Create the TDE Wallet
Published by: Obay Salah, November 20, 2024
After the software keystore location has been configured, you can create the TDE wallet. There are three types of TDE wallets:
· Password-protected TDE wallets
· Auto-login TDE wallets
· Local auto-login TDE wallets
Creating a Password-Protected Software Keystore
- Connect to the database with a user who has the ADMINISTER KEY MANAGEMENT or SYSKM privilege.
- Use the SHOW PARAMETER command to ensure that the two parameters WALLET_ROOT and TDE_CONFIGURATION are set.
- Execute the following command:
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY password;
A tde directory is created automatically under the WALLET_ROOT path. If you are using Oracle ASM and that path does not exist, the tde directory is created automatically under +DATA/ORACLE_UNQNAME.
When the command completes, the password-protected wallet file ewallet.p12 exists in that directory.
Creating an Auto-Login or a Local Auto-Login Software Keystore
As an alternative to password-protected keystores, you can create an auto-login or local auto-login software keystore.
Both types use a system-generated password, so no password is needed to open them. An auto-login software keystore can be opened from a computer other than the one on which it was created, whereas a local auto-login software keystore can only be opened on the computer on which it was created.
Steps for Creation:
- Connect to the database with a user who has the ADMINISTER KEY MANAGEMENT or SYSKM privilege.
- Use the SHOW PARAMETER command to ensure that the two parameters WALLET_ROOT and TDE_CONFIGURATION are set.
- Execute the following command:
ADMINISTER KEY MANAGEMENT CREATE [LOCAL] AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY password;
If you include the keyword LOCAL, the command creates a local auto-login software keystore; omit it if the keystore must be usable from other computers.
In the LOCAL case the auto-login wallet file (cwallet.sso) is tied to this machine and cannot be opened anywhere else.
In an Oracle RAC environment, do not use the LOCAL keyword, because the RAC instances run on multiple servers and all of them must be able to open the wallet.
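The two creation procedures above, run end to end as one SQL*Plus session. This is an added example, not code from the original post: the WALLET_ROOT path, the keystore password and the TDE_CONFIGURATION value shown in the comments are placeholders for a single-instance database; adapt them to your environment.

```sql
-- Added example (not from the original post): create a password-protected TDE
-- wallet, then derive an auto-login wallet from it.
-- Assumptions (placeholders): WALLET_ROOT=/u01/app/oracle/admin/ORCL/wallet,
-- keystore password "WalletPassword#1", session connected AS SYSKM in SQL*Plus.

-- 1. Confirm the keystore location is configured (both values must be non-empty).
SHOW PARAMETER WALLET_ROOT
SHOW PARAMETER TDE_CONFIGURATION
-- Expected on this setup: WALLET_ROOT = /u01/app/oracle/admin/ORCL/wallet
--                         TDE_CONFIGURATION = KEYSTORE_CONFIGURATION=FILE

-- 2. Create the password-protected keystore.
--    This writes <WALLET_ROOT>/tde/ewallet.p12.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "WalletPassword#1";

-- 3. Check what the database sees: a password-type wallet that is still CLOSED.
SELECT wrl_type, wrl_parameter, status, wallet_type
  FROM v$encryption_wallet;

-- 4. Create the auto-login wallet (cwallet.sso) from the password-protected one.
--    No LOCAL keyword here, so the wallet can be copied to and opened on other
--    hosts (required for RAC).
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE
  FROM KEYSTORE IDENTIFIED BY "WalletPassword#1";

-- On a single host where the wallet must never work elsewhere, use LOCAL instead:
-- ADMINISTER KEY MANAGEMENT CREATE LOCAL AUTO_LOGIN KEYSTORE
--   FROM KEYSTORE IDENTIFIED BY "WalletPassword#1";

-- 5. Re-check. Once the instance uses cwallet.sso (for example after the
--    password wallet is closed or the instance restarts), wallet_type reports
--    AUTOLOGIN (or LOCAL_AUTOLOGIN) and the wallet opens with no password.
SELECT wrl_type, wrl_parameter, status, wallet_type
  FROM v$encryption_wallet;
```

Two operational checks are worth doing right after this: confirm at the OS level that the wallet directory and both wallet files are owned by the Oracle software owner and not readable by other users, and keep ewallet.p12 out of any backup set that an unprivileged operator can read. The auto-login file removes the password prompt, not the need to protect the files themselves.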
About Opening TDE Wallets
The keystore must be opened before use, but how it is opened depends on the type of keystore.
A password-protected TDE wallet must be opened before creating the TDE Master Encryption Key or accessing the Wallet.
There are two ways to open the TDE Wallet:
· Open the TDE Wallet manually using the command:
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
· Include the FORCE KEYSTORE clause in the ADMINISTER KEY MANAGEMENT statement. FORCE KEYSTORE opens the TDE wallet temporarily for the duration of that operation, and closes it again once the operation completes.
The TDE WALLET can be in the following states:
- Open
- Closed
- Open but with no master encryption key
- Open but with an unknown master encryption key
- Undefined
After you open the TDE wallet manually, it stays open until you close it manually. However, each time the database restarts, a password-protected TDE wallet must be opened manually again.
You can query the status of the TDE wallet from the V$ENCRYPTION_WALLET view.
To open the TDE Wallet, follow these steps:
- Connect to the database with a user who has the ADMINISTER KEY MANAGEMENT or SYSKM privilege.
- Execute the following command:
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY password;
- To open the password-protected TDE wallet while an auto-login keystore is configured and in use, add FORCE KEYSTORE:
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN FORCE KEYSTORE IDENTIFIED BY EXTERNAL STORE;
- To verify that the TDE wallet is open, run:
SELECT STATUS FROM V$ENCRYPTION_WALLET;
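The open procedure and the five wallet states, worked as one session. This is an added example rather than the post's own code; the keystore password is a placeholder, and the CASE branches map the STATUS values returned by V$ENCRYPTION_WALLET to the states listed above.

```sql
-- Added example (not from the original post): open a password-protected TDE
-- wallet and interpret its state.
-- Assumption (placeholder): keystore password "WalletPassword#1"; session AS SYSKM.

-- Before opening, the wallet reports CLOSED.
SELECT status, wallet_type FROM v$encryption_wallet;

-- Open it manually. It stays open until closed manually or the instance restarts.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "WalletPassword#1";

-- Map V$ENCRYPTION_WALLET.STATUS to the five states described in the text.
SELECT status,
       CASE status
         WHEN 'OPEN'
           THEN 'open with a master key: ready for encryption operations'
         WHEN 'CLOSED'
           THEN 'closed: must be opened before use'
         WHEN 'OPEN_NO_MASTER_KEY'
           THEN 'open, but SET KEY has not been run yet'
         WHEN 'OPEN_UNKNOWN_MASTER_KEY_STATUS'
           THEN 'open, master key presence not yet determined'
         WHEN 'UNDEFINED'
           THEN 'status could not be determined (e.g. wallet location not configured)'
       END AS meaning
  FROM v$encryption_wallet;

-- When only the auto-login wallet is open but the operation needs the password
-- wallet, FORCE KEYSTORE opens the password wallet just for this statement.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN FORCE KEYSTORE
  IDENTIFIED BY "WalletPassword#1";

-- Close the wallet again when the maintenance window is over. While it is closed,
-- encrypted tablespaces cannot be read, so do this only when that is intended.
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "WalletPassword#1";
```

Because a password-protected wallet is closed after every restart, the first status query after a database bounce is the check to script into startup verification: a state of CLOSED at that point means every encrypted tablespace is inaccessible until an administrator opens the wallet or an auto-login wallet is in place.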
Set the TDE Master Encryption Key in the TDE Wallet
The TDE master encryption key is stored in the TDE wallet.
The TDE master encryption key protects the TDE table keys and the tablespace encryption keys; those data keys are never stored in the clear.
To set the TDE master encryption key in the TDE Wallet:
- Connect to the database with a user who has the ADMINISTER KEY MANAGEMENT or SYSKM privilege.
- Ensure that the database is open in READ WRITE mode.
- Set the TDE Master Encryption Key.
ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE IDENTIFIED BY EXTERNAL STORE | password WITH BACKUP USING 'emp_key_backup';
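The three steps above as one session, including the checks that confirm the key was set and backed up. This is an added example and not the post's own code; the keystore password is a placeholder, and the backup identifier emp_key_backup is the one used in the command above. The IDENTIFIED BY EXTERNAL STORE alternative only works if the keystore password has previously been stored in the external store, so the password form is used here.

```sql
-- Added example (not from the original post): set the TDE master encryption key
-- with a mandatory wallet backup, then verify the result.
-- Assumption (placeholder): keystore password "WalletPassword#1"; session AS SYSKM.

-- Precondition checks: database open READ WRITE, wallet open (or openable).
SELECT open_mode FROM v$database;                 -- expect READ WRITE
SELECT status, wallet_type FROM v$encryption_wallet;

-- Set the master key.
--   FORCE KEYSTORE : opens the password wallet if it is closed or if only the
--                    auto-login wallet is currently open.
--   WITH BACKUP    : copies ewallet.p12 before the key is written, so a failed
--                    key operation never leaves the only wallet copy corrupted.
ADMINISTER KEY MANAGEMENT SET KEY
  FORCE KEYSTORE
  IDENTIFIED BY "WalletPassword#1"
  WITH BACKUP USING 'emp_key_backup';

-- Verify: status moves from OPEN_NO_MASTER_KEY to OPEN, and the wallet is
-- reported as fully backed up.
SELECT status, fully_backed_up FROM v$encryption_wallet;

-- Inspect the key that was just activated and confirm it is marked backed up.
SELECT key_id, creation_time, activation_time, keystore_type, backed_up
  FROM v$encryption_keys
 ORDER BY activation_time DESC;
```

The backup lands in the same tde directory as ewallet.p12 under a name that embeds a timestamp and the identifier you supplied, which is why a meaningful identifier such as emp_key_backup is worth choosing. Treat that backup file exactly like the live wallet: a copy of it plus the keystore password is enough to decrypt every tablespace the master key protects, so it belongs in the same restricted location and the same key-custody procedure.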