Encrypt Tablespaces – Multitenant

References:
https://oracle-base.com/articles/12c/multitenant-transparent-data-encryption-tde-12cr1

https://docs.oracle.com/database/121/SQLRF/statements_1003.htm#SQLRF55976
https://docs.oracle.com/cloud/latest/db121/ASOAG/asotrans_config.htm#ASOAG10474

The tablespace will be created inside the pluggable database PDBPROD3.

Datafile location: /u02/oradata/cdbprod/pdbprod3/
Keystore location: /u01/oracle/admin/$ORACLE_SID/encryption_keystore/

1.) Include in sqlnet.ora (all parentheses must balance, otherwise the parameter is silently ignored and the keystore is looked for in the default location):

ENCRYPTION_WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/oracle/admin/$ORACLE_SID/encryption_keystore/)))

2.) Create the directory, if it doesn't exist:

mkdir -p /u01/oracle/admin/$ORACLE_SID/encryption_keystore/

3.) Create the keystore:

[oracle@vm1 admin]$ cd /u01/oracle/admin/$ORACLE_SID/encryption_keystore/
[oracle@vm1 encryption_keystore]$ pwd
/u01/oracle/admin/cdbprod/encryption_keystore

Inside the root container (CDB$ROOT) execute:

ADMINISTER KEY MANAGEMENT CREATE KEYSTORE
'/u01/oracle/admin/cdbprod/encryption_keystore/' IDENTIFIED BY oracle;

SQL> !ls -ltr /u01/oracle/admin/cdbprod/encryption_keystore/
total 4
-rw-r--r--. 1 oracle oinstall 2408 Dec 13 16:35 ewallet.p12

The ewallet.p12 file holds the master keys of every container, so treat it as the root of trust of the whole CDB: the listing above shows it world-readable, so restrict it to the oracle owner (chmod 600 ewallet.p12), use a real password instead of "oracle", and keep its backup separate from the datafile backups, because a backup set that contains both the datafiles and the keystore gives away the plaintext.

4.) Open the keystore from the root container:

ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY oracle 
CONTAINER=ALL;

5.) Set (activate) the master encryption key from the root container; note the CONTAINER=ALL, which creates and activates a key for the root and for every open PDB, and WITH BACKUP, which writes a backup of the keystore before the new key is stored:

ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY oracle 
WITH BACKUP CONTAINER=ALL;

6.) Check the keys:

SELECT con_id, key_id FROM v$encryption_keys;

    CON_ID KEY_ID
---------- --------------------------------------------------------------
         0 AZoc0eniGk+fvxf6hFmTPX8AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
         0 AWT1SYl9Y09Sv5KM701+2ngAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
         0 ATAVGrOY8k8nv3VLAuTAjwwAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
         0 AZK1GySH8k+Jv2lpedKOP/8AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
         0 AZyR5AVR3k9Mv6r7CBrT1REAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

COLUMN wrl_parameter FORMAT A50

SELECT * FROM v$encryption_wallet;

WRL_TYPE  WRL_PARAMETER                                    STATUS  WALLET_TYPE  WALLET_ORDER  FULLY_BACKED_UP  CON_ID
--------  -----------------------------------------------  ------  -----------  ------------  ---------------  ------
FILE      /u01/oracle/admin/cdbprod/encryption_keystore/   OPEN    PASSWORD     SINGLE        NO                    0

7.) Use the key: create an encrypted tablespace in the PDB

SQL> alter session set container=pdbprod3;

Session altered.

CREATE TABLESPACE ts_tde DATAFILE
'/u02/oradata/cdbprod/pdbprod3/ts_tde.dbf'
SIZE 100m ENCRYPTION USING 'AES256' DEFAULT STORAGE (ENCRYPT);

Note: a password-based keystore is closed again whenever the CDB is restarted, and until it is reopened every access to data in ts_tde fails with ORA-28365 (wallet is not open). Reopen it from the root, again with CONTAINER=ALL so that the PDBs get it too:

ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY oracle
CONTAINER=ALL;
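The following SQL*Plus script is an added verification example for steps 1 to 7 above; it is not from the original post or from Oracle's documentation. It assumes the PDB name, paths and keystore password used in the procedure; the table t_secret, the marker string and the backup directory /u01/oracle/admin/cdbprod/keystore_backup/ are made up for the test. It checks that the keystore and key are really in place for the PDB, proves from the OS side that the datafile holds no plaintext, reproduces the closed-keystore failure from the note in step 7, and takes a keystore backup.

```sql
-- Added example (not the original author's code). Run as SYSDBA in SQL*Plus
-- on the CDB after steps 1-7. Assumed: PDB pdbprod3, keystore password
-- 'oracle', datafile /u02/oradata/cdbprod/pdbprod3/ts_tde.dbf; t_secret,
-- the marker string and the backup directory are invented for this test.

-- 1. Keystore state as seen from the root; STATUS must be OPEN and a key
--    must have been activated (v$encryption_keys not empty), otherwise
--    CREATE TABLESPACE ... ENCRYPTION fails even with the keystore open.
ALTER SESSION SET CONTAINER = CDB$ROOT;
COLUMN wrl_parameter FORMAT A50
SELECT con_id, wrl_type, status, wallet_type, fully_backed_up
  FROM v$encryption_wallet;
SELECT con_id, key_id, activation_time
  FROM v$encryption_keys;

-- 2. Inside the PDB: the tablespace must be flagged as encrypted and
--    report the algorithm requested in step 7.
ALTER SESSION SET CONTAINER = pdbprod3;
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'TS_TDE';
SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;

-- 3. Plaintext check on disk: store a recognisable marker in ts_tde, force
--    the dirty blocks to the datafile with a checkpoint from the root, then
--    grep the file from the OS. Expected count: 0. Repeating the same steps
--    against a tablespace created without ENCRYPTION shows the marker in clear.
CREATE TABLE t_secret (txt VARCHAR2(100)) TABLESPACE ts_tde;
INSERT INTO t_secret VALUES ('TDEMARKER_must_not_appear_in_the_datafile');
COMMIT;
ALTER SESSION SET CONTAINER = CDB$ROOT;
ALTER SYSTEM CHECKPOINT;
!grep -c TDEMARKER /u02/oradata/cdbprod/pdbprod3/ts_tde.dbf

-- 4. Failure mode from the note in step 7: with the keystore closed, data in
--    the encrypted tablespace is unreadable (ORA-28365: wallet is not open),
--    which is exactly what happens after a CDB restart until step 4 is rerun.
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY oracle CONTAINER=ALL;
ALTER SESSION SET CONTAINER = pdbprod3;
SELECT COUNT(*) FROM t_secret;   -- ORA-28365
ALTER SESSION SET CONTAINER = CDB$ROOT;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY oracle CONTAINER=ALL;
ALTER SESSION SET CONTAINER = pdbprod3;
SELECT COUNT(*) FROM t_secret;   -- 1 row again

-- 5. Back up the keystore to a directory that is NOT part of the datafile
--    backups (the directory must already exist); afterwards
--    v$encryption_wallet.fully_backed_up reports YES.
ALTER SESSION SET CONTAINER = CDB$ROOT;
ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE USING 'after_pdbprod3_key'
  IDENTIFIED BY oracle TO '/u01/oracle/admin/cdbprod/keystore_backup/';
SELECT con_id, status, fully_backed_up FROM v$encryption_wallet;
```

The grep in step 3 is the check worth keeping in a runbook: the data dictionary flags only say that Oracle intends to encrypt the tablespace, while a zero hit count on the datafile shows that the blocks written to disk actually carry no plaintext. Note that undo, redo and temp written for t_secret are outside the scope of tablespace encryption unless those tablespaces are encrypted as well.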
