- \n
- Configure the TDE at the datababse level.<\/li>\n\n\n\n
- Configure the OKV RESTfull API.<\/li>\n\n\n\n
- Add the endpoint server to the OKV.<\/li>\n\n\n\n
- Upload database keys to OKV. <\/li>\n\n\n\n
- Migrate from local keys usage to OKV.<\/li>\n<\/ul>\n\n\n\n
Main configuration <\/h2>\n\n\n\n
Oracle Key Vault ip <\/td> 172.168.0.41<\/code><\/td><\/tr>Oracle Key Vault version<\/td> 21.7<\/code><\/td><\/tr>Database Server ip <\/td> 172.168.1.128<\/code><\/td><\/tr>Database name<\/td> CDB01<\/code><\/td><\/tr>Database version <\/td> 21c<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nConfigure TDE at database level<\/h2>\n\n\n\n
Create the directories<\/h3>\n\n\n\n
First let’s create some directories to keep the database wallet. <\/p>\n\n\n
\n[oracle@okvcli oracle]$ export WALLET_DIR=\/u01\/app\/oracle\/wallet\n\n[oracle@okvcli oracle]$ mkdir -p ${WALLET_DIR}\/tde\n\n[oracle@okvcli oracle]$ mkdir -p ${WALLET_DIR}\/tde_seps\n\n[oracle@okvcli oracle]$ mkdir -vp ${WALLET_DIR}\/okv\n\n[oracle@okvcli oracle]$ echo "export WALLET_DIR=\/u01\/app\/oracle\/wallet" >> $HOME\/.bashrc\n<\/pre><\/div>\n\n\nSet the TDE parameters<\/h3>\n\n\n
\n[oracle@okvcli oracle]$ . oraenv\nORACLE_SID = [CDB01] ?\n\n[oracle@okvcli oracle]$ sqlplus \/ as sysdba\n\nSQL> alter system set wallet_root = '\/u01\/app\/oracle\/wallet' scope=spfile;\n\nSQL> alter system set tablespace_encryption_default_algorithm = 'AES256';\n\nSQL> alter system set encrypt_new_tablespaces='ALWAYS';\n\nSQL> shutdown immediate; \n\nSQL> startup; \n\nSQL> alter system set tde_configuration = "KEYSTORE_CONFIGURATION=FILE"\n<\/pre><\/div>\n\n\n
Wallet creation <\/h3>\n\n\n
\nSQL> select a.con_id, b.name, a.wrl_type, \n a.wrl_parameter, a.status, \n a.wallet_type \nfrom v$encryption_wallet a, \n v$containers b \nwhere a.con_id=b.con_id \norder by a.con_id;\n\n CON_ID NAME WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE\n---------- ---------- ------------ ------------------------------------ ------------------------------ ------------\n 1 CDB$ROOT FILE \/u01\/app\/oracle\/wallet\/tde\/ NOT_AVAILABLE UNKNOWN\n 2 PDB$SEED FILE NOT_AVAILABLE UNKNOWN\n 3 PDB1 FILE NOT_AVAILABLE UNKNOWN\n<\/pre><\/div>\n\n\n
Create the keystore at CDB level <\/h3>\n\n\n
\nSQL> administer key management create keystore identified by "Hello123"; \n\nkeystore altered.\n\nSQL> administer key management add secret 'Hello123' for client 'TDE_WALLET' to local auto_login keystore '\/u01\/app\/oracle\/wallet\/tde_seps';\n\nkeystore altered.\n\nSQL> administer key management set keystore open identified by external store container=all;\n\nkeystore altered.\n\nselect a.con_id, b.name, a.wrl_type, \n a.wrl_parameter, a.status, \n a.wallet_type \nfrom v$encryption_wallet a, \n v$containers b \nwhere a.con_id=b.con_id \norder by a.con_id;\n\n CON_ID NAME WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE\n---------- ---------- ------------ ------------------------------------ --------------------- ------------\n 1 CDB$ROOT FILE \/u01\/app\/oracle\/wallet\/tde\/ OPEN_NO_MASTER_KEY PASSWORD\n 2 PDB$SEED FILE OPEN_NO_MASTER_KEY PASSWORD\n 3 PDB1 FILE OPEN_NO_MASTER_KEY PASSWORD\n<\/pre><\/div>\n\n\n
Create the master key password MEK at CDB and PDB level <\/h3>\n\n\n
