Oracle Transparent Data Encryption using Oracle Wallet
If you wish to use a wallet specifically for TDE, then you must specify a wallet location in the sqlnet.ora file by using the ENCRYPTION_WALLET_LOCATION parameter. Oracle recommends that you use ENCRYPTION_WALLET_LOCATION parameter to specify a wallet location for TDE.
ENCRYPTION_WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /u02/app/oracle/admin/swxdev/wallet)
)
)
SQL> select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/u02/app/oracle/admin/swxdev/wallet
OPEN
SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "***";
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "***";
SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "****";
-- Modify Wallet for Auto-Login --
orapki wallet create -wallet /u02/app/oracle/admin/swxdev/wallet -auto_login
CREATE BIGFILE TABLESPACE SWX_ENCRYPTED DATAFILE
'+DATAC1' SIZE 25G AUTOEXTEND ON NEXT 250M MAXSIZE 33554431M
LOGGING
ONLINE
EXTENT MANAGEMENT LOCAL AUTOALLOCATE
BLOCKSIZE 8K
SEGMENT SPACE MANAGEMENT AUTO
encryption using 'AES256'
default storage (encrypt);
SELECT * FROM V$ENCRYPTED_TABLESPACES;
— Change Wallet Location to ACFS, has to be done in RAC where the Wallet files needs to be on a Shared Cluster File System —
1. Copy wallet files to new location
cp -p /u02/app/oracle/admin/swxdev/wallet/* /ACFS/wallet
2. Go to the sqlnet.ora file where ENCRYPTION_WALLET_LOCATION location is defined. Change to new path /ACFS/wallet
ENCRYPTION_WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /ACFS/wallet)
)
)
3. Run orapki utility to modify the wallet location for auto-login
orapki wallet create -wallet /ACFS/wallet -auto_login
4. Bounce the databases for which the encryption wallet has been set
— Add Wallet to RAC Database —
If you check the 2nd instance, you can see the wallet is closed on 2nd node and the location points to the default location
SQL> select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/u02/app/oracle/admin/swxtst/wallet
CLOSED
1. Since we have already moved the Encryption wallet to the ACFS shared file system, we have to copy the sqlnet.ora file from Node1 to
Node 2
scp -r /u02/app/oracle/product/11.2.0/dbhome_1/network/admin/sqlnet.ora
oracle@exatestdbadm02:/u02/app/oracle/product/11.2.0/dbhome_1/network/admin/
2. Now check the Instance on Node 2
SQL> select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/ACFS/wallet
OPEN
And you can now see the wallet is open.