Configuring a master encryption key for HSM-based encryption
To start using HSM-based encryption, you require a master encryption key that is used to encrypt or decrypt the Oracle database table columns or tablespace using encryption keys stored inside the HSM. The master encryption key is generated and stored on the HSM.
To configure a master encryption key for HSM-based encryption
Note
This procedure assumes that no software or HSM-based wallet has been created.
- Create a folder named "wallet" in the following directory:
  $ORACLE_BASE\admin\db_unique_name\wallet
  For example: C:\oracle\admin\orcl\wallet
- Log on to the database instance as a user who has been granted the SYSDBA administrative privilege.
- Set the WALLET_ROOT parameter.
- Shut down and start up the database.
- Set the TDE_CONFIGURATION parameter.
- Grant the ADMINISTER KEY MANAGEMENT or SYSKM privilege to SYSTEM and any user that you want to use.
- Connect to the database as system.
  Note
  The password for system is set during the Oracle installation.
- Run the ADMINISTER KEY MANAGEMENT SQL statement to open the hardware keystore.
- Set the master encryption key in the hardware keystore.
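The procedure above as a single SQL*Plus session. This is an added example, not taken from the original page. It assumes Oracle Database 18c or later, OS authentication for the SYSDBA logon, the example wallet path from the first step as the WALLET_ROOT value, and an HSM credential whose format is defined by the HSM vendor (the variable name hsm_cred is hypothetical).

```sql
-- Added example (not from the original page). Run in SQL*Plus.
-- Assumptions: Oracle Database 18c or later, OS authentication for SYSDBA,
-- the example wallet path from the first step, and a vendor-specific HSM
-- credential entered at a prompt (hsm_cred is a hypothetical variable name).

-- Log on with the SYSDBA administrative privilege.
CONNECT / AS SYSDBA

-- WALLET_ROOT is a static parameter, so it is written to the spfile and
-- takes effect only after the restart below.
ALTER SYSTEM SET WALLET_ROOT='C:\oracle\admin\orcl\wallet' SCOPE=SPFILE;

SHUTDOWN IMMEDIATE
STARTUP

-- Point TDE at the hardware keystore.
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM" SCOPE=BOTH;

-- Grant key management rights only to the accounts that need them.
GRANT ADMINISTER KEY MANAGEMENT TO SYSTEM;

-- Reconnect as SYSTEM; SQL*Plus prompts for the password.
CONNECT system

-- Stop SQL*Plus from echoing substituted statements, which would otherwise
-- print the credential in the old/new verification lines.
SET VERIFY OFF

-- Read the HSM credential without echoing it or storing it in the script.
ACCEPT hsm_cred CHAR PROMPT 'HSM credential: ' HIDE

-- Open the hardware keystore, then create the master encryption key in it.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "&hsm_cred";
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "&hsm_cred";

-- Drop the substitution variable so the credential does not stay defined.
UNDEFINE hsm_cred

-- Database-side check: keystore type and status, and the new master key.
SELECT wrl_type, status, wallet_type FROM v$encryption_wallet;
SELECT key_id, keystore_type, creation_time FROM v$encryption_keys;
```

In V$ENCRYPTION_WALLET, a STATUS of OPEN_NO_MASTER_KEY means the keystore opened but no master encryption key has been set yet.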
You can verify that the keys have been generated on the HSM by running the following command to view the HSM slot contents: