Configure TDE on Oracle 19c Multitenant-Database Server on Windows

1) Set Parameters

<CDB>

-- Wallet root location: E:\oracle\base\admin\tdedb\wallet

sqlplus / as sysdba

SQL> alter system set WALLET_ROOT="E:\oracle\base\admin\tdedb\wallet" scope=spfile;

System altered.

SQL> alter system set "_tablespace_encryption_default_algorithm" = 'AES256' scope=both;

-- The following parameter setting is required for patch level 19.25 (Oct-24)

SQL> alter system set TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" scope=both;

-- Shutdown and Startup the instance

-- Close the PDBS if opened

SQL> alter pluggable database all close immediate;

-- Make sure pdbs status are closed, which should be in mount stage

SQL> show pdbs;

-- We can see the wallet location is shown correctly as we set.

SQL> show parameter wallet

NAME TYPE VALUE

ssl_wallet string

wallet_root string E:\oracle\base\admin\tdedb\wallet

2) Create keystore

<CDB>

SQL> administer key management create keystore identified by "Password";

keystore altered.

SQL> select WRL_TYPE, WRL_PARAMETER, STATUS, CON_ID from v$encryption_wallet;

WRL_TYPE WRL_PARAMETER STATUS CON_ID

FILE E:\oracle\base\admin\tdedb\wallet\tde CLOSED 1

FILE CLOSED 2

FILE CLOSED 3

3) Open Keystore

<CDB>

SQL> alter pluggable database all open;

SQL> administer key management set keystore open force keystore identified by "Password" container=all;

keystore altered.

SQL> select WRL_TYPE, WRL_PARAMETER, STATUS, CON_ID f

FILE OPEN_NO_MASTER_KEY 2

FILE OPEN_NO_MASTER_KEY 3

4) Create Master Key (a)

<CDB>

SQL> administer key management set key identified by "Password" with backup;

keystore altered.

SQL> select WRL_TYPE, WRL_PARAMETER, STATUS, CON_ID from v$encryption_wallet;

WRL_TYPE WRL_PARAMETER STATUS CON_ID

FILE E:\oracle\base\admin\tdedb\wallet\tde OPEN 1

FILE OPEN 2

FILE OPEN_NO_MASTER_KEY 3

Create Master Key for PDB (b)

SQL> alter session set container=PDB1

Session altered.

SQL> administer key management set key identified by "Password" with backup;

keystore altered.

SQL> select WRL_TYPE, WRL_PARAMETER, STATUS, CON_ID from v$encryption_wallet;

WRL_TYPE WRL_PARAMETER STATUS CON_ID

FILE OPEN 3

SQL> select tablespace_name, status, encrypted from dba_tablespaces;

TABLESPACE_NAME STATUS ENC

SYSTEM ONLINE NO

SYSAUX ONLINE NO

UNDOTBS1 ONLINE NO

TEMP ONLINE NO

USERS ONLINE NO

5) Autologin Keystore

<CDB>

SQL> alter session set container=CDB$ROOT;

Session altered.

SQL> administer key management create auto_login keystore from keystore identified by "Password";

keystore altered.

SQL> alter system set encrypt_new_tablespaces = always scope=both sid='*';

System altered.

SQL> show parameter encrypt_new_tablespaces

NAME TYPE VALUE

encrypt_new_tablespaces string ALWAYS

-- Shutdown and Startup the instance and check v$encryption_wallet file status, should be OPEN.

6) Encrypt tablespace online

<PDB>

sqlplus / as sysdba

SQL> alter session set container=PDB1;

alter tablespace USERS encryption online encrypt;

Tablespace altered.

SQL> select tablespace_name, status, encrypted from dba_tablespaces;

TABLESPACE_NAME STATUS ENC

SYSTEM ONLINE NO

SYSAUX ONLINE NO

UNDOTBS1 ONLINE NO

TEMP ONLINE NO

USERS ONLINE YES

Happy Learning!

Kinein SYSDBA

Friday, November 29, 2024

Configure TDE on Oracle 19c Multitenant-Database Server on Windows

No comments:

Post a Comment

SQL Server TDE Database Encryption

About Me