Generate Master Encryption Key (MEK) on the HSM

1. Create a wallet directory located in $ORACLE_BASE/admin/db_unique_name directory e.g., wallet.

2. Log in to the database instance as a user who has been granted the SYSDBA administrative privilege.

SQL> connect / as sysdba 

3. Set the WALLET_ROOT parameter.

SQL> alter system set wallet_root='<path to the oracle wallet directory>' scope=spfile; 

4. Shutdown and startup the database.

SQL> shutdown immediate;  

SQL> startup; 

5. Set the TDE_CONFIGURATION parameter.

SQL> alter system set TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM" SCOPE=both; 

6. Verify the WALLET_ROOT and the TDE_CONFIGURATION parameter are set.

SQL> show parameter WALLET_ROOT; 

SQL> show parameter TDE_CONFIGURATION;

7. Grant the ADMINISTER KEY MANAGEMENT or SYSKM privilege to SYSTEM and any user that you want to use.

SQL> grant ADMINISTER KEY MANAGEMENT to system; 

SQL> commit;

8. Connect to the database as system user.

SQL> connect system/<password> 

9. Run the ADMINISTER KEY MANAGEMENT SQL statement to open the HSM based keystore.

SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY <hsm_password>;

10. Set the MEK in HSM keystore.

SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY <hsm_password>; 

11. You can verify the key gets generated onto the HSM using following command.

p11tool2 LoginUser=<hsm_password> ListObjects 

p11tool2 listobjects output

Most of the use cases for various types of tables and tablespace encryption are already covered in previous chapters. Use the following link to perform them on Oracle RAC instances. In case of Oracle RAC make sure to use shared location for wallet, software keystore and tablespace files which are accessible by all RAC instances.