Configuring a master encryption key for HSM-based encryption
To start using HSM-based encryption, you need a master encryption key. Oracle uses it to encrypt and decrypt database table columns or tablespaces with encryption keys held inside the HSM; the master encryption key itself is generated and stored on the HSM.
To configure a master encryption key for HSM-based encryption
Note: This procedure assumes that no software or HSM-based wallet has been created.
- Create a folder named "wallet" in the following directory:
  $ORACLE_BASE\admin\db_unique_name\wallet
  For example: C:\oracle\admin\orcl\wallet
- Log on to the database instance as a user who has been granted the SYSDBA administrative privilege, and start the database:
  sqlplus / as sysdba
  SQL> startup;
  Note: Ignore the warning if the database is already started.
- Set the WALLET_ROOT parameter:
  alter system set wallet_root='<path to the oracle wallet directory>' scope=spfile;
- Shut down and start up the database so that the new parameter value takes effect:
  shutdown immediate;
  startup;
- Set the TDE_CONFIGURATION parameter:
  alter system set TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM" SCOPE=both;
- Grant the ADMINISTER KEY MANAGEMENT or SYSKM privilege to SYSTEM and to any other user that you want to manage keys:
  SQL> GRANT ADMINISTER KEY MANAGEMENT TO SYSTEM;
  SQL> commit;
- Connect to the database as system:
  SQL> connect system/<password>
  Note: The password for system is set during the Oracle installation.
- Run the ADMINISTER KEY MANAGEMENT SQL statement to open the hardware keystore:
  SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<hsm_slot_password>";
- Set the master encryption key in the hardware keystore:
  SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "<hsm_slot_password>";
You can verify that the keys have been generated on the HSM by listing the HSM slot contents with the ctkmu utility:
  ctkmu l -s0 -u <password>
Example output:
C:\Users\Administrator>ctkmu l -s0 -u 0000
ProtectToolkit C Key Management Utility 7.2.0-10
Copyright (c) Safenet, Inc. 2009-2022

Manufacturer = SafeNet Inc.
Label = oracle
Flags = 0x649 (RNG USER-PIN-INIT CLOCK TOKEN-INIT DUAL-CRYPTO)

Public and Private Objects:
DATA_OBJECT_SUPPORTED_IDEN - DATA
ORACLE.TDE.HSM.MK.0657AF7CF86C354F3CBF07C5D487B5CF32 - SECRET_KEY AES
ORACLE.SECURITY.KM.ENCRYPTION.30363537414637434638364333353446334342463037433544343837423543463332 - DATA
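As an added example (not part of this guide, Oracle, or the ProtectToolkit tooling), the following Python script parses a ctkmu slot listing and checks that every TDE master key on the HSM exists as an AES secret key together with a matching ORACLE.SECURITY.KM.ENCRYPTION DATA object, so an operator can confirm the SET KEY step completed rather than only eyeballing the dump. The pairing rule it applies, that the DATA object's hex suffix is the ASCII encoding of the master key identifier, is taken from the listing above and assumed to hold in general; the sample listing is constructed from that output.

```python
import re

# Sample slot listing, constructed from the ctkmu output shown above (line breaks restored).
SAMPLE_LISTING = """\
ProtectToolkit C Key Management Utility 7.2.0-10
Public and Private Objects:
DATA_OBJECT_SUPPORTED_IDEN - DATA
ORACLE.TDE.HSM.MK.0657AF7CF86C354F3CBF07C5D487B5CF32 - SECRET_KEY AES
ORACLE.SECURITY.KM.ENCRYPTION.30363537414637434638364333353446334342463037433544343837423543463332 - DATA
"""

MK_PREFIX = "ORACLE.TDE.HSM.MK."
KM_PREFIX = "ORACLE.SECURITY.KM.ENCRYPTION."
OBJECT_LINE = re.compile(r"^(\S+) - (.+)$")  # "<label> - <object type>"


def parse_objects(listing):
    """Return {label: object_type} for the lines after 'Public and Private Objects:'."""
    objects, in_objects = {}, False
    for line in listing.splitlines():
        line = line.strip()
        if line == "Public and Private Objects:":
            in_objects = True
        elif in_objects and (m := OBJECT_LINE.match(line)):
            objects[m.group(1)] = m.group(2)
    return objects


def check_tde_keys(listing):
    """Map each master key id to True only if both an AES SECRET_KEY (MK_PREFIX + id) and a
    DATA object whose KM_PREFIX suffix hex-decodes to id exist (pairing rule assumed, see lead-in)."""
    objects = parse_objects(listing)
    km_ids = set()
    for label, obj_type in objects.items():
        if label.startswith(KM_PREFIX) and obj_type == "DATA":
            try:
                km_ids.add(bytes.fromhex(label[len(KM_PREFIX):]).decode("ascii"))
            except ValueError:  # malformed suffix: pairs with nothing, key reported incomplete
                pass
    return {
        label[len(MK_PREFIX):]: obj_type == "SECRET_KEY AES" and label[len(MK_PREFIX):] in km_ids
        for label, obj_type in objects.items()
        if label.startswith(MK_PREFIX)
    }


if __name__ == "__main__":
    for key_id, ok in check_tde_keys(SAMPLE_LISTING).items():
        print(f"{key_id}: {'OK' if ok else 'INCOMPLETE'}")
```

Run it against a saved ctkmu listing after the SET KEY step; a master key reported as INCOMPLETE means one half of the pair is missing from the slot and the keystore configuration should be re-checked before encrypting data.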