Setting up TDE (Transparent Data Encryption) in 19c is very easy and these are the steps needed.

1:- Create a backup of spfile/initfile (it is always a good practice to create a backup before any change on the DB):

SQL> create pfile='/u01/app/oracle/product/19c/dbhome_1/network/admin/pfile_cdb19c.ora' from spfile;
File created.
SQL>

2:- Create WALLET directory in both nodes:

[oracle@RACnode1 ~]$ echo $ORACLE_HOME
/u01/app/oracle/product/19c/dbhome_1
[oracle@RACnode1 ~]$ 

[oracle@RACnode1 ~]$ mkdir /u01/app/oracle/product/19c/dbhome_1/admin/cdb19c/WALLET
[oracle@RACnode1 ~]$ 

[oracle@RACnode1 ~]$ ssh racnode2 'mkdir /u01/app/oracle/product/19c/dbhome_1/admin/cdb19c/WALLET'
[oracle@RACnode1 ~]$

3:- Update sqlnet.ora with wallet location (in all nodes):

ENCRYPTION_WALLET_LOCATION=
 (SOURCE=
  (METHOD=FILE)
   (METHOD_DATA=
    (DIRECTORY=/u01/app/oracle/product/19c/dbhome_1/admin/cdb19c/WALLET)))



[oracle@RACnode1 ~]$ scp -p /u01/app/oracle/product/19c/dbhome_1/network/admin/sqlnet.ora racnode2:/u01/app/oracle/product/19c/dbhome_1/network/admin/sqlnet.ora
sqlnet.ora                                                                                                              100%  146    59.0KB/s   00:00    
[oracle@RACnode1 ~]$

4:- Set WALLET_ROOT:

SQL> show parameter wallet_root

NAME				     TYPE	     VALUE
------------------------ ----------- ------------------------------
wallet_root			     string
SQL> 

SQL>  alter system set wallet_root='/u01/app/oracle/product/19c/dbhome_1/admin/cdb19c/WALLET' scope=spfile sid='*';
System altered.


Restart DB (if not, KEYSTORE_CONFIGURATION change will fail):

[oracle@RACnode1 ~]$ srvctl status db -d cdb19c
Instance cdb19c1 is running on node racnode1
Instance cdb19c2 is running on node racnode2
[oracle@RACnode1 ~]$ srvctl stop db -d cdb19c
[oracle@RACnode1 ~]$ srvctl start db -d cdb19c
[oracle@RACnode1 ~]$ srvctl status db -d cdb19c
Instance cdb19c1 is running on node racnode1
Instance cdb19c2 is running on node racnode2
[oracle@RACnode1 ~]$ 
SQL>  show parameter wallet_root

NAME				     TYPE	 VALUE
------------------------------------ ----------- ------------------------------
wallet_root			     string	 /u01/app/oracle/product/19c/dbhome_1/admin/cdb19c/WALLET

5:- Set TDE_CONFIGURATION:

SQL> alter system set tde_configuration="KEYSTORE_CONFIGURATION=FILE" scope=both sid='*';
System altered.

6:- Create AUTO-LOGIN Keystore:

SQL>  administer key management create keystore identified by welc0me1;
keystore altered.

SQL>  administer key management create auto_login keystore from keystore identified by welc0me1;
keystore altered.
SQL> 



[oracle@RACnode1 ~]$ ls -tlr /u01/app/oracle/product/19c/dbhome_1/admin/cdb19c/WALLET/tde/
total 8
-rw-------. 1 oracle oinstall 2555 Oct 19 12:04 ewallet.p12
-rw-------. 1 oracle oinstall 2600 Oct 19 12:05 cwallet.sso
[oracle@RACnode1 ~]$ 

**ewallet.p12 is the password-protected keystore and cwallet.sso is the auto-login keystore.



SQL> select con_id, wallet_type, status from v$encryption_wallet;

    CON_ID WALLET_TYPE		STATUS
---------- -------------------- ------------------------------
	 1 AUTOLOGIN		OPEN_NO_MASTER_KEY
	 2 AUTOLOGIN		OPEN_NO_MASTER_KEY
	 3 AUTOLOGIN		OPEN_NO_MASTER_KEY

7:- Set Master key:

SQL> administer key management set keystore open force keystore identified by welc0me1 container=all;
keystore altered.
SQL> administer key management set key force keystore identified by welc0me1 with backup container=all;
keystore altered.

