
TDE Fundamental questions

toonie, Sep 27 2016 (edited Oct 1 2016)

Hi all,

I have started to explore some options around TDE and I am seeking some clarifications. I am perusing the documentation and other sources [http://www.oracle.com/technetwork/database/security/tde-faq-093689.html] but would appreciate any assistance in clarifying any misunderstandings etc.

I have some fundamental questions, so I will post them here. I have also run into a few problems in a testing environment, so I will open a separate thread for that.

Okay so...

I have attempted to implement a very basic TDE setup as per below on a 12c database (although I believe the same steps should be appropriate for an 11gR2 install).

### Created wallet location

```
[oracle@oralinux7 admin]$ mkdir /u01/app/oracle/product/wallet
```

### Modified the sqlnet.ora

```
[oracle@oralinux7 admin]$ cat sqlnet.ora
NAMES.DIRECTORY_PATH= (TNSNAMES)
ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)
          (METHOD_DATA=
          (DIRECTORY=/u01/app/oracle/product/wallet)))
```

### Generated wallet and Master Key

```
SQL> host ls -lrt /u01/app/oracle/product/wallet
total 0

SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Easy2rem";
System altered.

SQL> host ls -lrt /u01/app/oracle/product/wallet
total 4
-rw-r--r--. 1 oracle oinstall 2840 Sep 26 22:05 ewallet.p12
```

Q1: Is the password above ("Easy2rem") only specific to opening the wallet? It doesn't have any bearing on the master encryption key?

But the master encryption key is created (in the wallet) by the above statement, yes?

### Opened the encryption wallet manually

```
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Easy2rem";

SQL> select * from v$encryption_wallet;

WRL_TYPE  WRL_PARAMETER                    STATUS  WALLET_TYPE  WALLET_OR  FULLY_BAC  CON_ID
--------  -------------------------------  ------  -----------  ---------  ---------  ------
FILE      /u01/app/oracle/product/wallet/  OPEN    PASSWORD     SINGLE     NO              0
```

### Restarted the database

```
SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.

SQL> startup;
ORACLE instance started.

Total System Global Area  419430400 bytes
Fixed Size                  2925120 bytes
Variable Size             385879488 bytes
Database Buffers           25165824 bytes
Redo Buffers                5459968 bytes
Database mounted.
Database opened.
SQL>
```

### Noted that the wallet is then closed because we do not auto-open it

```
SQL> select * from v$encryption_wallet;

WRL_TYPE  WRL_PARAMETER                    STATUS  WALLET_TYPE  WALLET_OR  FULLY_BAC  CON_ID
--------  -------------------------------  ------  -----------  ---------  ---------  ------
FILE      /u01/app/oracle/product/wallet/  CLOSED  UNKNOWN      SINGLE     UNDEFINED       0
```

### Manual intervention

```
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Easy2rem";
System altered.

SQL> select * from v$encryption_wallet;

WRL_TYPE  WRL_PARAMETER                    STATUS  WALLET_TYPE  WALLET_OR  FULLY_BAC  CON_ID
--------  -------------------------------  ------  -----------  ---------  ---------  ------
FILE      /u01/app/oracle/product/wallet/  OPEN    PASSWORD     SINGLE     NO              0

SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "Easy2rem";
System altered.

SQL> select * from v$encryption_wallet;

WRL_TYPE  WRL_PARAMETER                    STATUS  WALLET_TYPE  WALLET_OR  FULLY_BAC  CON_ID
--------  -------------------------------  ------  -----------  ---------  ---------  ------
FILE      /u01/app/oracle/product/wallet/  CLOSED  UNKNOWN      SINGLE     UNDEFINED       0
```

### Created an auto login wallet

```
[oracle@oralinux7 admin]$ $ORACLE_HOME/bin/orapki wallet create -wallet /u01/app/oracle/product/wallet -auto_login -pwd "Easy2rem"
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
```

Q2: Should you close the encryption wallet before doing this (creating the autologin wallet)?

Q3: What are the .lck files generated?

```
[oracle@oralinux7 wallet]$ pwd
/u01/app/oracle/product/wallet

[oracle@oralinux7 wallet]$ ls -lrt
total 8
-rw-r--r--. 1 oracle oinstall 2840 Sep 26 22:05 ewallet.p12
-rw-------. 1 oracle oinstall 2885 Sep 26 22:26 cwallet.sso
-rw-rw-rw-. 1 oracle oinstall    0 Sep 26 22:32 ewallet.p12.lck
-rw-rw-rw-. 1 oracle oinstall    0 Sep 26 22:32 cwallet.sso.lck
```

### Further checking of the wallet

```
[oracle@oralinux7 admin]$ orapki wallet display -wallet /u01/app/oracle/product/wallet
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
Subject:        CN=oracle
User Certificates:
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.AZL7GH1mZ0+Rv6/ZIkM0OZMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.ID.ENCRYPTION.
ORACLE.SECURITY.KB.ENCRYPTION.
Trusted Certificates:
[oracle@oralinux7 admin]$
```

So, I can change the wallet by using something like this?

```
$ orapki wallet change_pwd -wallet <wallet_location>
```

Q4: But how does one change the TDE master key?

Q5: Also, what occurs if I re-execute the command `ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY <something else>...`?

Does this also modify the 'open the wallet' password and/or generate a new TDE master key?

Regards,

Ruan
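The following shell script is an added example and is not part of this thread or of any Oracle tool. It shows the kind of check worth running after the steps above: it reads the `ENCRYPTION_WALLET_LOCATION` block from a sqlnet.ora of the form shown in the post to find the wallet directory, then flags every file in that directory that grants any permission to group or other. That matters most for `cwallet.sso`, since the auto-login wallet is what lets the database open the TDE wallet without a password, but the listing in the post also shows `ewallet.p12` as 644 and the `.lck` files as 666. The sqlnet.ora and wallet files it inspects are constructed in a scratch directory to mirror the poster's listing (same file names and modes, temporary paths); nothing here touches a real database.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits a TDE wallet directory
# for files readable or writable by anyone other than the owning account.

# Extract the DIRECTORY value from the ENCRYPTION_WALLET_LOCATION block of a
# sqlnet.ora ($1). The block spans several lines, so lines are joined first.
wallet_dir_from_sqlnet() {
    tr -d '\n' < "$1" |
        sed -n 's/.*ENCRYPTION_WALLET_LOCATION.*DIRECTORY *= *\([^) ]*\)).*/\1/p'
}

# Print "<group+other bits> <file>" for each regular file in the wallet
# directory ($1) whose mode grants anything to group or other. The mode string
# is taken from ls -l (characters 5-10), which works on any POSIX system and is
# unaffected by the SELinux "." suffix seen in the poster's listing.
audit_wallet_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        perms=$(ls -ld "$f" | cut -c5-10)
        case "$perms" in
            ------) ;;                                   # owner-only: fine
            *) echo "$perms $(basename "$f")" ;;         # finding
        esac
    done
}

# Number of findings for a wallet directory ($1); 0 means owner-only everywhere.
count_wallet_findings() {
    audit_wallet_dir "$1" | wc -l | tr -d ' '
}

# Build a scratch sqlnet.ora and wallet directory that mirror the post's
# output (constructed sample data; the real files are never read). Echoes the
# scratch base directory so the caller can clean it up.
make_sample_wallet() {
    base=$(mktemp -d)
    mkdir -p "$base/wallet"
    cat > "$base/sqlnet.ora" <<EOF
NAMES.DIRECTORY_PATH= (TNSNAMES)
ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)
          (METHOD_DATA=
          (DIRECTORY=$base/wallet)))
EOF
    # Same names and modes as the ls -lrt listing in the post.
    : > "$base/wallet/ewallet.p12";     chmod 644 "$base/wallet/ewallet.p12"
    : > "$base/wallet/cwallet.sso";     chmod 600 "$base/wallet/cwallet.sso"
    : > "$base/wallet/ewallet.p12.lck"; chmod 666 "$base/wallet/ewallet.p12.lck"
    : > "$base/wallet/cwallet.sso.lck"; chmod 666 "$base/wallet/cwallet.sso.lck"
    echo "$base"
}

main() {
    base=$(make_sample_wallet)
    dir=$(wallet_dir_from_sqlnet "$base/sqlnet.ora")
    echo "wallet directory from sqlnet.ora: $dir"
    audit_wallet_dir "$dir"
    echo "findings: $(count_wallet_findings "$dir")"
    rm -rf "$base"
}

main
```

Against the sample the script reports three findings (`ewallet.p12` plus the two `.lck` files) and leaves `cwallet.sso` alone, since 600 is owner-only. On a real host, point `wallet_dir_from_sqlnet` at `$ORACLE_HOME/network/admin/sqlnet.ora` and drop the `make_sample_wallet` step; the empty `.lck` files carry no key material, but world-writable entries in the key directory are still worth recording in a review.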

This post has been answered by Vlad Visan-Oracle on Sep 28 2016