Opening the wallet or hardware keystore

1min
The security administrator must make the  accessible to the database before Oracle TDE can perform any encryption or decryption. This is comparable to opening the Oracle wallet or logging in to the hardware keystore. You can open the wallet or hardware keystore manually or automatically, but the manual option requires you to re-enable access to the HSM every time the database is restarted.
Select one of the following methods and perform the instructions:
Manual
Automatic - Windows
Automatic - Linux
1
Run the following command to manually open the hardware keystore, making the HSM accessible:
SQL
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "HSM_Identity_Password";
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "HSM_Identity_Password";
﻿
2
Optionally, disable access with the following command:
SQL
SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "HSM_Identity_Password";
SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "HSM_Identity_Password";
﻿
You must re-enable access to the HSM every time you restart the database instance with the manual option.
An auto-login wallet stores the HSM credentials in an auto-login software keystore. This configuration reduces the system security, but it supports unmanned or automated operations. Also, it helps with deployments that require the HSM to re-login automatically.
1
Create the C:\WALLET\tde directory path.
2
Set the WALLET_ROOT parameter to the WALLETS directory created in the first step.
SQL
SQL> ALTER SYSTEM SET WALLET_ROOT = 'C:\WALLET\tde' SCOPE=SPFILE;
SQL> ALTER SYSTEM SET WALLET_ROOT = 'C:\WALLET\tde' SCOPE=SPFILE;
﻿
3
Set the TDE_CONFIGURATION parameter to FILE for the KEYSTORE_CONFIGURATION.
SQL
SQL> ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE=SPFILE;
SQL> ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE=SPFILE;
﻿
4
Stop and restart the database after setting the WALLET_ROOT and TDE_CONFIGURATION parameters.
SQL
SQL> SHUTDOWN IMMEDIATE;

SQL> STARTUP;
SQL> SHUTDOWN IMMEDIATE;

SQL> STARTUP;
﻿
5
If you have not migrated from a software keystore, create the software keystore with the hardware keystore password in the appropriate location (such as C:\WALLETS\tde).
SQL
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "Software_Keystore_Password";
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "Software_Keystore_Password";
﻿
Set the Software_Keystore_Password value to any password you choose.
6
Open the new software keystore with the following command:
SQL
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Software_Keystore_Password";
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Software_Keystore_Password";
﻿
7
Add the secret to the software keystore. The secret is the HSM identity password, and the client is HSM_PASSWORD. HSM_PASSWORD is an Oracle-defined client name representing the HSM password as a secret in the software keystore.
SQL
SQL> ADMINISTER KEY MANAGEMENT ADD SECRET 'HSM_Identity_Password' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "Software_Keystore_Password" WITH BACKUP;
SQL> ADMINISTER KEY MANAGEMENT ADD SECRET 'HSM_Identity_Password' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "Software_Keystore_Password" WITH BACKUP;
﻿
You must provide the secret and HSM_PASSWORD values within single quotes, or the command fails.
8
Create a new auto-login keystore by using the password of the Oracle software wallet.
SQL
SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "Software_Keystore_Password";
SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "Software_Keystore_Password";
﻿
9
Reset the TDE_CONFIGURATION parameter to HSM|FILE for the KEYSTORE_CONFIGURATION.
SQL
SQL> ALTER SYSTEM SET TDE_CONFIGURATION = 'KEYSTORE_CONFIGURATION=HSM|FILE' SCOPE=SPFILE;
SQL> ALTER SYSTEM SET TDE_CONFIGURATION = 'KEYSTORE_CONFIGURATION=HSM|FILE' SCOPE=SPFILE;
﻿
10
Stop and restart the database after setting the TDE_CONFIGURATION parameter.
SQL
SQL> SHUTDOWN IMMEDIATE;

SQL> STARTUP;
SQL> SHUTDOWN IMMEDIATE;

