Generate Master Encryption Key (MEK) on to the HSM | Utimaco Integration Guides

Create a wallet directory located in the _{$ORACLE_BASE/admin/db_unique_name} directory e.g., wallet.
Log in to the database instance as a user who has been granted the SYSDBA administrative privilege.

›_ sqlplus console
`SQL> connect / as sysdba`

Set WALLET_ROOT parameter.

›_ sqlplus console
`SQL> alter system set wallet_root='<path to the oracle wallet directory>' scope=spfile;`

Shutdown and startup database.

›_ sqlplus console
`SQL> shutdown immediate; SQL> startup;`

Set TDE_CONFIGURATION parameter.

›_ sqlplus console
`SQL> alter system set TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM" SCOPE=both;`

Grant the ADMINISTER KEY MANAGEMENT or SYSKM privilege to SYSTEM and any user that you want to use.

›_ sqlplus console
`SQL> grant ADMINISTER KEY MANAGEMENT to system; SQL> commit;`

Connect to the database as system user.

›_ sqlplus console
`SQL> connect system/<password>`

Run the ADMINISTER KEY MANAGEMENT SQL statement to open the HSM based keystore.

›_ sqlplus console
`SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY <hsm_password>;`

Set the MEK in HSM keystore.

›_ sqlplus console
`SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY <hsm_password>;`

You can verify the key gets generated onto the HSM using following command.

›_ console
`p11tool2 LoginUser=<hsm_password> ListObjects`

Example:

›_ console
`p11tool2 LoginUser=<hsm_password> ListObjects CKO_DATA: + 1.1 CKA_LABEL = ORACLE.SECURITY.KM.ENCRYPTION.303641333441424446374444344634463437424 63934413032313033454245354331 + 1.2 CKA_LABEL = DATA_OBJECT_SUPPORTED_IDEN`

›_ console

p11tool2 LoginUser=<hsm_password> ListObjects 
CKO_DATA: 
+ 1.1 
  CKA_LABEL                      = 
ORACLE.SECURITY.KM.ENCRYPTION.303641333441424446374444344634463437424 
63934413032313033454245354331 

+ 1.2 
  CKA_LABEL                      = DATA_OBJECT_SUPPORTED_IDEN