In this post, I will discuss about enabling Transparent Data Encryption – TDE in Oracle 19c.
To configure Auto Login Wallet in Oracle 19c there are few parameters which needs to be set in spfile/pfile.
Step 1: Create Wallet folder in ASM
If necessary, create a wallet directory. Typically, wallet directory is located in ASM or $ORACLE_BASE/admin/db_unique_name/wallet.
Ideally wallet directory should be empty.
./grid.env -- asm file system environment file env
asmcmd
Step 2. Update wallet details in the parameter file.
You must configure Keystore location and type by setting WALLET_ROOT and TDE_CONFIGURATION parameters in pfile or spfile.
. ./clprod.env
Step 3. Restart the Database
Source the container database environment
. clprod.env
sqlplus '/as sysdba'
show con_name;
CON_NAME
CDB$ROOT
CLPROD> shut immediate
Database closed.
Database dismounted.
ORACLE instance shut down.
CLPROD> startup
ORACLE instance started.
Total System Global Area 16106127360 bytes
Fixed Size 35621984 bytes
Variable Size 1017607903 bytes
Database Buffers 534432665431 bytes
Redo Buffers 9817655 bytes
Database mounted.
Database opened.
or if RAC
srvctl status database -d CLPROD
srvctl stop database -d CLPROD
srvctl start database -d CLPROD
Step 4.Check the status of the wallet
Step 5. Create KEYSTORE for container
Source the container database environment
. clprod.env
Step 6. Open KEYSTORE for pdb
Source the container database environment
. clprod.env
Step 7. Create an Auto-Login or a Local Auto-Login Software Keystore
Source the container database environment
. clprod.env
Step 8. Restart the Database
sqlplus '/as sysdba'
CLPROD> shut immediate
Database closed.
Database dismounted.
ORACLE instance shut down.
CLPROD> startup
ORACLE instance started.
Total System Global Area 16106127360 bytes
Fixed Size 35621984 bytes
Variable Size 1017607903 bytes
Database Buffers 534432665431 bytes
Redo Buffers 9817655 bytes
Database mounted.
Database opened.
or if RAC
srvctl status database -d CLPROD
srvctl stop database -d CLPROD
srvctl start database -d CLPROD
Step 9. Verify autologin
Step 10. Recreate temp tspace in cdb
Step 11. Enable TDE for all container tablespaces
Step 12. Drop and recreate temp tspace for the pdb (prod)
Step 13. Restart the application services.
Step 14. Start Tablespace encryption
a) run the following command on VNC as terminal no.1
b) run the following command on VNC as terminal no.2
Update/edit the encrypt_prod_tspaces2.sql and run it to start the encryption for other tablespaces.
c) Complete the APPSUNDO tablespaces & system tspace at the end individually.
Make sure this is done only after all the other tablespaces are encrypted completely
d). Incase if the encryption process errors are out you need to restart the encryption process by using the following command.
To restart a failed encryption.
Conclusion
Security After the data is encrypted, it is transparently decrypted for authorized users or applications when accessed. TDE helps protect data stored on media (also called data at rest) if the storage media or data file is stolen.
Data is safe (some tools don’t encrypt by default).
Whole database encryption also hides SYSTEM, SYSAUX, TEMP and UNDO data.
You don’t need OMF anymore if you use tablespace online encryption.
Keystore can be closed even SYSTEM, SYAUX and UNDO is encrypted.
Reference: 2586100.1 2559570.1
Use the Feedback tab to make any comments or ask questions. You can also start a conversation with us.