\nSQL> administer key management set key using tag 'CDB1: Initial MEK' identified by external store with backup container=current;\n\nKeystore altered.\n\nSQL> select a.con_id, \n b.name, a.wrl_type, a.wrl_parameter, a.status \nfrom v$encryption_wallet a, \n v$containers b \nwhere a.con_id=b.con_id order by a.con_id;\n\nCON_ID NAME WRL_TYPE WRL_PARAMETER STATUS\n---------- ---------- ------------ ------------------------------ ------------------------------\n 1 CDB$ROOT FILE \/u01\/app\/oracle\/wallet\/tde\/ OPEN\n 2 PDB$SEED FILE OPEN\n 3 PDB1 FILE OPEN_NO_MASTER_KEY\n\nSQL> alter session set container=pdb1;\n\nSession altered\n\nSQL> administer key management set key using tag 'PDB1: Initial MEK' identified by external store with backup container=current;\n\nKeystore altered.\n\nSQL> alter session set container=CDB$ROOT;\n\nSession altered.\n\nSQL> select a.con_id, \n b.name, a.wrl_type, a.wrl_parameter, a.status \nfrom v$encryption_wallet a, \n v$containers b \nwhere a.con_id=b.con_id order by a.con_id;\n\nCON_ID NAME WRL_TYPE WRL_PARAMETER STATUS\n---------- ---------- ------------ ------------------------------ ------------------------------\n 1 CDB$ROOT FILE \/u01\/app\/oracle\/wallet\/tde\/ OPEN\n 2 PDB$SEED FILE OPEN\n 3 PDB1 FILE OPEN\n<\/pre><\/div>\n\n\n
Create autologin wallet <\/h3>\n\n\n
\nSQL> show con_name\n\nCON_NAME\n------------------------------\nCDB$ROOT\n\nSQL> administer key management create local auto_login keystore from keystore '\/u01\/app\/oracle\/wallet\/tde' identified by "Hello123";\n\nkeystore altered.\n<\/pre><\/div>\n\n\n
Configure OKV RESTfull service on oracle database server<\/h2>\n\n\n
\n[oracle@okvcli bin]$ export JAVA_HOME=\/u01\/app\/oracle\/product\/21.0.0\/dbhome_1\/jdk\n\n[oracle@okvcli bin]$ echo "export JAVA_HOME=\/u01\/app\/oracle\/product\/21.0.0\/dbhome_1\/jdk" >> $HOME\/.bashrc\n\n[oracle@okvcli oracle]$ mkdir \/u01\/app\/oracle\/okvapi\n\n[oracle@okvcli oracle]$ cd okvapi\/\n\n[oracle@okvcli okvapi]$ curl -O -k https:\/\/172.168.0.41:5695\/okvrestclipackage.zip\n % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n100 3865k 100 3865k 0 0 107M 0 --:--:-- --:--:-- --:--:-- 107M\n\n[oracle@okvcli okvapi]$ unzip okvrestclipackage.zip\nArchive: okvrestclipackage.zip\n creating: lib\/\n creating: bin\/\n inflating: bin\/okv\n inflating: bin\/okv.bat\n creating: conf\/\n inflating: conf\/okvrestcli.ini\n inflating: conf\/okvrestcli_logging.properties\n inflating: lib\/okvrestcli.jar\n\n[oracle@okvcli okvapi]$ rm okvrestclipackage.zip\n\noracle@okvcli ~]$ export OKV_HOME=\/u01\/app\/oracle\/okvapi\n\n[oracle@okvcli ~]$ echo "export OKV_HOME=\/u01\/app\/oracle\/okvapi" >> $HOME\/.bashrc\n\n[oracle@okvcli ~]$ cat $OKV_HOME\/conf\/okvrestcli.ini\n[Default]\nlog_property=$OKV_HOME\/conf\/okvrestcli_logging.properties\nserver=172.168.0.41\nokv_client_config=$WALLET_DIR\/okv\/conf\/okvclient.ora\nuser=admin\nclient_wallet=$OKV_HOME\/wallet\n<\/pre><\/div>\n\n\n
Edit the
$OKV_HOME\/bin\/okv<\/code> file and uncomment the lineexport OKV_RESTCLI_CONFIG=$OKV_RESTCLI_DIR\/conf\/okvrestcli.ini<\/code><\/p>\n\n\n\nCreate the wallet for OKV RESTfull API <\/h3>\n\n\n\n
As for the
okvrestcli.ini<\/code> file I used the admin user (seeuser=admin<\/code> fromokvrestcli.ini<\/code>) to configure the wallet. The password is the one defined in OKV for theadmin<\/code> user. <\/p>\n\n\n\n[oracle@okvcli okvapi]$ mkdir $OKV_HOME\/wallet\n\n[oracle@okvcli okvapi]$ $OKV_HOME\/bin\/okv admin client-wallet add --client-wallet $OKV_HOME\/wallet --wallet-user admin\nPassword: ****** \n{\n "result" : "Success"\n}\n<\/pre><\/div>\n\n\nTest the correct installation of OKV RESTfull API <\/h3>\n\n\n
