Encrypt Tablespaces – Multitenant

References:
https://oracle-base.com/articles/12c/multitenant-transparent-data-encryption-tde-12cr1
https://docs.oracle.com/database/121/SQLRF/statements_1003.htm#SQLRF55976
https://docs.oracle.com/cloud/latest/db121/ASOAG/asotrans_config.htm#ASOAG10474

The tablespace will be created inside the Pluggable Database: PDBPROD3

Datafile location: /u02/oradata/cdbprod/pdbprod3/
Keystore location: /u01/oracle/admin/$ORACLE_SID/encryption_keystore/

1.) Include in SQLNET.ora (the original snippet was missing its closing parentheses):

ENCRYPTION_WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/oracle/admin/$ORACLE_SID/encryption_keystore/)))

2.) Create the directory if it doesn't exist:

mkdir -p /u01/oracle/admin/$ORACLE_SID/encryption_keystore/

3.) Create the keystore:

[oracle@vm1 admin]$ cd /u01/oracle/admin/$ORACLE_SID/encryption_keystore/
[oracle@vm1 encryption_keystore]$ pwd
/u01/oracle/admin/cdbprod/encryption_keystore

Inside of Root Container execute:

ADMINISTER KEY MANAGEMENT CREATE KEYSTORE
'/u01/oracle/admin/cdbprod/encryption_keystore/' IDENTIFIED BY oracle;

SQL> !ls -ltr /u01/oracle/admin/cdbprod/encryption_keystore/
total 4
-rw-r--r--. 1 oracle oinstall 2408 Dec 13 16:35 ewallet.p12

4.) Open the keystore from the ROOT container:

ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY oracle
CONTAINER=ALL;

5.) Activate the master key from the ROOT container (note the CONTAINER=ALL):

ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY oracle
WITH BACKUP CONTAINER=ALL;

6.) Check the keys:
SELECT con_id, key_id FROM v$encryption_keys;

CON_ID KEY_ID
------ ------------------------------------------------------
0 AZoc0eniGk+fvxf6hFmTPX8AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0 AWT1SYl9Y09Sv5KM701+2ngAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0 ATAVGrOY8k8nv3VLAuTAjwwAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0 AZK1GySH8k+Jv2lpedKOP/8AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0 AZyR5AVR3k9Mv6r7CBrT1REAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

COLUMN wrl_parameter FORMAT A50

SELECT * FROM v$encryption_wallet;

WRL_TYPE  WRL_PARAMETER                                    STATUS  WALLET_TYPE  WALLET_OR  FULLY_BAC  CON_ID
--------  -----------------------------------------------  ------  -----------  ---------  ---------  ------
FILE      /u01/oracle/admin/cdbprod/encryption_keystore/   OPEN    PASSWORD     SINGLE     NO         0

7.) Use the key to create an encrypted tablespace:

SQL> alter session set container=pdbprod3;

Session altered.

CREATE TABLESPACE ts_tde DATAFILE
'/u02/oradata/cdbprod/pdbprod3/ts_tde.dbf'
SIZE 100m ENCRYPTION USING 'AES256' DEFAULT STORAGE (ENCRYPT);

Note: if the CDB is restarted, the keystore must be opened again from
the ROOT container (it is a password-based keystore, so it does not auto-open):

ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY oracle
CONTAINER=ALL;
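The following verification script is an added example, not part of the original post. It is run as SYSDBA from the root container after step 7 and uses the container and tablespace names from above (pdbprod3, ts_tde); the table tde_check is a hypothetical scratch table created only for the check.

```sql
-- Added verification script (not from the original post); run as SYSDBA
-- in the root container after step 7.

-- 1. Keystore state per container: STATUS should be OPEN in every container
--    and FULLY_BACKED_UP should be YES after SET KEY ... WITH BACKUP.
SELECT con_id, status, wallet_type, fully_backed_up
FROM   v$encryption_wallet
ORDER  BY con_id;

-- 2. Master keys and when they were activated; every container that holds
--    encrypted data needs an activated key.
SELECT con_id, key_id, activation_time
FROM   v$encryption_keys
ORDER  BY con_id, activation_time;

-- 3. Confirm the new tablespace really is encrypted with AES256
--    (ENCRYPTIONALG = AES256, ENCRYPTEDTS = YES).
SELECT t.con_id, ts.name, t.encryptionalg, t.encryptedts
FROM   v$encrypted_tablespaces t
JOIN   v$tablespace ts ON ts.ts# = t.ts# AND ts.con_id = t.con_id
WHERE  ts.name = 'TS_TDE';

-- 4. Functional check inside the PDB: write and read a row in the
--    encrypted tablespace. tde_check is a hypothetical scratch table.
ALTER SESSION SET CONTAINER = pdbprod3;
CREATE TABLE tde_check (id NUMBER) TABLESPACE ts_tde;
INSERT INTO tde_check VALUES (1);
COMMIT;
-- While the keystore is closed (for example right after a CDB restart,
-- before step 4 is repeated) this SELECT fails with ORA-28365
-- "wallet is not open" instead of returning 1; that is the failure mode
-- the note above describes.
SELECT COUNT(*) FROM tde_check;
DROP TABLE tde_check PURGE;
```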