[oracle@RACnode1 ~]$ ls -tlr /u01/app/oracle/product/19c/dbhome_1/admin/cdb19c/WALLET/tde/
total 40
-rw-------. 1 oracle oinstall 6747 Oct 19 12:24 ewallet_2021101911245103.p12
-rw-------. 1 oracle oinstall 8011 Oct 19 12:24 ewallet.p12
-rw-------. 1 oracle oinstall 8056 Oct 19 12:24 cwallet.sso
[oracle@RACnode1 ~]$ 


SQL>  administer key management set keystore close identified by welc0me1 container=all;
keystore altered.
SQL> 

SQL>  select con_id, wallet_type, status from v$encryption_wallet;

    CON_ID WALLET_TYPE		STATUS
---------- --------------- ------------------------------
	 	 1 AUTOLOGIN		OPEN
   	 	 2 AUTOLOGIN		OPEN
	 	 3 AUTOLOGIN		OPEN

8:- Copy WALLET to other all nodes:

[oracle@RACnode1 ~]$ ssh racnode2 'mkdir /u01/app/oracle/product/19c/dbhome_1/admin/cdb19c/WALLET/tde'
[oracle@RACnode1 ~]$ 


[oracle@RACnode1 ~]$ scp -p /u01/app/oracle/product/19c/dbhome_1/admin/cdb19c/WALLET/tde/* racnode2:/u01/app/oracle/product/19c/dbhome_1/admin/cdb19c/WALLET/tde
cwallet.sso                                                                                                                                                                100% 8056   406.1KB/s   00:00    
ewallet_2021101911245103.p12                                                                                                                                               100% 6747     3.2MB/s   00:00    
ewallet.p12                                                                                                                                                                100% 8011     3.9MB/s   00:00    
[oracle@RACnode1 ~]$

9: – Restart DB and check open status:

SQL> select inst_id, name, open_mode, to_char(OPEN_TIME,'DD-MON-YYYY HH24:MI:SS') OPEN_TIME from gv$pdbs order by 1,2;

   INST_ID NAME 		 OPEN_MODE  OPEN_TIME
---------- ------------- ---------- -----------------------------
	 1 		CDB19C_PDB	 READ WRITE 19-OCT-2021 12:59:07
	 1 		PDB$SEED	 READ ONLY  19-OCT-2021 12:58:55
	 2 		CDB19C_PDB	 READ WRITE 19-OCT-2021 12:59:07
	 2 		PDB$SEED	 READ ONLY  19-OCT-2021 12:58:55

SQL> 



SQL> select inst_id, con_id, wallet_type, status, wrl_parameter from gv$encryption_wallet order by 1,2;

   INST_ID     CON_ID WALLET_TYPE	   STATUS     WRL_PARAMETER
---------- ---------- --------------- ---------- -----------------------------------------------------------------
		1	    1 		AUTOLOGIN 	   OPEN       /u01/app/oracle/product/19c/dbhome_1/admin/cdb19c/WALLET/tde/
	 	1	    2 		AUTOLOGIN 	   OPEN
	 	1	    3 		AUTOLOGIN 	   OPEN
	 	2	    1 		AUTOLOGIN 	   OPEN       /u01/app/oracle/product/19c/dbhome_1/admin/cdb19c/WALLET/tde/
	 	2	    2 		AUTOLOGIN 	   OPEN
	 	2	    3 		AUTOLOGIN 	   OPEN

6 rows selected.

SQL>

10:- Create an encrypted tablespace:

SQL> alter session set container=CDB19C_PDB;

Session altered.

SQL> select tablespace_name, encrypted from dba_tablespaces;

TABLESPACE_NAME 	   ENC
---------------------- ---
SYSTEM			       NO
SYSAUX			       NO
UNDOTBS1		       NO
TEMP			       NO
UNDO_2			       NO
USERS			       NO
6 rows selected.
SQL> 

SQL> CREATE TABLESPACE TDE_TBS DATAFILE '+DATA' SIZE 100M
        ENCRYPTION USING 'AES256'
DEFAULT STORAGE (ENCRYPT); 

Tablespace created.
SQL> 



SQL> select tablespace_name, encrypted from dba_tablespaces;
TABLESPACE_NAME 	   ENC
---------------------- ---
SYSTEM			       NO
SYSAUX			       NO
UNDOTBS1		       NO
TEMP			       NO
UNDO_2			       NO
USERS			       NO
TDE_TBS 		       YES
7 rows selected.
SQL>

That’s it, you can create encrypted tablespaces now. For the tablespaces created before this setup, you can do an online encryption.

Post Views: 7,959
Last modified: 19 October 2021

Author

Comments

Write a Reply or Comment

Your email address will not be published.