Open the wallet or hardware keystore

3min
The security administrator must make the  accessible to the database before Oracle TDE can perform any encryption or decryption. This is comparable to opening the Oracle wallet or logging in to the hardware keystore. You can open the wallet or hardware keystore manually or automatically, but with the manual option, you must re-enable access to the  every time you restart the database. The following sections describe these methods.
Manual option
 If using the manual option, you must run the following OPEN command to access the  every time you restart the database instance.
1
Run the following command to open the hardware keystore manually, thus making the  accessible:
SQL
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "KMES_User_Password";
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "KMES_User_Password";
﻿
2
You can disable access with the following command:
SQL
SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "KMES_User_Password";
SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "KMES_User_Password";
﻿
Automatic option
Choose one of the following operating systems to use the automatic option:
An auto-login wallet stores the  credentials in an auto-login software keystore. This configuration reduces the security of the system as a whole. However, this configuration supports unmanned or automated operations and is useful in deployments that require automatic re-login to the .
Linux
Windows
1
Run the following command to create the /etc/ORACLE/WALLETS/tde directory path:
Shell
sudo mkdir -p /etc/ORACLE/WALLETS/tde
sudo mkdir -p /etc/ORACLE/WALLETS/tde
﻿
2
Run the following command to change ownership of the /etc/ORACLE directory to the Oracle user:
Shell
chown -R oracle:oinstall /etc/ORACLE
chown -R oracle:oinstall /etc/ORACLE
﻿
3
Run the following command to set the WALLET_ROOT parameter to the WALLETS directory created in the first step:
SQL
SQL> ALTER SYSTEM SET WALLET_ROOT = '/etc/ORACLE/WALLETS' SCOPE=SPFILE;
SQL> ALTER SYSTEM SET WALLET_ROOT = '/etc/ORACLE/WALLETS' SCOPE=SPFILE;
﻿
4
Run the following command to set the TDE_CONFIGURATION parameter to FILE for the KEYSTORE_CONFIGURATION:
SQL
SQL> ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE=SPFILE;
SQL> ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE=SPFILE;
﻿
5
Run the following command to stop and start the database after setting the WALLET_ROOT and TDE_CONFIGURATION parameters:
SQL
SQL> SHUTDOWN IMMEDIATE;

SQL> STARTUP;
SQL> SHUTDOWN IMMEDIATE;

SQL> STARTUP;
﻿
6
If you have not migrated from a software keystore, run the following command to create the software keystore with the hardware keystore password (any password you choose) in the appropriate location (such as /etc/ORACLE/WALLETS/tde):
SQL
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "Software_Keystore_Password";
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "Software_Keystore_Password";
﻿
7
Run the following command to open the new software keystore:
SQL
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Software_Keystore_Password";
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Software_Keystore_Password";
﻿
8
Run the following command to add the secret to the software keystore. The secret is the  user password, and client is HSM_PASSWORD. HSM_PASSWORD is an Oracle-defined client name that represents the HSM password as a secret in the software keystore.
You must provide the secret and HSM_PASSWORD values within single quotes or the command fails.
SQL
SQL> ADMINISTER KEY MANAGEMENT ADD SECRET 'KMES_User_Password' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "Software_Keystore_Password" WITH BACKUP;
SQL> ADMINISTER KEY MANAGEMENT ADD SECRET 'KMES_User_Password' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "Software_Keystore_Password" WITH BACKUP;
﻿
9
Run the following command to create a new auto-login keystore by using the password of the Oracle software wallet:
SQL
SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "Software_Keystore_Password";
SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "Software_Keystore_Password";
﻿
10
Run the following command to re-set the TDE_CONFIGURATION parameter to HSM|FILE for the KEYSTORE_CONFIGURATION:
SQL
SQL> ALTER SYSTEM SET TDE_CONFIGURATION = 'KEYSTORE_CONFIGURATION=HSM|FILE' SCOPE=SPFILE;
SQL> ALTER SYSTEM SET TDE_CONFIGURATION = 'KEYSTORE_CONFIGURATION=HSM|FILE' SCOPE=SPFILE;
﻿
11
Run the following command to stop and start the database after setting the TDE_CONFIGURATION parameter:
SQL
SQL> SHUTDOWN IMMEDIATE;

SQL> STARTUP;
SQL> SHUTDOWN IMMEDIATE;

