Appendix: Migrate from a software keystore to an HSM keystore
This section provides instructions for migrating a preexisting software keystore to an HSM keystore.
To perform this process, enable the following command on the role you created for the integration:
Command    Description
GPED       General Purpose Encryption and Decryption
Perform the following steps to migrate a software keystore to an HSM keystore:
Connect to your database as the sysdba user:
Configure the Wallet Root parameter to point to the libfxpkcs11.so file:
Stop and restart the database:
Configure the TDE_CONFIGURATION parameter for using an HSM:
Stop and restart the database:
Open the HSM keystore by using the identity password created on the HSM:
Change back to the software keystore wallet location:
Stop and restart the database:
Configure the TDE_CONFIGURATION parameter for FILE:
Stop and restart the database:
Open the software keystore:
Add the HSM identity password as a secret to the software keystore:
Change the software keystore password to match hsm_identity_pass, so that the software keystore opens together with the HSM keystore:
The sw_keystore_pass and hsm_identity_pass values are now the same.
Create an auto-login keystore, specifying the software keystore by its keystore location:
Switch the TDE_CONFIGURATION parameter to HSM and FILE:
Stop and restart the database:
Confirm that both the FILE and HSM keystores are open with no master key for the HSM keystore:
You should see an output similar to the following:
Migrate the software keystore to the HSM keystore:
Switch the TDE_CONFIGURATION parameter to HSM and confirm that you can still decrypt your database with just the HSM keystore. Confirm that the keys are present on the HSM as well.
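The keystore state check before the migration step, and the verification after the final switch to HSM, can be run as queries against Oracle's dynamic performance views. This is an added example, not part of the original guide: it assumes a SYSDBA session in SQL*Plus, and the MIGRATION_GATE labels are names made up for this illustration.

```sql
-- Added example (not from the original guide). Run as SYSDBA.

-- 1) Pre-migration gate. Run after TDE_CONFIGURATION is set to HSM and FILE
--    and the database has been restarted. The migration should proceed only
--    when the FILE keystore is OPEN and the HSM keystore is open with no
--    master key. MIGRATION_GATE values are illustrative labels.
SELECT con_id,
       MAX(CASE WHEN wrl_type = 'FILE' THEN status END)      AS file_status,
       MAX(CASE WHEN wrl_type = 'FILE' THEN wallet_type END) AS file_wallet_type,
       MAX(CASE WHEN wrl_type = 'HSM'  THEN status END)      AS hsm_status,
       CASE
         WHEN MAX(CASE WHEN wrl_type = 'FILE' THEN status END) = 'OPEN'
          AND MAX(CASE WHEN wrl_type = 'HSM'  THEN status END) = 'OPEN_NO_MASTER_KEY'
           THEN 'READY_TO_MIGRATE'
         WHEN MAX(CASE WHEN wrl_type = 'HSM' THEN status END) = 'OPEN'
           THEN 'HSM_ALREADY_HAS_MASTER_KEY'
         ELSE 'NOT_READY'   -- a keystore is closed, missing, or in another state
       END AS migration_gate
FROM   v$encryption_wallet
GROUP  BY con_id
ORDER  BY con_id;

-- 2) Post-migration check. Run after TDE_CONFIGURATION is switched to HSM
--    only and the database has been restarted. The HSM row should report a
--    status of OPEN.
SELECT con_id, wrl_type, status, wallet_type
FROM   v$encryption_wallet
ORDER  BY con_id, wrl_type;

-- 3) Master key history. The most recently activated row is the key created
--    by the migration; KEYSTORE_TYPE shows which keystore holds each key.
SELECT con_id, key_id, keystore_type, creation_time, activation_time
FROM   v$encryption_keys
ORDER  BY activation_time;

-- 4) Encrypted tablespaces and the master key each one is wrapped under.
--    Reading rows from a table in one of these tablespaces with only the HSM
--    keystore configured confirms that decryption works without the wallet.
SELECT t.con_id, t.name AS tablespace_name, e.encryptionalg, e.masterkeyid
FROM   v$tablespace t
JOIN   v$encrypted_tablespaces e
       ON e.ts# = t.ts# AND e.con_id = t.con_id
ORDER  BY t.con_id, t.name;
```

A NOT_READY result in the first query usually means one of the restarts or keystore-open steps was skipped; resolve that before running the migration command.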