Oracle Encryption Wallet
Version 12.2.0.1

General Information
Library Note Morgan's Library Page Header
For how many years have you been working with physical servers that are starving your database of the memory necessary to deploy important new performance features such as the Result Cache, Memoptimize Pool, In-Memory Aggregation, In-Memory Column Store, and Full Database Caching? Too long? Contact me to learn how to improve all queries ... not just some queries.
Secure storage of encryption keys and certificates
Data Dictionary Objects
CDB_WALLET_ACES GV$ENCRYPTION_WALLET NACL$_WALLET_EXP_TBL
CDB_WALLET_ACLS GV$WALLET USER_WALLET_ACES
DBA_WALLET_ACES NACL$_WALLET V$ENCRYPTION_WALLET
DBA_WALLET_ACLS NACL$_WALLET_EXP V$WALLET
Exceptions
Error Code Reason
ORA-28353 Wallet did not open
ORA-28354 Encryption wallet, auto login wallet, or HSM is already open
ORA-28368 Can not autocreate wallet
ORA-28390 Auto login wallet not open but encryption wallet may be open
Topics
Create Infrastructure KEYSTORE WALLET
 
Create: Operating System Level
Create directory mkdir $ORACLE_BASE\admin\<SID>\wallet
-- Note: This step is identical with the one performed with SECUREFILES. If a wallet already exists skip this step.

host

mkdir $ORACLE_BASE\admin\orabase\wallet

exit
Alter SQLNET.ORA file -- Note: This step is identical with the one performed with SECUREFILES. If a wallet already exists skip this step.

 # sqlnet.ora Network Configuration File: c:\app\oracle\product\12.2.0\dbhome_1\network\admin\sqlnet.ora
# Generated by Oracle configuration tools.

# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.

SQLNET.AUTHENTICATION_SERVICES= (NTS)

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

ENCRYPTION_WALLET_LOCATION=
(SOURCE=
(METHOD=FILE)
(METHOD_DATA= (DIRECTORY=c:\app\oracle\admin\orabase\wallet)))

-- Note: if you do not use this wallet location expect ORA-28368: cannot auto-create wallet when setting the key
 
Create: Database Level
Set Encryption Key ALTER SYSTEM SET encryption key authenticated by "<password>";
conn / as sysdba

SQL> show con_name

CON_NAME
------------------------------
CDB$ROOT

ALTER SYSTEM SET ENCRYPTION KEY AUTHENTICATED BY "N0way!";

desc gv$encryption_wallet

col wrl_parameter format a40

SELECT * FROM v$encryption_wallet;
 
KEYSTORE
Create Keystore ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '<keystore_location>'
IDENTIFIED BY <keystore_password>;
Create Autologin Keystore ADMINISTER KEY MANAGEMENT CREATE [LOCAL] AUTOLOGIN KEYSTORE' <keystore_location>'
IDENTIFIED BY <keystore_password>;
Open Keystore ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY <keystore_password>
[CONTAINER = <ALL | CURRENT>];
Close Keystore ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE
[IDENTIFIED BY <keystore_password>]
[CONTAINER = <ALL | CURRENT>];
Backup Keystore ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE [USING '<backup_identifier>']
[IDENTIFIED BY <keystore_password>]
TO '<keystore_location>';
Alter Keystore Password ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD
[IDENTIFIED BY <old_keystore_password>]
SET <new_keystore_password>]
[WITH BACKUP [USING '<backup_identifier>']];
Merge Into New Keystore ADMINISTER KEY MANAGEMENT MERGE KEYSTORE
'<keystore1_location>' [IDENTIFIED BY <keystore1_password>]
ADD KEYSTORE '<keystore2_location>' [IDENTIFIED BY <keystore2_password>]
INTO NEW KEYSTORE '<keystore3_location>' [IDENTIFIED BY <keystore3_password>];
Merge Into Existing Keystore ADMINISTER KEY MANAGEMENT MERGE KEYSTORE
'<keystore1_location>' [IDENTIFIED BY <keystore1_password>]
INTO EXISTING KEYSTORE '<keystore2_location>' [IDENTIFIED BY <keystore2_password>]
[WITH BACKUP [USING '<backup_identifier>']];
Administer Key Management Syntax ADMINISTER KEY MANAGEMENT <key_management_clauses>
Administer Key Management Syntax ADMINISTER KEY MANAGEMENT <secret_management_clauses>
Create Keystore Administrator for containers 1 and 3
SQL> CREATE USER c##sec_admin IDENTIFIED BY "N0Way!";

User created.

