X

Database Migration to Oracle Cloud Infrastructure: Enabling TDE in CDBs and PDBs and Encrypting Tablespaces Online or Offline

Rohit Chandok
Cloud Architect at OCI Development, Inbound Product Management

 


This post is part of the “Database Migration to Oracle Cloud Infrastructure blog series", which includes the posts related to database migration. Use these posts as building blocks for various migration approaches.

For more information on Oracle Database and Exadata Cloud Services, review the details at Oracle Cloud Infrastructure - Database


 

This post provides reference steps to help you enable Transparent Data Encryption (TDE) in Oracle Database container databases (CDBs) and pluggable databases (PDBs), and to encrypt tablespaces online or offline.

Note: TDE is mandatory for all Oracle Cloud Infrastructure databases. If TDE not used at the source, enable it either at the source or at the target, using the sample steps in this post. During migrations, be sure to back up and restore the required TDE wallets from the source to the target.

For information about Oracle Database tablespace encryption behavior in Oracle Cloud, see My Oracle Support Doc ID 2359020.1.

This sample migration workflow covers the following tasks:

  • Enable TDE in a CDB
  • Enable TDE in a PDB
  • Encrypt a Tablespace Online
  • Encrypt a Tablespace Offline

Enable TDE in a CDB

  1. Update sqlnet.ora to add ENCRYPTION_WALLET_LOCATION.

    vi $ORACLE_HOME/network/admin/sqlnet.ora
    ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/CDB/wallet)))   

    For example (click image for larger view):

  2. Check the wallet status in the CDB.

    Note: The wallet is not present.

    show con_name
    select wrl_parameter, wallet_type, status from v$encryption_wallet;     

    For example (click image for larger view):

  3. Add the wallet in the CDB. Create the key store, open the key store, add the master key, and create the autologin wallet.

    administer key management create keystore '/u01/app/oracle/admin/CDB/wallet' identified by "welcome1";
    administer key management set keystore open identified by "welcome1";
    administer key management set encryption key identified by "welcome1" with backup;
    administer key management create auto_login keystore from keystore '/u01/app/oracle/admin/CDB/wallet' identified by "welcome1";     

    For example (click image for larger view):

  4. Restart the database to use the autologin wallet.

    shutdown immediate
    startup    

    For example (click image for larger view):

  5. Recheck the wallet status in the CDB.

    Note: The autologin wallet is open.

    select wrl_parameter, wallet_type, status from v$encryption_wallet;   

    For example (click image for larger view):

Enable TDE in a PDB

  1. Check the wallet status in the PDB.

    Note: The wallet is open with no master key.

    alter session set container=pdb1;
    select wrl_parameter, wallet_type, status from v$encryption_wallet;
    

    For example (click image for larger view):

  2. Add a master key for the PDB.

    administer key management set encryption key force keystore identified by "welcome1" with backup;       

    For example (click image for larger view):

  3. Recheck the wallet status in the PDB.

    Note: The autologin wallet is open.

    select wrl_parameter, wallet_type, status from v$encryption_wallet;        

    For example (click image for larger view):

Encrypt a Tablespace Online

Note: Ensure that the compatible is set to 12.2.

select con_id, tablespace_name, encrypted from cdb_tablespaces where encrypted = 'YES' order by 1;
alter tablespace users encryption online using 'AES256' encrypt;
select con_id, tablespace_name, encrypted from cdb_tablespaces where encrypted = 'YES' order by 1;

For example (click image for larger view):


Encrypt a Tablespace Offline

select con_id, tablespace_name, encrypted from cdb_tablespaces where encrypted = 'YES' order by 1;
alter tablespace users offline;
alter tablespace users encryption offline encrypt;
alter tablespace users online;
select con_id, tablespace_name, encrypted from cdb_tablespaces where encrypted = 'YES' order by 1;

For example (click image for larger view):