Generating Your TDE Master Key

After you download the Oracle Public Key, you must use OpenSSL to generate and encrypt your key. This step is performed using the command line on your local Unix-based system. The instructions provided here are for a Linux system.

For Oracle Cloud Infrastructure

Follow the exact steps below to generate your TDE master key; otherwise, the key reset operation will fail. After you generate the key, encrypt it using the Transport Key, Base64 encode the result (it must not be uploaded in binary format), and use it to reset the given TDE master key with your own. You must use OpenSSL to generate and encrypt your key.

To generate your TDE master key for your environment hosted on Oracle Cloud Infrastructure:

  1. Set environment variables required for the process.
  2. Generate a 32-byte AES symmetric key to be used as your TDE master key.

    ${OPENSSL} rand 32 > ${AES_KEY}

  3. Encrypt your own TDE master key.

    Encrypt the TDE master key you generated with RSA-OAEP using SHA-256, using the Oracle Public Transport Key that you downloaded from the Cloud Console.

    ${OPENSSL} pkeyutl -encrypt -in ${AES_KEY} -inkey ${WRAPPING_KEY} -pubin -out ${WRAPPED_KEY} -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256

    For example:

    openssl pkeyutl -encrypt -in "aes_key.bin" -inkey "publickey.pem" -pubin -out "wrappedkey.bin" -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256

  4. Base64 encode the encrypted TDE master key.

    The encrypted key must be Base64 encoded, not in binary format.

    cat ${WRAPPED_KEY} | base64 -w 0 > ${BASE64_WRAPPED_KEY}

  5. Upload your encrypted TDE master key using the Reset TDE Master Key option described in Resetting TDE Master Encryption Key.
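
The OCI procedure above, steps 1 through 4, as an added worked example (this is not Oracle's script). It assumes `openssl` and GNU `base64` are on the path; because the real private transport key never leaves Oracle, the script generates a throwaway RSA key pair as a stand-in so that the wrapped key can be unwrapped and checked locally before upload:

```shell
#!/bin/sh
# Added example (not Oracle's script): steps 1-4 of the OCI procedure, followed by
# the checks worth running before upload. A throwaway RSA key pair generated here
# stands in for the Oracle Public Transport Key so the wrap can be undone locally.
set -eu

OPENSSL=${OPENSSL:-openssl}
WORKDIR=$(mktemp -d)
chmod 700 "$WORKDIR"                         # keep key material private to this user
trap 'rm -rf "$WORKDIR"' EXIT
AES_KEY="$WORKDIR/aes_key.bin"
WRAPPING_KEY="$WORKDIR/publickey.pem"        # stand-in for the downloaded transport key
WRAPPED_KEY="$WORKDIR/wrappedkey.bin"
BASE64_WRAPPED_KEY="$WORKDIR/wrappedkey.b64"
TEST_PRIV="$WORKDIR/transport_priv.pem"      # constructed; the real private key stays with Oracle

# Constructed 2048-bit RSA pair standing in for the transport key (hypothetical).
make_test_transport_key() {
    "$OPENSSL" genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$TEST_PRIV" 2>/dev/null
    "$OPENSSL" pkey -in "$TEST_PRIV" -pubout -out "$WRAPPING_KEY"
}

# Steps 2-4: 32-byte AES key, RSA-OAEP/SHA-256 wrap, single-line Base64 (base64 -w 0).
wrap_tde_key() {
    "$OPENSSL" rand 32 > "$AES_KEY"
    "$OPENSSL" pkeyutl -encrypt -in "$AES_KEY" -inkey "$WRAPPING_KEY" -pubin \
        -out "$WRAPPED_KEY" -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
    base64 -w 0 < "$WRAPPED_KEY" > "$BASE64_WRAPPED_KEY"
}

# Pre-upload checks: 32-byte key, wrapped blob exactly one RSA modulus long (256 bytes
# for RSA-2048), Base64 on a single line, and decode + unwrap with the matching private
# key returns the original key (proves the OAEP/SHA-256 parameters were applied).
verify_wrapped_key() {
    [ "$(wc -c < "$AES_KEY" | tr -d ' ')" -eq 32 ] || { echo "bad AES key length"; return 1; }
    [ "$(wc -c < "$WRAPPED_KEY" | tr -d ' ')" -eq 256 ] || { echo "bad wrapped length"; return 1; }
    [ "$(wc -l < "$BASE64_WRAPPED_KEY" | tr -d ' ')" -eq 0 ] || { echo "base64 not single-line"; return 1; }
    base64 -d "$BASE64_WRAPPED_KEY" > "$WORKDIR/decoded.bin"
    "$OPENSSL" pkeyutl -decrypt -in "$WORKDIR/decoded.bin" -inkey "$TEST_PRIV" \
        -out "$WORKDIR/unwrapped.bin" -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
    cmp -s "$AES_KEY" "$WORKDIR/unwrapped.bin" || { echo "round trip mismatch"; return 1; }
    echo ok
}

make_test_transport_key
wrap_tde_key
verify_wrapped_key
```

With the real transport key, only the two wrapping steps apply; the length and single-line checks still hold, while the unwrap check is only possible against a key pair you control.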

For Oracle Cloud Infrastructure Classic

Follow the exact steps below to generate your TDE master key; otherwise, the key reset operation will fail. After you generate the key, encrypt it using the Transport Key, keep the result in binary format (not Base64 encoded), and use it to reset the given TDE master key with your own. You must use OpenSSL to generate and encrypt your key.

To generate your TDE master key for your environment hosted on Oracle Cloud Infrastructure Classic:

  1. Create a new directory for the key and assign it to an environment variable.

    $ mkdir -p dir_of_key
    $ export KEYPATH=dir_of_key

  2. Make sure the directory is restricted.

    $ chmod go-rwx $KEYPATH

  3. Generate a hexadecimal string of 48 bytes to be used as your TDE master key.

    The key material must be 48 bytes long. The first 16 bytes are used as an identifier and the remaining 32 bytes are used as the TDE master key. This 48-byte string must be converted to a 96-character hexadecimal string.

    $ openssl rand 48 | xxd -l 48 -c 256 -p > $KEYPATH/clearkey

  4. Determine the checksum of your TDE master key from step 3.

    The checksum is required when you reset or restore the key.

    $ sha256sum -t $KEYPATH/clearkey | awk '{print $1}'

  5. Encrypt your own TDE master key.

    You encrypt your own generated TDE master key, with RSA padding mode PKCS#1 v1.5, using the Oracle Public Transport key that you downloaded following the steps in Downloading Oracle Public Key. A new transport key must be downloaded for each key reset operation. The encrypted key from running the following command will be in binary format and must be uploaded in this format. If an openssl alternative is used, then make sure the output of the alternative tool is in binary and not in base64 or other encodings.

    $ openssl rsautl -pubin -inkey $KEYPATH/OraclePublicTransportKey.pub -in $KEYPATH/clearkey \
        -out customerKey_encrypted.txt -encrypt

  6. Upload your encrypted TDE master key using the Reset TDE Master Key option described in Resetting TDE Master Encryption Key.