Generate a TDE Master Encryption Key on the CryptoHub
To configure Oracle Database 19c TDE with a {{ch}}, we recommend that you refer to the following Oracle knowledge base article: Oracle Database 19c, https://docs.oracle.com/en/database/oracle/oracle-database/19/asoag/configuring-transparent-data-encryption.html

This section walks through a very basic example of configuring Oracle TDE with {{ch}} through PKCS #11. However, many nuances exist in an Oracle database environment, so the following steps do not apply directly to certain situations and implementations. Use this section only as a general guide, and thoroughly consult the preceding Oracle documentation before implementing Oracle TDE with an HSM in your environment.

To use HSM-based encryption, you must generate a master encryption key (MEK), stored on the {{ch}} and used by TDE for encrypting and decrypting the Oracle table keys.

Generate a TDE MEK

Perform the following steps to generate a TDE MEK on the {{ch}}.

1. Set the Oracle environment with the following commands. The oraenv tool sets up the Oracle Database environment for the current session and enables the sqlplus command. When prompted, specify the system ID (SID) for the instance (orcl in this example) or use the default value shown between the brackets in the prompt. All instances on the system require a unique SID.

        $ su oracle
        $ cd
        $ /usr/local/bin/oraenv
        ORACLE_SID = [oracle] ? orcl

    If successful, the command returns the following message:

        The Oracle base has been set to /home/oracle/app/oracle

2. Connect to the database:

        $ sqlplus / as sysdba

3. Start the Oracle instance:

        SQL> startup

4. Set the static WALLET_ROOT parameter, which enables you to designate the location of the keystore you plan to use. You must set up the WALLET_ROOT parameter even if you do not use a keystore.

        SQL> ALTER SYSTEM SET WALLET_ROOT = '/opt/oracle/extapi/64/hsm/futurex/4.45/libfxpkcs11.so' SCOPE=SPFILE;

5. Stop and restart the database after setting the WALLET_ROOT parameter:

        SQL> shutdown immediate;
        SQL> startup;

6. Set the dynamic TDE_CONFIGURATION parameter to designate the type of keystore you plan to use:

        SQL> ALTER SYSTEM SET TDE_CONFIGURATION='KEYSTORE_CONFIGURATION=HSM' SCOPE=BOTH SID='*';

7. Stop and restart the database after setting the TDE_CONFIGURATION parameter:

        SQL> shutdown immediate;
        SQL> startup;

8. Open the hardware keystore by using the {{ch}} identity password configured inside the \<CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file:

        SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "cryptohub identity password";

9. Create the TDE master encryption key, again using the {{ch}} identity password configured inside the \<CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file:

        SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "cryptohub identity password";

    If migrating a previously configured TDE master encryption key, refer to this link: https://docs.oracle.com/en/database/oracle/oracle-database/19/asoag/managing-keystore-and-tde-master-encryption-key.html#GUID-4335220F-49FF-40BC-9EB0-21442608F436

    If successful, the following message appears:

        System altered.

If the database contains columns encrypted with a public key, the columns are decrypted and re-encrypted with the Oracle table key, which is encrypted and decrypted with the AES symmetric key generated by HSM-based Transparent Data Encryption.
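The following verification queries are an added example, not part of the original page or Futurex's documentation. They use Oracle's documented dynamic views to confirm, after the steps above, that the parameters took effect, that the HSM keystore is open, and that an HSM-backed MEK is active; the expected values in the comments are assumptions drawn from Oracle's view documentation, not output captured from a {{ch}} setup.

```sql
-- Run as SYSDBA in the same sqlplus session after the SET KEY step.

-- 1. Both parameters should reflect the values set above after the restarts.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('wallet_root', 'tde_configuration');

-- 2. Keystore state: expect WRL_TYPE = 'HSM', STATUS = 'OPEN' and
--    WALLET_TYPE = 'HSM'. A STATUS of 'OPEN_NO_MASTER_KEY' means the
--    keystore opened but no MEK has been created yet (step 9 not done).
SELECT wrl_type, status, wallet_type, keystore_mode
  FROM v$encryption_wallet;

-- 3. The MEK created by SET KEY should appear with KEYSTORE_TYPE = 'HSM';
--    an empty result means TDE is not yet protected by a key on the HSM.
SELECT key_id, creation_time, activation_time, keystore_type
  FROM v$encryption_keys
 ORDER BY activation_time DESC;
```

Check these again after every restart: a keystore that does not reopen on startup leaves encrypted tablespaces and columns inaccessible until the OPEN command is re-issued.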