Appendix: Migrating from a Software Keystore to a HSM Keystore
This section describes how to migrate an existing software keystore to an HSM keystore.
To perform this migration, the following command must be enabled on the role you created for the integration:
Command   Description
GPED      General Purpose Encryption and Decryption
Perform the following steps to migrate a software keystore to an HSM keystore:
1. Connect to your database as the sysdba user:
2. Configure the WALLET_ROOT parameter to point to the libfxpkcs11.so file:
3. Bounce the database:
4. Configure the TDE_CONFIGURATION parameter to use the HSM:
5. Bounce the database:
6. Open the HSM keystore using the identity password created on the HSM:
7. Change back to the software keystore wallet location:
8. Bounce the database:
9. Configure the TDE_CONFIGURATION parameter for FILE:
10. Bounce the database:
11. Open the software keystore:
12. Add the HSM identity password as a secret to the software keystore:
13. Alter the software keystore password to match hsm_identity_pass; this is done so that the software keystore opens with the same password as the HSM keystore. sw_keystore_pass and hsm_identity_pass are now identical.
14. Create an auto-login keystore, specifying the software keystore by its keystore location:
15. Switch the TDE_CONFIGURATION parameter to HSM and FILE:
16. Bounce the database:
17. Confirm that both the FILE and HSM keystores are open, with no master key yet for the HSM keystore:
You should see output similar to the following:
18. Migrate the software keystore to the HSM keystore:
19. Switch the TDE_CONFIGURATION parameter to HSM and confirm that the database can still be decrypted with just the HSM keystore. Also confirm that the keys are present on the HSM.
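The procedure above carried through end to end in SQL*Plus, as an added worked example that is not part of the original page and not the vendor's own command listing. It assumes Oracle 18c or later ADMINISTER KEY MANAGEMENT syntax, a placeholder wallet directory (/etc/ORACLE/WALLETS/orcl), and placeholder passwords (sw_keystore_pass, hsm_identity_pass); substitute your own values. It also assumes WALLET_ROOT is set to a directory, as Oracle documents it, with the vendor PKCS#11 library (libfxpkcs11.so) installed under /opt/oracle/extapi/64/hsm/<VENDOR>/<VERSION>/ where Oracle looks for it.

```sql
-- Added example, not the page's own commands. Placeholder paths and passwords throughout.
-- Run from SQL*Plus connected as SYSDBA:   sqlplus / as sysdba

-- Point WALLET_ROOT at the TDE wallet directory (placeholder path), then bounce.
-- The software keystore will live in <WALLET_ROOT>/tde.
ALTER SYSTEM SET WALLET_ROOT = '/etc/ORACLE/WALLETS/orcl' SCOPE = SPFILE;
SHUTDOWN IMMEDIATE;
STARTUP;

-- Configure TDE to use the HSM keystore, then bounce.
ALTER SYSTEM SET TDE_CONFIGURATION = 'KEYSTORE_CONFIGURATION=HSM' SCOPE = BOTH;
SHUTDOWN IMMEDIATE;
STARTUP;

-- Open the HSM keystore with the identity password defined on the HSM (placeholder).
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "hsm_identity_pass";

-- Switch back to the software (FILE) keystore, then bounce.
ALTER SYSTEM SET TDE_CONFIGURATION = 'KEYSTORE_CONFIGURATION=FILE' SCOPE = BOTH;
SHUTDOWN IMMEDIATE;
STARTUP;

-- Open the software keystore with its current password (placeholder).
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "sw_keystore_pass";

-- Store the HSM identity password in the software keystore under the client name
-- HSM_PASSWORD; this is what lets an auto-login keystore reach the HSM later.
ADMINISTER KEY MANAGEMENT ADD SECRET 'hsm_identity_pass' FOR CLIENT 'HSM_PASSWORD'
  IDENTIFIED BY "sw_keystore_pass" WITH BACKUP;

-- Make the software keystore password equal to the HSM identity password.
ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD IDENTIFIED BY "sw_keystore_pass"
  SET "hsm_identity_pass" WITH BACKUP;

-- Create the auto-login keystore from the software keystore at its location.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE
  FROM KEYSTORE '/etc/ORACLE/WALLETS/orcl/tde' IDENTIFIED BY "hsm_identity_pass";

-- Enable both keystores (HSM primary, FILE secondary), then bounce.
ALTER SYSTEM SET TDE_CONFIGURATION = 'KEYSTORE_CONFIGURATION=HSM|FILE' SCOPE = BOTH;
SHUTDOWN IMMEDIATE;
STARTUP;

-- Check state before migrating: expect the FILE row to show STATUS = OPEN and the
-- HSM row to show STATUS = OPEN_NO_MASTER_KEY (no TDE master key on the HSM yet).
SELECT wrl_type, wrl_parameter, status, wallet_type
  FROM v$encryption_wallet;

-- Migrate: generate the new TDE master key on the HSM and re-wrap the existing
-- column/tablespace keys under it. After the password change above, the software
-- keystore password and the HSM identity password are the same string.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "hsm_identity_pass"
  MIGRATE USING "hsm_identity_pass" WITH BACKUP;

-- Run on the HSM alone and verify that encrypted data is still readable.
ALTER SYSTEM SET TDE_CONFIGURATION = 'KEYSTORE_CONFIGURATION=HSM' SCOPE = BOTH;
SHUTDOWN IMMEDIATE;
STARTUP;

-- Expect the HSM row to show STATUS = OPEN, and a master key whose KEYSTORE_TYPE is HSM.
SELECT wrl_type, status, wallet_type FROM v$encryption_wallet;
SELECT key_id, keystore_type, creation_time, activation_time FROM v$encryption_keys;
-- Finally, query a table in an encrypted tablespace (or with an encrypted column)
-- to confirm decryption succeeds with only the HSM keystore configured.
```

WITH BACKUP is kept on every keystore-modifying command so that each step leaves a copy of the previous keystore in the wallet directory; keep those backups, and the original software keystore, until the HSM-only check at the end has succeeded, since the HSM-held master key is the only thing that can decrypt the data after migration.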