
TDE Wallet

The document outlines the steps to enable Transparent Data Encryption (TDE) in an Oracle 19c database, including editing the SQLNET.ORA file, configuring wallet parameters, creating and opening a keystore, and setting a master encryption key. It also details how to encrypt new and future tablespaces and emphasizes the need to set certain parameters across all database instances. Additionally, it provides notes on wallet management in Oracle RAC and standby nodes.

Uploaded by

akshay

Enabling TDE encryption in an Oracle 19c DB

1. Edit SQLNET.ORA file

2. Configure wallet parameters


Connect to the root container and create the keystore.

SQL> alter system set wallet_root='/oracle/app/oracle/admin/PRODCDB/encryption_keystore' scope=spfile;

SQL> ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE = BOTH;

3. Create Key store


ADMINISTER KEY MANAGEMENT CREATE KEYSTORE
'/oracle/app/oracle/admin/PRODCDB/encryption_keystore' IDENTIFIED BY mypassword;

4. Convert keystore to AUTOLOGIN
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE
'/oracle/app/oracle/admin/PRODCDB/encryption_keystore' IDENTIFIED BY mypassword;

5. Open keystore
SQL> administer key management set keystore open identified by mypassword CONTAINER=ALL;

6. Set master encryption key


SQL> ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE IDENTIFIED BY mypassword WITH BACKUP;

Run the same command after connecting to the PDB.

7. Close Wallet
➢ administer key management set keystore close identified by mypassword CONTAINER=ALL;

8. Encrypting New Tablespaces

Run the CREATE TABLESPACE statement, using its encryption clauses.
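
Added example (not part of the original document): a CREATE TABLESPACE statement with its encryption clauses, preceded by a keystore status check and followed by queries that confirm the result. The tablespace name enc_data, the datafile path and the size are assumed values.

```sql
-- Added example. Tablespace name, datafile path and size are assumed values.
-- Requires an open keystore with a master key set (steps 5 and 6).

-- 1. Confirm the keystore is open in every container before creating anything.
SELECT con_id, wrl_type, wallet_type, status
FROM   v$encryption_wallet
ORDER  BY con_id;

-- 2. Create the tablespace encrypted with AES256.
CREATE TABLESPACE enc_data
  DATAFILE '/oracle/oradata/PRODCDB/enc_data01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256' ENCRYPT;

-- 3. Verify the algorithm that was actually applied to the new tablespace.
SELECT t.name, e.encryptionalg, e.encryptedts, e.status
FROM   v$tablespace t
JOIN   v$encrypted_tablespaces e
       ON e.ts# = t.ts# AND e.con_id = t.con_id
WHERE  t.name = 'ENC_DATA';

-- 4. List tablespaces in the current container that are still unencrypted.
SELECT tablespace_name, contents
FROM   dba_tablespaces
WHERE  encrypted = 'NO'
ORDER  BY tablespace_name;
```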

9. Encrypting Future Tablespaces

You can set the ENCRYPT_NEW_TABLESPACES database initialization parameter to automatically encrypt future tablespaces that you create.
➢ SQL> alter system set "_tablespace_encryption_default_algorithm" = 'AES256' scope = both;
➢ alter system set encrypt_new_tablespaces = ALWAYS scope = both;

10. Adding encryption algorithm for the SYSTEM tablespace:

➢ alter tablespace SYSTEM encryption ONLINE encrypt;

Notes:
• You must set the compatible, wallet_root and TDE_CONFIGURATION initialization parameters on all
instances of the database (RAC or standby nodes) before creating an encrypted tablespace.

• Copy the wallet directory to all nodes in case of Oracle RAC if the wallet is not created in an ASM
disk group location.

• Copy the wallet to all standby nodes as well as any DR nodes.

-------------------------------------------------------- END---------------------------------------------------
