TDE Key Store Management in Oracle Database

Once a keystore is created it cannot be deleted, so test the procedure thoroughly before creating one in a production environment.

Steps to Set Up a Keystore:

Log in as SYSDBA:

sqlplus / as sysdba

Create the Keystore: Create a keystore by setting a password.


ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY tde_key#$03;

A new folder called tde is created under the WALLET_ROOT directory (/opt/app/oracle/wallet in this example):

$ cd /opt/app/oracle/wallet/
$ ls
tde
$ cd tde/
$ ls
ewallet.p12

Open the Keystore: Open the keystore with the password:


ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY tde_key#$03;

Set the Master Key: Set the master key with a backup.


ADMINISTER KEY MANAGEMENT SET KEY USING TAG 'master key' IDENTIFIED BY tde_key#$03 WITH BACKUP USING 'masterbackup';

This also writes a backup copy of the keystore, named with a timestamp and the backup tag, beside ewallet.p12:

ewallet.p12
ewallet_2019080809241127_masterbackup.p12

Create Auto-login for Keystore: Generate an auto-login keystore.


ADMINISTER KEY MANAGEMENT CREATE LOCAL AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY tde_key#$03;

Query to confirm wallet status:

SELECT WRL_TYPE, STATUS, WALLET_TYPE, WALLET_ORDER, FULLY_BACKED_UP, CON_ID, WRL_PARAMETER FROM V$ENCRYPTION_WALLET;

Database Restart: After restarting the database, the wallet type should change to AUTOLOGIN.
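To confirm the finished setup end to end, here is an added PL/SQL check that is not part of the original post. It assumes it runs as SYSDBA in the container that owns the keystore, that the master key was tagged 'master key' as above, and it skips PDB$SEED because the seed never holds its own master key.

```sql
-- Added example, not from the original post: verify the keystore after the
-- database restart. Assumes SYSDBA in the container that owns the keystore.
SET SERVEROUTPUT ON
DECLARE
  v_problems PLS_INTEGER := 0;
  v_keys     PLS_INTEGER;

  PROCEDURE fail(p_msg VARCHAR2) IS
  BEGIN
    DBMS_OUTPUT.PUT_LINE('FAIL: ' || p_msg);
    v_problems := v_problems + 1;
  END;
BEGIN
  -- One row per container for the software keystore; PDB$SEED (CON_ID 2)
  -- never gets its own master key, so it is skipped.
  FOR w IN (SELECT con_id, status, wallet_type, fully_backed_up, wrl_parameter
              FROM v$encryption_wallet
             WHERE wrl_type = 'FILE' AND con_id <> 2)
  LOOP
    IF w.status <> 'OPEN' THEN
      fail('CON_ID ' || w.con_id || ' keystore status is ' || w.status);
    END IF;
    IF w.wallet_type NOT IN ('AUTOLOGIN', 'LOCAL_AUTOLOGIN') THEN
      fail('CON_ID ' || w.con_id || ' wallet type is ' || w.wallet_type
           || ' (cwallet.sso not in use)');
    END IF;
    IF w.fully_backed_up <> 'YES' THEN
      fail('CON_ID ' || w.con_id || ' keystore in ' || w.wrl_parameter
           || ' has changes that are not backed up; run BACKUP KEYSTORE');
    END IF;
  END LOOP;

  -- The master key set with TAG 'master key' must exist and be activated.
  SELECT COUNT(*) INTO v_keys
    FROM v$encryption_keys
   WHERE tag = 'master key' AND activation_time IS NOT NULL;
  IF v_keys = 0 THEN
    fail('no activated master key tagged ''master key''');
  END IF;

  IF v_problems > 0 THEN
    RAISE_APPLICATION_ERROR(-20001, v_problems || ' keystore check(s) failed');
  END IF;
  DBMS_OUTPUT.PUT_LINE('keystore checks passed');
END;
/
```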



Moving the Master Key:

To delete the keystore, you must move the active master key to another location:

Identify the Key ID:


SELECT KEY_ID, CREATION_TIME, ACTIVATION_TIME, TAG FROM V$ENCRYPTION_KEYS;

Move the Master Key:


ADMINISTER KEY MANAGEMENT MOVE KEYS
TO NEW KEYSTORE '/home/oracle'
IDENTIFIED BY test
FROM FORCE KEYSTORE IDENTIFIED BY tde_key#$03
WITH IDENTIFIER IN 'ASxb82RXzk+5v+YrGLS1IYEAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
WITH BACKUP;



Change from Auto-login to Local Auto-login:

Local auto-login adds security because the auto-login keystore can only be opened on the machine on which it was created.

Close the Keystore:


ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE;

Back up the existing auto-login file by renaming it:


mv cwallet.sso cwallet.sso.bak

Open the Password Keystore:


ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY tde_key#$03;

Create a Local Auto-login Keystore:


ADMINISTER KEY MANAGEMENT CREATE LOCAL AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY tde_key#$03;


Backup Keystore:

Backup Command:


ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE USING 'backup_tag' FORCE KEYSTORE IDENTIFIED BY tde_key#$03;

Backup to Specific Location:


ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE USING 'backup_tag' FORCE KEYSTORE IDENTIFIED BY tde_key#$03 TO '/home/oracle';


Create Master Key for Later Use:

Create a New Master Key:

ADMINISTER KEY MANAGEMENT CREATE KEY USING TAG 'new key for later' FORCE KEYSTORE IDENTIFIED BY tde_key#$03 WITH BACKUP USING 'later key';

Activating a Master Key Created Earlier:

Identify the Key to Activate:


SELECT KEY_ID, CREATION_TIME, ACTIVATION_TIME, TAG FROM V$ENCRYPTION_KEYS;

Activate the Master Key:


ADMINISTER KEY MANAGEMENT USE KEY 'AUBz/7910k8mvzRinUjJI8sAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' USING TAG 'later key activates' FORCE KEYSTORE IDENTIFIED BY tde_key#$03 WITH BACKUP USING 'later key activates';

Rekeying the Master Key:

Check Tablespace Status: Ensure tablespaces are not undergoing online rekeying.


SELECT TS#, ENCRYPTIONALG, STATUS FROM V$ENCRYPTED_TABLESPACES;

Set a New Master Key:


ADMINISTER KEY MANAGEMENT SET KEY USING TAG 'new key' FORCE KEYSTORE IDENTIFIED BY tde_key#$03 WITH BACKUP USING 'new key backup';
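As an added example that is not from the original post, this PL/SQL block combines the tablespace check and the rekey into one guarded step: it refuses to run SET KEY while any encrypted tablespace is not in NORMAL state, then confirms that the active KEY_ID actually changed. It assumes the post's keystore password and tags and that it runs as SYSDBA in the container being rekeyed.

```sql
-- Added example, not from the original post: guard SET KEY with a tablespace
-- check, then confirm that a new master key is the active one.
SET SERVEROUTPUT ON
DECLARE
  v_busy    PLS_INTEGER;
  v_old_key VARCHAR2(128);
  v_new_key VARCHAR2(128);

  -- Most recently activated master key in this container (NULL if none yet).
  FUNCTION active_key RETURN VARCHAR2 IS
    v_id VARCHAR2(128);
  BEGIN
    SELECT key_id INTO v_id
      FROM (SELECT key_id FROM v$encryption_keys
             WHERE activation_time IS NOT NULL
             ORDER BY activation_time DESC)
     WHERE ROWNUM = 1;
    RETURN v_id;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN RETURN NULL;
  END;
BEGIN
  -- STATUS is NORMAL unless the tablespace is being encrypted, decrypted or
  -- rekeyed online; a master key rekey must wait for those to finish.
  SELECT COUNT(*) INTO v_busy
    FROM v$encrypted_tablespaces
   WHERE status <> 'NORMAL';
  IF v_busy > 0 THEN
    RAISE_APPLICATION_ERROR(-20002,
      v_busy || ' tablespace(s) still converting; rekey deferred');
  END IF;

  v_old_key := active_key;

  -- Same statement as the post, with the post's password and tags.
  EXECUTE IMMEDIATE q'[ADMINISTER KEY MANAGEMENT SET KEY USING TAG 'new key'
    FORCE KEYSTORE IDENTIFIED BY tde_key#$03 WITH BACKUP USING 'new key backup']';

  v_new_key := active_key;
  IF v_new_key = v_old_key THEN
    RAISE_APPLICATION_ERROR(-20003, 'active master key did not change');
  END IF;
  DBMS_OUTPUT.PUT_LINE('master key rotated: ' || v_old_key || ' -> ' || v_new_key);
END;
/
```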

Export and Import Master Keys:

Exporting:
Export a single master key, selected by its KEY_ID:

ADMINISTER KEY MANAGEMENT EXPORT KEYS WITH SECRET "exported key" TO '/home/oracle/exportedkey.p12' IDENTIFIED BY tde_key#$03 WITH IDENTIFIER IN 'AW/NN5gqQk//vwjnb0ibS9oAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';

or export all master keys in the keystore:

ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS WITH SECRET "my_secret" TO '/u02/oradata/wallets/devdb02.exp' IDENTIFIED BY tde_key#$03;

Importing:
Import the exported key(s) using the same secret:

ADMINISTER KEY MANAGEMENT IMPORT KEYS WITH SECRET "exported key" FROM '/home/oracle/exportedkey.p12' IDENTIFIED BY tde_key#$03 WITH BACKUP;

Merging Keystores:

Keystores can be merged to consolidate or migrate keys:

Merge Command:

ADMINISTER KEY MANAGEMENT MERGE KEYSTORE '/home/oracle/Public' IDENTIFIED BY test INTO EXISTING KEYSTORE '/opt/app/oracle/wallet/tde' IDENTIFIED BY tde_key#$03 WITH BACKUP;


Change Keystore Password

To change the password of the Oracle TDE keystore, follow these steps:

Specify the Old Password and New Password
Use the following command to change the keystore password by providing both the old password and the new password:


ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD FORCE KEYSTORE 
IDENTIFIED BY key#st0r403 --old password
SET tde_key#$03  -- new password
WITH BACKUP USING 'pwd_change';

key#st0r403 is the old password.
tde_key#$03 is the new password.
A backup is created using the identifier 'pwd_change'.

Auto-login File Update
After successfully changing the password, the auto-login file (cwallet.sso) and other related keystore files are automatically updated with the new password.

Example of the updated files:


-rw-------. 1 oracle asmadmin 14091 Aug 13 09:29 ewallet_2019081309291420_pwd_change.p12
-rw-------. 1 oracle oinstall 14091 Aug 13 09:29 ewallet.p12
-rw-------. 1 oracle asmadmin 14136 Aug 13 09:29 cwallet.sso

The cwallet.sso file allows automatic opening of the keystore, thus avoiding the need to manually provide the keystore password during every instance startup.
