotbs2 encryption online using 'aes128' encrypt;
   alter tablespace users encryption online using 'aes128' encrypt;

8. Verify that the tablespace name and the dbf are encrypted.

   SQL> select tablespace_name, encrypted from dba_tablespaces;

   When encrypted, the files have different sequence numbers.

Create a Wallet on the Backup Database

Create a wallet on each node of the backup Oracle Database Exadata Cloud Service. The wallet must be the same on each node.

1. In the backup database on OCI, check the wallet file location.

   SQL> select * from V$ENCRYPTION_WALLET;

2. Copy the wallet files from the on-premises source database to the backup database in the cloud.

   [oracle@exa11db01 ~]$ scp -i FedExKey.ssh /u01/app/oracle/admin/db1/wallet/*.* 
   opc@10.255.195.131:/tmp/

3. Verify that the wallet appears in the directory in the Oracle Database Exadata Cloud Service.

   [oracle@exacs82-vm3sv1 admin]$ cd /var/opt/oracle/dbaas_acfs/DB1/wallet_root/tde
   [oracle@exacs82-vm3sv1 tde]$ ls -lrt

   The output should be similar to the following:

   total 72
   drwxr-xr-x 2 oracle oinstall 20480 Jan 23 13:50 Backup
   -rwxr-xr-x 1 oracle oinstall  5419 Feb  3 13:38 ewallet.p12
   -rwxr-xr-x 1 oracle oinstall  2987 Feb  3 13:38 ewallet_2021020223374667_masterbackup.p12
   -rw------- 1 oracle oinstall  5464 Feb  3 13:39 cwallet.sso

4. Copy the wallet files to the second node.