Oracle Database TDE (19c)

Appendix: Migrate from a software keystore to an HSM keystore

This section provides instructions for migrating a preexisting software keystore to an HSM keystore.

Preparation

Before performing this procedure, enable the following command on the role you created for the integration:

Command | Description
------- | -----------
GPED    | General Purpose Encryption and Decryption

Migrate the keystore

Perform the following steps to migrate a software keystore to an HSM keystore. In the statements below, `hsm_identity_pass` is the identity password created on the HSM and `sw_keystore_pass` is the current password of the software keystore; replace both, and the wallet path, with your own values. The procedure restarts the database several times, so run it in a maintenance window.

1. Connect to your database as the SYSDBA user:

   ```shell
   sqlplus / as sysdba
   ```

2. Configure the WALLET_ROOT parameter to point to the libfxpkcs11.so file. Oracle locates a PKCS#11 library under `/opt/oracle/extapi/64/hsm/<vendor>/<version>/`, so the library must be installed at exactly this path:

   ```sql
   ALTER SYSTEM SET WALLET_ROOT = '/opt/oracle/extapi/64/hsm/futurex/4.45/libfxpkcs11.so' SCOPE=SPFILE;
   ```

3. Stop and restart the database:

   ```sql
   SHUTDOWN IMMEDIATE;
   STARTUP;
   ```

4. Configure the TDE_CONFIGURATION parameter for using an HSM:

   ```sql
   ALTER SYSTEM SET TDE_CONFIGURATION='KEYSTORE_CONFIGURATION=HSM' SCOPE=BOTH SID='*';
   ```

5. Stop and restart the database:

   ```sql
   SHUTDOWN IMMEDIATE;
   STARTUP;
   ```

6. Open the HSM keystore using the identity password created on the HSM:

   ```sql
   ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "hsm_identity_pass";
   ```

7. Change WALLET_ROOT back to the software wallet location:

   ```sql
   ALTER SYSTEM SET WALLET_ROOT = '/path/to/software/wallet' SCOPE=SPFILE;
   ```

8. Stop and restart the database:

   ```sql
   SHUTDOWN IMMEDIATE;
   STARTUP;
   ```

9. Configure the TDE_CONFIGURATION parameter for a file keystore:

   ```sql
   ALTER SYSTEM SET TDE_CONFIGURATION='KEYSTORE_CONFIGURATION=FILE' SCOPE=BOTH SID='*';
   ```

10. Stop and restart the database:

    ```sql
    SHUTDOWN IMMEDIATE;
    STARTUP;
    ```

11. Open the software keystore:

    ```sql
    ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY sw_keystore_pass;
    ```

12. Add the HSM identity password as a secret to the software keystore. This stored secret is what later allows the auto-login software keystore to open the HSM keystore without a manual password entry:

    ```sql
    ADMINISTER KEY MANAGEMENT ADD SECRET 'hsm_identity_pass' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY sw_keystore_pass WITH BACKUP;
    ```

13. Change the software keystore password to match the HSM identity password, so that the software keystore can be opened with the same credential as the HSM keystore:

    ```sql
    ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD FORCE KEYSTORE IDENTIFIED BY sw_keystore_pass SET hsm_identity_pass WITH BACKUP;
    ```

    From this point on, `sw_keystore_pass` and `hsm_identity_pass` are the same value.

14. Create an auto-login keystore from the software keystore at its wallet location (the password is the software keystore password, which now equals `hsm_identity_pass`):

    ```sql
    ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '/path/to/software/wallet' IDENTIFIED BY sw_keystore_pass;
    ```

15. Switch the TDE_CONFIGURATION parameter to HSM and FILE:

    ```sql
    ALTER SYSTEM SET TDE_CONFIGURATION='KEYSTORE_CONFIGURATION=HSM|FILE' SCOPE=BOTH SID='*';
    ```

16. Stop and restart the database:

    ```sql
    SHUTDOWN IMMEDIATE;
    STARTUP;
    ```

17. Confirm that both the FILE and HSM keystores are open and that the HSM keystore does not yet hold a master key:

    ```sql
    SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
    ```

    You should see output similar to the following:

    ```
    SQL> SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;

    WRL_TYPE  WRL_PARAMETER                            WALLET_TYPE  STATUS
    --------  ---------------------------------------  -----------  ------------------
    FILE      /u01/app/oracle/admin/orcl/wallet/tde/   AUTOLOGIN    OPEN
    HSM                                                HSM          OPEN_NO_MASTER_KEY
    ```

    Do not proceed if the HSM row shows anything other than OPEN_NO_MASTER_KEY or the FILE row is not OPEN.

18. Migrate the software keystore to the HSM keystore:

    ```sql
    ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "hsm_identity_pass" MIGRATE USING sw_keystore_pass;
    ```

    This creates a new TDE master encryption key on the HSM and re-encrypts the existing tablespace and column keys under it. The earlier master keys stay in the software keystore, so keep that keystore and its backups after the migration: anything still encrypted under the earlier keys, such as backups taken before this step, needs it.

19. Switch the TDE configuration to HSM only, then confirm that you can still decrypt your database with just the HSM keystore and that the keys are present on the HSM:

    ```sql
    ALTER SYSTEM SET TDE_CONFIGURATION='KEYSTORE_CONFIGURATION=HSM' SCOPE=BOTH SID='*';
    ```
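The following SQL*Plus script is an added example, not code from this page or from Futurex or Oracle. It wraps the migration step and the final HSM-only verification in checks a practitioner would want: it refuses to run MIGRATE unless V$ENCRYPTION_WALLET shows the exact state from the output above, verifies afterwards that the newest TDE master key lives in the hardware keystore, and finishes with a decryption smoke test after switching to an HSM-only configuration. `hsm_identity_pass` and `sw_keystore_pass` are the same placeholders used in the procedure; `app.customer_pii` is a hypothetical table in an encrypted tablespace, assumed only as the smoke-test target. `WITH BACKUP` on the MIGRATE statement is an addition to the procedure's own statement.

```sql
-- Added example (not part of this page or of Futurex/Oracle code): gate the
-- MIGRATE step on the expected keystore state, verify the result, then prove
-- decryption still works with the HSM keystore alone.
-- Assumptions: hsm_identity_pass / sw_keystore_pass are placeholders as in the
-- procedure; app.customer_pii is a hypothetical table in an encrypted tablespace.
-- Run as: sqlplus / as sysdba @tde_hsm_migrate_check.sql
WHENEVER SQLERROR EXIT FAILURE
SET SERVEROUTPUT ON

-- 1. Pre-migration gate (TDE_CONFIGURATION is HSM|FILE at this point): the
--    software keystore must be OPEN and the HSM must report OPEN_NO_MASTER_KEY.
--    An HSM row that already shows OPEN already holds a master key, which is
--    not the state this procedure expects.
DECLARE
  v_file_open NUMBER;
  v_hsm_empty NUMBER;
BEGIN
  SELECT COUNT(*) INTO v_file_open FROM V$ENCRYPTION_WALLET
   WHERE WRL_TYPE = 'FILE' AND STATUS = 'OPEN';
  SELECT COUNT(*) INTO v_hsm_empty FROM V$ENCRYPTION_WALLET
   WHERE WRL_TYPE = 'HSM' AND STATUS = 'OPEN_NO_MASTER_KEY';
  IF v_file_open = 0 THEN
    RAISE_APPLICATION_ERROR(-20001, 'software keystore is not OPEN; not migrating');
  END IF;
  IF v_hsm_empty = 0 THEN
    RAISE_APPLICATION_ERROR(-20002, 'HSM keystore is not OPEN_NO_MASTER_KEY; not migrating');
  END IF;
END;
/

-- 2. The migration (step 18 of the procedure), with WITH BACKUP added so the
--    software keystore is backed up before it is modified.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "hsm_identity_pass"
  MIGRATE USING sw_keystore_pass WITH BACKUP;

-- 3. Post-migration checks: the HSM keystore must now be OPEN and the most
--    recently activated TDE master key must be in the hardware keystore.
DECLARE
  v_hsm_open NUMBER;
  v_kstype   VARCHAR2(64);
BEGIN
  SELECT COUNT(*) INTO v_hsm_open FROM V$ENCRYPTION_WALLET
   WHERE WRL_TYPE = 'HSM' AND STATUS = 'OPEN';
  IF v_hsm_open = 0 THEN
    RAISE_APPLICATION_ERROR(-20003, 'HSM keystore did not reach OPEN after MIGRATE');
  END IF;
  SELECT KEYSTORE_TYPE INTO v_kstype
    FROM (SELECT KEYSTORE_TYPE FROM V$ENCRYPTION_KEYS ORDER BY ACTIVATION_TIME DESC)
   WHERE ROWNUM = 1;
  IF v_kstype <> 'HARDWARE KEYSTORE' THEN
    RAISE_APPLICATION_ERROR(-20004, 'newest TDE master key is in ' || v_kstype || ', not the HSM');
  END IF;
  DBMS_OUTPUT.PUT_LINE('migration verified: active TDE master key is on the HSM');
END;
/

-- 4. Switch to HSM only (step 19) and prove the database still decrypts without
--    the software keystore. With no HSM|FILE auto-login path, the HSM keystore
--    has to be opened manually after the restart.
ALTER SYSTEM SET TDE_CONFIGURATION='KEYSTORE_CONFIGURATION=HSM' SCOPE=BOTH SID='*';
SHUTDOWN IMMEDIATE
STARTUP
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "hsm_identity_pass";

-- Reading encrypted data is the real test. ORA-28365 (wallet is not open) or
-- ORA-28374 (typed master key not found in wallet) here means the HSM cannot
-- serve the key the data is encrypted under; WHENEVER SQLERROR makes the
-- script exit non-zero in that case.
SELECT COUNT(*) AS decryptable_rows FROM app.customer_pii;
```

The two PL/SQL gates are deliberately separate: the first stops you from migrating into an HSM that is closed or already populated, the second stops you from switching to HSM-only while the active master key is still in the software keystore, which would leave the database unable to open its tablespaces after the restart.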