\n[oracle@okvcli conf]$ $OKV_HOME\/bin\/okv\n{\n "restCLIVersion" : "21.7.0.0.0"\n}\n\n[oracle@okvcli okvapi]$ $OKV_HOME\/bin\/okv server info get\n{\n "result" : "Success",\n "value" : {\n "caCertificateExpirationDate" : "2026-10-19 09:52:32",\n "cpuCores" : "4",\n "deploymentType" : "Standalone",\n "diskInGB" : "3652",\n "fraInGB" : "20",\n "memoryInKB" : "30504316",\n "serverCertificateExpirationDate" : "2024-10-19 09:57:11",\n "serverTime" : "2023-11-02 10:40:47",\n "version" : "21.7.0.0.0"\n }\n}\n<\/pre><\/div>\n\n\nAt this moment the OKV RESTfull API is communicate with the OKV server. So we can use the API to add the endpoint to OKV. <\/p>\n\n\n\n
Add the endpoint to OKV.<\/h2>\n\n\n\n
First we can create a wallet in the OKV for the endpoint. This step is optional. The name of the wallet is DBCDB01_WLT<\/p>\n\n\n
\n[oracle@okvcli okvapi]$ $OKV_HOME\/bin\/okv manage-access wallet create --wallet DBCDB01_WLT\n{\n "result" : "Success"\n}\n<\/pre><\/div>\n\n\nNow create the endpoint in the OKV <\/p>\n\n\n
\n[oracle@okvcli okvapi]$ $OKV_HOME\/bin\/okv admin endpoint create --endpoint okvcli_host --description "$HOSTNAME, $(hostname -i)" --type ORACLE_DB --platform LINUX64\n{\n "result" : "Success"\n}\n<\/pre><\/div>\n\n\nIn the OKV the added endpoint is REGISTERED as is not enrolled yet: <\/p>\n\n\n\n
![\"\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/11\/image-1024x544.png\")
<\/figure>\n\n\n\nAs we create a wallet for this endpoint let’s define it as default wallet for it:<\/p>\n\n\n
\n[oracle@okvcli okvapi]$ $OKV_HOME\/bin\/okv manage-access wallet set-default --wallet DBCDB01_WLT --endpoint okvcli_host\n{\n "result" : "Success"\n}\n<\/pre><\/div>\n\n\nEnroll the endpoint: <\/p>\n\n\n
\n[oracle@okvcli okvapi]$ echo $ORACLE_HOME\n\/u01\/app\/oracle\/product\/21.0.0\/dbhome_1\n\n[oracle@okvcli okvapi]$ echo $ORACLE_BASE\n\/u01\/app\/oracle\n\n[oracle@okvcli okvapi]$ $OKV_HOME\/bin\/okv admin endpoint provision --endpoint okvcli_host --location \/u01\/app\/oracle\/wallet\/okv --auto-login FALSE\nEnter Oracle Key Vault endpoint password: OKV_cli_123\n{\n "result" : "Success"\n}\n<\/pre><\/div>\n\n\nThe
--location<\/code> parameter must<\/strong> bewallet_root<\/code> parameter path from the database plusokv<\/code>. In this path OKV will download theokvutil<\/code> file needed by the database to communicate with OKV server: <\/p>\n\n\n\n[oracle@okvcli okvapi]$ ls \/u01\/app\/oracle\/wallet\/okv\nbin conf csdk jlib lib log ssl\n<\/pre><\/div>\n\n\n
The
okvclient.ora<\/code> file from\/u01\/app\/oracle\/wallet\/okv\/con<\/code>f path can be added in the$OKV_HOME\/conf\/okvrestcli.ini<\/code> file:okv_client_config=\/u01\/app\/oracle\/wallet\/okv\/conf\/okvclient.ora<\/code> to be able to use the RESTfull API for this database. <\/p>\n\n\n\nNotice that I put the password in the command to identified it in the next steps. <\/p>\n\n\n\n
At the end execute the
root.sh<\/code> script, which creates the directory tree\/opt\/oracle\/extapi\/64\/hsm\/oracle\/1.0.0<\/code>, changes ownership and permissions, then copies the PKCS#11 library into this directory.<\/p>\n\n\n\nThe library PKCS#11 library
liborapkcs.so<\/code> is used by Oracle Database to communicate with OKV.<\/p>\n\n\n\n[opc@tstokvcli ~]$ sudo su -\n[root@tstokvcli ~]# \/u01\/app\/oracle\/wallet\/okv\/bin\/root.sh\n<\/pre><\/div>\n\n\n
At OKV server level the endpoint is enrolled now.<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/11\/image-1-1024x544.png\")
<\/figure>\n\n\n\nLet’s test if the endpoint okvutil is working: <\/p>\n\n\n
\noracle@okvcli ~]$ cd \/u01\/app\/oracle\/wallet\/okv\/bin\n\n[oracle@okvcli bin]$ .\/okvutil list\nEnter Oracle Key Vault endpoint password: OKV_cli_123\nUnique ID Type Identifier\n3E32A151-D656-4E43-ADE8-629B11B8B4C9\tTemplate\tDefault template for OKVCLI_HOST\n\n<\/pre><\/div>\n\n\n
At this moment we have the database encrypted with TDE, and the database server is able to communicate with the OKV server, and is enrolled in the OKV client. <\/p>\n\n\n\n
The next step is to upload the TDE keys in the OKV. <\/p>\n\n\n\n
Upload TDE key to OKV. <\/h2>\n\n\n\n
The first password id the wallet password (
Hello123<\/code>) the second password is the endpoint password (OKV_cli_123<\/code>)<\/p>\n\n\n\n[oracle@okvcli bin]$ .\/okvutil upload -t WALLET -l \/u01\/app\/oracle\/wallet\/tde -g DBCDB01_WLT -v 4\nokvutil version 21.7.0.0.0\nEndpoint type: Oracle Database\nConfiguration file: \/u01\/app\/oracle\/wallet\/okv\/conf\/okvclient.ora\nServer: 172.168.0.41:5696\nStandby Servers:\nUploading from \/u01\/app\/oracle\/wallet\/tde\nEnter source wallet password: Hello123\nNo auto-login wallet found, password needed\nEnter Oracle Key Vault endpoint password: OKV_cli_123\nORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY\nTrying to connect to 172.168.0.41:5696 ...\nConnected to 172.168.0.41:5696.\nORACLE.SECURITY.DB.ENCRYPTION.AZXyYcD7Y0+Rv5tK3Y2lrT8AAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nORACLE.SECURITY.KM.ENCRYPTION.AZXyYcD7Y0+Rv5tK3Y2lrT8AAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nORACLE.SECURITY.KT.ENCRYPTION.AZXyYcD7Y0+Rv5tK3Y2lrT8AAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nORACLE.SECURITY.KB.ENCRYPTION.\nORACLE.SECURITY.ID.ENCRYPTION.\nORACLE.SECURITY.KT.ENCRYPTION.AezKLH\/ZbU8ev0KGkyVh9XAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nORACLE.SECURITY.KM.ENCRYPTION.AezKLH\/ZbU8ev0KGkyVh9XAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nORACLE.SECURITY.DB.ENCRYPTION.AezKLH\/ZbU8ev0KGkyVh9XAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY.0928CAFC93BBEE6CE0638001A8AC296F\n\nUploaded 2 TDE keys\nUploaded 0 SEPS entries\nUploaded 0 other secrets\nUploaded 4 opaque objects\n\nUploading private key\nUploading certificate request\nUploading trust points\n\nUploaded 1 private keys\nUploaded 1 certificate requests\nUploaded 0 user certificates\nUploaded 0 trust points\n\nUpload succeeded\n\n[oracle@okvcli bin]$ .\/okvutil list\nEnter Oracle Key Vault endpoint password: OKV_cli_123\nUnique ID Type Identifier\nF1C1537B-970E-4F09-BF41-6E5525D92E28\tOpaque Object\tTDE Wallet Metadata\nA2FE6566-A68E-5217-89B0-19370EF78066\tSymmetric Key\tTDE Master Encryption Key: TAG CDB1: Initial MEK\nF3C5C8F1-5DBA-4FF2-BF28-4EC3E8606772\tOpaque Object\tTDE Wallet Metadata\n3E77A59D-DB88-4F26-BF7C-5449137B46FE\tOpaque Object\tTDE Wallet Metadata\nC910D912-0031-5776-AE3F-43967710B8DB\tSymmetric Key\tTDE Master Encryption Key: TAG PDB1: Initial MEK\n0ABA58D9-7295-4F12-BFBF-F13382476355\tOpaque Object\tTDE Wallet Metadata\n492260F0-113C-4F07-BFCA-25360F0173BC\tPrivate Key\tPrivate Key\n4F1FC5D9-2C87-4F56-BF4B-6B3A5D730C6E\tOpaque Object\tCertificate Request\n3E32A151-D656-4E43-ADE8-629B11B8B4C9\tTemplate\tDefault template for OKVCLI_HOST\n<\/pre><\/div>\n\n\n
At database level we are still in the
FILE<\/code> keystore mode (local on the server).<\/p>\n\n\n\nSQL> select wrl_type, status, con_id from v$encryption_wallet;\n\nWRL_TYPE STATUS CON_ID\n---------------- ------ ------\nFILE OPEN 1\nFILE OPEN 2\nFILE OPEN 3\n<\/pre><\/div>\n\n\n
At OKV server level the wallet
DBCDB01_WLT<\/code> contains our keys and theOKVCLI_HOST<\/code> endpoint has access to the wallet: <\/p>\n\n\n\n![\"\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/11\/image-2-1024x657.png\")
<\/figure>\n\n\n\nMigrate the FILE local wallet to OKV<\/h2>\n\n\n
\nSQL> show con_id\n\nCON_ID\n------------------------------\n1\n\nSQL> alter system set tde_configuration = "KEYSTORE_CONFIGURATION=OKV|FILE" ;\n\nSQL> administer key management set encryption key identified BY "OKV_cli_123" migrate using "Hello123" WITH BACKUP;\n\nkeystore altered.\n<\/pre><\/div>\n\n\n
The parameter
\"KEYSTORE_CONFIGURATION=OKV|FILE\"<\/code> means that the database will get the encryption key from OKV and the auto_login filecwallet.sso<\/code> from local disk (\/u01\/app\/oracle\/wallet\/tde<\/code>)<\/p>\n\n\n\nRemove the auto_login file from the
tde<\/code>, directory in order to create the new auto_login file: <\/p>\n\n\n\n[oracle@okvcli tde]$ cd \/u01\/app\/oracle\/wallet\/tde\n\n[oracle@okvcli tde]$ rm cwallet.sso\n<\/pre><\/div>\n\n\n
Create the auto_login file for OKV access: <\/p>\n\n\n
\nSQL> administer key management add secret 'OKV_cli_123' for client 'OKV_PASSWORD' to local auto_login keystore '\/u01\/app\/oracle\/wallet\/tde';\n\nkeystore altered.\n\nSQL> select wrl_type, status, con_id from v$encryption_wallet;\n\nWRL_TYPE STATUS CON_ID\n----------- -------- --------\nFILE OPEN 1\nOKV OPEN 1\nFILE OPEN 2\nOKV OPEN 2\nFILE OPEN 3\nOKV OPEN 3\n<\/pre><\/div>\n\n\n
At this step the database use OKV for the encryption key and local file for auto_login. In the wallet directory
\/u01\/app\/oracle\/wallet\/tde <\/code>only thecwallet.sso <\/code>file should exist. <\/p>\n\n\n\nFinal test<\/h2>\n\n\n\n
The final test consist in the creation of an encrypted tablespace with a table inside, then clean local wallet (
ewallet.p12<\/code> file ) and finally restart the database. <\/p>\n\n\n\nIf everything is correctly configured then no password should be asked, the CDB and PDB(s) must be opened, the encrypted tablespace and the table must be accessible. <\/p>\n\n\n\n
Let’s clean the
\/u01\/app\/oracle\/wallet\/tde<\/code> directory (is a good practice to start by making a backup in another directory, just in case):<\/p>\n\n\n\n[oracle@okvcli tde]$ cd \/u01\/app\/oracle\/wallet\/tde\n\n[oracle@okvcli tde]$ mkdir bck\n\n[oracle@okvcli tde]$ mv ewallet_* bck\n\n[oracle@okvcli tde]$ ls \ncwallet.sso\n\n<\/pre><\/div>\n\n\n
Create an encrypted (
ENCR_TBS<\/code>) tablespace and add a table (ENCR_TABLE<\/code>):<\/p>\n\n\n\nSQL> alter session set container=pdb1;\n\nSession altered.\n\nSQL> create tablespace encr_tbs;\n\nSQL> select tablespace_name, encrypted from dba_tablespaces where tablespace_name='ENCR_TBS';\n\nTABLESPACE_NAME \t ENC\n------------------------------ ---\nENCR_TBS\t\t YES\n\nSQL> create table encr_table(c number) tablespace encr_tbs;\n\nTable created.\n\nSQL> insert into encr_table values(1);\n\n1 row created.\n\nSQL> commit;\n\nCommit complete.\n\nSQL> select * from encr_table;\n\n\t C\n----------\n\t 1\n\nSQL> alter session set container=CDB$ROOT;\n\nSession altered \n<\/pre><\/div>\n\n\n
Finally restart the database and try to select the table: <\/p>\n\n\n
\nSQL> shutdown immediate; \n\nSQL> startup; \n\nSQL> show pdbs;\n\n CON_ID CON_NAME OPEN MODE RESTRICTED\n---------- ----------- ----------- ---------- \n 2 PDB$SEED READ ONLY NO\n 3 PDB1 READ WRITE NO\n\nSQL> alter session set container=pdb1;\n\nSession altered.\n\nSQL> select * from encr_table;\n\n\t C\n----------\n\t 1\n\n<\/pre><\/div>\n\n\n
Conclusion<\/h2>\n\n\n\n
Using OKV to store TDE encryption keys is the preferred solution. The RESTfull API proposed by OKV is complete and easy to configure. It is a good practice to script all commands in order to add the endpoints, and configure the database, as a post script of vm creation for instance.<\/p>\n","protected":false},"excerpt":{"rendered":"
How to configure, from scratch, the TDE on the database, how to upload the wallet keys in the OKV and how to configure the database to use these keys. <\/p>\n","protected":false},"author":27,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[59],"tags":[3153,2857,1930,3152],"type_dbi":[3156,3155],"class_list":["post-29079","post","type-post","status-publish","format-standard","hentry","category-oracle","tag-okv","tag-online-tablespace-encryption","tag-oracle-cloud-infrastructure","tag-oracle-key-vault","type-oci","type-okv"],"acf":[],"yoast_head":"\n
Add TDE to Oracle Database and upload keys to OKV - dbi Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.dbi-services.com\/blog\/add-tde-to-oracle-database-and-upload-keys-to-okv\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Add TDE to Oracle Database and upload keys to OKV\" \/>\n<meta property=\"og:description\" content=\"How to configure, from scratch, the TDE on the database, how to upload the wallet keys in the OKV and how to configure the database to use these keys.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.dbi-services.com\/blog\/add-tde-to-oracle-database-and-upload-keys-to-okv\/\" \/>\n<meta property=\"og:site_name\" content=\"dbi Blog\" \/>\n<meta property=\"article:published_time\" content=\"2023-11-02T13:35:02+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-01-24T09:43:47+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/11\/image.png\" \/>\n\t<meta property=\"og:image:width\" content=\"2814\" \/>\n\t<meta property=\"og:image:height\" content=\"1494\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Oracle Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Oracle Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/add-tde-to-oracle-database-and-upload-keys-to-okv\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/add-tde-to-oracle-database-and-upload-keys-to-okv\/\"},\"author\":{\"name\":\"Oracle Team\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee\"},\"headline\":\"Add TDE to Oracle Database and upload keys to OKV\",\"datePublished\":\"2023-11-02T13:35:02+00:00\",\"dateModified\":\"2025-01-24T09:43:47+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/add-tde-to-oracle-database-and-upload-keys-to-okv\/\"},\"wordCount\":853,\"commentCount\":7,\"image\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/add-tde-to-oracle-database-and-upload-keys-to-okv\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/11\/image-1024x544.png\",\"keywords\":[\"OKV\",\"online tablespace encryption\",\"oracle cloud