Introduction: In Oracle Database Cloud Service (DBCS), Transparent Data Encryption (TDE) is a default security feature that helps protect sensitive data at rest. While TDE provides strong protection, misconfigured or missing encryption keys can cause backup operations to fail unexpectedly, particularly in multitenant (CDB/PDB) environments.

In this blog, we’ll walk through a real-world error where RMAN backup fails with encryption-related errors, and how to resolve it by properly configuring the TDE master key for the affected pluggable database (PDB).

Problem Statement:

A scheduled RMAN backup in DBCS fails with the following error:

RMAN-00601: fatal error in recovery manager
RMAN-03004: fatal error during execution of command
ORA-01480: trailing null missing from STR bind value
ORA-19914: unable to encrypt backup
ORA-28361: master key not yet set

Root Cause:

In multitenant environments (CDB/PDB), each PDB requires its own TDE master key. Even if the wallet is configured and open in the CDB, individual PDBs may still not have their master key initialized.

This often happens when a PDB is:
– Cloned or plugged into the CDB
– Created without initializing its own master key
– Not registered correctly with the DBCS agent (dcsagent)

Step-by-Step Solution:

1. Confirm Wallet Status in CDB and PDB

First, check the wallet status at the CDB level:

SELECT WRL_TYPE, WRL_PARAMETER, STATUS, WALLET_TYPE FROM v$encryption_wallet;

Then switch to the affected PDB and check again:

ALTER SESSION SET CONTAINER=DEV;
SELECT WRL_TYPE, WRL_PARAMETER, STATUS, WALLET_TYPE FROM v$encryption_wallet;

2. Use DBCLI to Initialize the Master Key

In DBCS, you can use the dbcli utility to initialize the missing TDE key for the specific PDB.

Step 1: List the databases and identify the DBID:
dbcli list-database

Step 2: Run update-tdekey to initialize the master key:
dbcli update-tdekey -i <DBID> -n <PDB_NAME> -p

Example:
dbcli update-tdekey -i 1ad98924-f9ce-4040-9e8c-da231dfb8b4d -n dev -p

You will be prompted to enter the SYS password for the container database.

3. Re-Validate Wallet Status

After updating the TDE key, reconnect to the PDB and check wallet status:

ALTER SESSION SET CONTAINER=DEV;
SELECT WRL_TYPE, WRL_PARAMETER, STATUS, WALLET_TYPE FROM v$encryption_wallet;

4. Retry the RMAN Backup

Once the key is initialized, you can rerun your RMAN backup without encountering encryption-related errors.

Key Learnings

– Each PDB needs its own master key
– Use dbcli update-tdekey for OCI-managed DBCS
– Always validate wallet status at PDB level
– Wallet must be OPEN, not just OPEN_NO_MASTER_KEY, for encrypted backups to work
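
To validate every PDB in one pass rather than switching containers one at a time, the query below (an added example, not part of the original post) reports wallet status and master key count per PDB. It assumes a 12c or later multitenant database and is run from CDB$ROOT, where V$ENCRYPTION_WALLET and V$ENCRYPTION_KEYS expose a CON_ID column for each open container.

```sql
-- Added example: run from CDB$ROOT as a user that can read the V$ views
-- (for example, connected AS SYSDBA).
-- Assumption: V$ views queried from the root return rows for every OPEN
-- container; a PDB that is only MOUNTED may show no wallet row at all.
-- A container with more than one keystore returns one row per keystore.
SELECT p.con_id,
       p.name              AS pdb_name,
       p.open_mode,
       w.status            AS wallet_status,
       w.wallet_type,
       NVL(k.key_count, 0) AS master_keys,
       CASE
         WHEN w.status = 'OPEN' AND NVL(k.key_count, 0) > 0
           THEN 'OK'
         WHEN w.status = 'OPEN_NO_MASTER_KEY'
           THEN 'MASTER KEY NOT SET'          -- the ORA-28361 condition
         WHEN w.status IS NULL
           THEN 'NO WALLET ROW (PDB not open?)'
         ELSE 'CHECK: ' || w.status           -- e.g. CLOSED, NOT_AVAILABLE
       END                 AS tde_check
FROM   v$pdbs p
       LEFT JOIN v$encryption_wallet w
              ON w.con_id = p.con_id
       LEFT JOIN (SELECT con_id, COUNT(*) AS key_count
                  FROM   v$encryption_keys
                  GROUP  BY con_id) k
              ON k.con_id = p.con_id
WHERE  p.name <> 'PDB$SEED'                   -- seed PDB is not backed up as user data
ORDER  BY p.con_id;
```

Any row whose tde_check is not OK identifies a PDB to fix with dbcli update-tdekey before the next scheduled RMAN backup runs.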

Conclusion: RMAN backup failures due to ORA-28361: master key not yet set are directly related to wallet and TDE key misconfigurations in pluggable databases. Fortunately, in Oracle DBCS, the dcsagent and dbcli tooling make it straightforward to initialize and manage encryption keys securely.
As an Oracle DBA, it’s essential to verify TDE configuration not just at the CDB level but also within each PDB, especially in environments where security and encrypted backups are non-negotiable.
