Channel: Bryan's Oracle Blog

Oracle TDE encryption - Encrypting my pluggable database


This is post #1 in a series of posts explaining how to implement TDE (Transparent Data Encryption). In this first post I will take my Multitenant 19c database (remember Multitenant is mandatory with 21c) and configure TDE in my 3 pluggable databases.


The database I created for this contains 3 PDBs as this will give me flexibility to unplug and move PDBs around.

The names I used are

  • OKVTEST - This is my CDB, and I will not be encrypting it.
  • OKVPDB1, OKVPDB2, OKVPDB3 - My 3 PDBs. I will be encrypting all datafiles that make up these 3 PDBs.

The location I chose to put the wallet file that is needed for encryption is under my $ORACLE_BASE (/home/oracle/app/oracle/okvfiles/okvtest). In later posts I will convert from using a wallet only for my encryption keys to using OKV along with a local wallet that caches the encryption keys.

I also chose to perform the encryption using the quickest method, "Restore as encrypted". With my test database, I did not have a standby database. Keep in mind this method (restore as encrypted) can be used to encrypt your production database with limited downtime.

Step 1 - Perform a full backup of the database. Since I am using "restore as encrypted", this will allow me to open the database with minimal recovery. Once backed up, you should also create a restore point to quickly identify the point after the full backup and prior to the encryption.

create restore point pretde;

Step 2 - Set the location of the wallet_root and the TDE configuration. I chose to use the WALLET_ROOT parameter (new with 19 I believe) because it gives the most flexibility. Keep in mind that in order to go through step 2 completely the database will need to be bounced, since WALLET_ROOT can only be set in the spfile.


alter system set WALLET_ROOT='/home/oracle/app/oracle/okvfiles/okvtest/' scope=spfile;

startup force;

alter system set tde_configuration='KEYSTORE_CONFIGURATION=FILE' scope=both;


Step 3 - We are going to take a look at the database and the parameters that are set for encryption. Below is the formatted query I am going to be using throughout this post.


set linesize 150;
column wrl_parameter format a50
column wrl_type heading 'Type' format a10
column status heading 'Status' format a20

select * from v$encryption_wallet;

Below is the output of the query and the current settings as of this point. You can see that there are rows for all my PDBs, and that the status is "NOT_AVAILABLE" since I have not created the keystore or any master keys yet. You can also see that the keystore mode is UNITED, meaning that all the keys (both for the CDB and all the PDBs) are assumed to be contained in the same wallet file.

Type  WRL_PARAMETER                                      Status          WALLET_TYPE          WALLET_OR KEYSTORE FULLY_BAC     CON_ID
----- -------------------------------------------------- --------------- -------------------- --------- -------- --------- ----------
FILE  /home/oracle/app/oracle/okvfiles/okvtest//tde/     NOT_AVAILABLE   UNKNOWN              SINGLE    NONE     UNDEFINED          1
FILE                                                     NOT_AVAILABLE   UNKNOWN              SINGLE    UNITED   UNDEFINED          2
FILE                                                     NOT_AVAILABLE   UNKNOWN              SINGLE    UNITED   UNDEFINED          3
FILE                                                     NOT_AVAILABLE   UNKNOWN              SINGLE    UNITED   UNDEFINED          4
FILE                                                     NOT_AVAILABLE   UNKNOWN              SINGLE    UNITED   UNDEFINED          5


Step 4 - Now I need to create the keystore and open it for the CDB and for each of my individual PDBs. Note that in united mode each PDB shares the keystore with the CDB, so the keystore is created once in CDB$ROOT. In isolated mode, I would create an individual keystore for each PDB.

ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/home/oracle/app/oracle/okvfiles/okvtest/tde' IDENTIFIED BY "0KV2021!";

ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "0KV2021!";
alter session set container=okvpdb1;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "0KV2021!" CONTAINER = CURRENT;
alter session set container=okvpdb2;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "0KV2021!" CONTAINER = CURRENT;
alter session set container=okvpdb3;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "0KV2021!" CONTAINER = CURRENT;

Now let's look at the encryption settings in v$encryption_wallet. Below you can see that there is a single wallet setting (UNITED keystore), and the status is "OPEN_NO_MASTER_KEY": the keystore is open, but the master key has not been set for the CDB or the PDBs. PDB$SEED (con_id 2) stays CLOSED because I did not open the keystore there.

Type       WRL_PARAMETER                                      Status               WALLET_TYPE          WALLET_OR KEYSTORE FULLY_BAC     CON_ID
---------- -------------------------------------------------- -------------------- -------------------- --------- -------- --------- ----------
FILE       /home/oracle/app/oracle/okvfiles/okvtest//tde/     OPEN_NO_MASTER_KEY   PASSWORD             SINGLE    NONE     UNDEFINED          1
FILE                                                          CLOSED               UNKNOWN              SINGLE    UNITED   UNDEFINED          2
FILE                                                          OPEN_NO_MASTER_KEY   PASSWORD             SINGLE    UNITED   UNDEFINED          3
FILE                                                          OPEN_NO_MASTER_KEY   PASSWORD             SINGLE    UNITED   UNDEFINED          4
FILE                                                          OPEN_NO_MASTER_KEY   PASSWORD             SINGLE    UNITED   UNDEFINED          5

Step 5 - Now we create the master keys for the CDB and each PDB.

NOTE: I added a tag that identifies each key with the CDB or PDB it is created for, which makes the keys easy to tell apart later in v$encryption_keys.


ADMINISTER KEY MANAGEMENT SET encryption KEY using tag 'OKVTEST_MASTERKEY_APRIL1' IDENTIFIED BY "0KV2021!" WITH BACKUP USING 'OKVTEST_TDEKEY_APR1_backup';
alter session set container=okvpdb1;
ADMINISTER KEY MANAGEMENT SET encryption KEY using tag 'OKVPDB1_MASTERKEY_APRIL1' IDENTIFIED BY "0KV2021!" WITH BACKUP USING 'OKVPDB1_TDEKEY_APR1_backup' container=current;
alter session set container=okvpdb2;
ADMINISTER KEY MANAGEMENT SET encryption KEY using tag 'OKVPDB2_MASTERKEY_APRIL1' IDENTIFIED BY "0KV2021!" WITH BACKUP USING 'OKVPDB2_TDEKEY_APR1_backup' container=current;
alter session set container=okvpdb3;
ADMINISTER KEY MANAGEMENT SET encryption KEY using tag 'OKVPDB3_MASTERKEY_APRIL1' IDENTIFIED BY "0KV2021!" WITH BACKUP USING 'OKVPDB3_TDEKEY_APR1_backup' container=current;

And once again let's look at the settings in v$encryption_wallet. This time you will see that the wallet is OPEN for the CDB and all PDBs except for PDB$SEED. The wallet type is "PASSWORD", which means that the wallet needs to be manually opened with a password after every restart.

Type       WRL_PARAMETER                                      Status               WALLET_TYPE          WALLET_OR KEYSTORE FULLY_BAC     CON_ID
---------- -------------------------------------------------- -------------------- -------------------- --------- -------- --------- ----------
FILE       /home/oracle/app/oracle/okvfiles/okvtest//tde/     OPEN                 PASSWORD             SINGLE    NONE     NO                 1
FILE                                                          CLOSED               UNKNOWN              SINGLE    UNITED   UNDEFINED          2
FILE                                                          OPEN                 PASSWORD             SINGLE    UNITED   NO                 3
FILE                                                          OPEN                 PASSWORD             SINGLE    UNITED   NO                 4
FILE                                                          OPEN                 PASSWORD             SINGLE    UNITED   NO                 5
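As an added check that is not part of the original post, the script below confirms that each container received its own tagged master key in Step 5, and then deals with the FULLY_BACKED_UP = NO that the output above shows. The WITH BACKUP clause backs up the keystore before the new key is added, so the key just created is never in that copy; a keystore backup taken after the last SET KEY covers all four keys. It is run as SYSDBA in CDB$ROOT with the wallet open, and it assumes (not shown on the page) that v$encryption_keys queried from the root lists the PDB keys as well, using its CON_ID and CREATOR_PDBNAME columns; the backup identifier is one I made up.

```sql
-- Added example, not from the original post. Run as SYSDBA in CDB$ROOT.
-- Assumption: v$encryption_keys from the root shows keys of all containers.
set linesize 150
column creator_pdbname heading 'CREATED_IN' format a12
column tag             format a28
column key_use         format a12
column backed_up       format a9
column activation_time format a32

-- Expect one active key per container, each carrying the tag given in SET KEY.
select con_id, creator_pdbname, tag, key_use, backed_up, activation_time
from   v$encryption_keys
order  by con_id, activation_time;

-- WITH BACKUP copied the keystore before each new key was written, so the newest
-- key is not in that copy and FULLY_BACKED_UP still reads NO. A backup taken now,
-- after the last SET KEY, contains all four keys. (Backup identifier is made up.)
ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE USING 'OKVTEST_TDEKEY_APR1_allkeys'
  IDENTIFIED BY "0KV2021!";

-- FULLY_BACKED_UP should now be YES for every container whose wallet is OPEN.
select con_id, status, wallet_type, fully_backed_up
from   v$encryption_wallet
order  by con_id;
```

The backup file lands next to the keystore under WALLET_ROOT/tde; copy it off the database host together with the password it was created with, since a lost master key makes the encrypted datafiles unreadable.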

Step 6 - We have the master keys set and the wallets are open. We now need to implement TDE. As I said above, I used "restore as encrypted". First I am going to close, restore and recover the 3 PDBs.

rman target / catalog rmancat/oracle@rmancat

rman> alter pluggable database okvpdb1 close;
rman> alter pluggable database okvpdb2 close;
rman> alter pluggable database okvpdb3 close;

rman> restore pluggable database okvpdb1 as encrypted;
rman> restore pluggable database okvpdb2 as encrypted;
rman> restore pluggable database okvpdb3 as encrypted;

rman> recover pluggable database okvpdb1;
rman> recover pluggable database okvpdb2;
rman> recover pluggable database okvpdb3;

Then, once restored and recovered, I am going to open the wallet in each PDB and open the pluggable databases.

sqlplus / as sysdba

sql> alter session set container=okvpdb1;
sql> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "0KV2021!" CONTAINER = CURRENT;
sql> alter pluggable database okvpdb1 open;

sql> alter session set container=okvpdb2;
sql> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "0KV2021!" CONTAINER = CURRENT;
sql> alter pluggable database okvpdb2 open;

sql> alter session set container=okvpdb3;
sql> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "0KV2021!" CONTAINER = CURRENT;
sql> alter pluggable database okvpdb3 open;

Step 7 - I am going to verify that the pluggable databases are encrypted. I am going to use the query below to look at the encryption flag in the header of each datafile.

set linesize 150
column status format a10
column encrypted format a10
column tablespace_name format a30
column name format a20

select c.name,b.tablespace_name,b.status,encrypted
from v_$datafile_header a,cdb_data_files b,v$pdbs c
where a.file#=b.file_id
and a.con_id=c.con_id
order by 1,2;

Below is the output. I see that all the datafiles in the 3 PDBs are encrypted and available.

NAME                 TABLESPACE_NAME                STATUS     ENCRYPTED
-------------------- ------------------------------ ---------- ----------
OKVPDB1              SYSAUX                         AVAILABLE  YES
OKVPDB1              SYSTEM                         AVAILABLE  YES
OKVPDB1              UNDOTBS1                       AVAILABLE  YES
OKVPDB1              USERS                          AVAILABLE  YES
OKVPDB2              SYSAUX                         AVAILABLE  YES
OKVPDB2              SYSTEM                         AVAILABLE  YES
OKVPDB2              UNDOTBS1                       AVAILABLE  YES
OKVPDB2              USERS                          AVAILABLE  YES
OKVPDB3              SYSAUX                         AVAILABLE  YES
OKVPDB3              SYSTEM                         AVAILABLE  YES
OKVPDB3              UNDOTBS1                       AVAILABLE  YES
OKVPDB3              USERS                          AVAILABLE  YES
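The query above has to be read row by row. As an added example that is not part of the original post, the script below turns the Step 7 check into an exception report: it returns no rows when everything is in order and one row per problem otherwise, so it can be re-run after the bounce in Step 8 and scheduled afterwards. It is run as SYSDBA in CDB$ROOT, uses the PDB names from this post, and relies on the 19c views v$encryption_wallet, v$datafile_header (its ENCRYPTED column is the one the Step 7 query reads), v$tablespace, cdb_tablespaces and v$encrypted_tablespaces. Temporary tablespaces are excluded, since RMAN does not restore tempfiles and they are not covered by "restore as encrypted".

```sql
-- Added example, not from the original post. Run as SYSDBA in CDB$ROOT.
-- Returns no rows when the three PDBs are fully encrypted and their wallets are open.
set linesize 150
column check_name format a22
column container  format a10
column detail     format a70

-- 1. A wallet that is not OPEN anywhere except PDB$SEED (con_id 2).
select 'WALLET_NOT_OPEN' check_name,
       to_char(w.con_id) container,
       w.status || ' / ' || w.wallet_type detail
from   v$encryption_wallet w
where  w.status <> 'OPEN'
and    w.con_id <> 2
union all
-- 2. Datafiles in the three PDBs whose header still says unencrypted.
--    Joining on con_id as well as file# keeps the join exact across containers.
select 'DATAFILE_UNENCRYPTED', c.name,
       b.tablespace_name || ' ' || b.file_name
from   v$datafile_header a, cdb_data_files b, v$pdbs c
where  a.file#     = b.file_id
and    a.con_id    = b.con_id
and    a.con_id    = c.con_id
and    c.name      in ('OKVPDB1', 'OKVPDB2', 'OKVPDB3')
and    a.encrypted = 'NO'
union all
-- 3. Permanent/undo tablespaces in those PDBs that have no tablespace key,
--    i.e. never appear in v$encrypted_tablespaces.
select 'TABLESPACE_NO_TSKEY', c.name, t.name
from   v$tablespace t, cdb_tablespaces d, v$pdbs c
where  t.con_id = c.con_id
and    d.con_id = t.con_id
and    d.tablespace_name = t.name
and    d.contents <> 'TEMPORARY'
and    c.name in ('OKVPDB1', 'OKVPDB2', 'OKVPDB3')
and    not exists (select 1
                   from   v$encrypted_tablespaces e
                   where  e.ts#    = t.ts#
                   and    e.con_id = t.con_id)
order  by 1, 2, 3;
```

A WALLET_NOT_OPEN row with status OPEN_NO_MASTER_KEY after a restart is the classic symptom of a password keystore that nobody re-opened, which is exactly what the AUTO_LOGIN conversion in Step 8 prevents.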

Step 8 - I am going to change the wallet to be AUTO_LOGIN, bounce the database and verify that the encryption settings are all correct. Note that an auto-login keystore (the cwallet.sso file created next to ewallet.p12) lets the database open the wallet without anyone typing the password, so the OS permissions on the WALLET_ROOT directory should be restricted to the Oracle software owner.

sqlplus / as sysdba

sql> ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "0KV2021!";
sql> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '/home/oracle/app/oracle/okvfiles/okvtest/tde' IDENTIFIED BY "0KV2021!";

sql> shutdown immediate
sql> startup

And v$encryption_wallet shows me that my wallets are all open, including the one for PDB$SEED this time, and that the wallet type is AUTOLOGIN.

Type       WRL_PARAMETER                                      Status               WALLET_TYPE          WALLET_OR KEYSTORE FULLY_BAC     CON_ID
---------- -------------------------------------------------- -------------------- -------------------- --------- -------- --------- ----------
FILE       /home/oracle/app/oracle/okvfiles/okvtest//tde/     OPEN                 AUTOLOGIN            SINGLE    NONE     NO                 1
FILE                                                          OPEN                 AUTOLOGIN            SINGLE    UNITED   NO                 2
FILE                                                          OPEN                 AUTOLOGIN            SINGLE    UNITED   NO                 3
FILE                                                          OPEN                 AUTOLOGIN            SINGLE    UNITED   NO                 4
FILE                                                          OPEN                 AUTOLOGIN            SINGLE    UNITED   NO                 5

Now I am ready to perform a new FULL backup of the pluggable databases, since the pre-encryption backup from Step 1 contains unencrypted datafiles, and they are ready for use.

That's all there is to implementing TDE with a wallet file. In the next post, I am going to convert my wallet to an OKV-managed wallet.