infrastructure\",\"Oracle Key Vault\"],\"articleSection\":[\"Oracle\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/add-tde-to-oracle-database-and-upload-keys-to-okv\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/add-tde-to-oracle-database-and-upload-keys-to-okv\/\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/add-tde-to-oracle-database-and-upload-keys-to-okv\/\",\"name\":\"Add TDE to Oracle Database and upload keys to OKV - dbi Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/add-tde-to-oracle-database-and-upload-keys-to-okv\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/add-tde-to-oracle-database-and-upload-keys-to-okv\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/11\/image-1024x544.png\",\"datePublished\":\"2023-11-02T13:35:02+00:00\",\"dateModified\":\"2025-01-24T09:43:47+00:00\",\"author\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/add-tde-to-oracle-database-and-upload-keys-to-okv\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/add-tde-to-oracle-database-and-upload-keys-to-okv\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/add-tde-to-oracle-database-and-upload-keys-to-okv\/#primaryimage\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/11\/image.png\",\"contentUrl\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/11\/image.png\",\"width\":2814,\"height\":1494},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/add-tde-to-oracle-database-and-upload-keys-to-okv\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.dbi-services.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Add TDE to Oracle Database and upload keys to OKV\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/\",\"name\":\"dbi Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee\",\"name\":\"Oracle Team\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g\",\"caption\":\"Oracle Team\"},\"url\":\"https:\/\/www.dbi-services.com\/blog\/author\/oracle-team\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Add TDE to Oracle Database and upload keys to OKV - dbi Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.dbi-services.com\/blog\/add-tde-to-oracle-database-and-upload-keys-to-okv\/","og_locale":"en_US","og_type":"article","og_title":"Add TDE to Oracle Database and upload keys to OKV","og_description":"How to configure, from scratch, the TDE on the database, how to upload the wallet keys in the OKV and how to configure the database to use these keys.","og_url":"https:\/\/www.dbi-services.com\/blog\/add-tde-to-oracle-database-and-upload-keys-to-okv\/","og_site_name":"dbi Blog","article_published_time":"2023-11-02T13:35:02+00:00","article_modified_time":"2025-01-24T09:43:47+00:00","og_image":[{"width":2814,"height":1494,"url":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/11\/image.png","type":"image\/png"}],"author":"Oracle Team","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Oracle Team","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.dbi-services.com\/blog\/add-tde-to-oracle-database-and-upload-keys-to-okv\/#article","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/add-tde-to-oracle-database-and-upload-keys-to-okv\/"},"author":{"name":"Oracle Team","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee"},"headline":"Add TDE to Oracle Database and upload keys to