Transparent Data Encryption (TDE) applies encryption transparently inside the database, without impacting our applications. TDE provides the benefit of encryption without the overhead associated with traditional database encryption solutions, which typically require expensive and lengthy changes to applications, including database triggers and views. In this article I will show you the minimum steps to set up TDE for one tablespace. We will go directly to the steps so that we respect the title of the article (quick guide).
You can also see the quick guide to configure TDE in 12c HERE.
We will go through the following steps:
- Configuring sqlnet.ora
- Creating Wallet
- Creating Encrypted Tablespace
- Configuring Wallet AutoLogin
Configure sqlnet.ora
In my sqlnet.ora I have included the following. The most important thing is the value of "DIRECTORY": that directory must exist and the oracle OS user must have permissions on it.
[oracle@a1 ~]$ cat $ORACLE_HOME/network/admin/sqlnet.ora
ENCRYPTION_WALLET_LOCATION=
(SOURCE=(METHOD=FILE)(METHOD_DATA=
(DIRECTORY=/u01/app/oracle/orcl/wallet)))
[oracle@a1 ~]$
Creating the Wallet:
The next step is to create the wallet. The statement below will create the file "ewallet.p12" in the directory that we specified in the sqlnet.ora file. Let's look at the directory first:
[oracle@a1 ~]$ ls -ltr /u01/app/oracle/orcl/wallet
total 0
[oracle@a1 ~]$
No files in there, now let's create the wallet:
[oracle@a1 ~]$ sqlplus / as sysdba
SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Mypassword3";
System altered.
SQL>
We can confirm that the file "ewallet.p12" was created there:
[oracle@a1 ~]$ ls -ltr /u01/app/oracle/orcl/wallet
total 4
-rw-r--r-- 1 oracle asmadmin 2845 Jul 25 03:37 ewallet.p12
[oracle@a1 ~]$
Creating Encrypted Tablespace:
Now let's create an encrypted tablespace and a table, that table will be created encrypted since it is stored in an encrypted tablespace:
SQL> CREATE TABLESPACE "TBS1" DATAFILE SIZE 100M AUTOEXTEND ON
EXTENT MANAGEMENT LOCAL AUTOALLOCATE ENCRYPTION USING 'AES128' DEFAULT STORAGE(ENCRYPT);
Tablespace created.
SQL> select tablespace_name, encrypted from dba_tablespaces where tablespace_name='TBS1';
TABLESPACE_NAME ENC
-------------------- ---
TBS1 YES
SQL> create table dgomez.t1 (col1 varchar2(20)) tablespace tbs1;
Table created.
SQL> select tablespace_name from dba_tables where table_name='T1';
TABLESPACE_NAME
------------------------------
TBS1
When we created the wallet, it was left open. We can confirm this by inserting into and selecting from the encrypted table:
SQL> conn dgomez/dgomez
Connected.
SQL> insert into dgomez.t1 values ('dgomez');
1 row created.
SQL> commit;
Commit complete.
SQL> select * from dgomez.t1;
COL1
--------------------
dgomez
Configuring Wallet AutoLogin
As an optional step we can configure Wallet autologin. This means that whenever we restart the database instance we don't have to open the wallet manually; with autologin enabled, the wallet is opened automatically. Here is a trick: if you want to know whether a database is already using Wallet autologin, check whether there is a file called "cwallet.sso" in the directory specified in the sqlnet.ora. If so, the database is using Wallet autologin; otherwise you have to open the wallet manually whenever it is closed. Let's see the directory now:
[oracle@a1 ~]$ ls -ltr /u01/app/oracle/orcl/wallet
total 4
-rw-r--r-- 1 oracle asmadmin 2845 Jul 25 03:37 ewallet.p12
[oracle@a1 ~]$
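The file "cwallet.sso" doesn't exist. Now let's configure Wallet autologin. The value passed to -pwd must be the wallet password that was set when the wallet was created; if -pwd is omitted, orapki prompts for the password, which keeps it out of the shell history:
[oracle@a1 ~]$ orapki wallet create -wallet /u01/app/oracle/orcl/wallet -auto_login -pwd "Mypassword3"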
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.
[oracle@a1 ~]$
As you can see below the file "cwallet.sso" was created:
[oracle@a1 ~]$ ls -ltr /u01/app/oracle/orcl/wallet
total 8
-rw------- 1 oracle asmadmin 2846 Jul 25 04:13 ewallet.p12
-rw------- 1 oracle oinstall 2923 Jul 25 04:14 cwallet.sso
[oracle@a1 ~]$
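The cwallet.sso check and the sqlnet.ora "DIRECTORY" requirement described above, as an added shell example that is not part of the original article: it reads the wallet directory from sqlnet.ora, reports whether autologin is enabled, and flags wallet files that group or other users can access (as in the first ewallet.p12 listing, -rw-r--r--). The function names and the owner-only policy are assumptions of this example, and the wallet path is assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example (not from the original article): audit the TDE wallet
# directory that sqlnet.ora points to.
# Assumptions: the wallet path has no whitespace; owner-only access is the policy.

# Print the DIRECTORY value of ENCRYPTION_WALLET_LOCATION.
# The entry may span several lines, so comments and whitespace are stripped first.
wallet_dir() {
    sed 's/#.*//' "$1" | tr -d ' \t\r\n' | awk '{
        i = index($0, "ENCRYPTION_WALLET_LOCATION="); if (!i) exit
        s = substr($0, i); j = index(s, "(DIRECTORY="); if (!j) exit
        s = substr(s, j + 11); print substr(s, 1, index(s, ")") - 1)
    }'
}

# Print findings for the wallet; return 0 only if nothing needs fixing.
audit_wallet() {
    dir=$(wallet_dir "$1"); rc=0
    [ -n "$dir" ] || { echo "FAIL no ENCRYPTION_WALLET_LOCATION in $1"; return 1; }
    [ -d "$dir" ] || { echo "FAIL wallet directory $dir does not exist"; return 1; }
    [ -f "$dir/ewallet.p12" ] || { echo "FAIL ewallet.p12 not found in $dir"; rc=1; }
    if [ -f "$dir/cwallet.sso" ]; then
        echo "INFO auto-login is enabled (cwallet.sso present)"
    else
        echo "INFO auto-login is not enabled (wallet must be opened manually)"
    fi
    # Group/other permission bits let other OS accounts read or replace the wallet.
    for f in "$dir" "$dir/ewallet.p12" "$dir/cwallet.sso"; do
        [ -e "$f" ] || continue
        mode=$(ls -ld "$f" | cut -c1-10)
        case $mode in
            ????------) ;;
            *) echo "WARN $f is $mode, expected owner-only access"; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone use: sh wallet_audit.sh $ORACLE_HOME/network/admin/sqlnet.ora
if [ $# -gt 0 ]; then audit_wallet "$1"; fi
```

A non-zero exit status means at least one FAIL or WARN line was printed, so the script can be used as a check after wallet creation or in a periodic job.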