# Generate a TDE master encryption key on the KMES Series 3
To configure Oracle Database 19c TDE with an HSM, refer to the following Oracle knowledge base article for Oracle Database 19c: https://docs.oracle.com/en/database/oracle/oracle-database/19/asoag/configuring-transparent-data-encryption.html

This section provides a very basic example of configuring Oracle TDE with an HSM by using PKCS #11. However, there are many nuances in an Oracle Database environment, so the following steps do not apply directly to all situations and implementations. Use this section only as a general guide, and thoroughly consult the preceding Oracle documentation link before implementing Oracle TDE with an HSM in your environment.

To use HSM-based encryption, you must generate a master encryption key (MEK), which you store on the {{k}}. TDE uses the MEK to encrypt and decrypt the Oracle table keys.

This section covers two Oracle Database implementations: a standard implementation with Oracle Database running on a server or desktop, and one with Oracle Database running in a Docker container.

## Standard implementation

Choose one of the following operating systems for the standard implementation.

### Linux

This implementation uses the oraenv tool to set up the Oracle Database environment for the current session and enable the sqlplus command. To set the Oracle environment, perform the steps in this section. When prompted, specify the system ID (SID) for the instance (orcl in this example), or use the default value indicated between the brackets in line 4 of step 1 in the following process. All instances on the system require a unique SID.

1. Set the Oracle environment with the following commands:

   ```shell
   su oracle
   cd /usr/local/bin
   . ./oraenv
   ORACLE_SID = [oracle] ? orcl
   ```

   If it succeeds, the command returns the following message:

   ```
   The Oracle base has been set to /home/oracle/app/oracle
   ```

2. Run the following command to connect to the database:

   ```shell
   sqlplus / as sysdba
   ```

3. Run the following command to start the Oracle instance:

   ```sql
   SQL> STARTUP
   ```

4. Run the following command to set the static WALLET_ROOT parameter, which sets the location of the keystore you plan to use. You must set the WALLET_ROOT parameter even if you do not use a keystore.

   ```sql
   SQL> ALTER SYSTEM SET WALLET_ROOT = '/opt/oracle/extapi/64/hsm/futurex/4.45/libfxpkcs11.so' SCOPE=SPFILE;
   ```

5. Stop and restart the database after setting the WALLET_ROOT parameter:

   ```sql
   SQL> SHUTDOWN IMMEDIATE;
   SQL> STARTUP;
   ```

6. Set the dynamic TDE_CONFIGURATION parameter, which sets the type of keystore you plan to use:

   ```sql
   SQL> ALTER SYSTEM SET TDE_CONFIGURATION='KEYSTORE_CONFIGURATION=HSM' SCOPE=BOTH SID='*';
   ```

7. Stop and restart the database after setting the TDE_CONFIGURATION parameter:

   ```sql
   SQL> SHUTDOWN IMMEDIATE;
   SQL> STARTUP;
   ```

8. Run the following command to open the hardware keystore with the password of the user created on the {{k}}:

   ```sql
   SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "kmes_user_password";
   ```

9. Run the following command to create the TDE master encryption key with the password of the user created on the {{k}}:

   ```sql
   SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "kmes_user_password";
   ```

   If you are migrating a previously configured TDE master encryption key, refer to this article.

   If successful, the following message appears:

   ```
   System altered.
   ```

If the database contains columns encrypted with a public key, the Oracle table key decrypts and re-encrypts the columns. The AES symmetric key generated by HSM-based TDE encrypts and decrypts the Oracle table key.

### Windows

1. Open a Command Prompt window as administrator.

2. Run the following command to connect to the database:

   ```shell
   sqlplus / as sysdba
   ```

3. Run the following command to start the Oracle instance:

   ```sql
   SQL> STARTUP
   ```

4. Run the following command to set the static WALLET_ROOT parameter, which sets the location of the keystore you plan to use. You must set the WALLET_ROOT parameter even if you do not use a keystore.

   ```sql
   SQL> ALTER SYSTEM SET WALLET_ROOT = 'C:\oracle\extapi\64\hsm\futurex\5.4.0\fxpkcs11.dll' SCOPE=SPFILE;
   ```

5. Stop and restart the database after setting the WALLET_ROOT parameter:

   ```sql
   SQL> SHUTDOWN IMMEDIATE;
   SQL> STARTUP;
   ```

6. Set the dynamic TDE_CONFIGURATION parameter, which sets the type of keystore you plan to use:

   ```sql
   SQL> ALTER SYSTEM SET TDE_CONFIGURATION='KEYSTORE_CONFIGURATION=HSM' SCOPE=BOTH SID='*';
   ```

7. Stop and restart the database after setting the TDE_CONFIGURATION parameter:

   ```sql
   SQL> SHUTDOWN IMMEDIATE;
   SQL> STARTUP;
   ```

8. Run the following command to open the hardware keystore with the password of the user created on the {{k}}:

   ```sql
   SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "kmes_user_password";
   ```

9. Run the following command to create the TDE master encryption key with the password of the user created on the {{k}}:

   ```sql
   SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "kmes_user_password";
   ```

   If you are migrating a previously configured TDE master encryption key, refer to this article.

   If successful, the following message appears:

   ```
   System altered.
   ```

Keys generated on the {{k3}} have names beginning with something similar to ORACLE.TDE.HSM.MK. You can view them in the key group under Key Management > Keys.

If the database contains columns encrypted with a public key, the Oracle table key decrypts and re-encrypts the columns. The AES symmetric key generated by HSM-based TDE encrypts and decrypts the Oracle table key.

## Docker container implementation

Use the following steps to configure the {{futurex}} PKCS #11 (fxpkcs11) library to work with an Oracle Database Docker container. For instructions on how to build and run Oracle Database in a Docker container, refer to the Oracle documentation.

1. On the host computer that runs the Oracle Database container, open a terminal and go to the location where you saved the Oracle Database private key, tls_skey.pem. Run the following command to make the Oracle Database private key readable and executable for all users:

   ```shell
   chmod 555 tls_skey.pem
   ```

2. Set the OpenSSL version that matches your container in the OPENSSL_VERSION environment variable.

   If your Oracle Database 19c uses the official Oracle Database container images repository on GitHub (https://github.com/oracle/docker-images/blob/main/OracleDatabase), run the following command, because that container image is based on Oracle Linux 7, which is OpenSSL 1.0 based:

   ```shell
   OPENSSL_VERSION=OpenSSL-1.0.x
   ```

   If your Oracle Database runs in a container based on OpenSSL 1.1, run the following command:

   ```shell
   OPENSSL_VERSION=OpenSSL-1.1.x
   ```

3. Download one of the following {{futurex}} PKCS #11 (fxpkcs11) library installations from the {{futurex}} portal:

   - If your container is based on OpenSSL 1.0, download the fxpkcs11-redhat-4.xx.xxxx.tar file.
   - If your container is based on OpenSSL 1.1, download the fxpkcs11-redhat8-4.xx.xxxx.tar file.

4. Run the following commands to extract the fxpkcs11 library and save its version in the PKCS_VERSION environment variable:

   ```shell
   tar xvf fxpkcs11.tar
   PKCS_VERSION=$(grep -r INCLUDE= info.version | awk 'NR==2{print $2}')
   ```

5. Edit the fxpkcs11.cfg file to allow the fxpkcs11 library to connect to the {{k3}}. Set the following fields in the `<KMS>` section:

   ```
   <KMS>
      # Which PKCS11 slot
      <SLOT>                 0                               </SLOT>
      <LABEL>                Futurex                         </LABEL>
      # HSM crypto operator user name
      <CRYPTO-OPR>           crypto1                         </CRYPTO-OPR>
      # Key group name
      <KEYGROUP-NAME>        OracleTDE                       </KEYGROUP-NAME>
      # Connection information
      <ADDRESS>              10.0.8.30                       </ADDRESS>
      <PROD-PORT>            2001                            </PROD-PORT>
      <PROD-TLS-ENABLED>     YES                             </PROD-TLS-ENABLED>
      <PROD-TLS-ANONYMOUS>   NO                              </PROD-TLS-ANONYMOUS>
      <PROD-TLS-CA>          /home/oracle/pki/tls_ca.pem     </PROD-TLS-CA>
      <PROD-TLS-CERT>        /home/oracle/pki/tls_cert.pem   </PROD-TLS-CERT>
      <PROD-TLS-KEY>         /home/oracle/pki/tls_skey.pem   </PROD-TLS-KEY>
      #<PROD-TLS-KEY-PASS>   safest                          </PROD-TLS-KEY-PASS>
      # YES = This is communicating through a Guardian
      <FX-LOAD-BALANCE>      NO                              </FX-LOAD-BALANCE>
   </KMS>
   ```

   | Field | Description |
   |---|---|
   | `<SLOT>` | Can be left at the default value of 0. |
   | `<CRYPTO-OPR>` | Specify the name of the identity created on the {{k}}. |
   | `<KEYGROUP-NAME>` | Specify the name of the key group that you created on the {{k}}. |
   | `<ADDRESS>` | Specify the IP address of the {{k}} to which the PKCS #11 library should connect. |
   | `<PROD-PORT>` | Set the PKCS #11 library to connect to the default Host API port on the {{k}}, port 2001. |
   | `<PROD-TLS-ENABLED>` | Set the field to YES. The only way to connect to the Host API port on the {{k}} is over TLS. |
   | `<PROD-TLS-ANONYMOUS>` | Set this value to NO because you're connecting to the Host API port by using mutual authentication. This field defines whether the PKCS #11 library authenticates to the {{k}}. |
   | `<PROD-TLS-CA>` | Specify the path to where you saved the tls_ca.pem file. |
   | `<PROD-TLS-CERT>` | Specify the path to where you saved the tls_cert.pem file. |
   | `<PROD-TLS-KEY>` | Specify the path to where you saved the tls_skey.pem file. |
   | `<PROD-TLS-KEY-PASS>` | This field should remain commented out because a password was not set for the client private key. |
   | `<FX-LOAD-BALANCE>` | Set it to the default value of NO. |

6. Run the following command to start the Oracle Database container and bind-mount all of the fxpkcs11 files needed for fxpkcs11 to connect to the {{k3}}. The command takes up to 20 minutes to complete, and you must run it from the same directory where you extracted the fxpkcs11 directory. If the TLS certificates for authentication with the {{k3}} are not stored in the /home/oracle/pki directory on your system, modify the third -v flag in your command to reflect this.

   ```shell
   docker run -d \
     -v $(pwd)/fxpkcs11.cfg:/etc/fxpkcs11.cfg \
     -v $(pwd)/fxpkcs11/x64/${OPENSSL_VERSION}/libfxpkcs11.so:/opt/oracle/extapi/64/hsm/futurex/${PKCS_VERSION}/libfxpkcs11.so \
     -v /home/oracle/pki:/pki \
     -p 1521:1521 \
     -p 5500:5500 \
     -e ORACLE_SID=test \
     -e ORACLE_PWD=password123 \
     -v data:/opt/oracle/oradata \
     --name tde \
     oracle/database:19.3.0-ee
   ```

7. After the Oracle Database container is running, run the following command to connect to the container file system:

   ```shell
   docker exec -it tde /bin/bash
   ```

8. Modify the /opt/oracle/product/19c/dbhome_1/network/admin/sqlnet.ora file as shown in the following example, and save it:

   ```
   NAMES.DIRECTORY_PATH=(TNSNAMES, EZCONNECT, HOSTNAME)
   WALLET_LOCATION=(SOURCE=(METHOD=HSM)(METHOD_DATA=(DIRECTORY=/opt/oracle/admin/wallet)))
   ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM)(METHOD_DATA=(DIRECTORY=/opt/oracle/admin/wallet)))
   WALLET_ROOT=/opt/oracle/admin/wallet
   ```

9. Run the following command to connect to the database:

   ```shell
   sqlplus sys/password123@test as sysdba
   ```

10. Run the following command to create the master encryption key for TDE:

    ```sql
    SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "safest";
    ```

    If it succeeds, the following message appears:

    ```
    System altered.
    ```
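As an added example (not Futurex's code and not part of the procedure above), the following POSIX shell script checks an fxpkcs11.cfg before the `docker run` step: it confirms that the `<KMS>` section enforces TLS with mutual authentication to the Host API port 2001, that `<ADDRESS>`, `<PROD-TLS-CA>`, `<PROD-TLS-CERT>` and `<PROD-TLS-KEY>` are filled in, and that `<PROD-TLS-KEY-PASS>` is still commented out, so a misconfigured file is caught on the host rather than as a failed keystore open inside the container. The field names are those of the cfg shown earlier; the two sample configs the script writes are constructed for the demonstration, and the function names `cfg_field`, `check_fxpkcs11_cfg` and `write_demo_cfg` are chosen here.

```shell
#!/bin/sh
# Added example, not Futurex's code: pre-flight check of the <KMS> section of an
# fxpkcs11.cfg before the Oracle container is started. Function names are
# chosen here; the sample configs below are constructed for the demonstration.

# Print the value of one "<TAG> value </TAG>" field; commented-out lines are ignored.
cfg_field() {  # usage: cfg_field FILE TAG
    grep -v '^[[:space:]]*#' "$1" |
        sed -n "s|.*<$2>[[:space:]]*\([^[:space:]<]*\)[[:space:]]*</$2>.*|\1|p" |
        head -n 1
}

# Return 0 when the file enforces mutually authenticated TLS to the Host API
# port and names the HSM address, CA, client certificate and client key;
# otherwise print each problem found and return 1.
check_fxpkcs11_cfg() {  # usage: check_fxpkcs11_cfg FILE
    cfg=$1; rc=0
    [ "$(cfg_field "$cfg" PROD-TLS-ENABLED)" = YES ] ||
        { echo "PROD-TLS-ENABLED must be YES: the Host API port is TLS-only"; rc=1; }
    [ "$(cfg_field "$cfg" PROD-TLS-ANONYMOUS)" = NO ] ||
        { echo "PROD-TLS-ANONYMOUS must be NO: the library must authenticate to the HSM"; rc=1; }
    [ "$(cfg_field "$cfg" PROD-PORT)" = 2001 ] ||
        { echo "PROD-PORT is not the default Host API port 2001"; rc=1; }
    for tag in ADDRESS PROD-TLS-CA PROD-TLS-CERT PROD-TLS-KEY; do
        [ -n "$(cfg_field "$cfg" "$tag")" ] || { echo "$tag is empty"; rc=1; }
    done
    # An uncommented PROD-TLS-KEY-PASS sends a key password that a client key
    # created without one does not need; the page keeps this field commented out.
    if grep -q '^[[:space:]]*<PROD-TLS-KEY-PASS>' "$cfg"; then
        echo "PROD-TLS-KEY-PASS is active; keep it commented out for a client key without a password"; rc=1
    fi
    return $rc
}

# Write a constructed sample config: "good" mirrors the page's <KMS> section,
# "bad" enables anonymous TLS and uncomments the key-password field.
write_demo_cfg() {  # usage: write_demo_cfg FILE good|bad
    if [ "$2" = good ]; then anon=NO; pass='#<PROD-TLS-KEY-PASS>'
    else anon=YES; pass='<PROD-TLS-KEY-PASS>'; fi
    cat > "$1" <<EOF
<KMS>
   # Which PKCS11 slot
   <SLOT>                 0                               </SLOT>
   <LABEL>                Futurex                         </LABEL>
   <CRYPTO-OPR>           crypto1                         </CRYPTO-OPR>
   <KEYGROUP-NAME>        OracleTDE                       </KEYGROUP-NAME>
   <ADDRESS>              10.0.8.30                       </ADDRESS>
   <PROD-PORT>            2001                            </PROD-PORT>
   <PROD-TLS-ENABLED>     YES                             </PROD-TLS-ENABLED>
   <PROD-TLS-ANONYMOUS>   $anon                           </PROD-TLS-ANONYMOUS>
   <PROD-TLS-CA>          /home/oracle/pki/tls_ca.pem     </PROD-TLS-CA>
   <PROD-TLS-CERT>        /home/oracle/pki/tls_cert.pem   </PROD-TLS-CERT>
   <PROD-TLS-KEY>         /home/oracle/pki/tls_skey.pem   </PROD-TLS-KEY>
   $pass   safest                          </PROD-TLS-KEY-PASS>
   <FX-LOAD-BALANCE>      NO                              </FX-LOAD-BALANCE>
</KMS>
EOF
}

# Demonstration on the two constructed files.
demo=$(mktemp -d)
write_demo_cfg "$demo/good.cfg" good
write_demo_cfg "$demo/bad.cfg" bad
check_fxpkcs11_cfg "$demo/good.cfg" && echo "good.cfg: ready for docker run"
check_fxpkcs11_cfg "$demo/bad.cfg" || echo "bad.cfg: fix the problems above first"
```

Point `check_fxpkcs11_cfg` at the real fxpkcs11.cfg in the directory you run `docker run` from; a non-zero exit with the printed problems is the cue to fix the `<KMS>` section before the container's first start.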