# Oracle Database TDE (19c): Generate a TDE Master Encryption Key on the Vectera Plus
To configure Oracle Database 19c TDE with an HSM, we recommend that you refer to the following Oracle knowledge base article: [Oracle Database 19c: Configuring Transparent Data Encryption](https://docs.oracle.com/en/database/oracle/oracle-database/19/asoag/configuring-transparent-data-encryption.html).

This section shows a very basic example of configuring Oracle TDE with an HSM using PKCS #11. However, there are many nuances in an Oracle Database environment, so the following steps do not apply directly to all situations and implementations. Use this section only as a general guide and thoroughly consult the preceding Oracle documentation link before implementing Oracle TDE with an HSM in your environment.

To use HSM-based encryption, you must generate a master encryption key (MEK) and store it on the Vectera Plus. TDE uses it to encrypt and decrypt the Oracle table keys.

This section covers the following Oracle Database implementation methods:

- a standard implementation of Oracle Database running on a server or desktop (Linux or Windows), and
- an Oracle Database implementation running in a Docker container.

Choose one of the following methods to perform the implementation.

## Standard implementation on Linux

1. Set the Oracle environment with the following commands. The `oraenv` tool sets up the Oracle Database environment for the current session and enables the `sqlplus` command; it must be sourced (`. /usr/local/bin/oraenv`) rather than executed so that the variables it sets remain in the current shell. When prompted, specify the System ID (SID) for the instance (`orcl` in this example) or use the default value indicated between the brackets. All instances on the system require a unique SID.

   ```
   su oracle
   . /usr/local/bin/oraenv
   ORACLE_SID = [oracle] ? orcl
   ```

   Upon success, the command returns the following message:

   ```
   The Oracle base has been set to /home/oracle/app/oracle
   ```

2. Connect to the database:

   ```
   sqlplus / as sysdba
   ```

3. Start the Oracle instance:

   ```
   SQL> STARTUP
   ```

4. Set the static `WALLET_ROOT` parameter, which sets the keystore location you plan to use. You must set the `WALLET_ROOT` parameter even if you do not use a keystore.

   ```
   SQL> ALTER SYSTEM SET WALLET_ROOT = '/opt/oracle/extapi/64/hsm/futurex/4.45/libfxpkcs11.so' SCOPE=SPFILE;
   ```

5. Stop and restart the database after setting the `WALLET_ROOT` parameter:

   ```
   SQL> SHUTDOWN IMMEDIATE;
   SQL> STARTUP;
   ```

6. Set the dynamic `TDE_CONFIGURATION` parameter, which sets the type of keystore you plan to use:

   ```
   SQL> ALTER SYSTEM SET TDE_CONFIGURATION='KEYSTORE_CONFIGURATION=HSM' SCOPE=BOTH SID='*';
   ```

7. Stop and restart the database after setting the `TDE_CONFIGURATION` parameter:

   ```
   SQL> SHUTDOWN IMMEDIATE;
   SQL> STARTUP;
   ```

8. Open the hardware keystore using the password of the identity created on the Vectera Plus:

   ```
   SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "hsm_identity_password";
   ```

9. Create the TDE master encryption key using the password of the identity created on the Vectera Plus:

   ```
   SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "hsm_identity_password";
   ```

   If you are migrating a previously configured TDE master encryption key, refer to this article instead.

   If successful, the following message displays:

   ```
   System altered
   ```

If the database contains columns encrypted with a public key, the columns are decrypted and re-encrypted with the Oracle table key, which is encrypted or decrypted using the AES symmetric key generated by HSM-based Transparent Data Encryption.

## Standard implementation on Windows

1. Open a command prompt window as Administrator.

2. Connect to the database:

   ```
   sqlplus / as sysdba
   ```

3. Start the Oracle instance:

   ```
   SQL> STARTUP
   ```

4. Set the static `WALLET_ROOT` parameter, which sets the keystore location you plan to use. You must set the `WALLET_ROOT` parameter even if you do not use a keystore.

   ```
   SQL> ALTER SYSTEM SET WALLET_ROOT = 'C:\oracle\extapi\64\hsm\futurex\5.4.0\fxpkcs11.dll' SCOPE=SPFILE;
   ```

5. Stop and restart the database after setting the `WALLET_ROOT` parameter:

   ```
   SQL> SHUTDOWN IMMEDIATE;
   SQL> STARTUP;
   ```

6. Set the dynamic `TDE_CONFIGURATION` parameter, which sets the type of keystore you plan to use:

   ```
   SQL> ALTER SYSTEM SET TDE_CONFIGURATION='KEYSTORE_CONFIGURATION=HSM' SCOPE=BOTH SID='*';
   ```

7. Stop and restart the database after setting the `TDE_CONFIGURATION` parameter:

   ```
   SQL> SHUTDOWN IMMEDIATE;
   SQL> STARTUP;
   ```

8. Open the hardware keystore using the password of the identity created on the Vectera Plus:

   ```
   SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "hsm_identity_password";
   ```

9. Create the TDE master encryption key using the password of the identity created on the Vectera Plus:

   ```
   SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "hsm_identity_password";
   ```

   If successful, the following message displays:

   ```
   System altered
   ```

If the database contains columns encrypted with a public key, the columns are decrypted and re-encrypted with the Oracle table key, which is encrypted or decrypted using the AES symmetric key generated by HSM-based Transparent Data Encryption.

## Oracle Database in a Docker container

The steps outlined in this section describe how to configure the Futurex PKCS #11 (FXPKCS11) library to work with an Oracle Database Docker container. For instructions on how to build and run Oracle Database in a Docker container, refer to Oracle's documentation.

1. On the host computer that runs the Oracle Database container, go to the location of the Oracle Database private key file, `tls_skey.pem`. Open a terminal and run the following command to make the private key readable and executable for all users. Note that mode 555 also makes the private key readable by every local account on the host, so keep this host locked down.

   ```
   chmod 555 tls_skey.pem
   ```

2. Set the OpenSSL version that matches your container in the `OPENSSL_VERSION` environment variable. Depending on your database version, run one of the following commands:

   - If you use Oracle Database 19c and the official Oracle Database container images repository on GitHub (https://github.com/oracle/docker-images/blob/main/OracleDatabase), the container is based on Oracle Linux 7, which is OpenSSL 1.0 based. In that case, run:

     ```
     OPENSSL_VERSION=openssl-1.0.x
     ```

   - If you use Oracle Database running in a container that is OpenSSL 1.1 based, run:

     ```
     OPENSSL_VERSION=openssl-1.1.x
     ```

3. Download the Futurex PKCS #11 (FXPKCS11) library from the Futurex portal, depending on your OpenSSL version:

   - If your container is OpenSSL 1.0 based, download the `fxpkcs11-redhat-4.xx.xxxx.tar` file.
   - If your container is OpenSSL 1.1 based, download the `fxpkcs11-redhat8-4.xx.xxxx.tar` file.

4. Extract the FXPKCS11 library and save its version in the `PKCS_VERSION` environment variable:

   ```
   tar -xvf fxpkcs11.tar
   PKCS_VERSION=$(grep -r "include=" info.version | awk 'NR==2{print $2}')
   ```

5. Open the FXPKCS11 configuration file, `fxpkcs11.cfg`, in a text editor and modify the connection details in the `<HSM>` section to enable the FXPKCS11 library to connect to the Vectera Plus. The following configuration example shows part of the `fxpkcs11.cfg` file:

   ```
   <HSM>
       # Which PKCS11 slot
       <SLOT>                  0                       </SLOT>
       <LABEL>                 Futurex                 </LABEL>
       # HSM crypto operator user name
       <CRYPTO-OPR>            [identity_name]         </CRYPTO-OPR>
       # Automatically login on session open
       #<CRYPTO-OPR-PASS>      [identity_password]     </CRYPTO-OPR-PASS>
       # Connection information
       <ADDRESS>               10.0.8.30               </ADDRESS>
       <PROD-PORT>             9100                    </PROD-PORT>
       <PROD-TLS-ENABLED>      YES                     </PROD-TLS-ENABLED>
       <PROD-TLS-ANONYMOUS>    NO                      </PROD-TLS-ANONYMOUS>
       # <PROD-TLS-CA>         /home/user/tls/root.pem </PROD-TLS-CA>
       # <PROD-TLS-CA>         /home/user/tls/sub1.pem </PROD-TLS-CA>
       # <PROD-TLS-CA>         /home/user/tls/sub2.pem </PROD-TLS-CA>
       <PROD-TLS-KEY>          /home/user/tls/PKI.p12  </PROD-TLS-KEY>
       <PROD-TLS-KEY-PASS>     safest                  </PROD-TLS-KEY-PASS>
       # YES = This is communicating through a Guardian
       <FX-LOAD-BALANCE>       NO                      </FX-LOAD-BALANCE>
   </HSM>
   ```

   | Field | Description |
   |---|---|
   | `<SLOT>` | Leave it set to the default value of 0. |
   | `<LABEL>` | Leave it set to the default value of Futurex. |
   | `<CRYPTO-OPR>` | Specify the name of the identity created for the application partition. |
   | `<CRYPTO-OPR-PASS>` | Specify the password of the identity configured in the `<CRYPTO-OPR>` field. You can use this to log the application into the HSM automatically, if necessary. |
   | `<ADDRESS>` | Specify the IP address of the HSM to which the PKCS #11 library should connect. |
   | `<PROD-PORT>` | Set the port number of the HSM that the FXPKCS11 library should connect to. |
   | `<PROD-TLS-ENABLED>` | Set the field to YES. |
   | `<PROD-TLS-ANONYMOUS>` | Defines whether the FXPKCS11 library authenticates to the server. |
   | `<PROD-TLS-KEY>` | Set the location of the client private key. Supported formats for the TLS private key are PKCS #1 clear private keys, PKCS #8 encrypted private keys, and a PKCS #12 file containing the private key and certificates encrypted under a password. Because the `<PROD-TLS-KEY>` field in this example defines the PKCS #12 file, you do not need to define the signed client certificate with the `<PROD-TLS-CERT>` tag, nor the CA certificates with one or more instances of the `<PROD-TLS-CA>` tag. |
   | `<PROD-TLS-KEY-PASS>` | Set the password of the PKCS #12 file, if necessary. |
   | `<FX-LOAD-BALANCE>` | If you use a Guardian to manage HSM devices in a cluster, set this field to YES. If you do not use a Guardian, set it to NO. |

6. Run the following command to start the Oracle Database container and bind-mount all of the FXPKCS11 files needed for FXPKCS11 to connect to the Vectera Plus. You must run this command from the same directory that stores the extracted `fxpkcs11` directory. If the TLS certificates for authentication with the Vectera Plus are not stored in the `/home/oracle/pki` directory on your system, modify the third `-v` flag in your command to reflect their location.

   ```
   docker run -d \
     -v $(pwd)/fxpkcs11.cfg:/etc/fxpkcs11.cfg \
     -v $(pwd)/fxpkcs11/x64/${OPENSSL_VERSION}/libfxpkcs11.so:/opt/oracle/extapi/64/hsm/futurex/${PKCS_VERSION}/libfxpkcs11.so \
     -v /home/oracle/pki:/pki \
     -p 1521:1521 \
     -p 5500:5500 \
     -e ORACLE_SID=test \
     -e ORACLE_PWD=password123 \
     -v data:/opt/oracle/oradata \
     --name tde \
     oracle/database:19.3.0-ee
   ```

   The preceding command takes 10 to 20 minutes to complete, depending on your system resources.

7. After the Oracle Database container is up and running, run the following command to connect to the container file system:

   ```
   docker exec -it tde /bin/bash
   ```

8. Modify the `/opt/oracle/product/19c/dbhome_1/network/admin/sqlnet.ora` file to the following and save it:

   ```
   NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT, HOSTNAME)
   WALLET_LOCATION=(SOURCE=(METHOD=HSM)(METHOD_DATA=(DIRECTORY=/opt/oracle/admin/wallet)))
   ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM)(METHOD_DATA=(DIRECTORY=/opt/oracle/admin/wallet)))
   WALLET_ROOT=/opt/oracle/admin/wallet
   ```

9. Connect to the database:

   ```
   sqlplus sys/password123@test as sysdba
   ```

10. Create the master encryption key for TDE:

    ```
    SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "safest";
    ```

    If the operation succeeds, you see the following response:

    ```
    System altered
    ```
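As an added check for the `<HSM>` section of `fxpkcs11.cfg` described above (example code written for this page, not part of Futurex's or Oracle's software), the following Python script parses the section and reports settings that would weaken the link between the database and the HSM: TLS disabled, anonymous TLS, an active `<CRYPTO-OPR-PASS>` line storing the identity password in cleartext, a placeholder still in `<CRYPTO-OPR>`, or a non-PKCS #12 private key without the `<PROD-TLS-CERT>` and `<PROD-TLS-CA>` tags the page says are then required. The two configurations embedded in it are constructed samples; the identity name, address and key paths are made up, and the tag names are the ones shown in the configuration example in this section.

```python
"""Audit the <HSM> section of an fxpkcs11.cfg file for the settings that
matter when Oracle TDE keeps its master encryption key on the HSM."""
import re
import sys

# Constructed sample mirroring the <HSM> block shown in this section; the
# identity name, address and key path are made-up values for the example.
SAMPLE_CFG = """\
<HSM>
    # Which PKCS11 slot
    <SLOT>                  0                       </SLOT>
    <LABEL>                 Futurex                 </LABEL>
    # HSM crypto operator user name
    <CRYPTO-OPR>            oracle_tde              </CRYPTO-OPR>
    # Automatically login on session open
    #<CRYPTO-OPR-PASS>      [identity_password]     </CRYPTO-OPR-PASS>
    # Connection information
    <ADDRESS>               10.0.8.30               </ADDRESS>
    <PROD-PORT>             9100                    </PROD-PORT>
    <PROD-TLS-ENABLED>      YES                     </PROD-TLS-ENABLED>
    <PROD-TLS-ANONYMOUS>    NO                      </PROD-TLS-ANONYMOUS>
    # <PROD-TLS-CA>         /home/user/tls/root.pem </PROD-TLS-CA>
    <PROD-TLS-KEY>          /home/user/tls/PKI.p12  </PROD-TLS-KEY>
    <PROD-TLS-KEY-PASS>     safest                  </PROD-TLS-KEY-PASS>
    # YES = This is communicating through a Guardian
    <FX-LOAD-BALANCE>       NO                      </FX-LOAD-BALANCE>
</HSM>
"""

# Constructed weakened variant: anonymous TLS, the identity password left
# active in the file, and a PEM key without the client cert / CA tags.
WEAK_CFG = """\
<HSM>
    <SLOT>                  0                       </SLOT>
    <CRYPTO-OPR>            oracle_tde              </CRYPTO-OPR>
    <CRYPTO-OPR-PASS>       hunter2                 </CRYPTO-OPR-PASS>
    <ADDRESS>               10.0.8.30               </ADDRESS>
    <PROD-PORT>             9100                    </PROD-PORT>
    <PROD-TLS-ENABLED>      YES                     </PROD-TLS-ENABLED>
    <PROD-TLS-ANONYMOUS>    YES                     </PROD-TLS-ANONYMOUS>
    <PROD-TLS-KEY>          /home/user/tls/client.key </PROD-TLS-KEY>
</HSM>
"""

# One "<TAG> value </TAG>" line, optionally commented out with a leading '#'.
TAG_RE = re.compile(r"^\s*(#?)\s*<([A-Z0-9-]+)>\s*(.*?)\s*</\2>\s*$")


def parse_hsm_section(cfg_text):
    """Return (active, commented): active maps each uncommented tag inside
    <HSM>...</HSM> to the list of its values (tags such as PROD-TLS-CA may
    repeat); commented is the set of tags that appear only as '#' comments."""
    active, commented, in_hsm = {}, set(), False
    for line in cfg_text.splitlines():
        stripped = line.strip()
        if stripped == "<HSM>":
            in_hsm = True
            continue
        if stripped == "</HSM>":
            break
        if not in_hsm:
            continue
        m = TAG_RE.match(line)
        if not m:
            continue  # free-text comment or blank line
        hashed, tag, value = m.groups()
        if hashed:
            commented.add(tag)
        else:
            active.setdefault(tag, []).append(value)
    return active, commented


def audit_hsm_section(cfg_text):
    """Return a list of findings; an empty list means the section passes."""
    active, _commented = parse_hsm_section(cfg_text)
    findings = []

    def first(tag):
        return active.get(tag, [""])[0].strip()

    for tag in ("CRYPTO-OPR", "ADDRESS", "PROD-PORT"):
        if not first(tag) or first(tag).startswith("["):
            findings.append(f"{tag} is missing or still holds a [placeholder]")
    if first("PROD-TLS-ENABLED").upper() != "YES":
        findings.append("PROD-TLS-ENABLED must be YES: traffic to the HSM would not be TLS-protected")
    if first("PROD-TLS-ANONYMOUS").upper() != "NO":
        findings.append("PROD-TLS-ANONYMOUS must be NO so the library authenticates to the HSM")
    if "CRYPTO-OPR-PASS" in active:
        findings.append("CRYPTO-OPR-PASS is active: the identity password is stored in cleartext in fxpkcs11.cfg")
    key = first("PROD-TLS-KEY")
    if not key:
        findings.append("PROD-TLS-KEY is missing: no client key for mutual TLS")
    elif not key.lower().endswith(".p12") and not (first("PROD-TLS-CERT") and active.get("PROD-TLS-CA")):
        findings.append("PROD-TLS-KEY is not a PKCS #12 bundle, so PROD-TLS-CERT and at least one PROD-TLS-CA must also be set")
    return findings


if __name__ == "__main__":
    # Audit a real file if a path is given, otherwise the two embedded samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            targets = {sys.argv[1]: fh.read()}
    else:
        targets = {"SAMPLE_CFG": SAMPLE_CFG, "WEAK_CFG": WEAK_CFG}
    for name, text in targets.items():
        result = audit_hsm_section(text)
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

Run it with the path to your `fxpkcs11.cfg` to audit the real file; without arguments it reports on the two embedded samples, passing the first and listing three findings for the second. The parser treats a tag as active only when it is not preceded by `#`, which is exactly how the commented-out `<CRYPTO-OPR-PASS>` line in the page's example stays inert.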