Locate TDE Master Keys in OKM

You can locate the TDE master keys within OKM using either the GUI or CLI. TDE generates the master key labels and OKM uses a data unit's External Tag attribute to store this value. TDE master key generation (including re-key operations) always creates a new data unit object and key object within the OKM cluster.

  1. Perform a query on the OKM data units and filter the list using an ExternalTag filter: "ExternalTag" begins with "ORACLE.TDE". All TDE key labels begin with this string, so the query returns the OKM data units that TDE created. Each OKM data unit has a single TDE master key associated with it. These keys can be viewed using the OKM GUI to examine their lifecycle state and other properties, such as key group, export/import status, and which OKM backups contain destroyed keys. These keys can also be viewed using the OKM CLI. For example:
    >okm listdu --kma=acme1 --user=joe \
    --filter="ExternalTag=ORACLE.TDE"
    
  2. When multiple Oracle Database instances share an OKM cluster, an OKM administrator can identify which keys belong to a particular database by querying the audit events for the agent that corresponds to that database instance. These audit events can be viewed using the Oracle GUI. Filter the agent's audit history using the filter: "Operation equals CreateDataUnit". This produces a list of the audit events corresponding to TDE master key creations; the audit event details identify the specific data units for those master keys. These audit events can also be viewed using the OKM CLI. For example:
    >okm listauditevents --kma=acme1 --user=joe \
    --filter="Operation=CreateDataUnit"
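The two steps above can be combined offline once the listings have been captured: filter the data units whose External Tag begins with ORACLE.TDE (step 1), then keep only those whose CreateDataUnit audit event was raised by the agent of the database you care about (step 2). The script below is an added example, not part of the Oracle Key Manager documentation or product. It assumes a simple "Key=Value" record-per-line format for both listings; the actual output format of `okm listdu` and `okm listauditevents` depends on the installed OKM version and must be parsed accordingly. All data unit IDs, tags and agent names in the sample listings are constructed for the example.

```python
"""Join TDE-tagged OKM data units with CreateDataUnit audit events to list the
TDE master keys that belong to one database's OKM agent.

Added example; not OKM's own code. The 'Key=Value' record format used for the
sample listings is an ASSUMPTION for this example, not the real CLI output.
"""
import re
from dataclasses import dataclass

TDE_TAG_PREFIX = "ORACLE.TDE"  # all TDE master key labels begin with this string


@dataclass(frozen=True)
class DataUnit:
    du_id: str
    external_tag: str
    key_state: str


@dataclass(frozen=True)
class AuditEvent:
    agent: str
    operation: str
    du_id: str


# Constructed sample listing in the assumed 'Key=Value' format (one data unit per line).
SAMPLE_DATA_UNITS = """\
DataUnitID=DU-0001 ExternalTag=ORACLE.TDE.HR_DB.2024-01-10 KeyState=Active
DataUnitID=DU-0002 ExternalTag=ORACLE.TDE.HR_DB.2024-06-01 KeyState=Active
DataUnitID=DU-0003 ExternalTag=ORACLE.TDE.FIN_DB.2024-03-15 KeyState=Active
DataUnitID=DU-0004 ExternalTag=BACKUP-TAPE-0042 KeyState=Active
"""

# Constructed sample audit history for several agents (one event per line).
SAMPLE_AUDIT_EVENTS = """\
Agent=hrdb_agent Operation=CreateDataUnit DataUnitID=DU-0001
Agent=hrdb_agent Operation=CreateDataUnit DataUnitID=DU-0002
Agent=findb_agent Operation=CreateDataUnit DataUnitID=DU-0003
Agent=tape_agent Operation=CreateDataUnit DataUnitID=DU-0004
Agent=hrdb_agent Operation=RetrieveDataUnitKeys DataUnitID=DU-0001
"""

_TOKEN = re.compile(r"(\w+)=(\S+)")


def parse_records(text):
    """Parse one 'Key=Value Key=Value ...' record per line into a list of dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            records.append(dict(_TOKEN.findall(line)))
    return records


def parse_data_units(text):
    return [DataUnit(r["DataUnitID"], r["ExternalTag"], r.get("KeyState", ""))
            for r in parse_records(text)]


def parse_audit_events(text):
    return [AuditEvent(r["Agent"], r["Operation"], r.get("DataUnitID", ""))
            for r in parse_records(text)]


def tde_data_units(data_units):
    """Step 1: the GUI filter 'ExternalTag begins with ORACLE.TDE'."""
    return [du for du in data_units if du.external_tag.startswith(TDE_TAG_PREFIX)]


def master_keys_for_agent(data_units, events, agent):
    """Step 2: keep the TDE data units whose CreateDataUnit event came from `agent`.

    Other operations (e.g. key retrievals) are ignored, so a database that merely
    uses a key created elsewhere is not mistaken for its owner.
    """
    created = {e.du_id for e in events
               if e.agent == agent and e.operation == "CreateDataUnit"}
    return [du for du in tde_data_units(data_units) if du.du_id in created]


if __name__ == "__main__":
    dus = parse_data_units(SAMPLE_DATA_UNITS)
    evs = parse_audit_events(SAMPLE_AUDIT_EVENTS)
    for du in master_keys_for_agent(dus, evs, "hrdb_agent"):
        print(f"{du.du_id}  {du.external_tag}  {du.key_state}")
```

With the constructed sample, the report for `hrdb_agent` contains DU-0001 and DU-0002 (the original key and its re-key), while DU-0004 is excluded because its tag is not a TDE label even though a CreateDataUnit event exists for it.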