Generating the Master Encryption Key (MEK) on to the HSM

1. Create a wallet directory in the Oracle base path, typically in C:\oracle\admin\<db_unique_name>\wallet.

2. Log in to the database instance as a user granted the SYSDBA administrative privilege.

SQL> connect / as sysdba

3. Set the WALLET_ROOT parameter.

SQL> alter system set wallet_root='<path to the oracle wallet directory>' scope=spfile;

4. Shut down and start up the database.

SQL> shutdown immediate; 
SQL> startup;

5. Set the TDE_CONFIGURATION parameter.

SQL> alter system set TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM" SCOPE=both ;

6. Grant the ADMINISTER KEY MANAGEMENT or SYSKM privilege to SYSTEM and any user you want.

SQL> grant ADMINISTER KEY MANAGEMENT to system; 
SQL> commit;

7. Connect to the database as a system user.

SQL> connect system/<password>

8. Run the ADMINISTER KEY MANAGEMENT SQL statement to open the HSM-based keystore.

SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY <hsm_password>;

9. Set the MEK in the HSM keystore.

SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY <hsm_password>;

10. You can verify that the key gets generated on the HSM using the following command.

p11tool2 LoginUser=<hsm_password> ListObjects

Example:

List Objects