This section provides instructions about migrating a preexisting software keystore to an HSM keystore.

Prepare

To perform this process, enable the following command on the role you created for the integration:
Command   Description
GPED      General Purpose Encryption and Decryption

Migrate the keystore

Perform the following steps to migrate a software keystore to an HSM keystore:
1. Connect to your database as the sysdba user:
Shell
sqlplus / as sysdba

2. Configure the WALLET_ROOT parameter to point to the libfxpkcs11.so file:
Sql
ALTER SYSTEM SET WALLET_ROOT = '/opt/oracle/extapi/64/hsm/futurex/4.45/libfxpkcs11.so' SCOPE=SPFILE;

3. Stop and restart the database:
Sql
SHUTDOWN IMMEDIATE;

STARTUP;

4. Configure the TDE_CONFIGURATION parameter to use an HSM:
Sql
ALTER SYSTEM SET TDE_CONFIGURATION='KEYSTORE_CONFIGURATION=HSM' SCOPE=BOTH SID='*';

5. Stop and restart the database:
Sql
SHUTDOWN IMMEDIATE;

STARTUP;

6. Open the HSM keystore using the identity password created on the HSM:
Sql
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "hsm_identity_pass";

7. Change WALLET_ROOT back to the software keystore wallet location:
Sql
ALTER SYSTEM SET WALLET_ROOT = '/PATH/TO/SOFTWARE/WALLET' SCOPE=SPFILE;

8. Stop and restart the database:
Sql
SHUTDOWN IMMEDIATE;

STARTUP;

9. Configure the TDE_CONFIGURATION parameter for FILE:
Sql
ALTER SYSTEM SET TDE_CONFIGURATION='KEYSTORE_CONFIGURATION=FILE' SCOPE=BOTH SID='*';

10. Stop and restart the database:
Sql
SHUTDOWN IMMEDIATE;

STARTUP;

11. Open the software keystore:
Sql
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY sw_keystore_pass;

12. Add the HSM identity password as a secret to the software keystore:
Sql
ADMINISTER KEY MANAGEMENT ADD SECRET 'hsm_identity_pass' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY sw_keystore_pass WITH BACKUP;

13. Change the software keystore password to hsm_identity_pass so that the software keystore can be opened together with the HSM keystore:
Sql
ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD FORCE KEYSTORE IDENTIFIED BY sw_keystore_pass SET hsm_identity_pass WITH BACKUP;

sw_keystore_pass and hsm_identity_pass are now the same.

14. Create an auto-login keystore from the software keystore, specifying the keystore location:
Sql
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '/PATH/TO/SOFTWARE/WALLET' IDENTIFIED BY software_keystore_pass;

15. Switch the TDE_CONFIGURATION parameter to HSM and FILE:
Sql
ALTER SYSTEM SET TDE_CONFIGURATION='KEYSTORE_CONFIGURATION=HSM|FILE' SCOPE=BOTH SID = '*';

16. Stop and restart the database:
Sql
SHUTDOWN IMMEDIATE;

STARTUP;

17. Confirm that both the FILE and HSM keystores are open and that the HSM keystore does not yet hold a master key:
Sql
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
You should see output similar to the following (the FILE keystore reports OPEN and the HSM keystore reports OPEN_NO_MASTER_KEY):

SQL> SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;

WRL_TYPE  WRL_PARAMETER                           WALLET_TYPE  STATUS
--------  --------------------------------------  -----------  ------------------
FILE      /u01/app/oracle/admin/orcl/wallet/tde/  AUTOLOGIN    OPEN
HSM                                               HSM          OPEN_NO_MASTER_KEY


18. Migrate the software keystore to the HSM keystore:
Sql
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "hsm_identity_pass" MIGRATE USING sw_keystore_pass;

19. Switch TDE_CONFIGURATION to HSM only and confirm that you can still decrypt your database with just the HSM keystore. Confirm that the keys are present on the HSM as well.
Sql
ALTER SYSTEM SET TDE_CONFIGURATION='KEYSTORE_CONFIGURATION=HSM' SCOPE=BOTH SID='*';
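The two verification points in this procedure, step 17 (before MIGRATE) and step 19 (after switching to HSM only), both come down to reading V$ENCRYPTION_WALLET correctly. The script below is an added example, not code from this page, from Futurex or from Oracle: it parses the query output and reports the problems that would make the next step fail or leave TDE data undecryptable. It assumes the query was run with the SQL*Plus setting SET COLSEP '|' so that each row is one delimited line; the sample output, the function names and the problem messages are constructed for this example.

```python
"""Checks for the software-to-HSM TDE keystore migration.

Added example; not code from the Futurex page or from Oracle tooling.
It evaluates V$ENCRYPTION_WALLET rows (captured with SET COLSEP '|')
against the wallet states the procedure expects at step 17, before
MIGRATE, and at step 19, after switching to an HSM-only configuration.
The sample output below is constructed, not captured from a database.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class WalletRow:
    wrl_type: str       # FILE or HSM
    wrl_parameter: str  # wallet directory for FILE rows, blank for HSM
    wallet_type: str    # AUTOLOGIN, PASSWORD, HSM, UNKNOWN, ...
    status: str         # OPEN, CLOSED, OPEN_NO_MASTER_KEY, ...


# Constructed sample: the state expected at step 17 (HSM|FILE, before MIGRATE).
SAMPLE_BEFORE_MIGRATE = """\
WRL_TYPE |WRL_PARAMETER                          |WALLET_TYPE |STATUS
---------|---------------------------------------|------------|-------------------
FILE     |/u01/app/oracle/admin/orcl/wallet/tde/ |AUTOLOGIN   |OPEN
HSM      |                                       |HSM         |OPEN_NO_MASTER_KEY

2 rows selected.
"""

# Constructed sample: the state expected at step 19 (HSM only, after MIGRATE).
SAMPLE_AFTER_MIGRATE = """\
HSM      |                                       |HSM         |OPEN
"""


def parse_colsep_output(text: str, sep: str = "|") -> list[WalletRow]:
    """Parse SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS output.

    Header, separator, blank and 'rows selected' lines are skipped because
    their first field is not a WRL_TYPE value.
    """
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(sep)]
        if len(parts) == 4 and parts[0] in ("FILE", "HSM"):
            rows.append(WalletRow(*parts))
    return rows


def _first(rows: list[WalletRow], wrl_type: str) -> WalletRow | None:
    return next((r for r in rows if r.wrl_type == wrl_type), None)


def ready_to_migrate(rows: list[WalletRow], tde_configuration: str) -> list[str]:
    """Step 17: list the problems that would make MIGRATE fail or unsafe.

    An empty list means both keystores are open and the HSM keystore holds
    no master key yet, which is the state the page's sample output shows.
    """
    problems = []
    if tde_configuration.strip().upper() != "KEYSTORE_CONFIGURATION=HSM|FILE":
        problems.append(f"TDE_CONFIGURATION is {tde_configuration!r}, expected HSM|FILE")
    file_ks, hsm_ks = _first(rows, "FILE"), _first(rows, "HSM")
    if file_ks is None:
        problems.append("no FILE keystore row in V$ENCRYPTION_WALLET")
    elif file_ks.status != "OPEN":
        problems.append(f"software keystore status is {file_ks.status}, expected OPEN")
    if hsm_ks is None:
        problems.append("no HSM keystore row in V$ENCRYPTION_WALLET")
    elif hsm_ks.status == "OPEN":
        problems.append("HSM keystore already holds a master key; MIGRATE is not the right step")
    elif hsm_ks.status != "OPEN_NO_MASTER_KEY":
        problems.append(f"HSM keystore status is {hsm_ks.status}, expected OPEN_NO_MASTER_KEY")
    return problems


def migration_complete(rows: list[WalletRow], tde_configuration: str) -> list[str]:
    """Step 19: with an HSM-only configuration the HSM keystore must be OPEN.

    OPEN_NO_MASTER_KEY here means the master key never reached the HSM, so
    TDE data cannot be decrypted with the HSM alone.
    """
    problems = []
    if tde_configuration.strip().upper() != "KEYSTORE_CONFIGURATION=HSM":
        problems.append(f"TDE_CONFIGURATION is {tde_configuration!r}, expected HSM")
    hsm_ks = _first(rows, "HSM")
    if hsm_ks is None:
        problems.append("no HSM keystore row in V$ENCRYPTION_WALLET")
    elif hsm_ks.status == "OPEN_NO_MASTER_KEY":
        problems.append("HSM keystore has no master key: the MIGRATE step did not complete")
    elif hsm_ks.status != "OPEN":
        problems.append(f"HSM keystore status is {hsm_ks.status}, expected OPEN")
    return problems


if __name__ == "__main__":
    before = parse_colsep_output(SAMPLE_BEFORE_MIGRATE)
    print("step 17 problems:", ready_to_migrate(before, "KEYSTORE_CONFIGURATION=HSM|FILE"))
    after = parse_colsep_output(SAMPLE_AFTER_MIGRATE)
    print("step 19 problems:", migration_complete(after, "KEYSTORE_CONFIGURATION=HSM"))
```

Run the step 17 check before issuing MIGRATE and the step 19 check before relying on the HSM-only configuration; an HSM row still reporting OPEN_NO_MASTER_KEY after the switch is the signal to reinstate the FILE keystore in TDE_CONFIGURATION rather than to continue.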