DOYENSYS Knowledge Portal




We Welcome you to visit our DOYENSYS KNOWLEDGE PORTAL : Doyensys Knowledge Portal




Saturday, July 15, 2017

Oracle 12c Database TDE (Transparent Data Encryption) Setup

To setup TDE for my new database I have used and adapted Oracle Database 12c: Transparent Data Encryption (TDE)

First I have modified sqlnet.ora so that each database has its own TDE directories:

$ grep SID $ORACLE_HOME/network/admin/sqlnet.ora
ENCRYPTION_WALLET_LOCATION = (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/$ORACLE_SID/tde_wallet)))
WALLET_LOCATION = (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/$ORACLE_SID/db_wallet)))
$ I have created TDE wallet directory for NCDB database:

$ mkdir /u01/app/oracle/admin/NCDB/tde_wallet

I have connected to NCDB and run following SQL statements:

SQL> administer key management create keystore '/u01/app/oracle/admin/NCDB/tde_wallet' identified by xxx;

keystore altered.

SQL> administer key management set keystore open identified by xxx;

keystore altered.

SQL> select * from v$encryption_wallet;

WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS                         WALLET_TYPE          WALLET_OR FULLY_BAC
------------------------------ -------------------- --------- ---------
    CON_ID
----------
FILE
/u01/app/oracle/admin/NCDB/tde_wallet/
OPEN_NO_MASTER_KEY             PASSWORD             SINGLE    UNDEFINED
         0


SQL>  administer key management create auto_login keystore from keystore '/u01/app/oracle/admin/NCDB/tde_wallet' identified by xxx;

keystore altered.

SQL>
SQL> administer key management set key identified by mks with backup;

keystore altered.

SQL>

SQL> select con_id, key_id, keystore_type from v$encryption_keys;

    CON_ID
----------
KEY_ID
------------------------------------------------------------------------------
KEYSTORE_TYPE
-----------------
         0
AdOGu2sWO085v33seosS01IAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SOFTWARE KEYSTORE


SQL> select * from v$encryption_wallet;

WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS                         WALLET_TYPE          WALLET_OR FULLY_BAC
------------------------------ -------------------- --------- ---------
    CON_ID
----------
FILE
/u01/app/oracle/admin/NCDB/tde_wallet/
OPEN                           PASSWORD             SINGLE    NO
         0

Step 3: create application tablespace
I have run:

SQL> show parameter new

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
encrypt_new_tablespaces              string      DDL
SQL> alter system set encrypt_new_tablespaces=cloud_only;

System altered.

SQL> create tablespace data;

Tablespace created.

SQL> select tablespace_name, encrypted from dba_tablespaces;

TABLESPACE_NAME                ENC
------------------------------ ---
SYSTEM                         NO
SYSAUX                         NO
SYS_UNDOTS                NO
DATA                           YES

No comments: