Transparent Data Encryption (TDE) provides mechanism to encrypt the data stored in the OS data files. TDE enables the encryption of data at the storage level to prevent data tempering from outside of the database.
New commands has been introduced in oracle 12c for enabling Transperant data encryption.ADMINISTER KEY MANAGEMENT will replace the previous commands like ALTER SYSTEM SET ENCRYPTION WALLET and Wallet is known as keystore in 12c.
Lets see how to configure TDE.
1. Create a wallet/keystore location.
mkdir -p /media/sf_stuff/WALLET
2. update the wallet/keystore location in sqlnet.ora. It should look like.
cat $ORACLE_HOME/network/admin/sqlnet.ora
# sqlnet.ora Network Configuration File: /home/oracle/app/oracle/product/12.1.0/dbhome_1/network/admin/sqlnet.ora
# Generated by Oracle configuration tools.
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
ENCRYPTION_WALLET_LOCATION =
(SOURCE =(METHOD = FILE)(METHOD_DATA =
(DIRECTORY = /media/sf_stuff/WALLET)))
Create keystore:
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/media/sf_stuff/WALLET/' IDENTIFIED BY walletpass#123; keystore altered. SQL> host ls /media/sf_stuff/WALLET/ ewallet.p12
Now open the keystore:
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY walletpass#123; keystore altered.
Now activate the key:
SQL> SET LINESIZE 100
SELECT con_id, key_id FROM v$encryption_keys;SQL>
no rows selected
SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY walletpass#123 WITH BACKUP;
keystore altered.
SQL> SET LINESIZE 100
SELECT con_id, key_id FROM v$encryption_keys;SQL>
CON_ID KEY_ID
---------- ------------------------------------------------------------------------------
0 AS6cSkI4u09zv9+RRWMrX2QAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SQL> SET LINESIZE 200
COLUMN wrl_parameter FORMAT A50
SELECT * FROM v$encryption_wallet;
SQL> SQL>
WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR FULLY_BAC CON_ID
-------------------- -------------------------------------------------- ------------------------------ -------------------- --------- --------- ----------
FILE /media/sf_stuff/WALLET/ OPEN PASSWORD SINGLE NO 0
create a encrypted a tablespace
SQL> CREATE TABLESPACE TEST_ENCRY
datafile '/home/oracle/app/oracle/oradata/cdb1/testencry.dbf' size 2G
ENCRYPTION USING 'AES256'
DEFAULT STORAGE(ENCRYPT); 2 3 4
Tablespace created.
SQL> create table emp_ency(
empno Number(3),
Name varchar(10)
) tablespace TEST_ENCRY; 2 3 4
Table created.
SQL> select tablespace_name,encrypted from dba_tablespaces where tablespace_name='TEST_ENCRY';
TABLESPACE_NAME ENC
------------------------------ ---
TEST_ENCRY YES
Create a table with encrypted column:
SQL> CREATE TABLE employee (
first_name VARCHAR2(128),
last_name VARCHAR2(128),
empID NUMBER,
salary NUMBER(6) ENCRYPT
); 2 3 4 5 6
Table created.
SQL> select owner,table_name,column_name,encryption_alg from dba_encrypted_columns where table_name='EMPLOYEE';
OWNER TABLE_NAME COLUMN_NAME ENCRYPTION_A
---------- ------------ ------------ ------------
RAJ EMPLOYEE SALARY AES 192 bits
key
ENABLE AUTOLOGIN :
SQL> SELECT * FROM v$encryption_wallet;
WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR FULLY_BAC CON_ID
-------------------- -------------------------------------------------- ------------------------------ -------------------- --------- --------- ----------
FILE /media/sf_stuff/WALLET/ OPEN PASSWORD SINGLE NO 0
Here the wallet_type is PASSWORD , i.e every time we restart the database, we need to open the key/wallet explicitly. To avoid this, we can enable auto login ,so that next time when db gets restart, it will open the wallet automatically.
SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '/media/sf_stuff/WALLET/' IDENTIFIED BY walletpass#123;
keystore altered.
SQL> SELECT * FROM v$encryption_wallet;
WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR FULLY_BAC CON_ID
-------------------- -------------------------------------------------- ------------------------------ -------------------- --------- --------- ----------
FILE /media/sf_stuff/WALLET/ OPEN PASSWORD SINGLE NO 0
SQL>
SQL> startup force
ORACLE instance started.
Total System Global Area 838860800 bytes
Fixed Size 2929936 bytes
Variable Size 570428144 bytes
Database Buffers 260046848 bytes
Redo Buffers 5455872 bytes
Database mounted.
Database opened.
SQL> SELECT * FROM v$encryption_wallet;
WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR FULLY_BAC CON_ID
-------------------- -------------------------------------------------- ------------------------------ -------------------- --------- --------- ----------
FILE /media/sf_stuff/WALLET/ OPEN AUTOLOGIN SINGLE NO 0
we can see the wallet opened automatically and the wallet_type has been changed from PASSWORD TO AUTOLOGIN.
For multi-tenant database:
In a multi-tenant database (CDB), the Keystore has to be be created in the ROOT container (CDB$ROOT).
This single Keystore will be shared by all the associated PDBs as well as the CDB$ROOT container.
