This article describes some of the basic key management operations as they relate to Transparent Data Encryption (TDE) in Oracle Database 12c Release 1.
123
ENCRYPTION_WALLET_LOCATION =
(SOURCE =(METHOD = FILE)(METHOD_DATA =
(DIRECTORY = /u01/app/oracle/admin/$ORACLE_SID/encryption_keystore/)))1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556
ENCRYPTION_WALLET_LOCATION =
(SOURCE =(METHOD = FILE)(METHOD_DATA =
(DIRECTORY = /u01/app/oracle/admin/$ORACLE_SID/encryption_keystore/)))
mkdir -p /u01/app/oracle/admin/$ORACLE_SID/encryption_keystore
CONN / AS SYSDBA
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/admin/cdb1/encryption_keystore/' IDENTIFIED BY myPassword;
HOST ls /u01/app/oracle/admin/cdb1/encryption_keystore/
ewallet.p12
SQL>
-- Open
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY myPassword CONTAINER=ALL;
-- Close
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY myPassword CONTAINER=ALL;
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY myPassword WITH BACKUP CONTAINER=ALL;
SET LINESIZE 100
SELECT con_id, key_id FROM v$encryption_keys;
CON_ID KEY_ID
---------- ------------------------------------------------------------------------------
0 AdaYAOior0/3v0AoZDBV8hoAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0 AYmKkQxl+U+Xv3UHVMgSJC8AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SQL>
SET LINESIZE 200
COLUMN wrl_parameter FORMAT A50
SELECT * FROM v$encryption_wallet;
WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR FULLY_BAC CON_ID
-------------------- -------------------------------------------------- ------------------------------ -------------------- --------- --------- ----------
FILE /u01/app/oracle/admin/cdb1/encryption_keystore/ OPEN PASSWORD SINGLE NO 0
SQL>
CONN sys@pdb1 AS SYSDBA
-- We don't need to create a master key as we did it previously by using CONTAINER=ALL
-- ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY myPassword;
-- ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY myPassword WITH BACKUP;
SELECT con_id, key_id FROM v$encryption_keys;
CON_ID KEY_ID
---------- ------------------------------------------------------------------------------
0 ATbrc0RkAE//v/jcxOecSGIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SQL>12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879
CONN test/test@pdb1
-- Encrypted column
CREATE TABLE tde_test (
id NUMBER(10),
data VARCHAR2(50) ENCRYPT
);
INSERT INTO tde_test VALUES (1, 'This is a secret!');
COMMIT;
-- Encrypted tablespacew
CONN sys@pdb1 AS SYSDBA
CREATE TABLESPACE encrypted_ts
DATAFILE SIZE 128K
AUTOEXTEND ON NEXT 64K
ENCRYPTION USING 'AES256'
DEFAULT STORAGE(ENCRYPT);
ALTER USER test QUOTA UNLIMITED ON encrypted_ts;
CONN test/test@pdb1
CREATE TABLE tde_ts_test (
id NUMBER(10),
data VARCHAR2(50)
) TABLESPACE encrypted_ts;
INSERT INTO tde_ts_test VALUES (1, 'This is also a secret!');
COMMIT;
CONN sys@pdb1 AS SYSDBA
SHUTDOWN IMMEDIATE;
STARTUP;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY myPassword;
CONN test/test@pdb1
SELECT * FROM tde_test;
ID DATA
---------- --------------------------------------------------
1 This is a secret!
SQL>
SELECT * FROM tde_ts_test;
ID DATA
---------- --------------------------------------------------
1 This is also a secret!
SQL>
CONN / AS SYSDBA
SHUTDOWN IMMEDIATE;
STARTUP;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY myPassword CONTAINER=ALL;
CONN test/test@pdb1
SELECT * FROM tde_test;
ID DATA
---------- --------------------------------------------------
1 This is a secret!
SQL>
SELECT * FROM tde_ts_test;
ID DATA
---------- --------------------------------------------------
1 This is also a secret!
SQL>123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566
ORAENV_ASK=NO
export ORACLE_SID=cdb1
. oraenv
ORAENV_ASK=YES
sqlplus /nolog
CONN sys@pdb1 AS SYSDBA
ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS WITH SECRET "mySecret" TO '/tmp/export.p12' IDENTIFIED BY myPassword;
CONN / AS SYSDBA
ALTER PLUGGABLE DATABASE pdb1 CLOSE;
ALTER PLUGGABLE DATABASE pdb1 UNPLUG INTO '/tmp/pdb1.xml';
ORAENV_ASK=NO
export ORACLE_SID=cdb2
. oraenv
ORAENV_ASK=YES
sqlplus /nolog
CONN / AS SYSDBA
CREATE PLUGGABLE DATABASE pdb2 USING '/tmp/pdb1.xml';
-- If you are not using OMF, you will have to convert the paths manually.
--CREATE PLUGGABLE DATABASE pdb2 USING '/tmp/pdb1.xml'
-- FILE_NAME_CONVERT=('/u01/app/oracle/oradata/cdb1/pdb1/','/u01/app/oracle/oradata/cdb2/pdb2/');
ALTER PLUGGABLE DATABASE pdb2 OPEN READ WRITE;
Warning: PDB altered with errors.
CONN / AS SYSDBA
HOST mkdir -p /u01/app/oracle/admin/cdb2/encryption_keystore/
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/admin/cdb2/encryption_keystore/' IDENTIFIED BY myPassword;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY myPassword;
CONN / AS SYSDBA
ALTER SESSION SET CONTAINER=pdb2;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "myPassword";
ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS WITH SECRET "mySecret" FROM '/tmp/export.p12' IDENTIFIED BY "myPassword" WITH BACKUP;
-- Restart the PDB and open the keystore.
SHUTDOWN;
STARTUP;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "myPassword";
CONN test/test@pdb2
SELECT * FROM tde_test;
ID DATA
---------- --------------------------------------------------
1 This is a secret!
SQL>
SELECT * FROM tde_ts_test;
ID DATA
---------- --------------------------------------------------
1 This is also a secret!
SQL>1234567891011121314151617181920212223
CONN / AS SYSDBA
ADMINISTER KEY MANAGEMENT CREATE LOCAL AUTO_LOGIN KEYSTORE FROM KEYSTORE '/u01/app/oracle/admin/cdb1/encryption_keystore/' IDENTIFIED BY myPassword;
SHUTDOWN IMMEDIATE;
STARTUP
CONN test/test@pdb1
SELECT * FROM tde_test;
ID DATA
---------- --------------------------------------------------
1 This is a secret!
SQL>
SELECT * FROM tde_ts_test;
ID DATA
---------- --------------------------------------------------
1 This is also a secret!
SQL>Please to add comments
No comments yet. Be the first to comment!