SQL> STARTUP;
﻿
12
At this stage, the hardware security module auto-login keystore opens automatically the next time a TDE operation executes. To confirm that the auto-login wallet is working, run the following query:
SQL
SQL> SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
SQL> SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
﻿
If the auto-login wallet was configured properly, the following output appears:
SQL
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
WALLET_TYPE	     STATUS
-------------------- ------------------------------
FILE
/etc/ORACLE/WALLETS/tde/
AUTOLOGIN	     OPEN_NO_MASTER_KEY

HSM

HSM		     OPEN
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
WALLET_TYPE	     STATUS
-------------------- ------------------------------
FILE
/etc/ORACLE/WALLETS/tde/
AUTOLOGIN	     OPEN_NO_MASTER_KEY

HSM

HSM		     OPEN
﻿
1
Create a directory for the software wallet at a suitable location, such as C:\WALLETS\tde
2
Run the following command to set the WALLET_ROOT parameter to the WALLETS directory created in the first step:
SQL
SQL> ALTER SYSTEM SET WALLET_ROOT = 'C:\WALLET\tde' SCOPE=SPFILE;
SQL> ALTER SYSTEM SET WALLET_ROOT = 'C:\WALLET\tde' SCOPE=SPFILE;
﻿
3
Run the following command to set the TDE_CONFIGURATION parameter to FILE for the KEYSTORE_CONFIGURATION:
SQL
SQL> ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE=SPFILE;
SQL> ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE=SPFILE;
﻿
4
Run the following command to stop and start the database after setting the WALLET_ROOT and TDE_CONFIGURATION parameters:
SQL
SQL> SHUTDOWN IMMEDIATE;

SQL> STARTUP;
SQL> SHUTDOWN IMMEDIATE;

SQL> STARTUP;
﻿
5
If you have not migrated from a software keystore, run the following command to create the software keystore with the hardware keystore password (any password you choose) in the appropriate location (such as C:\WALLETS\tde):
SQL
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "Software_Keystore_Password";
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "Software_Keystore_Password";
﻿
6
Run the following command to open the new software keystore:
SQL
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Software_Keystore_Password";
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Software_Keystore_Password";
﻿
7
Run the following command to add the secret to the software keystore. The secret is the  user password, and client is HSM_PASSWORD. HSM_PASSWORD is an Oracle-defined client name that represents the HSM password as a secret in the software keystore.
You must provide the secret and HSM_PASSWORD values within single quotes or the command fails.
SQL
SQL> ADMINISTER KEY MANAGEMENT ADD SECRET 'KMES_User_Password' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "Software_Keystore_Password" WITH BACKUP;
SQL> ADMINISTER KEY MANAGEMENT ADD SECRET 'KMES_User_Password' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "Software_Keystore_Password" WITH BACKUP;
﻿
8
Run the following command to create a new auto-login keystore by using the password of the Oracle software wallet:
SQL
SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "Software_Keystore_Password";
SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "Software_Keystore_Password";
﻿
9
Run the following command to re-set the TDE_CONFIGURATION parameter to HSM|FILE for the KEYSTORE_CONFIGURATION:
SQL
SQL> ALTER SYSTEM SET TDE_CONFIGURATION = 'KEYSTORE_CONFIGURATION=HSM|FILE' SCOPE=SPFILE;
SQL> ALTER SYSTEM SET TDE_CONFIGURATION = 'KEYSTORE_CONFIGURATION=HSM|FILE' SCOPE=SPFILE;
﻿
10
Run the following command to stop and start the database after setting the TDE_CONFIGURATION parameter:
SQL
SQL> SHUTDOWN IMMEDIATE;

SQL> STARTUP;
SQL> SHUTDOWN IMMEDIATE;

SQL> STARTUP;
﻿
11
At this stage, the hardware security module auto-login keystore opens automatically the next time a TDE operation executes. To confirm that the auto-login wallet is working, run the following query:
SQL
SQL> SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
SQL> SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
﻿
If the auto-login wallet was configured properly, the following output appears:
SQL
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
WALLET_TYPE          STATUS
-------------------- ------------------------------
FILE
C:\WALLET\TDE\tde\
AUTOLOGIN            OPEN_NO_MASTER_KEY

HSM

HSM                  OPEN
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
WALLET_TYPE          STATUS
-------------------- ------------------------------
FILE
C:\WALLET\TDE\tde\
AUTOLOGIN            OPEN_NO_MASTER_KEY

HSM

HSM                  OPEN
﻿
﻿
﻿
Updated 01 Aug 2024
Did this page help you?
Generate a TDE master encryption key on the KMES Series 3
Endpoint management