By Mouhamadou Diaw
Oracle gives us some tools to secure our data in transit and in rest.
Oracle Transparent Data Encryption will allow us to encrypt data in rest. Oracle TDE need The Oracle Advanced Security License
Oracle TDE allow to do encryption at 2 levels
-Tablespace Level
-Table column level
In this first part of this blog, we will see how we can set up the TDE in a multitenant database. Documentation can be found here
In a multitenant environment we have two modes for configuring TDE
-The united mode where the keystore is managed at CDB$ROOT.
-The isolated mode which allow PDBs to independently create and manage their own keystore. An isolated mode PDB can have its own keystore, independent of the keystore of the CDB root.
In this blog we are using united mode
–Configuring initialization related parameters
Create first a directory for to store the TDE master encryption key
oracle@svoradl02:~]$ mkdir -p /u01/app/oracle/admin/CDB19P/tde_wallet
oracle@svoradl02:/u01/app/oracle/admin/CDB19P/tde_wallet/ [CDB19P] ls -ld /u01/app/oracle/admin/CDB19P/tde_wallet
drwxr-xr-x. 2 oracle oinstall 6 Feb 22 09:33 /u01/app/oracle/admin/CDB19P/tde_wallet
oracle@svoradl02:/u01/app/oracle/admin/CDB19P/tde_wallet/ [CDB19P]
On cdb$root change the parameter wallet_root to point to this directory
SQL> select name from v$database;
NAME
---------
CDB19P
SQL> show con_name
CON_NAME
------------------------------
CDB$ROOT
SQL>
SQL> alter system set wallet_root='/u01/app/oracle/admin/CDB19P/tde_wallet' scope=spfile;
System altered.
SQL>
Bounce the database
SQL> shut immediate
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup
ORACLE instance started.
Total System Global Area 6442450048 bytes
Fixed Size 9178240 bytes
Variable Size 1644167168 bytes
Database Buffers 4781506560 bytes
Redo Buffers 7598080 bytes
Database mounted.
Database opened.
Verify the value of the parameter wallet_root
SQL> show parameter wallet_root
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
wallet_root string /u01/app/oracle/admin/CDB19P/
tde_wallet
SQL>
As we will use a file, let’s set the parameter TDE_CONFIGURATION to FILE
SQL> ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" scope=both;
System altered.
SQL> show parameter tde_configuration
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
tde_configuration string KEYSTORE_CONFIGURATION=FILE
SQL>
At this moment we can validate that the keystore_mode is UNITED for the PDBS
SQL> SELECT CON_ID, KEYSTORE_MODE FROM V$ENCRYPTION_WALLET;
CON_ID KEYSTORE
---------- --------
1 NONE
2 UNITED
3 UNITED
5 UNITED
The software keystore will be in the CDB root but the master keys from this keystore will be available for the PDBs that have their keystore in united mode.
SQL> show con_name
CON_NAME
------------------------------
CDB$ROOT
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY secret1;
keystore altered.
SQL>
If there is no error a sub-directory tde will be created and will contain following file
SQL> host ls -l /u01/app/oracle/admin/CDB19P/tde_wallet/tde
total 4
-rw-------. 1 oracle oinstall 2555 Feb 22 09:49 ewallet.p12
SQL>
-Create a password-protected software keystore
Then create a password for the software keystore
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/admin/CDB19P/tde_wallet' IDENTIFIED BY secret1;
keystore altered.
SQL>
-Create the auto-login or local auto-login
The keystore should be opened every time the database is opened. To automatically open the keystore at database startup, we can create an auto-login file
SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '/u01/app/oracle/admin/CDB19P/tde_wallet/tde' IDENTIFIED BY secret1;
keystore altered.
A .sso file should exist now
SQL> host ls -l /u01/app/oracle/admin/CDB19P/tde_wallet/tde
total 8
-rw-------. 1 oracle oinstall 2600 Feb 22 09:53 cwallet.sso
-rw-------. 1 oracle oinstall 2555 Feb 22 09:49 ewallet.p12
SQL>
-Opening the Software Keystore
The software keystore should be open in cdb$root and in any concerned PDB
– on cdb$root
SQL> show con_name
CON_NAME
------------------------------
CDB$ROOT
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY secret1;
keystore altered.
– on the PDB
SQL> show pdbs
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
2 PDB$SEED READ ONLY NO
3 PDB1 READ WRITE NO
5 PDB1CLONE MOUNTED
SQL>
SQL> alter session set container=PDB1;
Session altered.
SQL> show con_name
CON_NAME
------------------------------
PDB1
SQL>
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY secret1;
keystore altered.
SQL>
-Setting the TDE Master Encryption Key
– On both CDB$ROOT and PDB1 run following command
SQL> show con_name
CON_NAME
------------------------------
CDB$ROOT
SQL> administer key management set key FORCE KEYSTORE identified by secret1 with backup;
keystore altered.
SQL>
Validate that the master key is activated allowing us to use TDE
SQL> SELECT CON_ID,MASTERKEY_ACTIVATED FROM V$DATABASE_KEY_INFO;
Conclusion
TDE is now activated. In the second part we will see how we can encrypt data