To configure Oracle Database 19c TDE with a CryptoHub, we recommend that you refer to the following Oracle knowledge base article:
  • Oracle Database 19c: https://docs.oracle.com/en/database/oracle/oracle-database/19/asoag/configuring-transparent-data-encryption.html

This section walks through a very basic example of configuring Oracle TDE with CryptoHub through PKCS #11. However, many nuances exist in an Oracle Database environment, so the following steps do not apply directly to every situation or implementation. Use this section only as a general guide, and thoroughly consult the preceding Oracle documentation before implementing Oracle TDE with an HSM in your environment. To use HSM-based encryption, you must generate a Master Encryption Key (MEK), which is stored on the CryptoHub and used by TDE to encrypt and decrypt the Oracle table keys.

Generate a TDE MEK

Perform the following steps to generate a TDE MEK on the CryptoHub:
1. Set the Oracle environment with the following command sequence.
The oraenv tool sets up the Oracle database environment for the current session and enables the sqlplus command. When prompted, specify the system ID (SID) of the instance (orcl in this example), or press Enter to accept the default value shown between the brackets on the last line of the block below (line 6). Every instance on the system requires a unique SID.
Shell
$ su oracle

$ cd ~

$ . /usr/local/bin/oraenv
ORACLE_SID = [oracle] ? orcl
If successful, the command returns the following message:
The Oracle base has been set to /home/oracle/app/oracle
2. Connect to the database:
Shell
$ sqlplus / as sysdba
3. Start the Oracle instance:
Sql
SQL> startup
4. Set the static WALLET_ROOT parameter, which designates the location of the keystore you plan to use.
You must set the WALLET_ROOT parameter even if you do not use a keystore.
Sql
SQL> ALTER SYSTEM SET WALLET_ROOT = '/opt/oracle/extapi/64/hsm/futurex/4.45/libfxpkcs11.so' SCOPE=SPFILE;
5. Stop and restart the database after setting the WALLET_ROOT parameter.
Sql
SQL> SHUTDOWN IMMEDIATE;

SQL> STARTUP;
6. Set the dynamic TDE_CONFIGURATION parameter to designate the type of keystore you plan to use.
Sql
SQL> ALTER SYSTEM SET TDE_CONFIGURATION='KEYSTORE_CONFIGURATION=HSM' SCOPE=BOTH SID = '*';
7. Stop and restart the database after setting the TDE_CONFIGURATION parameter.
Sql
SQL> SHUTDOWN IMMEDIATE;

SQL> STARTUP;
8. Open the hardware keystore using the CryptoHub identity password configured in the <CRYPTO-OPR-PASS> tag of the fxpkcs11.cfg file:
Sql
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "CryptoHub_Identity_Password";
9. Create the TDE Master Encryption Key using the CryptoHub identity password configured in the <CRYPTO-OPR-PASS> tag of the fxpkcs11.cfg file:
Sql
SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "CryptoHub_Identity_Password";
If successful, the following message appears:
System altered.
If the database contains columns encrypted with a public key, the columns are decrypted and re-encrypted with the Oracle table key, which is encrypted and decrypted with the AES symmetric key generated by HSM-based transparent data encryption.
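A post-configuration check for the procedure above, added here as an example and not part of the Futurex or Oracle documentation. It assumes the PKCS #11 library path from step 4, a Linux host with GNU stat, and an fxpkcs11.cfg location you override through FXPKCS11_CFG; it confirms the library is present, that the file holding the CRYPTO-OPR-PASS value is not readable by other users, and that V$ENCRYPTION_WALLET reports the HSM keystore as OPEN.

```shell
#!/bin/sh
# Added example: verify the HSM keystore configuration after steps 1-9.
# Paths below are assumptions taken from this page; adjust for your environment.
FXPKCS11_LIB="${FXPKCS11_LIB:-/opt/oracle/extapi/64/hsm/futurex/4.45/libfxpkcs11.so}"
FXPKCS11_CFG="${FXPKCS11_CFG:-/etc/fxpkcs11.cfg}"   # assumed location of fxpkcs11.cfg

# fxpkcs11.cfg carries the CryptoHub operator password (CRYPTO-OPR-PASS), so it must
# not be readable by other users. Returns 0 only for mode 0600 or 0400 (GNU stat).
cfg_perms_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Read "WRL_TYPE|STATUS|WALLET_TYPE" lines from stdin and print the STATUS of the
# HSM row; a WALLET_ROOT setup also lists a FILE row, which is skipped here.
hsm_wallet_status() {
  awk -F'|' '$1 == "HSM" && !found { print $2; found = 1 }
             END { if (!found) print "MISSING" }'
}

# Query V$ENCRYPTION_WALLET as SYSDBA (needs the environment set by oraenv).
query_wallet() {
  sqlplus -S / as sysdba <<'EOF'
SET HEADING OFF FEEDBACK OFF PAGESIZE 0
SELECT wrl_type || '|' || status || '|' || wallet_type FROM v$encryption_wallet;
EOF
}

main() {
  [ -r "$FXPKCS11_LIB" ] || { echo "PKCS#11 library not found: $FXPKCS11_LIB"; return 1; }
  cfg_perms_ok "$FXPKCS11_CFG" || { echo "$FXPKCS11_CFG must be mode 0600 (owner oracle)"; return 1; }
  status=$(query_wallet | hsm_wallet_status)
  case "$status" in
    OPEN) echo "HSM keystore is OPEN"; return 0 ;;
    *)    echo "HSM keystore status is $status (expected OPEN)"; return 1 ;;
  esac
}

if [ "${1:-}" = "--run" ]; then
  main
  exit $?
fi
```

Run it as the oracle user after sourcing oraenv: `sh tde_hsm_check.sh --run`; a non-zero exit means one of the three checks failed and the message names which.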