Channel: Deiby Gomez's Activities

Quick guide to use Transparent Data Encryption (TDE 12c)

In this article I will show you how to configure TDE quickly, going directly to the steps that you are looking for.

You can also see the quick guide to configure TDE in 11g HERE.

We will go through the following steps:

  • Configuring sqlnet.ora
  • Creating Wallet
  • Creating Encrypted Tablespace
  • Configuring Wallet AutoLogin


Configuring sqlnet.ora

I will create the directory where the Wallet will be stored:

[oracle@db12102 ~]$ mkdir -p /u01/app/oracle/db1/wallet
[oracle@db12102 ~]$

And I have configured the sqlnet.ora with the following text:

[oracle@db12102 ~]$ vi $ORACLE_HOME/network/admin/sqlnet.ora
[oracle@db12102 ~]$ cat $ORACLE_HOME/network/admin/sqlnet.ora
ENCRYPTION_WALLET_LOCATION=
  (SOURCE=
    (METHOD=FILE)
    (METHOD_DATA=
      (DIRECTORY=/u01/app/oracle/db1/wallet)))
[oracle@db12102 ~]$


Creating the wallet (Keystore):

The syntax changed with Oracle 12c, but the concept remains the same.

When we create the wallet, the file "ewallet.p12" is also created in the directory that we specified in the file "sqlnet.ora". Note that the directory is empty for now:

[oracle@db12102 ~]$ ls -ltr /u01/app/oracle/db1/wallet
total 0
[oracle@db12102 ~]$

Now we will proceed to create the wallet:

SQL> administer key management create keystore '/u01/app/oracle/db1/wallet' identified by "MyPassword123";

keystore altered.

SQL>

And we can confirm that the file "ewallet.p12" was successfully created:

[oracle@db12102 ~]$ ls -ltr /u01/app/oracle/db1/wallet
total 4
-rw-r--r-- 1 oracle asmadmin 2408 Jul 26 03:31 ewallet.p12
[oracle@db12102 ~]$

However, the wallet is closed right after its creation, as you can see below:

SQL> select wrl_parameter, status from v$encryption_wallet;

WRL_PARAMETER                  STATUS
------------------------------ ------------------------------
/u01/app/oracle/db1/wallet/    CLOSED

We have to open the wallet with the following statement:

SQL> administer key management set keystore open identified by "MyPassword123";

keystore altered.

Let's check whether the wallet is open:

SQL> select wrl_parameter, status from v$encryption_wallet;

WRL_PARAMETER                  STATUS
------------------------------ ------------------------------
/u01/app/oracle/db1/wallet/    OPEN_NO_MASTER_KEY


Well, at least it is not "CLOSED". The status is now "OPEN_NO_MASTER_KEY", which means the master key has not been created in the keystore yet, so let's create the master key:

SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "MyPassword123" WITH BACKUP ;

keystore altered.

Let's see if the wallet is open (finally :) ):

SQL> select wrl_parameter, status from v$encryption_wallet;

WRL_PARAMETER                  STATUS
------------------------------ ------------------------------
/u01/app/oracle/db1/wallet/    OPEN

Yes, finally the wallet is open and we can start creating encrypted objects.

Creating Encrypted Tablespace

For testing purposes, I will create an encrypted tablespace, a table and a row inside that table. The table will be stored in the encrypted tablespace.

Creation of Tablespace:

SQL> CREATE TABLESPACE "TBS1" DATAFILE SIZE 100M AUTOEXTEND ON
EXTENT MANAGEMENT LOCAL AUTOALLOCATE ENCRYPTION USING 'AES128' DEFAULT STORAGE(ENCRYPT) ;

Tablespace created.

SQL> select tablespace_name, encrypted from dba_tablespaces where tablespace_name='TBS1';

TABLESPACE_NAME                ENC
------------------------------ ---
TBS1                           YES

As you saw, the tablespace is encrypted.

Now let's create a table and insert a row:

SQL> conn dgomez/dgomez
Connected.
SQL> create table dgomez.t1 (col1 varchar2(20)) tablespace tbs1;

Table created.

SQL> insert into dgomez.t1 values ('dgomez');

1 row created.

SQL> commit;

Commit complete.

SQL> select * from dgomez.t1;

COL1
--------------------
dgomez

So far, everything is OK. TDE was successfully configured in 12c in a non-CDB database.


Configuring Wallet AutoLogin

As an optional step, we can configure Wallet Autologin, which means that whenever the database instance is rebooted, the wallet will be opened automatically as soon as the first encrypted object is touched/selected. We can configure Wallet Autologin with the following statement:

SQL> administer key management create auto_login keystore from keystore '/u01/app/oracle/db1/wallet/' identified by "MyPassword123";

keystore altered.

SQL>

When we configure Wallet Autologin, the file "cwallet.sso" should be created in the directory that we specified in the file "sqlnet.ora". Let's confirm it:

[oracle@db12102 ~]$ ls -ltr /u01/app/oracle/db1/wallet/
total 24
-rw-r--r-- 1 oracle asmadmin 2408 Jul 26 03:37 ewallet_2016072607372482.p12
-rw-r--r-- 1 oracle asmadmin 5112 Jul 26 03:40 ewallet.p12
-rw-r--r-- 1 oracle asmadmin 3656 Jul 26 03:40 ewallet_2016072607402636.p12
-rw-r--r-- 1 oracle asmadmin 5157 Jul 26 03:57 cwallet.sso
[oracle@db12102 ~]$

We can see that the file "cwallet.sso" was created successfully, which means that TDE with Wallet Autologin is set up correctly.
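
The listing above shows the keystore files with mode -rw-r--r--, readable by every OS user on the host, and "cwallet.sso" opens the keystore without the password. The check below is an added example, not part of the original article; the function names and the output format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit a TDE wallet directory.
# Prints one finding per line:
#   PERM <path> <mode>   - group/other permission bits are set
#   AUTOLOGIN <path>     - cwallet.sso present: keystore opens without the password
# The default path is the article's; pass another directory as $1.

# group_other_bits PATH -> prints the 6 group/other permission characters
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

audit_wallet() {
    dir=${1:-/u01/app/oracle/db1/wallet}
    [ -d "$dir" ] || { echo "MISSING $dir"; return 0; }

    # The directory itself: anyone who can traverse it can reach the files.
    if [ "$(group_other_bits "$dir")" != "------" ]; then
        echo "PERM $dir $(ls -ld "$dir" | cut -c1-10)"
    fi

    # Password keystore, its backups (ewallet_<timestamp>.p12) and cwallet.sso.
    for f in "$dir"/ewallet*.p12 "$dir"/cwallet.sso; do
        [ -f "$f" ] || continue          # unmatched glob or absent file
        if [ "$(group_other_bits "$f")" != "------" ]; then
            echo "PERM $f $(ls -ld "$f" | cut -c1-10)"
        fi
        case "$f" in
            */cwallet.sso) echo "AUTOLOGIN $f" ;;
        esac
    done
}

# Constructed demo reproducing the article's listing (files with mode 644).
demo() {
    d=$(mktemp -d) && chmod 700 "$d"
    : > "$d/ewallet.p12"; : > "$d/cwallet.sso"
    chmod 644 "$d/ewallet.p12" "$d/cwallet.sso"
    audit_wallet "$d"
    rm -rf "$d"
}
demo
```

Restricting the directory to mode 700 and the files to 600 for the oracle user clears the PERM findings. Oracle 12c also accepts CREATE LOCAL AUTO_LOGIN KEYSTORE, which produces an auto-login keystore that cannot be opened on a host other than the one where it was created.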
