To start using Transparent Data Encryption (TDE), create a wallet and set a master key. Oracle recommends that you use a separate encryption wallet to store the master encryption key for your database.
Note that it is not possible to migrate the master key for TDE tablespace encryption to an HSM after the Oracle Wallet has been initialized in Oracle Database 11.1.0.7. In Oracle Database 11g Release 2, both master keys for TDE column encryption and TDE tablespace encryption are migrated to a unified master encryption key that can be migrated from the Oracle Wallet to an HSM. To verify that the wallet mechanism works, start with a first test using the default software-based wallet:
-
Add the following lines to the file %TNS_ADMIN%\sqlnet.ora after creating the directory C:\oracle\WALLETS:
ENCRYPTION_WALLET_LOCATION =
(SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = C:\oracle\WALLETS)))
-
Open an SQL Plus session (Start -> Programs -> Oracle -> OraDB11g_home1 -> Application Development -> SQL Plus).
-
Connect to your database as system:
SQL> connect system/password
-
Create an encryption wallet; the master key is added to it automatically. The double quotes around the password are mandatory:
SQL> alter system set encryption key identified by "<your wallet password>";
-
Encrypt the credit_limit column of the CUSTOMERS table which is owned by the user OE:
SQL> alter table oe.customers modify (credit_limit encrypt);
-
The next command returns the values of the encrypted column in clear text; Transparent Data Encryption decrypts them automatically:
SQL> select credit_limit from oe.customers where rownum < 15;
-
This command lists the encrypted columns in your database:
SQL> select * from dba_encrypted_columns;
-
Finally, this view contains information about the wallet itself:
SQL> select * from v$encryption_wallet;
-
Create an encrypted tablespace:
SQL> CREATE TABLESPACE securespace DATAFILE
'C:\app\Administrator\oradata\orcl\secure01.dbf'
SIZE 10M ENCRYPTION DEFAULT STORAGE (ENCRYPT);
-
Check if the new tablespace is listed and marked as encrypted:
SQL> select tablespace_name, encrypted from dba_tablespaces;
-
Close the wallet:
SQL> alter system set encryption wallet close;
In Oracle Database 11g Release 2, the command to close the wallet has been changed to:
SQL> alter system set encryption wallet close identified by "<your wallet password>";
-
Exit from your SQL*Plus session:
SQL> exit
-
Start Oracle Wallet Manager (Start -> Programs -> Oracle -> OraDB11g_home1 -> Integrated Management Tools -> Wallet Manager).
Open the software-based wallet by navigating to the wallet directory C:\oracle\WALLETS, check the Auto-Open option, click Save and then click Exit.
-
Verify that an auto-open software wallet has been created in the C:\oracle\WALLETS directory. This directory now contains two wallets, the encryption wallet (ewallet.p12) and the auto-open wallet (cwallet.sso). Check the permission settings of the auto-open wallet: right-click cwallet.sso -> Properties -> Security -> Advanced -> Edit -> check "Include inheritable permissions from this object's parent" -> OK.
Rename the encryption wallet ewallet.p12 to ewallet.p24. This stops Transparent Data Encryption from opening the encryption wallet, but the auto-open wallet now takes its place.
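As an added example that is not part of the original page, the following SQL*Plus script verifies the outcome of the steps above when run as SYSTEM: it checks the wallet status, the encrypted column and the encrypted tablespace, then closes the wallet (11g Release 2 syntax) to confirm that the encrypted column can no longer be read while an ordinary column still can. The `<your wallet password>` placeholder, the OE sample schema and the SECURESPACE tablespace are taken from the steps above.

```sql
-- Added verification script for the TDE setup above (not from the original page).
-- Run in SQL*Plus as SYSTEM; replace <your wallet password> with the real one.
SET SERVEROUTPUT ON
SET LINESIZE 120
COLUMN wrl_parameter FORMAT A45

-- 1. Wallet status: must be OPEN, otherwise nothing below can be decrypted.
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

-- 2. Encrypted columns with their algorithm and salt setting.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 ORDER BY owner, table_name, column_name;

-- 3. The tablespace created above must be flagged as encrypted.
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'SECURESPACE';

-- 4. Fail loudly if the wallet is not open or the column is not encrypted,
--    so this script can serve as a post-change check.
DECLARE
  v_status VARCHAR2(30);
  v_count  PLS_INTEGER;
BEGIN
  SELECT status INTO v_status FROM v$encryption_wallet WHERE ROWNUM = 1;
  IF v_status <> 'OPEN' THEN
    RAISE_APPLICATION_ERROR(-20001, 'TDE wallet is not open: ' || v_status);
  END IF;
  SELECT COUNT(*) INTO v_count
    FROM dba_encrypted_columns
   WHERE owner = 'OE' AND table_name = 'CUSTOMERS' AND column_name = 'CREDIT_LIMIT';
  IF v_count = 0 THEN
    RAISE_APPLICATION_ERROR(-20002, 'OE.CUSTOMERS.CREDIT_LIMIT is not encrypted');
  END IF;
  DBMS_OUTPUT.PUT_LINE('TDE check passed: wallet open, CREDIT_LIMIT encrypted');
END;
/

-- 5. Close the wallet (11g Release 2 syntax) and compare a plain column with
--    the encrypted one: the first query still works, the second is refused.
WHENEVER SQLERROR CONTINUE
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "<your wallet password>";
SELECT cust_first_name FROM oe.customers WHERE ROWNUM < 3;
SELECT credit_limit    FROM oe.customers WHERE ROWNUM < 3;

-- 6. Reopen the wallet so normal operation continues.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<your wallet password>";
```

With the wallet closed, the query on credit_limit is rejected with ORA-28365 (wallet is not open), which is exactly the behaviour that protects the encrypted data when the master key is unavailable.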