SQL> STARTUP;
﻿
11
At this stage, the hardware security module auto-login keystore opens automatically the next time a TDE operation executes. To confirm that the auto-login wallet is working, run the following query:
SQL
SQL> SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
SQL> SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
﻿
If the auto-login wallet was configured properly, the following output appears:
SQL
WRL_TYPE | WRL_PARAMETER          | WALLET_TYPE | STATUS
---------+------------------------+-------------+---------------------
FILE     | C:\WALLET\TDE\tde\     | AUTOLOGIN   | OPEN_NO_MASTER_KEY
HSM      |                        | HSM         | OPEN
WRL_TYPE | WRL_PARAMETER          | WALLET_TYPE | STATUS
---------+------------------------+-------------+---------------------
FILE     | C:\WALLET\TDE\tde\     | AUTOLOGIN   | OPEN_NO_MASTER_KEY
HSM      |                        | HSM         | OPEN
﻿
An auto-login wallet stores the HSM credentials in an auto-login software keystore. This configuration reduces the system security, but it supports unmanned or automated operations. Also, it helps with deployments that require the HSM to re-login automatically.
1
Create the /etc/ORACLE/WALLETS/tde directory path by using the mkdir command:
Shell
$ sudo mkdir -p /etc/ORACLE/WALLETS/tde
$ sudo mkdir -p /etc/ORACLE/WALLETS/tde
﻿
2
Change ownership of the /etc/ORACLE directory to the Oracle user.
Shell
$ chown -R oracle:oinstall /etc/ORACLE
$ chown -R oracle:oinstall /etc/ORACLE
﻿
3
Set the WALLET_ROOT parameter to the WALLETS directory created in the first step.
SQL
SQL> ALTER SYSTEM SET WALLET_ROOT = '/etc/ORACLE/WALLETS' SCOPE=SPFILE;
SQL> ALTER SYSTEM SET WALLET_ROOT = '/etc/ORACLE/WALLETS' SCOPE=SPFILE;
﻿
4
Set the TDE_CONFIGURATION parameter to FILE for the KEYSTORE_CONFIGURATION.
SQL
SQL> ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE=SPFILE;
SQL> ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE=SPFILE;
﻿
5
Stop and restart the database after setting the WALLET_ROOT and TDE_CONFIGURATION parameters.
SQL
SQL> SHUTDOWN IMMEDIATE;

SQL> STARTUP;
SQL> SHUTDOWN IMMEDIATE;

SQL> STARTUP;
﻿
6
If you have not migrated from a software keystore, create the software keystore with the hardware keystore password in the appropriate location (such as /etc/ORACLE/WALLETS/tde).
SQL
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "Software_Keystore_Password";
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "Software_Keystore_Password";
﻿
Set the Software_Keystore_Password value to any password you choose.
7
Open the new software keystore with the following command:
SQL
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Software_Keystore_Password";
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Software_Keystore_Password";
﻿
8
Add the secret to the software keystore. The secret is the HSM identity password, and client is HSM_PASSWORD. HSM_PASSWORD is an Oracle-defined client name representing the HSM password as a secret in the software keystore.
SQL
SQL> ADMINISTER KEY MANAGEMENT ADD SECRET 'HSM_Identity_Password' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "Software_Keystore_Password" WITH BACKUP;
SQL> ADMINISTER KEY MANAGEMENT ADD SECRET 'HSM_Identity_Password' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "Software_Keystore_Password" WITH BACKUP;
﻿
You must provide the secret and HSM_PASSWORD values within single quotes, or the command fails.
9
Create a new auto-login keystore by using the password of the Oracle software wallet.
SQL
SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "Software_Keystore_Password";
SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "Software_Keystore_Password";
﻿
10
Reset the TDE_CONFIGURATION parameter to HSM|FILE for the KEYSTORE_CONFIGURATION.
SQL
SQL> ALTER SYSTEM SET TDE_CONFIGURATION = 'KEYSTORE_CONFIGURATION=HSM|FILE' SCOPE=SPFILE;
SQL> ALTER SYSTEM SET TDE_CONFIGURATION = 'KEYSTORE_CONFIGURATION=HSM|FILE' SCOPE=SPFILE;
﻿
11
Stop and restart the database after setting the TDE_CONFIGURATION parameter.
SQL
SQL> SHUTDOWN IMMEDIATE;

SQL> STARTUP;
SQL> SHUTDOWN IMMEDIATE;

SQL> STARTUP;
﻿
12
At this stage, the hardware security module auto-login keystore opens automatically the next time a TDE operation executes. To confirm that the auto-login wallet is working, run the following query:
SQL
SQL> SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
SQL> SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
﻿
If the auto-login wallet was configured properly, the following output appears:
SQL
WRL_TYPE | WRL_PARAMETER               | WALLET_TYPE | STATUS
---------+-----------------------------+-------------+---------------------
FILE     | /etc/ORACLE/WALLETS/tde/    | AUTOLOGIN   | OPEN_NO_MASTER_KEY
HSM      |                             | HSM         | OPEN
WRL_TYPE | WRL_PARAMETER               | WALLET_TYPE | STATUS
---------+-----------------------------+-------------+---------------------
FILE     | /etc/ORACLE/WALLETS/tde/    | AUTOLOGIN   | OPEN_NO_MASTER_KEY
HSM      |                             | HSM         | OPEN
﻿
﻿
Generate a TDE Master Encryption Key on the Vectera Plus
Appendix: Migrate from a software keystore to an HSM keystore