So for this we need to use CONTAINER=ALL clause to open and activate the keystore in all pdbs.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY walletpass#123 CONTAINER=ALL; ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY walletpass#123 WITH BACKUP CONTAINER=ALL;
NOTE: To create a keystore user should have either ADMINISTER KEY MANAGEMENT or SYSKM privilege.
Related dictionary tables for TDE:
----What tables contain TDE encrypted columns?
sql> select table_name, column_name from dba_encrypted_columns;
-------What tables are stored in TDE encrypted tablespaces?
sql> select a.table_name, a.tablespace_name from dba_tables a, dba_tablespaces b
where a.tablespace_name = b.tablespace_name and b.encrypted = 'YES';
-------What indexes are stored in TDE encrypted tablespaces?
sql> select a.index_name, a.tablespace_name from dba_indexes a, dba_tablespaces b
where a.tablespace_name = b.tablespace_name and b.encrypted = 'YES' and index_name not like 'SYS_IL%';
------- getting key/wallet details:
SQL> SELECT * FROM v$encryption_wallet;
SQL> SELECT con_id, key_id FROM v$encryption_keys;
How does this work with a RAC?
Dear,
For RAC, you can give asm disk path as wallet location , as below
at step 2 :
ENCRYPTION_WALLET_LOCATION =
(SOURCE =(METHOD = FILE)(METHOD_DATA =
(DIRECTORY = +DISK1/sf_stuff/WALLET)))
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE ‘+DISK1/sf_stuff/WALLET’ IDENTIFIED BY walletpass#123;
DB-admin
We don’t want to create keystore on ASM storage..can you pls explain what is details procedure needs to follow for Oracle RAC 12.1
Do you have the procedure to reverse migrate the password based hsm wallet to password based oracle wallet ?
Dear I will let you know on this .
What would be the default format of enryption?
Dear ,
TDE supports AES256, AES192 (default for TDE column encryption), AES128 (default for TDE tablespace encryption), and 3DES168.
Regards
DBACLASS Admin
what is the implications on the system, from applications team point of view.
how appliations will work after encryption is done on tables column.
There is no impact on the appliation, when the wallet is open.
If the wallet is closed, then no user will be able to access those encrypted table/tablespaces.
According to this , wallet Kay want only at a time of restoration only.
what will sqlnet.ora configuration for TDE look like if it is shared by multiple instances on the same server?
The sqlnet.ora file will same . But if multiple instances are having same oracle_home, and both are using TDE, then they have to create the wallet in the same location defined in ENCRYPTION_WALLET_LOCATION .
cat $ORACLE_HOME/network/admin/sqlnet.ora
# sqlnet.ora Network Configuration File: /home/oracle/app/oracle/product/12.1.0/dbhome_1/network/admin/sqlnet.ora
# Generated by Oracle configuration tools.
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
ENCRYPTION_WALLET_LOCATION =
(SOURCE =(METHOD = FILE)(METHOD_DATA =
(DIRECTORY = /media/sf_stuff/WALLET)))
Great article,
Whats the procedure to drop and recreate TDE (wallet) for 12c?
Am getting ORA-28374: typed master key not found in wallet
and as per my check on oracle support, I can do a recreate (database is newly created and no encryption yet)
Thanks
Can we push other tables from non-encrypted tablespace into Encrypted tablespace, please let us know.
Thanks,
Sheik
Yes you can Dear.
Dear Admin,
Thanks a lot for your quick answer. Please if possible let me know the action plan or any supporting documents to proceed further .
Thanks,
Sheik.
Can we use the below commands to move the tables from non-encrypted tbs to encrypted tablespaces.
ALTER TABLE t1 MOVE ONLINE TABLESPACE users;
Thanks in Advance.
Yes you can .
Auto_login not works in 12.1.0.2 .
Thank you for taking out time and sharing the knowledge – appreciate very much.
Can we de-install TDE ?
Hi,
Can I add existing tablespaces to TDE in 12.1.0.2?.
I would like to know whether encryption can be enabled for already existing tablespace in 12.1.0.2, does it support OBIA application. does it require any license and any certificate to be installed or configured
in oracle 12.1.0.2 it is not possible to encrypt existins tablespace online. And no certificate is required.
How do you use oracle wallet with dbms_crypto.encrypt and decrypt functions ?
Hi
How about sqlnet.ora file. we have same oracle home for 3 databases, if we modify sqlnet.ora any impact to DB or application
we have primary and DR in place, what is the impact of implementing TDE
Thanks,
Anil
No impact to other database, unless you activated wallet at db level. For dr database, you can copy the same wallet file of primary to dr db server .
Hi Admin.
I have enabled TDE in my DB. Now I want to disable TDE in 12.1.0.2
Please help me with it.
my steps:
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE ‘$ORACLE_BASE/admin/$ORACLE_SID/wallet/’ IDENTIFIED BY XXXXX;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY XXXXX;
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY XXXXXX WITH BACKUP;
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE ‘$ORACLE_BASE/admin/$ORACLE_SID/wallet/’ IDENTIFIED BY XXXXX;
then how to disable..
SQL> select tablespace_name,encrypted from dba_tablespaces;
TABLESPACE_NAME ENC
—————————— —
TALLYDATA YES
TALLYINDEX YES
will wallet need to be open during restoration of rman or just need to be copy wallet file.