SQL> GRANT create session TO c##sec_admin;

Grant succeeded.

SQL> GRANT syskm TO c##sec_admin;

Grant succeeded.

-- also grant create session
SQL> conn sys@pdbdev as sysdba
Enter password:
Connected.

SQL> GRANT create session TO c##sec_admin;

Grant succeeded.
Create Keystore ADMINISTER KEY MANAGEMENT CREATE [LOCAL] [AUTO_LOGIN] KEYSTORE <'keystore_path_and_location'>
IDENTIFIED BY <password>;
conn / as sysdba

SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE 'c:\app\oracle\admin\orabase\wallet' IDENTIFIED BY "N0Way!";
Open Keystore ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY <password> [CONTAINER = <ALL | CURRENT>];
conn / as sysdba

SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "N0Way!";

keystore altered.

SQL> SELECT * FROM v$encryption_wallet;

WRL_TYPE WRL_PARAMETER                       STATUS             WALLET_TY WALLET_OR FULLY_BAC CON_ID
-------- ----------------------------------- ------------------ --------- --------- --------- ------
FILE     C:\APP2\ORACLE\ADMIN\ORABASE\WALLET OPEN_NO_MASTER_KEY PASSWORD  SINGLE    UNDEFINED      1

-- log in to container 3
SQL> conn sys@pdbdev as sysdba

SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "N0Way!";

SQL> SELECT * FROM v$encryption_wallet;

WRL_TYPE  WRL_PARAMETER  STATUS             WALLET_TYPE WALLET_OR FULLY_BAC CON_ID
--------- -------------- ------------------ ----------- --------- --------- ------
FILE                     OPEN_NO_MASTER_KEY PASSWORD    SINGLE    UNDEFINED      3
Set a Master Key ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY '<keystore_password>']
[WITH BACKUP USING '<backup_name>'
[CONTAINER = <ALL | CURRENT>;
SQL> conn c##sec_admin/"N0Way!"
password:

SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "N0WayIn!" WITH BACKUP USING 'tde_key_backup';
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "N0Access!" WITH BACKUP USING 'tde_key_backup'
*
ERROR at line 1:
ORA-46671: master key not set in root container

SQL> conn c##sec_admin/"N0Way!"
Connected.

SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "N0WayIn!" WITH BACKUP USING 'tde_key_backup';

keystore altered.

SQL> SELECT * FROM v$encryption_wallet;

WRL_TYPE  WRL_PARAMETER                        STATUS  WALLET_TYPE WALLET_OR FULLY_BAC CON_ID
--------- ------------------------------------ ------- ----------- --------- --------- ------
FILE      C:\APP\ORACLE\ADMIN\ORABASE\WALLET\  OPEN    PASSWORD    SINGLE    NO             1
Close Keystore ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE
[IDENTIFIED BY '<keystore_password>']
[CONTAINER = <ALL | CURRENT>;
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "N0Access!";

keystore altered.
Drop Keystore ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE
[IDENTIFIED BY '<keystore_password>']
[CONTAINER = <ALL | CURRENT>;
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "N0Access!";

keystore altered.
 
WALLET
Open the wallet ALTER SYSTEM SET [ENCRYPTION] WALLET OPEN IDENTIFIED BY <password>;
desc gv$encryption_wallet

col wrl_parameter format a50

SELECT *
FROM gv$encryption_wallet;

ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "N0way!";

-- failure to do so will result in: ORA-28365: wallet is not open
SELECT *
FROM v$encryption_wallet;
Close the wallet ALTER SYSTEM SET WALLET CLOSE;
ALTER SYSTEM SET WALLET CLOSE;

Related Topics
Network Access Control Lists
SecureFiles
Security
Transparent Data Encryption
What's New In 12cR1
What's New In 12cR2

Morgan's Library Page Footer
This site is maintained by Dan Morgan. Last Updated: This site is protected by copyright and trademark laws under U.S. and International law. © 1998-2019 Daniel A. Morgan All Rights Reserved