X

Multitenant delivers isolation, agility and economies of scale

Configuring Transparent Data Encryption (TDE) in Multitenant

Can Tuzla
Senior Product Manager

Transparent Data Encryption (TDE) is a solution to encrypt data so that only an authorized user can read it. One of the best practices to protect sensitive data such as credit card or SSN info is to use encryption, especially if the data resides in a potentially unprotected environment. Just like encryption, managing the decryption process is highly important as well. To prevent unauthorized decryption, TDE stores the encryption keys in a security module external to the database, called a keystore. In this blog post, we are going to explore how to configure TDE and manage different keystore configurations in a Multitenant environment.

Configuring the Keystore

Step 1: Configure the Software Keystore Location

TDE configuration requires a one-time setup using the WALLET_ROOT and TDE_CONFIGURATION parameters so that Oracle Database can retrieve the keystore. We need to:

  • Make sure we have a wallet directory (e.g. $ORACLE_BASE/admin/cdb1/wallet).
  • Add an entry in init.ora so that WALLET_ROOT points to the wallet directory:
WALLET_ROOT=$ORACLE_BASE/admin/cdb1/wallet
  • Set the TDE_CONFIGURATION parameter in CDB$Root:
SQL> ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE=BOTH;

System altered.

Step 2: Create the Software Keystore

Creating a Password-Protected Software Keystore

Creating a password-protected keystore is as easy as executing the following statement:

SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY oracle19;

keystore altered.

Creating an Auto-Login Software Keystore

Another option for software keystores is the auto-login keystore, which has a system generated password. An auto-login keystore is created from a password-protected keystore. In other words, after creating a password-protected keystore as above, all we have to do is to run the following statement to create an auto-login keystore:

SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE
  2  FROM KEYSTORE '/u01/app/oracle/admin/cdb1/wallet/tde'
  3  IDENTIFIED BY oracle19;

keystore altered.

Step 3: Open the Keystore

We can open the keystore as follows:

SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY oracle19;

keystore altered.

Let’s check the status of the keystore:

SQL> SELECT STATUS FROM V$ENCRYPTION_WALLET;
STATUS
------------------------------
OPEN_NO_MASTER_KEY

Since we haven’t set the master encryption key yet, the status is OPEN_NO_MASTER_KEY instead of just OPEN.

Step 4: Set the TDE Master Encryption Key

We can set the master encryption key by executing the following statement:

SQL> ADMINISTER KEY MANAGEMENT SET KEY
  2  IDENTIFIED BY oracle19
  3  WITH BACKUP USING 'cdb1_key_backup';

keystore altered.

Let’s check the status of the keystore one more time:

SQL> SELECT STATUS FROM V$ENCRYPTION_WALLET;
STATUS
------------------------------
OPEN

Now that we set the master encryption key, the status is now OPEN.

Step 5: Encrypt Your Data

We can now start encrypting our data. In order to show how our encrypted data is not accessible when the keystore is closed, I disabled the auto login keystore and just used password-protected keystore.

Let’s connect to PDB1 and create an encrypted table:

SQL> connect admin/oracle19@//localhost/pdb1

Connected.

SQL> create table t1 (c1 number encrypt);

Table created.

SQL> insert into t1 values (1234);

1 row created.

SQL> commit;

Commit complete.

SQL> select * from t1;
    C1
----------
      1234

Now, let’s close the wallet and try to run the same SELECT statement:

SQL> administer key management set keystore close identified by oracle19 container=all;

keystore altered.

SQL> select con_id, status from V$ENCRYPTION_WALLET;

    CON_ID STATUS
---------- ------------------------------
      1 CLOSED
      2 CLOSED
      3 CLOSED


SQL> connect admin/oracle19@//localhost/pdb1

Connected.

SQL> select * from t1;
select * from t1
              *
ERROR at line 1:
ORA-28365: wallet is not open

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.