Oracle Database TDE
Open the wallet or hardware keystore
The security administrator must make the {{k3}} accessible to the database before Oracle TDE can perform any encryption or decryption. This is comparable to opening the Oracle wallet or logging in to the hardware keystore. You can open the wallet or hardware keystore manually or automatically, but with the manual option you must re-enable access to the {{k}} every time you restart the database. The following sections describe these methods.

Manual option

If using the manual option, you must run the following OPEN command to access the {{k}} every time you restart the database instance.

Run the following command to open the hardware keystore manually, thus making the {{k}} accessible:

    SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "kmes_user_password";

You can disable access with the following command:

    SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "kmes_user_password";

Automatic option

Choose one of the following operating systems to use the automatic option.

An auto-login wallet stores the {{k}} credentials in an auto-login software keystore. Because the {{k}} credential is then held in a keystore file on the database host, this configuration reduces the security of the system as a whole; however, it supports unmanned or automated operations and is useful in deployments that require automatic re-login to the {{k}}.

Linux

1. Run the following command to create the /etc/oracle/wallets/tde directory path:

       sudo mkdir -p /etc/oracle/wallets/tde

2. Run the following command to change ownership of the /etc/oracle directory to the oracle user:

       chown -R oracle:oinstall /etc/oracle

3. Run the following command to set the WALLET_ROOT parameter to the wallets directory created in the first step:

       SQL> ALTER SYSTEM SET WALLET_ROOT = '/etc/oracle/wallets' SCOPE=SPFILE;

4. Run the following command to set the TDE_CONFIGURATION parameter to FILE for the keystore configuration:

       SQL> ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE=SPFILE;

5. Run the following commands to stop and start the database after setting the WALLET_ROOT and TDE_CONFIGURATION parameters:

       SQL> SHUTDOWN IMMEDIATE;
       SQL> STARTUP;

6. If you have not migrated from a software keystore, run the following command to create the software keystore with the hardware keystore password (any password you choose) in the appropriate location (such as /etc/oracle/wallets/tde):

       SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "software_keystore_password";

7. Run the following command to open the new software keystore:

       SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "software_keystore_password";

8. Run the following command to add the secret to the software keystore. The secret is the {{k}} user password, and the client is HSM_PASSWORD. HSM_PASSWORD is an Oracle-defined client name that represents the HSM password as a secret in the software keystore. You must provide the secret and HSM_PASSWORD values within single quotes or the command fails.

       SQL> ADMINISTER KEY MANAGEMENT ADD SECRET 'kmes_user_password' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "software_keystore_password" WITH BACKUP;

9. Run the following command to create a new auto-login keystore by using the password of the Oracle software wallet:

       SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "software_keystore_password";

10. Run the following command to reset the TDE_CONFIGURATION parameter to HSM|FILE for the keystore configuration:

       SQL> ALTER SYSTEM SET TDE_CONFIGURATION = 'KEYSTORE_CONFIGURATION=HSM|FILE' SCOPE=SPFILE;

11. Run the following commands to stop and start the database after setting the TDE_CONFIGURATION parameter:

       SQL> SHUTDOWN IMMEDIATE;
       SQL> STARTUP;

At this stage, the hardware security module auto-login keystore opens automatically the next time a TDE operation executes. To confirm that the auto-login wallet is working, run the following query:

    SQL> SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;

If the auto-login wallet was configured properly, the following output appears:

    WRL_TYPE | WRL_PARAMETER            | WALLET_TYPE | STATUS
    ---------+--------------------------+-------------+-------------------
    FILE     | /etc/oracle/wallets/tde/ | AUTOLOGIN   | OPEN_NO_MASTER_KEY
    HSM      |                          | HSM         | OPEN

Windows

1. Create a directory for the software wallet at a suitable location, such as C:\wallets\tde.

2. Run the following command to set the WALLET_ROOT parameter to the wallets directory created in the first step:

       SQL> ALTER SYSTEM SET WALLET_ROOT = 'C:\wallet\tde' SCOPE=SPFILE;

3. Run the following command to set the TDE_CONFIGURATION parameter to FILE for the keystore configuration:

       SQL> ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE=SPFILE;

4. Run the following commands to stop and start the database after setting the WALLET_ROOT and TDE_CONFIGURATION parameters:

       SQL> SHUTDOWN IMMEDIATE;
       SQL> STARTUP;

5. If you have not migrated from a software keystore, run the following command to create the software keystore with the hardware keystore password (any password you choose) in the appropriate location (such as C:\wallets\tde):

       SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "software_keystore_password";

6. Run the following command to open the new software keystore:

       SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "software_keystore_password";

7. Run the following command to add the secret to the software keystore. The secret is the {{k}} user password, and the client is HSM_PASSWORD. HSM_PASSWORD is an Oracle-defined client name that represents the HSM password as a secret in the software keystore. You must provide the secret and HSM_PASSWORD values within single quotes or the command fails.

       SQL> ADMINISTER KEY MANAGEMENT ADD SECRET 'kmes_user_password' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "software_keystore_password" WITH BACKUP;

8. Run the following command to create a new auto-login keystore by using the password of the Oracle software wallet:

       SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "software_keystore_password";

9. Run the following command to reset the TDE_CONFIGURATION parameter to HSM|FILE for the keystore configuration:

       SQL> ALTER SYSTEM SET TDE_CONFIGURATION = 'KEYSTORE_CONFIGURATION=HSM|FILE' SCOPE=SPFILE;

10. Run the following commands to stop and start the database after setting the TDE_CONFIGURATION parameter:

       SQL> SHUTDOWN IMMEDIATE;
       SQL> STARTUP;

At this stage, the hardware security module auto-login keystore opens automatically the next time a TDE operation executes. To confirm that the auto-login wallet is working, run the following query:

    SQL> SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;

If the auto-login wallet was configured properly, the following output appears:

    WRL_TYPE | WRL_PARAMETER         | WALLET_TYPE | STATUS
    ---------+-----------------------+-------------+-------------------
    FILE     | C:\wallet\tde\tde\    | AUTOLOGIN   | OPEN_NO_MASTER_KEY
    HSM      |                       | HSM         | OPEN
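The verification query above is the check that matters after every restart: under the manual option the keystores come up CLOSED until the administrator runs the OPEN command, and under the automatic option a misapplied TDE_CONFIGURATION leaves the HSM row missing. The following script is an added example written for this page; it is not Oracle's or the {{k}} vendor's tooling. It parses V$ENCRYPTION_WALLET output in the pipe-delimited layout shown on this page (an assumption; an interactive SQL*Plus session prints fixed-width columns, which this parser does not handle) and reports every deviation from the documented healthy state. Both sample outputs in the block are constructed, not captured from a real database.

```python
"""Post-restart check of V$ENCRYPTION_WALLET for an HSM-backed TDE setup.

Added example for this page, not Oracle's or the HSM vendor's tooling. It
parses the pipe-delimited text that the page's verification query prints and
compares each row against the healthy state the page documents:

  FILE row: WALLET_TYPE = AUTOLOGIN, STATUS = OPEN_NO_MASTER_KEY
  HSM  row: WALLET_TYPE = HSM,       STATUS = OPEN

Every finding it reports is a condition under which TDE cannot encrypt or
decrypt until an administrator intervenes.
"""
from dataclasses import dataclass


@dataclass
class WalletRow:
    wrl_type: str
    wrl_parameter: str
    wallet_type: str
    status: str


# Constructed sample: the output the page shows after a correct auto-login setup.
HEALTHY_OUTPUT = """\
WRL_TYPE | WRL_PARAMETER            | WALLET_TYPE | STATUS
---------+--------------------------+-------------+-------------------
FILE     | /etc/oracle/wallets/tde/ | AUTOLOGIN   | OPEN_NO_MASTER_KEY
HSM      |                          | HSM         | OPEN
"""

# Constructed sample: a database restarted under the manual option, before the
# administrator has run ALTER SYSTEM SET ENCRYPTION WALLET OPEN.
MANUAL_AFTER_RESTART = """\
WRL_TYPE | WRL_PARAMETER            | WALLET_TYPE | STATUS
---------+--------------------------+-------------+-------
FILE     | /etc/oracle/wallets/tde/ | PASSWORD    | CLOSED
HSM      |                          | HSM         | CLOSED
"""


def parse_wallet_output(text: str) -> list[WalletRow]:
    """Turn the pipe-delimited query output into WalletRow objects.

    Separator and header lines are skipped; cells are whitespace-trimmed, so
    the empty WRL_PARAMETER on the HSM row becomes an empty string.
    """
    rows = []
    for line in text.splitlines():
        if "|" not in line:
            continue  # separator line (dashes and plus signs) or noise
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 4 or cells[0].upper() == "WRL_TYPE":
            continue  # too short to be a data row, or the header row
        rows.append(WalletRow(*cells[:4]))
    return rows


def assess_keystore(rows: list[WalletRow]) -> list[str]:
    """Return a list of findings; an empty list means the keystore is healthy."""
    findings = []
    by_type = {r.wrl_type.upper(): r for r in rows}

    hsm = by_type.get("HSM")
    if hsm is None:
        findings.append("no HSM row: TDE_CONFIGURATION does not include HSM")
    elif hsm.status.upper() != "OPEN":
        findings.append(f"HSM keystore is {hsm.status}: the master key is "
                        "unreachable until the keystore is opened")

    sw = by_type.get("FILE")
    if sw is None:
        findings.append("no FILE row: WALLET_ROOT / TDE_CONFIGURATION not applied")
    else:
        if sw.wallet_type.upper() != "AUTOLOGIN":
            findings.append(f"software keystore is {sw.wallet_type}, not AUTOLOGIN: "
                            "access must be re-enabled after every restart")
        if sw.status.upper() not in ("OPEN", "OPEN_NO_MASTER_KEY"):
            findings.append(f"software keystore is {sw.status}")
    return findings


def check(text: str) -> list[str]:
    """Parse and assess in one call."""
    return assess_keystore(parse_wallet_output(text))


if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY_OUTPUT),
                          ("manual option, after restart", MANUAL_AFTER_RESTART)):
        findings = check(sample)
        print(f"{label}: {'OK' if not findings else 'FINDINGS'}")
        for finding in findings:
            print("  -", finding)
```

Run it against pasted query output after each database restart, or feed it the saved output of a scheduled query; an empty finding list is the condition the page describes as "configured properly", and the FILE-row checks distinguish a manual-option keystore (WALLET_TYPE PASSWORD, which will close again on the next restart) from a working auto-login one.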