To setup TDE for my new database I have used and adapted Oracle Database 12c: Transparent Data Encryption (TDE)
First I have modified sqlnet.ora so that each database has its own TDE directories:
$ grep SID $ORACLE_HOME/network/admin/sqlnet.ora
ENCRYPTION_WALLET_LOCATION = (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/$ORACLE_SID/tde_wallet)))
WALLET_LOCATION = (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/$ORACLE_SID/db_wallet)))
$ I have created TDE wallet directory for NCDB database:
$ mkdir /u01/app/oracle/admin/NCDB/tde_wallet
I have connected to NCDB and run following SQL statements:
SQL> administer key management create keystore '/u01/app/oracle/admin/NCDB/tde_wallet' identified by xxx;
keystore altered.
SQL> administer key management set keystore open identified by xxx;
keystore altered.
SQL> select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS WALLET_TYPE WALLET_OR FULLY_BAC
------------------------------ -------------------- --------- ---------
CON_ID
----------
FILE
/u01/app/oracle/admin/NCDB/tde_wallet/
OPEN_NO_MASTER_KEY PASSWORD SINGLE UNDEFINED
0
SQL> administer key management create auto_login keystore from keystore '/u01/app/oracle/admin/NCDB/tde_wallet' identified by xxx;
keystore altered.
SQL>
SQL> administer key management set key identified by mks with backup;
keystore altered.
SQL>
SQL> select con_id, key_id, keystore_type from v$encryption_keys;
CON_ID
----------
KEY_ID
------------------------------------------------------------------------------
KEYSTORE_TYPE
-----------------
0
AdOGu2sWO085v33seosS01IAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SOFTWARE KEYSTORE
SQL> select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS WALLET_TYPE WALLET_OR FULLY_BAC
------------------------------ -------------------- --------- ---------
CON_ID
----------
FILE
/u01/app/oracle/admin/NCDB/tde_wallet/
OPEN PASSWORD SINGLE NO
0
Step 3: create application tablespace
I have run:
SQL> show parameter new
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
encrypt_new_tablespaces string DDL
SQL> alter system set encrypt_new_tablespaces=cloud_only;
System altered.
SQL> create tablespace data;
Tablespace created.
SQL> select tablespace_name, encrypted from dba_tablespaces;
TABLESPACE_NAME ENC
------------------------------ ---
SYSTEM NO
SYSAUX NO
SYS_UNDOTS NO
DATA YES
First I have modified sqlnet.ora so that each database has its own TDE directories:
$ grep SID $ORACLE_HOME/network/admin/sqlnet.ora
ENCRYPTION_WALLET_LOCATION = (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/$ORACLE_SID/tde_wallet)))
WALLET_LOCATION = (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/$ORACLE_SID/db_wallet)))
$ I have created TDE wallet directory for NCDB database:
$ mkdir /u01/app/oracle/admin/NCDB/tde_wallet
I have connected to NCDB and run following SQL statements:
SQL> administer key management create keystore '/u01/app/oracle/admin/NCDB/tde_wallet' identified by xxx;
keystore altered.
SQL> administer key management set keystore open identified by xxx;
keystore altered.
SQL> select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS WALLET_TYPE WALLET_OR FULLY_BAC
------------------------------ -------------------- --------- ---------
CON_ID
----------
FILE
/u01/app/oracle/admin/NCDB/tde_wallet/
OPEN_NO_MASTER_KEY PASSWORD SINGLE UNDEFINED
0
SQL> administer key management create auto_login keystore from keystore '/u01/app/oracle/admin/NCDB/tde_wallet' identified by xxx;
keystore altered.
SQL>
SQL> administer key management set key identified by mks with backup;
keystore altered.
SQL>
SQL> select con_id, key_id, keystore_type from v$encryption_keys;
CON_ID
----------
KEY_ID
------------------------------------------------------------------------------
KEYSTORE_TYPE
-----------------
0
AdOGu2sWO085v33seosS01IAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SOFTWARE KEYSTORE
SQL> select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS WALLET_TYPE WALLET_OR FULLY_BAC
------------------------------ -------------------- --------- ---------
CON_ID
----------
FILE
/u01/app/oracle/admin/NCDB/tde_wallet/
OPEN PASSWORD SINGLE NO
0
Step 3: create application tablespace
I have run:
SQL> show parameter new
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
encrypt_new_tablespaces string DDL
SQL> alter system set encrypt_new_tablespaces=cloud_only;
System altered.
SQL> create tablespace data;
Tablespace created.
SQL> select tablespace_name, encrypted from dba_tablespaces;
TABLESPACE_NAME ENC
------------------------------ ---
SYSTEM NO
SYSAUX NO
SYS_UNDOTS NO
DATA YES