Oracle 12c Database TDE (Transparent Data Encryption) Setup

To setup TDE for my new database I have used and adapted Oracle Database 12c: Transparent Data Encryption (TDE)

First I have modified sqlnet.ora so that each database has its own TDE directories:

$ grep SID $ORACLE_HOME/network/admin/sqlnet.ora
ENCRYPTION_WALLET_LOCATION = (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/$ORACLE_SID/tde_wallet)))
WALLET_LOCATION = (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/$ORACLE_SID/db_wallet)))
$ I have created TDE wallet directory for NCDB database:

$ mkdir /u01/app/oracle/admin/NCDB/tde_wallet

I have connected to NCDB and run following SQL statements:

SQL> administer key management create keystore ‘/u01/app/oracle/admin/NCDB/tde_wallet’ identified by xxx;

keystore altered.

SQL> administer key management set keystore open identified by xxx;

keystore altered.

SQL> select * from v$encryption_wallet;

WRL_TYPE
——————–
WRL_PARAMETER
——————————————————————————–
STATUS                         WALLET_TYPE          WALLET_OR FULLY_BAC
—————————— ——————– ——— ———
    CON_ID
———-
FILE
/u01/app/oracle/admin/NCDB/tde_wallet/
OPEN_NO_MASTER_KEY             PASSWORD             SINGLE    UNDEFINED
         0

SQL>  administer key management create auto_login keystore from keystore ‘/u01/app/oracle/admin/NCDB/tde_wallet’ identified by xxx;

keystore altered.

SQL>
SQL> administer key management set key identified by mks with backup;

keystore altered.

SQL>

SQL> select con_id, key_id, keystore_type from v$encryption_keys;

    CON_ID
———-
KEY_ID
——————————————————————————
KEYSTORE_TYPE
—————–
         0
AdOGu2sWO085v33seosS01IAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SOFTWARE KEYSTORE

SQL> select * from v$encryption_wallet;

WRL_TYPE
——————–
WRL_PARAMETER
——————————————————————————–
STATUS                         WALLET_TYPE          WALLET_OR FULLY_BAC
—————————— ——————– ——— ———
    CON_ID
———-
FILE
/u01/app/oracle/admin/NCDB/tde_wallet/
OPEN                           PASSWORD             SINGLE    NO
         0

Step 3: create application tablespace
I have run:

SQL> show parameter new

NAME                                 TYPE        VALUE
———————————— ———– ——————————
encrypt_new_tablespaces              string      DDL
SQL> alter system set encrypt_new_tablespaces=cloud_only;

System altered.

SQL> create tablespace data;

Tablespace created.

SQL> select tablespace_name, encrypted from dba_tablespaces;

TABLESPACE_NAME                ENC
—————————— —
SYSTEM                         NO
SYSAUX                         NO
SYS_UNDOTS                NO
DATA                           YES

  • July 15, 2017 | 13 views
  • Comments