Generate a TDE Master Encryption Key on the CryptoHub
To configure Oracle Database 19c TDE with a , we recommend that you refer to the following Oracle knowledge base article:
This section walks through a very basic example of configuring Oracle TDE with through PKCS #11. However, there are many nuances in an Oracle Database environment, so the following steps do not apply directly to certain situations and implementations. Use this section only as a general guide, and thoroughly consult the preceding Oracle documentation before implementing Oracle TDE with an HSM in your environment.
To use HSM-based encryption, you must generate a Master Encryption Key (MEK), stored on the and used by TDE for encrypting and decrypting the Oracle Table Keys.
Set the Oracle environment with the following commands.
The oraenv tool sets up the Oracle database environment for the current session and enables the sqlplus command. To set the Oracle environment, perform the following command sequence. When prompted, specify the system ID (SID) for the instance — orcl in this example — or use the default value indicated between the brackets in line 6 below. All instances on the system require a unique SID.
If successful, the command will return the following message:
Connect to the database:
Start the Oracle instance:
Set the static WALLET_ROOT parameter, which allows you to designate the location of the keystore you plan to use.
You must set up the WALLET_ROOT parameter even if you do not use a keystore.
Bounce the database after setting the WALLET_ROOT parameter by shutting it down and starting it back up.
Set the dynamic TDE_CONFIGURATION parameter that enables you to designate the type of keystore you plan to use.
Bounce the database after setting the TDE_CONFIGURATION parameter by shutting it down and starting it back up.
Open the hardware keystore using the identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file:
Create the TDE Master Encryption Key using the identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file:
If migrating a previously configured TDE Master Encryption Key, refer to this link.
If successful, the following message appears.
If the database contains columns encrypted with a public key, the columns are decrypted and re-encrypted with the Oracle table key, which is encrypted/decrypted with the AES symmetric key generated by HSM-based transparent data encryption.
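The whole procedure above as one SQL*Plus session, added here as an example and not the page's own listing; the SID orcl, the wallet directory path and the password placeholder are assumptions, and the V$ queries are added checks so you can confirm each step before moving on:

```sql
-- Added example, not from the original page. Assumed values: SID orcl,
-- WALLET_ROOT at /u01/app/oracle/admin/orcl/wallet, and a placeholder for
-- the password set in the <CRYPTO-OPR-PASS> tag of fxpkcs11.cfg.
-- Shell prerequisites (typed before SQL*Plus starts):
--   . oraenv          -> answer "orcl" at the ORACLE_SID prompt
--   sqlplus / AS SYSDBA
STARTUP;

-- 1. WALLET_ROOT is static: it only takes effect after a restart, so it
--    must be written to the spfile, then the database is bounced.
ALTER SYSTEM SET WALLET_ROOT = '/u01/app/oracle/admin/orcl/wallet' SCOPE = SPFILE;
SHUTDOWN IMMEDIATE;
STARTUP;

-- 2. TDE_CONFIGURATION is dynamic and selects the HSM keystore type; the
--    page bounces the database after this step as well.
ALTER SYSTEM SET TDE_CONFIGURATION = "KEYSTORE_CONFIGURATION=HSM" SCOPE = BOTH;
SHUTDOWN IMMEDIATE;
STARTUP;

-- Check: WRL_TYPE should read HSM and STATUS CLOSED (no key yet).
SELECT wrl_type, status, wallet_type FROM v$encryption_wallet;

-- 3. Open the HSM keystore with the PKCS #11 operator password.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "<CRYPTO-OPR-PASS value>";

-- Check: STATUS is now OPEN_NO_MASTER_KEY until a key is created.
SELECT wrl_type, status, wallet_type FROM v$encryption_wallet;

-- 4. Generate the TDE master encryption key inside the HSM. The WITH BACKUP
--    clause used for software wallets does not apply: the key stays in the HSM.
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "<CRYPTO-OPR-PASS value>";

-- Checks: STATUS should be OPEN, and V$ENCRYPTION_KEYS should list the new
-- key with KEYSTORE_TYPE = HSM (no key material is ever shown here).
SELECT wrl_type, status, wallet_type FROM v$encryption_wallet;
SELECT key_id, keystore_type, creation_time FROM v$encryption_keys;
```

If the OPEN step fails, confirm the vendor PKCS #11 library is installed under Oracle's expected /opt/oracle/extapi/64/hsm/ directory tree before retrying.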