OKV","datePublished":"2023-11-02T13:35:02+00:00","dateModified":"2025-01-24T09:43:47+00:00","mainEntityOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/add-tde-to-oracle-database-and-upload-keys-to-okv\/"},"wordCount":853,"commentCount":7,"image":{"@id":"https:\/\/www.dbi-services.com\/blog\/add-tde-to-oracle-database-and-upload-keys-to-okv\/#primaryimage"},"thumbnailUrl":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/11\/image-1024x544.png","keywords":["OKV","online tablespace encryption","oracle cloud infrastructure","Oracle Key Vault"],"articleSection":["Oracle"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.dbi-services.com\/blog\/add-tde-to-oracle-database-and-upload-keys-to-okv\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.dbi-services.com\/blog\/add-tde-to-oracle-database-and-upload-keys-to-okv\/","url":"https:\/\/www.dbi-services.com\/blog\/add-tde-to-oracle-database-and-upload-keys-to-okv\/","name":"Add TDE to Oracle Database and upload keys to OKV - dbi Blog","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/add-tde-to-oracle-database-and-upload-keys-to-okv\/#primaryimage"},"image":{"@id":"https:\/\/www.dbi-services.com\/blog\/add-tde-to-oracle-database-and-upload-keys-to-okv\/#primaryimage"},"thumbnailUrl":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/11\/image-1024x544.png","datePublished":"2023-11-02T13:35:02+00:00","dateModified":"2025-01-24T09:43:47+00:00","author":{"@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee"},"breadcrumb":{"@id":"https:\/\/www.dbi-services.com\/blog\/add-tde-to-oracle-database-and-upload-keys-to-okv\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.dbi-services.com\/blog\/add-tde-to-oracle-database-and-upload-keys-to-okv\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.dbi-services.com\/blog\/add-tde-to-oracle-database-and-upload-keys-to-okv\/#primaryimage","url":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/11\/image.png","contentUrl":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/11\/image.png","width":2814,"height":1494},{"@type":"BreadcrumbList","@id":"https:\/\/www.dbi-services.com\/blog\/add-tde-to-oracle-database-and-upload-keys-to-okv\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.dbi-services.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Add TDE to Oracle Database and upload keys to OKV"}]},{"@type":"WebSite","@id":"https:\/\/www.dbi-services.com\/blog\/#website","url":"https:\/\/www.dbi-services.com\/blog\/","name":"dbi Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee","name":"Oracle Team","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g","caption":"Oracle Team"},"url":"https:\/\/www.dbi-services.com\/blog\/author\/oracle-team\/"}]}},"_links":{"self":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/29079","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/users\/27"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/comments?post=29079"}],"version-history":[{"count":38,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/29079\/revisions"}],"predecessor-version":[{"id":36880,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/29079\/revisions\/36880"}],"wp:attachment":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/media?parent=29079"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/categories?post=29079"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/tags?post=29079"},{"taxonomy":"type","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/type_dbi?post=29079"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}