Generate a TDE Master Encryption Key on the Vectera Plus

to configure oracle database 12c tde with an hsm, we recommend that you refer to the following oracle knowledge base article oracle database 12c https //docs oracle com/database/121/asoag/configuring transparent dataencryption htm this section shows a very basic example of configuring oracle tde with an hsm using pkcs #11 however, there are many nuances in an oracle database environment, so the following steps might not apply directly to certain situations and implementations use this section only as a general guide and thoroughly consult the preceding oracle documentation link before implementing oracle tde with an hsm in your environment to use hsm based encryption, you must generate a master encryption key (mek) and store it on the {{vectera}} tde uses it for encrypting and decrypting the oracle table keys this section covers the following oracle database implementation methods a standard implementation of oracle database running on a server or desktop, and an oracle database implementation running in a docker container set the oracle environment by using the following commands $ su oracle $ cd $ /usr/local/bin/oraenv oracle sid = \[oracle] ? orcl connect to the database $ sqlplus / as sysdba start the oracle instance sql> startup open the hardware keystore by using the password of the identity created on the {{vectera}} sql> administer key management set keystore open identified by "identity password"; perform one of the following options for the tde master encryption key migrate a previously configured tde master encryption key by referring to this article create the tde master encryption key by using the password of the identity that was created on the {{vectera}} , by running the following command sql> administer key management set key identified by "identity password"; if the master encryption key creation succeeds, you see the following message system altered if the database contains columns encrypted with a public key, the columns are decrypted and reencrypted with the oracle table key, which is encrypted/decrypted with the aes symmetric key generated by hsm based transparent data encryption the steps outlined in this section describe how to configure the {{futurex}} pkcs #11 (fxpkcs11) library to work with an oracle database docker container for instructions on how to build and run oracle database in a docker container, refer to oracle's documentation on the host computer that runs the oracle database container, go to the location of the oracle database private key file, tls skey pem open a terminal and run the following command to make the oracle database private key readable and executable for all users chmod 555 tls skey pem set the openssl version to match your container in the openssl version environment variable depending on your database version, run one of the following commands if you use oracle database 19c and the official oracle database container images repository on github ( https //github com/oracle/docker images/blob/main/oracledatabase ), the container is based on oracle linux 7, which is openssl 1 0 based in that case, you need to run the following command openssl version=openssl 1 0 x if you use oracle database running in a container that is openssl 1 1 based, you need to run the following command openssl version=openssl 1 1 x download the {{futurex}} pkcs #11 (fxpkcs11) library from the {{futurex}} portal, depending on your openssl version if your container is openssl 1 0 based, download the fxpkcs11 redhat 4 xx xxxx tar file if your container is openssl 1 1 based, download the fxpkcs11 redhat8 4 xx xxxx tar file extract the fxpkcs11 library and save the version in the pkcs version environment variable tar xvf fxpkcs11 tar pkcs version=$(grep r include= info version | awk 'nr==2{print $2}') open the fxpkcs11 configuration file, fxpkcs11 cfg , in a text editor and modify the connection details in the \<hsm> section to enable the fxpkcs11 library to connect to the {{vectera}} the following configuration example shows part of the fxpkcs11 cfg file \<hsm> \# which pkcs11 slot \<slot> 0 \</slot> \<label> futurex \</label> \# hsm crypto operator user name \<crypto opr> \[identity name] \</crypto opr> \# automatically login on session open \#\<crypto opr pass> \[identity password] \</crypto opr pass> \# connection information \<address> 10 0 8 30 \</address> \<prod port> 9100 \</prod port> \<prod tls enabled> yes \</prod tls enabled> \<prod tls anonymous> no \</prod tls anonymous> \# \<prod tls ca> /home/user/tls/root pem \</prod tls ca> \# \<prod tls ca> /home/user/tls/sub1 pem \</prod tls ca> \# \<prod tls ca> /home/user/tls/sub2 pem \</prod tls ca> \<prod tls key> /home/user/tls/pki p12 \</prod tls key> \<prod tls key pass> safest \</prod tls key pass> \# yes = this is communicating through a guardian \<fx load balance> no \</fx load balance> \</hsm> field description \<slot> leave it set to the default value of 0 \<label> leave it set to the default value of futurex \<crypto opr> specify the name of the identity created for the application partition \<crypto opr pass> specify the password of the identity configured in the \<crypto opr> field you can use this to log the application into the hsm automatically if necessary \<address> specify the ip address of the hsm to which the pkcs #11 library should connect \<prod port> set the port number of the hsm that the fxpkcs11 library should connect to \<prod tls enabled> set the field to yes \<prod tls anonymous> defines whether the fxpkcs11 library authenticates to the server \<prod tls key> set the location of the client private key supported formats for the tls private key include the following values pkcs #1 clear private keys pkcs #8 encrypted private keys a pkcs #12 file containing the private key and certificates encrypted under a password because the \<prod tls key> field in this example defines the pkcs #12 file, you don't need to define the signed client cert with the \<prod tls cert> tag, nor the ca certificates with one or more instances of the \<prod tls ca> tag \<prod tls key pass> set the password of the pkcs #12 file, if necessary \<fx load balance> if you use a guardian to manage hsm devices in a cluster, set this field to yes if you don't use a guardian, set it to no run the following command to start the oracle database container and bind mount all of the fxpkcs11 files needed for fxpkcs11 to connect to the {{vectera}} you must run this command from the same directory that stores the extracted fxpkcs11 directory if the tls certificates for authentication with the {{vectera}} are not stored in the /home/oracle/pki directory on your system, modify the third v flag in your command to reflect the location docker run d \\ v $(pwd)/fxpkcs11 cfg /etc/fxpkcs11 cfg \\ v $(pwd)/fxpkcs11/x64/${openssl version}/libfxpkcs11 so /opt/oracle/extapi/64/hsm/futurex/${pkcs version}/libfxpkcs11 so \\ v /home/oracle/pki /pki \\ p 1521 1521 \\ p 5500 5500 \\ e oracle sid=test \\ e oracle pwd=password123 \\ v data /opt/oracle/oradata \\ \ name tde \\ oracle/database 19 3 0 ee the preceding command takes 10 to 20 minutes to complete, depending on your system resources after the oracle database container is up and running, run the following command to connect to the container file system docker exec it tde /bin/bash modify the /opt/oracle/product/19c/dbhome 1/network/admin/sqlnet ora file to the following and save it name directory path= (tnsnames, ezconnect, hostname) wallet location=(source=(method=hsm)(method data=(directory=/opt/oracle/admin/wallet))) encryption wallet location=(source=(method=hsm)(method data=(directory=/opt/oracle/admin/wallet))) wallet root=/opt/oracle/admin/wallet connect to the database sqlplus sys/password123\@test as sysdba create the master encryption key for tde sql > alter system set encryption key identified by "safest"; if the operation succeeds, you see the following response system altered