top of page
Oracle DBA Training & Support

How to Configure TDE Auto Login Wallet in Oracle 19c

STEP 1: Create pfile from spfile in below location.


create pfile='/tmp/initprod.ora' from spfile;


STEP 2: Configure the Keystore Location and Type


You must configure the Keystore location and type by setting WALLET_ROOT and TDE_CONFIGURATION parameters in pfile or spfile.


If necessary, create a wallet directory. Typically, the wallet directory is located in $ORACLE_BASE/admin/db_unique_name/wallet.

Ideally wallet directory should be empty.


cd $ORACLE_BASE/admin/


cd db_unique_name


mkdir -p wallet/tde



alter system set WALLET_ROOT="/u01/app/oracle/admin/prod/wallet" scope=spfile;


STEP 3: Restart the Database


shutdown immediate


startup


show parameter WALLET_ROOT



alter system set TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" scope=both;


show parameter TDE_CONFIGURATION


Step 4: Create software Keystore


SELECT STATUS FROM V$ENCRYPTION_WALLET;

col WRL_PARAMETER for a60

select WRL_TYPE, WRL_PARAMETER, STATUS, CON_ID from v$encryption_wallet;


administer key management create keystore '/u01/app/oracle/admin/prod/wallet/tde' identified by Pass54321;


STEP 5: Check the status of the wallet (Status will be closed)


SELECT STATUS FROM V$ENCRYPTION_WALLET;

col WRL_PARAMETER for a60

select WRL_TYPE, WRL_PARAMETER, STATUS, CON_ID from v$encryption_wallet;



!ls -lrt /u01/app/oracle/admin/prod/wallet/tde


STEP 6: Configure Auto Login Keystore and check the status


administer key management create auto_login keystore from keystore '/u01/app/oracle/admin/prod/wallet/tde' identified by Pass54321;


!ls -lrt /u01/app/oracle/admin/prod/wallet/tde



SELECT STATUS FROM V$ENCRYPTION_WALLET;

col WRL_PARAMETER for a60

select WRL_TYPE, WRL_PARAMETER, STATUS, CON_ID from v$encryption_wallet;


select * from v$encryption_wallet;


STEP 7: Open the software Keystore


administer key management set keystore open force keystore identified by Pass54321;


select * from v$encryption_wallet;


STEP 8: Set the Keystore TDE Encryption Master Key


administer key management set key FORCE KEYSTORE identified by Pass54321 with backup;



Step9: Encrypt tablespace:


Online Encryption


select t.name,e.ENCRYPTIONALG,e.ENCRYPTEDTS,e.STATUS from V$ENCRYPTED_TABLESPACES e, v$tablespace t where t.ts#=e.ts#(+);


ALTER TABLESPACE APP ENCRYPTION ONLINE USING 'AES256' ENCRYPT;


select t.name,e.ENCRYPTIONALG,e.ENCRYPTEDTS,e.STATUS from V$ENCRYPTED_TABLESPACES e, v$tablespace t where t.ts#=e.ts#(+);


select TABLESPACE_NAME, ENCRYPTED from dba_tablespaces where ENCRYPTED='YES';


While creating new tablespace:


create tablespace TBS_NAME datafile 'LOCATION' size 100m encryption using 'AES256' DEFAULT STORAGE (ENCRYPT);


Offline Encryption

*************


SQL> alter tablespace APP offline normal;


SQL> ALTER TABLESPACE APP ENCRYPTION OFFLINE USING 'AES256' ENCRYPT;


SQL> alter tablespace APP online;


SQL> select t.name,e.ENCRYPTIONALG,e.ENCRYPTEDTS,e.STATUS from V$ENCRYPTED_TABLESPACES e, v$tablespace t where t.ts#=e.ts#(+);

NAME ENCRYPT ENC STATUS

------------------------------ ------- --- ----------

APP AES256 YES NORMAL



Steps for Decryption:

***************


Online Decryption:

**************


ALTER TABLESPACE APP ENCRYPTION online DECRYPT;


select t.name,e.ENCRYPTIONALG,e.ENCRYPTEDTS,e.STATUS from V$ENCRYPTED_TABLESPACES e, v$tablespace t where t.ts#=e.ts#(+);


Offline Decryption:

**************


Same as encryption to decrypt take the tablespace offline and decrypt.


SQL> alter tablespace APP offline normal;


SQL> ALTER TABLESPACE APP ENCRYPTION OFFLINE DECRYPT;


SQL> alter tablespace APP online;


SQL> select t.name,e.ENCRYPTIONALG,e.ENCRYPTEDTS,e.STATUS from V$ENCRYPTED_TABLESPACES e, v$tablespace t where t.ts#=e.ts#(+);



export WALLET_LOCATION=/u01/app/oracle/admin/prod/wallet


cd /u01/app/oracle/admin/prod/wallet/tde

mkstore -wrl . -list


mkstore -wrl /u01/app/oracle/admin/prod/wallet/tde -list


Done...!!!



###########################################





Comments


bottom of page