Migrate Master Keys from the Oracle Wallet

Retain the old wallet and have OKM generate a new master key.

Refer to the document Oracle Advanced Security Transparent Data Encryption Best Practices, referenced at the beginning of this appendix. The Oracle Database Administrator must perform re-key operations before the key's lifecycle dictates. Otherwise, the database will not start. Refer to the various Oracle Database and TDE documents for the DDL used to perform this operation.

Re-Key Due to OKM Policy Based Key Expiration

The Oracle Database Administrator must perform re-key operations before the key's OKM lifecycle dictates; otherwise, the database will not start.

Once a key reaches the post-operational state, each key retrieval by TDE will trigger a warning in the OKM audit logs indicating that a post-operational key has been retrieved. Presence of these audit messages is an indication that it is time to re-key the database instance's master encryption key. The OKM audit message identifies the specific agent and key that is being retrieved to facilitate identification of the Oracle Database instance and master encryption key that has reached the post-operational state. Notification through SNMP v3 informs or SNMP v2 traps may be configured in OKM to support automation of this process.

The pkcs11_kms provider will attempt to inform its PKCS#11 consumers that the key has reached the post-operational state. This is done by setting the PKCS#11 "CKA_ENCRYPT" attribute to false for the master key.

All released versions of Oracle Database 11 and 12 will try to use a key to encrypt data after its encryption period has expired. TDE will never automatically re-key the TDE master key.

On Solaris, you may see errors similar to the following in the database alert logs:

  HSM heartbeat died. Likely the connection has been lost.
  PKCS11 function C_EncryptInit returned
  PKCS11 error code: 104
  HSM connection lost, closing wallet

If this error is encountered, the Database Administrator must perform the following actions:

  1. Set an environment variable for the user associated with the pkcs11_kms token (typically in the Oracle user's profile). This allows the deactivated key to continue to be used for encryption:
    # export PKCS11_KMS_ALLOW_ENCRYPT_WITH_DEACTIVATED_KEYS=1

  2. Restart the database.
  3. Re-key the master key for the database instance, following the instructions in your Oracle Database administration documentation.

On Oracle Linux, the default configuration of the pkcs11_kms provider allows deactivated keys to be used; however, you will see errors similar to the following in the /var/log/messages file:

pkcs11_kms:  Encrypting with key which does not support encryption (check to see if key is expired or revoked

If this message is encountered, the database administrator should re-key the TDE master key as described in the Oracle Database administration documentation.

Even after this message appears, TDE continues to use the key and does not perform an automatic re-key operation. OKM administrators who observe the post-operational key retrieval audit warnings must inform a Database Administrator that it is time to re-key their database instance's master key.
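The following is an added example, not code from the OKM documentation or from Oracle: a small Python scanner that applies the two symptoms quoted in this section (the Solaris alert-log sequence and the Oracle Linux /var/log/messages warning) to log lines and maps each hit to the operator actions this section prescribes. The log excerpts inside it are constructed, the environment is passed in as a dict so the workaround check can be tested, and the observation that PKCS#11 return code 104 (0x68) is CKR_KEY_FUNCTION_NOT_PERMITTED comes from the PKCS#11 specification, not from this page.

```python
"""Detect TDE master-key expiry symptoms in database and system logs.

Added example, not code from the OKM documentation: the match patterns are
the messages quoted in the text above; the sample log lines are constructed.
"""
import re
from typing import Iterable, List, Mapping, Tuple

WORKAROUND_VAR = "PKCS11_KMS_ALLOW_ENCRYPT_WITH_DEACTIVATED_KEYS"

# PKCS#11 return code 104 (0x68) is CKR_KEY_FUNCTION_NOT_PERMITTED, which is
# what C_EncryptInit returns once pkcs11_kms has cleared CKA_ENCRYPT on a
# post-operational key. "HSM heartbeat died" on its own could be a genuine
# network outage, so the error code is what classifies the event.
SOLARIS_KEY_EXPIRED = re.compile(r"PKCS11 error code:\s*104\b")

# Oracle Linux keeps encrypting with the deactivated key but logs this warning.
LINUX_KEY_EXPIRED = re.compile(
    r"pkcs11_kms:\s+Encrypting with key which does not support encryption"
)

Hit = Tuple[int, str]  # (1-based line number, stripped line text)


def scan_solaris_alert_log(lines: Iterable[str]) -> List[Hit]:
    """Return alert-log lines showing TDE was refused encryption with an expired key."""
    return [(n, ln.rstrip()) for n, ln in enumerate(lines, 1)
            if SOLARIS_KEY_EXPIRED.search(ln)]


def scan_linux_messages(lines: Iterable[str]) -> List[Hit]:
    """Return /var/log/messages lines where pkcs11_kms warned about the key."""
    return [(n, ln.rstrip()) for n, ln in enumerate(lines, 1)
            if LINUX_KEY_EXPIRED.search(ln)]


def recommend(platform: str, hits: List[Hit], env: Mapping[str, str]) -> List[str]:
    """Map findings to the operator actions the documentation prescribes.

    `env` is the environment of the user that runs the pkcs11_kms token
    (normally the Oracle user); it is passed in explicitly for testability.
    """
    if not hits:
        return []
    if platform == "solaris":
        actions = []
        # The export is only needed if the profile does not already set it.
        if env.get(WORKAROUND_VAR) != "1":
            actions.append(f"export {WORKAROUND_VAR}=1 in the Oracle user's profile")
        actions += ["restart the database instance", "re-key the TDE master key"]
        return actions
    if platform == "linux":
        return ["re-key the TDE master key"]
    raise ValueError(f"unsupported platform: {platform!r}")


# Constructed sample input: a Solaris alert-log excerpt ...
SAMPLE_ALERT_LOG = [
    "Completed: ALTER DATABASE OPEN",
    "HSM heartbeat died. Likely the connection has been lost.",
    "PKCS11 function C_EncryptInit returned",
    "PKCS11 error code: 104",
    "HSM connection lost, closing wallet",
]

# ... and an Oracle Linux /var/log/messages excerpt (host, times, PID made up).
SAMPLE_MESSAGES = [
    "Mar  3 10:14:58 dbhost01 sshd[2231]: Accepted publickey for oracle from 10.0.0.5 port 51022",
    "Mar  3 10:15:02 dbhost01 pkcs11_kms:  Encrypting with key which does not support "
    "encryption (check to see if key is expired or revoked",
]

if __name__ == "__main__":
    import os
    for platform, hits in (("solaris", scan_solaris_alert_log(SAMPLE_ALERT_LOG)),
                           ("linux", scan_linux_messages(SAMPLE_MESSAGES))):
        for n, text in hits:
            print(f"[{platform}] line {n}: {text}")
        for action in recommend(platform, hits, os.environ):
            print(f"[{platform}] action: {action}")
```

Run it as the Oracle user so that `os.environ` reflects the profile the token actually sees, and replace the sample lists with `open(path)` over the real alert log or /var/log/messages. The OKM audit warning described earlier in this section is the other signal for the same condition; its message format is not reproduced on this page, so it is not matched here.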