Migrate the Software Keystore to the Utimaco HSM

Log in to the database instance as a user who has been granted the SYSDBA administrative privilege.

›_ sqlplus console
SQL> connect / as sysdba

Set WALLET_ROOT parameter.

›_ sqlplus console
`SQL> alter system set wallet_root='<path to the oracle wallet directory>' scope=spfile`

Shut down and start up the database.

›_ sqlplus console
`SQL> shutdown immediate; SQL> startup;`

Set TDE_CONFIGURATION parameter.

›_ sqlplus console
`SQL> alter system set TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM\|FILE" SCOPE=both ;`

Connect to the database as system user.

›_ sqlplus console
`SQL> connect system/<password>`

Now Migrate the wallet to HSM using the below command.

›_ sqlplus console
`SQL> ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY <hsm_password> MIGRATE USING <software_keystore_password> WITH BACKUP USING 'backupdb';`

Now verify the wallet is moved to HSM wallet now using command below.

›_ sqlplus console
`select * from v$encryption_wallet;`

The Transparent Data Encryption decrypts the encrypted column automatically and returns the data in clear format.

›_ sqlplus console
`SQL> select salary from SCIENTISTS; SQL> select salary from EMP;`

Verify the column is encrypted in your DB.

›_ sqlplus console
`SQL> select * from DBA_ENCRYPTED_COLUMNS;`

View the information of keystore.

›_ sqlplus console
`SQL> select * from V$ENCRYPTION_WALLET;`

Change the password of software keystore to be the same as HSM password.

›_ sqlplus console
`SQL> ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD IDENTIFIED BY <software_keystore_password> SET <hsm_password> WITH BACKUP USING 'backupdb';`

Close the keystore.

›_ sqlplus console
`SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY <software_keystore_password>;`

Open the keystore.

›_ sqlplus console
`SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY <software_keystore_password>;`

View the information of keystore.

›_ sqlplus console
`SQL> select * from V$ENCRYPTION_WALLET;`