Oracle Encryption Wallet
Version 12.1.0.2

General Information
Library Note
The Library is currently in the process of being upgraded from Oracle Database Version 11.2.0.3 to 12.1.0.1. Demos are being upgraded to reflect the new Container paradigm as well as EBR (Edition Based Redefinition) and may contain references to CDBs, PDBs, and other objects you may not be familiar with such as CDB_OBJECTS_AE: Welcome to 12c.
Secure storage of encryption keys and certificates
Data Dictionary Objects
CDB_WALLET_ACES GV$ENCRYPTION_WALLET NACL$_WALLET_EXP_TBL
CDB_WALLET_ACLS GV$WALLET USER_WALLET_ACES
DBA_WALLET_ACES NACL$_WALLET V$ENCRYPTION_WALLET
DBA_WALLET_ACLS NACL$_WALLET_EXP V$WALLET
Exceptions
Error Code Reason
ORA-28353 Wallet did not open
ORA-28354 Encryption wallet, auto login wallet, or HSM is already open
ORA-28368 Can not autocreate wallet
ORA-28390 Auto login wallet not open but encryption wallet may be open
 
Create: Operating System Level
Create directory
mkdir $ORACLE_BASE\admin\<SID>\wallet
-- Note: This step is identical with the one performed with SECUREFILES. If a wallet already exists, skip this step.

host

mkdir $ORACLE_BASE\admin\orabase\wallet

exit
Alter SQLNET.ORA file
-- Note: This step is identical with the one performed with SECUREFILES. If a wallet already exists, skip this step.

NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)

ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD=FILE) (METHOD_DATA = (DIRECTORY = c:\app\oracle\admin\orabase\wallet)))

-- Note: if you do not use this wallet location you will likely receive ORA-28368: cannot auto-create wallet when setting the key
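
A pre-flight check for the SQLNET.ORA step above, added here as an example and not part of the original library page: it extracts DIRECTORY from ENCRYPTION_WALLET_LOCATION and confirms the directory exists before the key is set. The function names are hypothetical, the sample file content is constructed, and the owner-only permission check is an added hardening assumption.

```python
import os
import re
import stat
import tempfile


def wallet_directory(sqlnet_text):
    """Return DIRECTORY from a METHOD=FILE ENCRYPTION_WALLET_LOCATION, else None."""
    text = re.sub(r"(?m)^\s*#.*$", "", sqlnet_text)  # drop comment lines
    start = re.search(r"(?im)^\s*ENCRYPTION_WALLET_LOCATION\s*=", text)
    if not start:
        return None
    depth = 0
    for i in range(start.end(), len(text)):  # walk to the balancing ')'
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                break
    else:
        raise ValueError("unbalanced parentheses in ENCRYPTION_WALLET_LOCATION")
    expr = text[start.end():i + 1]
    if not re.search(r"\(\s*METHOD\s*=\s*FILE\s*\)", expr, re.I):
        return None  # not a file-based wallet (for example an HSM)
    found = re.search(r"\(\s*DIRECTORY\s*=\s*([^()]+?)\s*\)", expr, re.I)
    return found.group(1) if found else None


def check_wallet_location(sqlnet_text):
    """Return a list of findings; an empty list means no problem was found."""
    path = wallet_directory(sqlnet_text)
    if path is None:
        return ["no file-based ENCRYPTION_WALLET_LOCATION found"]
    if not os.path.isdir(path):
        return [path + ": not an existing directory; setting the key will likely raise ORA-28368"]
    findings = []
    # Added hardening check (an assumption, not from the page): owner-only access on POSIX.
    if os.name == "posix" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append(path + ": accessible to group/other; restrict to the Oracle software owner")
    return findings


if __name__ == "__main__":
    demo_dir = tempfile.mkdtemp()  # constructed stand-in for the wallet directory
    sample = ("NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)\n"
              "ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD=FILE) "
              "(METHOD_DATA = (DIRECTORY = %s)))\n" % demo_dir)
    print(check_wallet_location(sample) or "wallet location OK")
```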
 
Create: Database Level
Set Encryption Key
ALTER SYSTEM SET ENCRYPTION KEY AUTHENTICATED BY "<password>";
conn / as sysdba

SQL> show con_name

CON_NAME
------------------------------
CDB$ROOT

ALTER SYSTEM SET ENCRYPTION KEY AUTHENTICATED BY "N0way!";

desc gv$encryption_wallet

col wrl_parameter format a40

SELECT * FROM v$encryption_wallet;
 
Other Actions
Open the wallet
ALTER SYSTEM SET [ENCRYPTION] WALLET OPEN IDENTIFIED BY <password>;
desc gv$encryption_wallet

col wrl_parameter format a50

SELECT *
FROM gv$encryption_wallet;

ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "N0way!";

-- failure to do so will result in: ORA-28365: wallet is not open
SELECT *
FROM v$encryption_wallet;
Close the wallet
ALTER SYSTEM SET WALLET CLOSE;
ALTER SYSTEM SET WALLET CLOSE;
 
Keystore
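Create
-- Requires the ADMINISTER KEY MANAGEMENT or SYSKM system privilege

ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '<keystore_location>' IDENTIFIED BY "<keystore_password>";

ADMINISTER KEY MANAGEMENT CREATE [LOCAL] AUTO_LOGIN KEYSTORE FROM KEYSTORE '<keystore_location>' IDENTIFIED BY "<keystore_password>";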
CREATE KEYSTORE uwkeystore;
Alter
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<keystore_password>" [CONTAINER = <ALL | CURRENT>];
 
Close
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE [IDENTIFIED BY "<keystore_password>"] [CONTAINER = <ALL | CURRENT>];
 

This site is maintained by Dan Morgan. This site is protected by copyright and trademark laws under U.S. and International law. © 1998-2014 Daniel A. Morgan All Rights Reserved