Migrating the Software Keystore to the Utimaco HSM

  1. Log in to the database as a user granted the SYSDBA administrative privilege.

SQL> connect / as sysdba

  2. Set the WALLET_ROOT parameter.

SQL> alter system set wallet_root='<path to the oracle wallet directory>' scope=spfile;

  3. Shut down and start up the database so that the WALLET_ROOT setting, which was written to the spfile only, takes effect.

SQL> shutdown immediate;
SQL> startup;

  4. Set the TDE_CONFIGURATION parameter.

SQL> alter system set TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" SCOPE=both;

  5. Connect to the database as a system user.

SQL> connect system/<password>

  6. Migrate the wallet to the HSM using the command below.

SQL> ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY <hsm_password> MIGRATE USING <software_keystore_password> WITH BACKUP USING 'backupdb';

  7. Verify that the wallet has been migrated to the HSM using the command below.

SQL> select * from v$encryption_wallet;

  8. Query an encrypted column. Transparent Data Encryption decrypts the encrypted column automatically and returns the data in clear format.

SQL> select salary from SCIENTISTS;
SQL> select salary from EMP;

  9. Verify that the column is encrypted in your DB.

SQL> select * from DBA_ENCRYPTED_COLUMNS;

  10. View the information of the keystore.

SQL> select * from V$ENCRYPTION_WALLET;

  11. Change the password of the software keystore to be the same as the HSM password.

SQL> ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD IDENTIFIED BY <software_keystore_password> SET <hsm_password> WITH BACKUP USING 'backupdb';

  12. Close the keystore.

SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY <software_keystore_password>;

  13. Open the keystore.

SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY <software_keystore_password>;

  14. View the information of the keystore.

SQL> select * from V$ENCRYPTION_WALLET;
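
The query below is an added example, not part of the original guide. It interprets the V$ENCRYPTION_WALLET rows after the migration instead of leaving the reader to eyeball "select *", assuming the KEYSTORE_CONFIGURATION=HSM|FILE setting used above; the MIGRATION_CHECK column and its messages are made up for this example.

```sql
-- Added example: post-migration check of the keystore state.
-- Assumption: TDE_CONFIGURATION is KEYSTORE_CONFIGURATION=HSM|FILE, so the
-- view is expected to show one HSM row (PRIMARY) and one FILE row (SECONDARY)
-- per container.
SELECT con_id,
       wrl_type,
       status,
       wallet_type,
       wallet_order,
       CASE
         -- Expected after a successful migration: the HSM is open and primary.
         WHEN wrl_type = 'HSM'
              AND status = 'OPEN'
              AND wallet_order = 'PRIMARY'
           THEN 'OK: HSM keystore is open and primary'
         -- The keystore is open but no master encryption key has been set in it.
         WHEN status = 'OPEN_NO_MASTER_KEY'
           THEN 'CHECK: keystore open but no master key set'
         -- A closed HSM keystore means encrypted data cannot be read.
         WHEN wrl_type = 'HSM' AND status = 'CLOSED'
           THEN 'CHECK: HSM keystore is closed'
         -- The software keystore stays behind as the secondary keystore.
         WHEN wrl_type = 'FILE' AND wallet_order = 'SECONDARY'
           THEN 'OK: software keystore retained as secondary'
         -- SINGLE means only one keystore is in use, so nothing was migrated.
         WHEN wallet_order = 'SINGLE'
           THEN 'CHECK: single keystore only, migration not in effect'
         ELSE 'CHECK: unexpected state, review this row'
       END AS migration_check
FROM   v$encryption_wallet
ORDER  BY con_id, wallet_order;
```

Run it at the verification steps of the procedure; any row whose MIGRATION_CHECK starts with CHECK should be resolved before the software keystore backup is archived.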