How to Configure TDE in Oracle 19c

 



How to Configure TDE in Oracle 19c

---------------------------------------------



Step 1: Configure the Software Keystore Location and Type



SQL> alter system set WALLET_ROOT="

" scope=spfile sid='*'; --- Shared Location 


SQL> alter system set TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" scope=spfile  sid='*';




>>>  Setup SQL NET for TDE Location  ( not mandatory)

srvctl getenv database -d KMUS

srvctl setenv database -d KMUS -T "TNS_ADMIN"=$ORACLE_HOME/network/admin

srvctl getenv database -d KMUS

SQL NET. ORA 

SQLNET.ENCRYPTION_SERVER= required

SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192, AES128)

SQLNET.IGNORE_ANO_ENCRYPTION_FIR_TCPS= TRUE

ENCRYPTION_WALLET_LOCATION=

  (SOURCE=

   (METHOD=FILE)

    (METHOD_DATA=

     (DIRECTORY=/oradata/app/KMUS/wallet_root)))

SQLNET.WALLET_OVERRIDE = FLASE


srvctl stop database -d KMUS

srvctl start database -d KMUS


=========================================================================

Step 2: Create the Software Keystore


sqlplus / as sysdba 



ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY <password>;


Note: ewallet.p12 file will be crated


ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "password" ;

ADMINISTER KEY MANAGEMENT SET KEY USING TAG 'masterkey' IDENTIFIED BY "password" WITH BACKUP USING 'masterbkp';

ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "password";



>> Bounce Database

srvctl stop database -d KMUS

srvctl start database -d KMUS


===========================================================================

Step 3: Check the Wallet 

set lin 200

col wrl_parameter for a55

col status for a15

select * from GV$ENCRYPTION_WALLET ;

====================================================================================

Database Tablespace default encryption algorithm from AES128


Step 4: Create Tablespace With ENCRYPTION


CREATE TABLESPACE ABC datafile '+DATA' size 1G ENCRYPTION USING 'AES128' DEFAULT STORAGE(ENCRYPT);


CREATE TABLESPACE ABC datafile '+DATA' size 1G ENCRYPTION USING 'AES256' DEFAULT STORAGE(ENCRYPT);


=======================================================================================


>>> Excrypting Existing Tablespaces:




Set linesize 200

Set pagesize 0

Set heading off

select 'alter database datafile '||chr(39)||df.name||chr(39)||' encrypt;' COMMAND from v$tablespace ts,

 v$datafile df where ts.ts#=df.ts# and (ts.name not in ('SYSTEM','SYSAUX') and ts.name not in 

(select value from gv$spparameter where name='undo_tablespace')) and

ts.ts# not in (select e.ts# FROM v$encrypted_tablespaces e) order by ts.name;


--> Keep Db in Mount State , Use below Qurey to find out Datafiles to be Encrypted


========================================================


REf:https://docs.oracle.com/en/database/oracle/oracle-database/19/asoag/configuring-transparent-data-encryption.html#GUID-C7989D41-F54B-4A48-ADE7-19175E88889C


Change the password of Wallet


SQL> ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD IDENTIFIED BY oldpasswprd SET "password" WITH BACKUP ;


keystore altered.


No comments:

Post a Comment

Subscribe to: Posts (Atom)